I agree with HMagnusson: the security topics will never be in the docs if
they start in the wiki. And regarding (at least) leaving external links to such
topics, maybe about securing the web server, IMPO, it could be not viable for
people that don't know the language the external links point to.

I suggest that such security topics and better practices for programming in PHP
(as Ferenc mentioned: filtering/stripping HTML user input and mitigating those
issues, etc.) must be available in the docs for reading offline.

Well, it is just my personal opinion, and I too would love the idea of having
that kind of documentation in the PHP manual.

Kind regards,

Edwin.-

2011/4/22 Hannes Magnusson <hannes.magnus...@gmail.com>

> On Fri, Apr 22, 2011 at 10:52, Ferenc Kovacs <tyr...@gmail.com> wrote:
> >
> >
> > On Fri, Apr 22, 2011 at 10:08 AM, Hannes Magnusson
> > <hannes.magnus...@gmail.com> wrote:
> >>
> >> On Fri, Apr 22, 2011 at 09:40, Ferenc Kovacs <tyr...@gmail.com> wrote:
> >> > Hi.
> >> > There was a bug yesterday:
> >> > http://bugs.php.net/bug.php?id=54584
> >> > which made me realize that we don't have any documentation about
> >> > security issues like XSS, CSRF, and stuff (the general OWASP Top Ten).
> >> > I think that we should extend the current security documentation
> >> > at http://php.net/manual/en/security.php and we should link this section
> >> > in the other parts of the docs where it is relevant.
> >> > For example the reserved variables section should link the security
> >> > implications of the user submitted data.
> >> > Another thing that I would like to discuss: what should be the scope of
> >> > the security docs?
> >> > My personal opinion is that we should have complete documentation
> >> > about the general web related and the php specific security issues and
> >> > their mitigations.
> >> > So it should contain everything from best practices for
> >> > filtering/stripping html from user input, properly handling uploads,
> >> > through security related configuration options, securing the web server
> >> > itself (or at least linking the relevant documentation from the vendors)
> >> > like how to set up a mod_php/fastcgi/php-fpm installation from the
> >> > security POV, chroot/jail, etc.
> >> > I would happily contribute to such documentation, but first of all, I
> >> > would like to know what you think about it.
> >> > Personally I would love the idea to have that kind of documentation in
> >> > the php manual, because it would have the greatest audience; if that
> >> > isn't viable, I would like to have a section in wiki.php.net, and link
> >> > that from the docs.
> >>
> >>
> >> I totally agree with you.
> >> There was at some point discussion about merging the
> >> http://phpsec.org/ doc into the manual, but I think that went nowhere
> >> as those peeps didn't want to play ball.
> >> The security section in our manual definitely needs improvements, and
> >> should be linked from everything from sql execution functions to
> >> superglobal docs.
> >>
> >> -Hannes
> >
> > What do you think about if we start a wiki page for brainstorming,
> > gathering the info about the topics that need covering, maybe creating a
> > Table of Contents, then we can start moving that to the docs?
>
> It will never be moved into the docs if it starts in the wiki.
>
> I recommend you just go ahead and scratch the itch you have for some
> of the topics and see what happens.
>
> -Hannes
>



-- 
Edwin Alexander Cartagena Hernandez.

"Everything I can do through Christ"
Phil 4:13.

PHP Spanish Docs translator member.
http://www.php.net/manual/es/index.php
