On Fri, Apr 8, 2011 at 3:24 PM, nighthawk1256 <er...@ns.sympatico.ca> wrote:

> hey guys/girls,
> whats the best way to learn about security in php?

Here are some relevant topics to consider:

   - Validate input (only accept what you're expecting, via GET, POST, and
   COOKIE, and don't try to fix an invalid value, throw it out.)
   - Use prepared statements (PDO makes this easy and generalizes quite well
   across popular DB's.)
   - Only give the bare minimum permissions required to accomplish a task
   (e.g., I usually have one SQL user account for reads, and one that allows
   for reads and writes.)
   - When errors occur, don't leak important system information to your
   - Hash passwords (with a salt) that are stored so you're never storing
   the literal value.
   - If you use an authentication system that's implemented with cookies
   (sessions-based or custom), all requests should run over https instead of
   - Escape output according to context (html, attribute, or url.)

If you google the above topics, you'll find some great sites/blogs that
address these topics in detail.


P.S. - Or, you can just use my one-file web framework which helps you
automatically address all but the https issue above :) Sorry, it's a Friday
so I couldn't resist the shameless plug.

Nephtali:  A simple, flexible, fast, and security-focused PHP framework

Reply via email to