Hi everybody!
I’m in the process of writing out a CMS system for a friend’s website, and I’ve got to the point where I’ll be deploying it.
Of course, I want it to be as secure as reasonably possible. Is there a security checklist online so I can go through the code and tick off as many possible problems as I can?
Thanks 
[ot]Go ahead 
I was just back reading this thread and thought I would point out that he’s a SitePoint member. :)[/ot]
I’ll start off with some points
There’s a couple of php books on this topic.
Good points.
check this out: http://mysql-apache-php.com/basic-linux-security.htm
Read Eric Schiflett’s book, “Essential PHP Security”. short read, to the point, and worth it!
There’s also a php architect’s guide to php security.
No.
Use PDO and prepared statements. http://fr.php.net/manual/en/book.pdo.php
To escape inputs, use the filter functions : http://fr.php.net/manual/en/ref.filter.php
With a few exceptions, you should assume any predefined variable or value is dirty. Even a lot of the stuff in $_SERVER.
What do you have to do to “prevent session hijacking”?
And what technique do you use for form tokens?
Always keep in mind what character set your data is in and use the proper methods to deal with it (e.g. always specify the correct charset when using [fphp]htmlentities[/fphp]) otherwise you might end up with security problems even though you’re “escaping.”
Start over.
Seriously, though. You should be thinking “How do I make this secure?” before the first line of code is written, not when you’re getting ready to push to production. That’s why there are so many insecure programs on the market today (and PHP is notoriously bad for hosting many of them).
And there is much more.
I assume you mean Chris Shiflett? But yes, that book’s very good.
I agree in principal, but 5 times is not enough for a regular person. You can raise that to 10 or even 50, and still combat brute force.
I only chime in with this because I always forget which email address, user name or password I used for a particular site… sometimes I have to guess more than 5 times… and I HATE getting my account locked. 
To the OP, if you even have to ask this question - do yourself a favor and get one of the good books mentioned above that cover the topic in detail. Seriously, you need an education that you won’t get from a few forum posts. Just trying to help.
Disable url_fopen if you don’t need it–most of the nastier exploits rely upon using url_fopen to download nefarious files from various sites. Not having the option can greatly limit damage.
I agree; If you really need to get content from some other website just use sockets. True it’s a little but more hassle, but so much safer!
The checklist I use is a book called “Essential PHP Security”, author - Chris Shiflett, publisher - O’Reilly.
Any other checklist you might find is either going to be wrong or will be a subset of what is in the book.
The XSS Cheat Sheet is a checklist for XSS (cross site scripting) exploits.
Note that even if you have no XSS exploits, you also need to check for CSRF (cross domain request forgery), login-CSRF, and even clickjacking, and that is just on the client side. Server-side you will need to check for SQL and command injection flaws, and all manner of other validation and filtering related vulnerabilities.
Essential PHP Security is quite dated, so I wouldn’t use that as a definitive checklist. For one, I don’t think it even mentions the danger of serving uploaded files inline. There are probably other things that it is missing.
I don’t know of any definite checklist though. Maybe I’ll start one.