Convert Microsoft to LINUX: PHP Security
One could write books on this subject. Let me start by giving a very basic overview.
Make sure the register_globals directive is disabled. This happens by default in PHP versions 4.2 and higher.
In the file /etc/php5/apache2/php.ini you should see the two lines below:
; register_globals to be on; Using form variables as globals can easily lead
register_globals = Off
Filter your data. Limit the number of characters that may be entered and use string operations to search for unwanted input. Have all sub-modules of the main PHP module be accessed only through include statements, so the sub-modules are not directly exposed. When you read data from the form, immediately save it in a local variable or local array. Make sure all variables are initialized to null.
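The following is an added example (not code from the original page) of the filtering described above: form fields are copied straight into locals that start out as null, each field has a maximum length and a whitelist of permitted characters, and anything outside the whitelist is rejected. The field names, length limits and character classes are assumptions chosen for the illustration.

```php
<?php
// Added example, not from the original page. Field names, limits and
// character classes below are assumptions for the illustration.

// Every local is explicitly initialised, so a missing form field can never
// fall through to an unset (or, with register_globals, attacker-supplied) value.
$username = null;
$comment  = null;

// Whitelist filter: absent, empty, over-long or non-matching input returns null.
function filter_field(array $source, $key, $max_len, $pattern)
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;                       // absent, or not a plain string (e.g. an array)
    }
    $value = trim($source[$key]);
    if (strlen($value) === 0 || strlen($value) > $max_len) {
        return null;                       // empty or over the length limit
    }
    if (!preg_match($pattern, $value)) {
        return null;                       // contains characters outside the whitelist
    }
    return $value;
}

// Read from the form immediately into locals; do not touch $_POST again below.
$username = filter_field($_POST, 'username', 32, '/^[A-Za-z0-9_]+$/');
$comment  = filter_field($_POST, 'comment', 500, '/^[\p{L}\p{N} .,!?\'"-]+$/u');

if ($username === null || $comment === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid input.');
}

// Escape at the output boundary; the stored value itself stays unmodified.
echo '<p>Hello, ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8') . '</p>';
```

Keeping the whitelist pattern next to the length limit makes both checks visible in one place; a regular expression that only searches for known-bad characters is easier to slip past than one that names the characters you allow.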
In the same php.ini, turn error_reporting on by uncommenting this line:
;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
You can always back off later if this proves too strict for you.
Similarly, turn on log_errors in the php.ini file.
Use POST rather than GET in forms if possible. The reason is that with GET you can see in the URL string what you are querying for, which exposes your database information. With POST nothing shows up in the URL. However, both POST and GET send plain text over the network. To make things stronger, use POST together with a secure HTTPS login, like when you buy a plane ticket.
Keep the PHP files that log you on to the database in include files that are not accessible from the document root. Otherwise somebody could read them and get all your logon information.
Protect against SQL injection attacks by quoting and escaping your MySQL
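As an added example (not code from the original page), here is the quoting-and-escaping form of the lookup alongside the prepared-statement form, which goes one step further by keeping the value out of the SQL text entirely. The table name, column names and connection credentials are assumptions.

```php
<?php
// Added example, not from the original page. Assumes a table
// users(id, username) and the connection settings shown (placeholders).
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('Database connection failed.');
}
// Escaping is only correct for the connection's character set, so set it explicitly.
$db->set_charset('utf8mb4');

$username = isset($_POST['username']) ? $_POST['username'] : '';

// Vulnerable form, shown only for comparison: the raw form value is pasted
// into the SQL, so a quote character in the input ends the string literal
// early and the rest of the input is parsed as SQL.
// $sql = "SELECT id FROM users WHERE username = '" . $username . "'";

// Quoting and escaping: the value is wrapped in quotes AND escaped for the
// connection's charset, so a quote in the input cannot close the literal.
$sql    = "SELECT id FROM users WHERE username = '" . $db->real_escape_string($username) . "'";
$result = $db->query($sql);
$row    = $result ? $result->fetch_assoc() : null;

// Prepared statement: the value is bound as a parameter and never becomes
// part of the SQL text, so there is nothing to escape.
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->bind_param('s', $username);
$stmt->execute();
$stmt->bind_result($id);
$found = $stmt->fetch();
$stmt->close();

echo $found ? "Found user id $id" : 'No such user';
```

Note that real_escape_string() protects a quoted string literal only; a value spliced into a numeric position or a column name still needs its own validation, which is one reason the bound-parameter form is preferable wherever the driver supports it.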
Protect against session fixation. If a session ID is not yet active, regenerate it. Have cookies time out after a period of inactivity.
Protect against session hijacking. We can do this by making sure the user-agent has not changed for a given session ID. We can also perform additional random operations on the user-agent by concatenating a string to it, taking the md5 checksum and using this as the fingerprint string that we check on authentication.
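The two session defences above (fixation and hijacking), as an added example that is not code from the original page: the session ID is regenerated at login, an inactivity timeout is enforced, and the fingerprint is the md5 of the user-agent concatenated with a server-side secret string. The secret value, the 15-minute timeout, the login page path and the helper names are assumptions.

```php
<?php
// Added example, not from the original page. SESSION_SECRET and
// INACTIVITY_TIMEOUT are placeholders; set them per deployment.
define('SESSION_SECRET', 'replace-with-a-long-random-string');
define('INACTIVITY_TIMEOUT', 900);   // 15 minutes of inactivity, assumed

// Fingerprint = md5(user-agent . secret). The concatenated secret is not known
// to the client, so copying a victim's User-Agent alone does not reproduce it.
function session_fingerprint()
{
    $ua = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
    return md5($ua . SESSION_SECRET);
}

function end_session_and_redirect($to)
{
    $_SESSION = array();
    session_destroy();
    header('Location: ' . $to);
    exit;
}

// Call on every request before touching $_SESSION.
function secure_session_start()
{
    // Cookie flags: session-lifetime, site-wide, HTTPS only, not readable by script.
    session_set_cookie_params(0, '/', '', true, true);
    session_start();

    // Hijacking check: the fingerprint must match the one recorded at login.
    if (isset($_SESSION['fingerprint']) && $_SESSION['fingerprint'] !== session_fingerprint()) {
        end_session_and_redirect('/login.php');
    }

    // Inactivity timeout: drop the session if it has been idle too long.
    if (isset($_SESSION['last_activity'])
        && time() - $_SESSION['last_activity'] > INACTIVITY_TIMEOUT) {
        end_session_and_redirect('/login.php?expired=1');
    }
    $_SESSION['last_activity'] = time();
}

// Call once the user's credentials have been verified.
function session_login($user_id)
{
    // Fixation defence: discard whatever ID the client arrived with and issue
    // a fresh one, so a pre-set ID never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $user_id;
    $_SESSION['fingerprint']   = session_fingerprint();
    $_SESSION['last_activity'] = time();
}
```

Tying the fingerprint to the user-agent does mean a legitimate browser upgrade mid-session logs the user out; that is the intended trade-off of the check described above, and the redirect to the login page handles it cleanly.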
Protect against exposed session data on a shared, publicly paid-for host. Note that the /tmp directory contains the session IDs. It is better to store your own session IDs in a MySQL database which you control.
Use the session_set_save_handler() function to override PHP's default session handling with your own PHP functions.
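An added example (not code from the original page) of the override just described: the six callbacks session_set_save_handler() expects are implemented against a MySQL table, so session data never lands in the shared /tmp directory. The table definition, its column names and the connection settings are assumptions.

```php
<?php
// Added example, not from the original page. Assumed table (create it first):
//   CREATE TABLE sessions (
//     id       VARCHAR(128) NOT NULL PRIMARY KEY,
//     data     BLOB         NOT NULL,
//     modified INT UNSIGNED NOT NULL
//   );
// Connection settings are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=app_db;charset=utf8mb4', 'app_user', 'app_password');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

function sess_open($save_path, $session_name) { return true; }
function sess_close() { return true; }

// Must return the serialized session data as a string, or '' when unknown.
function sess_read($id)
{
    global $pdo;
    $stmt = $pdo->prepare('SELECT data FROM sessions WHERE id = ?');
    $stmt->execute(array($id));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['data'] : '';
}

// Insert or update the row for this session ID and stamp the modification time.
function sess_write($id, $data)
{
    global $pdo;
    $stmt = $pdo->prepare(
        'INSERT INTO sessions (id, data, modified) VALUES (?, ?, ?) ' .
        'ON DUPLICATE KEY UPDATE data = VALUES(data), modified = VALUES(modified)'
    );
    return $stmt->execute(array($id, $data, time()));
}

function sess_destroy($id)
{
    global $pdo;
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE id = ?');
    return $stmt->execute(array($id));
}

// Garbage collection: remove sessions idle longer than session.gc_maxlifetime.
function sess_gc($max_lifetime)
{
    global $pdo;
    $stmt = $pdo->prepare('DELETE FROM sessions WHERE modified < ?');
    return $stmt->execute(array(time() - $max_lifetime));
}

session_set_save_handler('sess_open', 'sess_close', 'sess_read',
                         'sess_write', 'sess_destroy', 'sess_gc');
// Write the session explicitly at shutdown, before PHP tears down objects
// such as $pdo that the callbacks depend on.
register_shutdown_function('session_write_close');
session_start();
```

Because the ID is always passed as a bound parameter, a crafted session cookie cannot alter the queries, and restricting the MySQL account used here to this one table keeps the stored sessions separate from the rest of the application's data.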
This is based on the following