On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 <er...@ns.sympatico.ca> wrote:
> hey guys/girls,
> what's the best way to learn about security in php?
Here are some relevant topics to consider:
- Validate input (only accept what you're expecting, via GET, POST, and COOKIE, and don't try to fix an invalid value, throw it out.)
- Use prepared statements (PDO makes this easy and generalizes quite well across popular DBs.)
- Only give the bare minimum permissions required to accomplish a task (e.g., I usually have one SQL user account for reads, and one that allows for reads and writes.)
- When errors occur, don't leak important system information to your
- Hash passwords (with a salt) that are stored so you're never storing the literal value.
- If you use an authentication system that's implemented with cookies (sessions-based or custom), all requests should run over https instead of
- Escape output according to context (html, attribute, or url.)
If you google the above topics, you'll find some great sites/blogs that
address these topics in detail.
P.S. - Or, you can just use my one-file web framework which helps you
automatically address all but the https issue above :) Sorry, it's a Friday
so I couldn't resist the shameless plug.
Nephtali: A simple, flexible, fast, and security-focused PHP framework
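The checklist in the reply above, worked through as one self-contained PHP script. This is an added example written for this page, not code from the poster or from Nephtali. It assumes a modern PHP (7.3 or later, for password_hash, nullable types and the array form of session_set_cookie_params) with the pdo_sqlite extension, and uses an in-memory SQLite database so it runs offline; the "read-only" connection is the same handle here, labelled as a stand-in for a second, restricted DB user. Input values are constructed for the demo.

```php
<?php
// Added example: input validation, PDO prepared statements, least-privilege
// DB handles, non-leaking errors, salted password hashing, context-aware
// output escaping, and HTTPS-only session cookies, in one runnable script.
// Assumes PHP >= 7.3 with pdo_sqlite. Not the poster's or Nephtali's code.
declare(strict_types=1);

// Don't leak system details: errors go to the log, never to the user.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Least privilege: in production $pdoRo would be a second connection as a
// read-only DB user. Here both names point at one in-memory SQLite handle
// (hypothetical setup for the demo only).
$pdoRw = new PDO('sqlite::memory:');
$pdoRw->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdoRw->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, pw_hash TEXT NOT NULL)');
$pdoRo = $pdoRw;

// Validate input: accept only the expected shape, otherwise throw it out.
// No attempt is made to "repair" a bad value.
function validUsername(?string $raw): ?string
{
    if ($raw === null || !preg_match('/\A[a-z0-9_]{3,32}\z/', $raw)) {
        return null;
    }
    return $raw;
}

// Prepared statement: user data is bound as a parameter, never spliced into SQL.
// password_hash() generates and stores a per-user salt inside the hash string.
function createUser(PDO $db, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function checkLogin(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pw_hash']);
}

// Escape output according to where it lands: HTML text, an HTML attribute,
// or a URL path segment. Quoted attribute escaping uses ENT_QUOTES so a
// stray double quote cannot close the attribute.
function escHtml(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
function escAttr(string $s): string { return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); }
function escUrl(string $s): string  { return rawurlencode($s); }

// Cookie-based sessions: mark the cookie Secure so the browser only sends it
// over HTTPS, and HttpOnly so page script cannot read it. In a real app this
// runs before session_start(); here it only sets the ini values.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);

// --- Demo on constructed input (no real request involved) ---
$hostile = "alice' OR 1=1--";   // classic injection attempt
$good    = 'alice_01';

if (validUsername($hostile) !== null) { throw new RuntimeException('validation should reject this'); }
if (validUsername($good) !== $good)   { throw new RuntimeException('validation should accept this'); }

createUser($pdoRw, $good, 'correct horse battery staple');
if (!checkLogin($pdoRo, $good, 'correct horse battery staple')) { throw new RuntimeException('login should succeed'); }
if (checkLogin($pdoRo, $good, 'wrong password'))                { throw new RuntimeException('login should fail'); }
// Even without validation, the hostile string is just a literal inside the
// prepared statement and matches no row.
if (checkLogin($pdoRo, $hostile, 'x')) { throw new RuntimeException('injection must not match'); }

$name = '<script>alert(1)</script>';
echo '<p>' . escHtml($name) . "</p>\n";
echo '<input name="u" value="' . escAttr($name) . "\">\n";
echo '<a href="/users/' . escUrl($name) . "\">profile</a>\n";
echo "all checks passed\n";
```

The read/write split in the reply maps onto the two PDO handles: anything that only renders pages takes $pdoRo, and only the code paths that must change data get $pdoRw, so an injection bug in a read-only page cannot turn into a write. password_hash() covers the "hash with a salt" item on its own; rolling your own salt plus md5 or sha1 is the thing to avoid.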