Security Tips for PHP

  • Set allow_url_include = Off in php.ini (and allow_url_fopen = Off
    unless the application genuinely needs remote file access) so that
    include and require cannot load code from a URL. A user-controlled
    include path otherwise gives remote file inclusion and arbitrary
    code execution on the server. Note that allow_url_fopen alone does
    not govern include; allow_url_include (PHP 5.2 and later) does.
  • Disable register_globals in php.ini (removed in PHP 5.4). With it
    on, every request parameter becomes a global variable, so an
    attacker can preset any variable the script forgets to initialise
    simply by adding it to the URL.
  • Canonicalise input before you filter it: decode URL encoding and
    convert to one known character set first, then validate. Be aware
    that utf8_decode() is lossy (it maps UTF-8 to ISO-8859-1 and turns
    anything that does not fit into '?') and is deprecated since
    PHP 8.2; mb_check_encoding() and mb_convert_encoding() are the
    tools for this.
  • strip_tags() removes HTML tags; it does not prevent cross-site
    scripting on its own (a payload containing no tag, dropped into an
    attribute value, passes straight through) and it has nothing to do
    with command injection. Treat it as a coarse input filter, never
    as output encoding.
  • Use htmlspecialchars() with ENT_QUOTES and an explicit charset on
    every value written into HTML to prevent cross-site scripting. It
    does not prevent SQL injection.
  • Do not rely on addslashes() against SQL injection: it knows nothing
    about the database's quoting rules and can be bypassed under some
    multibyte character sets. Use prepared statements with bound
    parameters (PDO or mysqli), or at the very least the driver's own
    escaping function.
  • Safe mode (removed in PHP 5.4) was never a security boundary. Do
    not rely on it, and do not treat any php.ini directive as the only
    control.
  • Never let user-supplied data reach passthru(), exec(), system(),
    shell_exec() or backticks unescaped; validate it against an
    allow-list and wrap every argument in escapeshellarg().
  • PHP include files should have a .php suffix, not .inc, so that the
    web server never serves their source as plain text, and they
    should preferably live outside the document root. (The same
    recommendation applies to ASP include files.)
  • Never rely on session.referrer_check for security: the Referer
    header is client-supplied and frequently absent.
  • On logout, clear $_SESSION, expire the session cookie and call
    session_destroy(); session_destroy() alone leaves the cookie in
    the browser. Call session_regenerate_id(true) after login so a
    session ID fixated before authentication is not kept.
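
The corrected versions of the output-encoding, SQL, shell and logout tips above, as one working script. This is an added example, not code from the original post; it assumes PHP 8 with the pdo_sqlite extension, and the table, column names, the h() and buildPingCommand() helpers and the sample inputs are constructed for the demo.

```php
<?php
// Added example (not from the original page). Assumes PHP >= 8.0 with pdo_sqlite.
// Table/column names, helper names and the inputs below are constructed for the demo.
declare(strict_types=1);

// 1. HTML output encoding. ENT_QUOTES makes the value safe inside attributes,
//    ENT_SUBSTITUTE avoids returning '' on bad bytes, the charset must be explicit.
//    This protects HTML output only; it is irrelevant to SQL.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 2. Parameterised query instead of addslashes() + concatenation. The bound value
//    never enters the SQL grammar, so quotes in the input cannot alter the statement.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Shell argument handling: allow-list first (hostnames have a small alphabet),
//    then escapeshellarg() anyway, so the value is a single quoted word to the shell.
function buildPingCommand(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// 4. Logout: session_destroy() alone leaves $_SESSION populated for the rest of the
//    request and the cookie in the browser; do all three steps.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// --- demo with constructed data ---

// XSS: a payload with no tag survives strip_tags() and breaks out of an attribute.
$name = '" onmouseover="alert(1)';                       // constructed input
echo '<input value="' . strip_tags($name) . '">', PHP_EOL; // attribute breakout
echo '<input value="' . h($name) . '">', PHP_EOL;          // quotes encoded, inert

// SQL: the classic tautology is matched literally and finds nobody.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");
var_dump(findUser($db, "x' OR '1'='1"));   // NULL
var_dump(findUser($db, 'alice'));          // ['id' => 1, 'username' => 'alice']

// Shell: metacharacters are rejected before they get anywhere near a shell.
echo buildPingCommand('example.com'), PHP_EOL;   // ping -c 1 'example.com'
try {
    buildPingCommand('example.com; id');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Run it from the command line with `php example.php`; the first echo line shows the raw attribute breakout that strip_tags() lets through, the second shows the encoded form. logout() is defined but not called, since there is no session in a CLI run.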

REFERENCE
http://phpsec.org/
http://www.modsecurity.org/
