Chris Shiflett wrote: > Jean-Christian Imbeault wrote: >> In general how does one go about hardening a PHP script. i.e. making >> it as "hacker-proof" as possible
There is no such thing as a 100% secure solution (this applies to everything running on a computer, PHP included). But basically you can make it pretty secure. Then again, quite a lot depends on what you are going to write. Govt/Banks need much more defense than a small/midsized commercial site (and are capable to pay for it). You can basically be happy with some care in you development, just make sure your customers do understand the amount of time this is going to take and are ready to pay for it. Then let them decide themselves, but if you see they choose a risky path in order to save budget money do write them a formal letter, in which you acknowledge the problem. Many customers do not think they need security until it's too late, then they get mad at you because they did not want to buy the extra time for secure coding. So make sure everyone knows what their responsibility are and make sure this is stated on paper. > 1. Never, ever trust data from the client That's it. If you leave Register_globals off you will be sure you get only what you need to get. Then, of course, you shall control data content. As I am sure you know yourself most of the trouble will come from uncorrect data input. You might actually write client-side javascript controls to avoid uncorrect input and then think that your data are clean. This is where most of the problems come from (as Chris points out, it's not difficult to post a form to your script after writing it at home, or just do a plain command line call with altered parameters from a user browser, I see that stuff on our customers logs quite often). So, no matter what you checked on the client, check it again on the server (even if you are not paranoid, some users may just have disabled their javascript, right?) > Basically, if you code very carefully and deliberately, you will create > a very secure application. Many people focus only on securing the > environment, but writing secure code is often much more important. Words of wisdom! and actually about 75% of the code you write is dedicated to this very job, if you really want to get a stable application. Alberto Kiev -- @-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@ LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu? lOrD i'M sHiNiNg... YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE tHe TeSt, YeS iT iS ThE tEsT, yEs It Is tHe TeSt, YeS iT iS ThE tEsT, yEs It Is....... -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php