PHP Security Cheat Sheet

= DRAFT CHEAT SHEET - WORK IN PROGRESS = = Introduction = This article is focused on providing PHP-specific guidance to securing web applications.

= PHP Security General Guidelines =

Input nput validation
Use $_dirty['foo'] = $_GET['foo'] and then $foo = validate_foo($dirty['foo']);

Consider using Stefan Esser's Hardened PHP patch - http://www.hardened-php.net/suhosin/index.html
(not maintained now, but the concepts are very powerful)

In terms of secure coding with PHP, do not use globals unless absolutely necessary
Check your php.ini to ensure register_globals is off Do not run at all with this setting enabled It's extremely dangerous (register_globals has been disabled since 5.0 / 2006, but .... most PHP 4 code needs it, so many hosters have it turned on)

Ensure allow_url_fopen and allow_url_include are both disabled to protect against RFI
But don't cause issues by using the pattern include $user_supplied_data or require "base" + $user_supplied_data - it's just unsafe as you can input /etc/passwd and PHP will try to include it

Avoid Eval
It basically allows arbitrary PHP code execution, so do not evaluate user supplied input. and if you're not doing that, you can just use PHP directly. eval is at least 10-100 times slower than native PHP

Be aware of PHP filters
These are transparent to you and you need to know about them. php://input: takes input from the console gzip: takes compressed input and might bypass input validation http://au2.php.net/manual/en/filters.php

= Related Cheat Sheets =

= Authors and Primary Editors =

Andrew van der Stock