Chris Shiflett wrote:
> Jean-Christian Imbeault wrote:
>> In general how does one go about hardening a PHP script. i.e. making 
>> it as "hacker-proof" as possible

There is no such thing as a 100% secure solution (this applies to 
everything running on a computer, PHP included). But basically you can 
make it pretty secure. Then again, quite a lot depends on what you are 
going to write. Govt/Banks need much more defense than a small/midsized 
commercial site (and are capable to pay for it). You can basically be 
happy with some care in you development, just make sure your customers 
do understand the amount of time this is going to take and are ready to 
pay for it. Then let them decide themselves, but if you see they choose 
a risky path in order to save budget money do write them a formal 
letter, in which you acknowledge the problem. Many customers do not 
think they need security until it's too late, then they get mad at you 
because they did not want to buy the extra time for secure coding. So 
make sure everyone knows what their responsibility are and make sure 
this is stated on paper.

> 1. Never, ever trust data from the client

That's it. If you leave Register_globals off you will be sure you get 
only what you need to get. Then, of course, you shall control data 
content. As I am sure you know yourself most of the trouble will come 
from uncorrect data input.
You might actually write client-side javascript controls to avoid 
uncorrect input and then think that your data are clean. This is where 
most of the problems come from (as Chris points out, it's not difficult 
to post a form to your script after writing it at home, or just do a 
plain command line call with altered parameters from a user browser, I 
see that stuff on our customers logs quite often).
So, no matter what you checked on the client, check it again on the 
server (even if you are not paranoid, some users may just have disabled 
their javascript, right?)

> Basically, if you code very carefully and deliberately, you will create 
> a very secure application. Many people focus only on securing the 
> environment, but writing secure code is often much more important.

Words of wisdom! and actually about 75% of the code you write is 
dedicated to this very job, if you really want to get a stable application.




LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is.......

PHP General Mailing List (
To unsubscribe, visit:

Reply via email to