Talk:PHP Security Cheat Sheet

Revision as of 17:08, 4 July 2012 by Abbas Naderi (Talk | contribs)

Jump to: navigation, search



I'd suggest to remove the TOC when this sheet is close to be finished. Achim, 3-jul-2012


I'm (mis-)using the {{TBD: ...}} wiki syntax to mark texts and paragraphs "to be discussed". Achim, 3-jul-2012


I think your error configuration is not good. You have to set display_errors and display_startup_errors to On, otherwise it would be too hard to debug your code (yes you need debugging even on the server). The better practice, is to set to to On by default, and use a framework (a piece of code) to redirect that to a log for general user, and keep it on the screen for admins/developers. I've seen infinite developers set it to off, then set it to On for debugging, and leave it there.

Why the hell is file_uploads off? Are you one of those guys who believe everything should be off to provide a secure system? Also disabling functions and etc. its a very bad practice. This is only used in dull shared web hosting systems, and nobody gets their hosts.

Most usage of PHP is available source code (Wordpress, Joomla, MyBB, etc.) and they all use these abilities. What you're indicating just says "dont follow this cheat sheet", no offence!

We gotta discuss session handling, there's a lot of issues there.

Allow_url_fopen Off is not secure at all. my most recent paper lists 12 methods of converting and LFI to a RFI, if somehow has an LFI flaw in the code, url_fopen On or Off wont matter.

The memory and execution time limit defined there, is very bad practice. This limit kills the php script, and results in numerous errors which are extremely hard to debug. They do not mitigate DOS, you can simply run 10 scripts instead of 1. The optimum values are 32MB memory, 30 second execution time, with ability to extend it in user code.

Please get back to me on this, or my email at --Abbas Naderi PS. I really appreciate you working on this page, ignore my rude tone!