Code review advice sought!
Date: 12/29/05
(PHP Community) Keywords: php, html, security, web, linux, apache
Greetings all, new reader on the community here.
I'm one of the co-administrators of a small private co-op site, and we recently had our webserver hacked. :( We're still trying to figure out why, but there is some suspicion that PHP vulnerabilities might have been the vector of attack. As a result I am planning to upgrade to the latest and greatest version of PHP, but before we go live again with that, I want to review the PHP that runs on a few sites we host and make sure that I've taken care of as many holes as reasonably possible.
We run Debian Linux, and I've just upgraded us to Apache 2.0 as well. (We plan to upgrade to 2.2 as soon as we have a Debian package for that.) And I plan to put PHP 5.0.5 up off of backports.org.
The questions I would like to pose to the community are:
1) Since PHP 5.1.1 is not available in package form yet, are there any known big problems with 5.0 that might make it necessary for me to build 5.1.1 by hand?
2) I've been reading up in the Security chapter of the docs on php.net, as well as the SecurePHP wiki, and have come up with a list of things I know I'd like to look at. Can anyone recommend things besides these items that I ought to look at?
- Use .htaccess to control who gets to look at source code
- Take sensitive data, e.g., passwords, out of public web space
- Verify that register_globals is OFF
- Validate all user data
- Initialize variables
- Turn off magic quotes
- Use addslashes and stripslashes as needed
- Set expose_php = off in php.ini
- Log errors out to files not in public space rather than displaying them on the page
- Use $_POST, $_GET, $_COOKIE, and $_SESSION for global variables
- Use htmlspecialchars() for hidden form values
- For URL stuff, use both htmlspecialchars() AND urlencode(); the latter should be for specific variables in the URL, and the former for the entire URL
Thank you very much in advance for any pointers!
Source: http://www.livejournal.com/community/php/384514.html