I'm about at the intermediate PHP programming level, but until now I haven't really been concerned too much with security. I do my basic checks on forms for the data, but that's about it.
I have all my MySQL database calls/passwords in a separate includes folder that I include on each page.
Are there any security basics that are just a good idea to use all the time?
thanks all!
How Secure is it Really?
- Shut register globals off. Learn to use $_GET/$_POST etc.
- Don't store usernames and passwords in a text file
- Don't name your include files with a *.inc extension. Always make sure it has a .php extension. (ex: *.inc.php)
Here is a great article on PHP security:
http://www.zend.com/zend/art/art-oertli.php
Hope this at least gets you started
- twigletmac
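The register_globals point above, as an added example that is not code from the original thread. It emulates register_globals with extract() on a constructed request array, shows the privilege-escalation bug that results when a variable is only set on the success path, and then the $_POST-style fix. The function names, the "admin" account and the placeholder password are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Placeholder credential for the demo only; a real app would check a hash.
const DEMO_PASSWORD = 'correct horse battery staple';

// --- Vulnerable pattern (what register_globals = On does for you) ---
// With register_globals on, PHP turns every request parameter into a
// variable before your code runs. extract() on the request array
// reproduces that behaviour so the bug can be seen offline.
function vulnerable_is_admin(array $request): bool
{
    extract($request);                       // emulates register_globals; never do this with user input

    if (isset($user, $pass) && $user === 'admin' && $pass === DEMO_PASSWORD) {
        $is_admin = true;
    }
    // $is_admin is never initialised on the failure path, so a request of
    //     /admin.php?is_admin=1
    // fills it in for the attacker before the check above even runs.
    return !empty($is_admin);
}

// --- Hardened pattern ---
// 1. Read input only from the superglobal you expect ($_POST here).
// 2. Initialise every decision variable before use, so nothing the
//    request sends can stand in for an assignment you forgot.
function is_admin_request(array $post): bool
{
    $isAdmin = false;                        // explicit default
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';

    if ($user === 'admin' && hash_equals(DEMO_PASSWORD, $pass)) {
        $isAdmin = true;
    }
    return $isAdmin;
}

// Optional runtime check for old hosts: warn if the directive is still on.
// (register_globals was removed in PHP 5.4; on newer builds ini_get() returns false.)
if (filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('register_globals is ON: every request parameter becomes a global variable');
}

// Constructed request data, not a real form submission: wrong password,
// plus the injected is_admin parameter an attacker would add.
$fakeRequest = ['user' => 'guest', 'pass' => 'wrong', 'is_admin' => '1'];

var_dump(vulnerable_is_admin($fakeRequest));  // bool(true)  -> escalated without the password
var_dump(is_admin_request($fakeRequest));     // bool(false) -> the injected key is ignored
```

The fix is not the superglobals by themselves: as the later reply in this thread notes, reading $_POST['user'] while register_globals is still on leaves $is_admin injectable. What closes the hole is the explicit `$isAdmin = false;` before the check, together with turning the directive off (or running a PHP version that no longer has it).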
daemorhedron
Adding error_reporting(E_ALL); to your script is a good move too imho. While it has nothing directly to do with security, it will help you to identify all mistakes that can lead to security issues, or bugs in general. It can get annoying too though, I will admit, but since coding with it on, it's only helped me personally.
HTH! =)
Like twigletmac said, use those arrays anyway. It will help you debug your code 6 months down the line, because you can tell where those variables are coming from.
However, with register globals on, using those arrays doesn't strengthen your security.
<utopian>Perhaps you can convince your host to get with the program and shut off reg globs</utopian>
Turning on all error reporting is good for development, but shut it off again when you load the gold code. The reason is that if something ever happens and an error pops up, the error message might reveal something to a potential hacker that he could use to compromise the system.
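The development/production split described in the post above, as an added example that is not from the original thread. It keeps error_reporting(E_ALL) in both modes, but in production sends the detail to a log file and shows the visitor a generic message, so a failure in the database include never prints file paths or credentials to the browser. The APP_ENV variable name, the log path and the thrown exception are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical switch: set APP_ENV=production on the live server.
$production = (getenv('APP_ENV') === 'production');

// Report every class of problem in both modes; what differs is where it goes.
error_reporting(E_ALL);

if ($production) {
    ini_set('display_errors', '0');            // never echo errors to the browser
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');                // keep them for the developer
    ini_set('error_log', '/var/log/php/app.log'); // hypothetical path, outside the web root
} else {
    ini_set('display_errors', '1');            // development: see everything immediately
    ini_set('log_errors', '1');
}

// Uncaught exceptions would otherwise print a stack trace with paths, SQL
// fragments or the contents of the include file. Log the detail, show a stub.
set_exception_handler(function (Throwable $e) use ($production): void {
    error_log(sprintf(
        '[%s] %s in %s:%d',
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));

    if ($production) {
        http_response_code(500);
        echo 'An internal error occurred.';
    } else {
        echo '<pre>', htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8'), '</pre>';
    }
});

// Constructed failure: the kind of message a broken include would produce.
// The path is a placeholder; it is exactly what should stay out of the response.
throw new RuntimeException('Could not open /var/www/includes/db.inc.php: permission denied');
```

Run it twice, once with `APP_ENV=production php script.php` and once without, and compare the output: the same exception is logged in both cases, but only the development run shows the path. Note that display_errors is a php.ini setting too, so setting it in code is a belt-and-braces measure; a fatal error during compilation happens before ini_set() runs, and only the php.ini value applies there.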