Posted by larry on 02/03/07 18:31

> Are there any well known and common mistakes, things that usually are
> not thought about? Any security related things that I should
> definitely not do? I know there is good literature out there about
> this topic and I have consulted some PHP books and websites. But no
> book can substitute an expert's experience.
>
> Any piece of advice is gladly appreciated!
> Thanks!
> Karl

First off is a bit of role=playing to make you more aware of potential
problems. Just second guess ANYTHING that is coming in from outside
your application, whether ity is GET, POST and how you handle it.

If you use referencing to web locations based GET and POST, those
could be used to divert content or your customers to bad places.

If you display GET POST data embedded PHP scripts could make your app
do things you don't want it to.

If you store GET POST data to a database, it could be maligned to
contain cammands to do thing to/with your database you did not expect.

Even if the data does not contain some obvious exploit, what if it is
bad (too big, small, ?) or of the wrong type verify for potential
problems there. (userrs doing some email shenanigans is another
factor too)

Modules that are added by include() or refernced by others sould be
examined to make sure they are not activated by unknown scripts
outside of youre web site.

Now if you share a web server you may also have the problem of bad
neighbors on the same server attempting to check out your session
data.

Transmitting sensitive data is another issue, if you are doing
anything with SSNs, credit cards, or other sensitive data use an SSL.

If you google for PHP security you can find lots of articles, read
many some offer better tips then otyhers.

[Back to original message]