The top ten applied to php:
http://www.sklar.com/page/article/owasp-top-ten
A Study in Scarlet:
http://www.securereality.com.au/studyinscarlet.txt
And of course read through the php and mysql manuals.
Are you using a database? The basics for securing the database are:
(1) Never allow your program to connect as the root user. Create another user with only the minimum privileges required - and perhaps others (non-root) for admin level access. Keep the db conn scripts in an .htaccess protected folder (deny from all). If you can set a <directory> directive do that instead.
http://httpd.apache.org/docs-2.0/howto/htaccess.html
(2) Always properly escape strings in db queries - mysql_escape_string, or addslashes.
(3) Always quote vars in queries eg:
"SELECT col1, col2 FROM table WHERE col1='$var'"
If you expect the var to be an integer, and it originates from GPC input, it might not be an integer at all. An intval($var) strips out any text. I'd recommend always quoting it as well: not strictly required after an intval() but it's another layer of protection if you slip up one day and forget to force type.
I think one of those tutorials covers error reporting - if not, the rule is turn it down as far as possible on a live site so that an attacker cannot glean any useful information. (But always develop locally with the maximum E_ALL).
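An added example (not from the post above) putting rules (1) to (3) together in one place: a non-root connection, escaping of string input, and intval() plus quoting for an integer that came from GPC input. It uses the mysqli extension rather than the old mysql_* functions, which were removed in PHP 7, and ends with a prepared statement as the alternative that removes the need for manual quoting; the connection details and table/column names are assumptions.

```php
<?php
// Rule (1): connect as a least-privilege application user, never root.
// Credentials here are placeholders; keep the real ones in a file that
// Apache refuses to serve (.htaccess "deny from all" or a <Directory> block).
function connectAsAppUser(): mysqli
{
    $db = new mysqli('localhost', 'app_reader', 'PLACEHOLDER_PASSWORD', 'appdb');
    if ($db->connect_errno) {
        // Rule from the post on error reporting: log details, never echo them
        // to the visitor on a live site.
        error_log('DB connection failed: ' . $db->connect_error);
        exit('Service temporarily unavailable.');
    }
    return $db;
}

// Rule (2): string input is escaped with the connection's charset before
// it is placed inside the quotes of the query.
function buildNameQuery(mysqli $db, string $rawName): string
{
    $name = $db->real_escape_string($rawName);
    return "SELECT col1, col2 FROM table WHERE col1='" . $name . "'";
}

// Rule (3): force the type with intval() AND still quote the value, so a
// forgotten intval() elsewhere leaves the quoting as a second barrier.
function buildIdQuery($rawId): string
{
    $id = intval($rawId);   // anything that is not a leading integer is dropped
    return "SELECT col1, col2 FROM table WHERE id='" . $id . "'";
}

// Preferred form: a prepared statement keeps data out of the SQL text
// entirely, so neither escaping nor quoting is done by hand.
function fetchById(mysqli $db, $rawId): ?array
{
    $stmt = $db->prepare('SELECT col1, col2 FROM table WHERE id = ?');
    $id = intval($rawId);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with constructed GPC-style input:
$db = connectAsAppUser();
$sql = buildIdQuery($_GET['id'] ?? '0');
$row = fetchById($db, $_GET['id'] ?? '0');
```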