Convert Microsoft to LINUX: PHP Security


One could write books on this subject. Let me start by giving a very basic overview.

  1. Make sure the register_globals directive is disabled. It is Off by default in PHP 4.2 and higher, and the directive was removed entirely in PHP 5.4, so with a current PHP it cannot be turned on at all. In the file /etc/php5/apache2/php.ini you should see the two lines below:
    ; register_globals to be on; Using form variables as globals can easily lead
    register_globals = Off
  2. Filter your data. Bound the length of every field and validate it against a whitelist of the characters you expect, rejecting anything else; searching for known-bad strings with string operators catches only the attacks you thought of. Have all sub-modules of the main PHP module be reachable only through include statements, so they are not directly exposed as URLs. When you read data from the form, immediately copy it into a local variable or local array, and make sure every variable is initialized to null before use so nothing can inherit an attacker-supplied value.
  3. In the same php.ini, turn error_reporting on by uncommenting this line:
    ;error_reporting = E_ALL & ~E_NOTICE | E_STRICT
    You can always back off later if this is too strict for you. On a production server the reports belong in the log, not the browser: keep display_errors = Off, otherwise file paths and query fragments leak to every visitor who triggers a warning.
  4. Similarly, turn on log_errors in the same php.ini file (log_errors = On) and point error_log at a file outside the document root.
  5. Use POST rather than GET in forms if possible. With GET the query parameters appear in the URL, where they reveal what you are querying for and end up in browser history, proxy and server logs and Referer headers; with POST nothing shows up in the URL. Neither method protects the data in transit, however: both POST and GET travel as plain text over the network unless the connection uses HTTPS. So use POST, and serve the login over HTTPS, like when you buy a plane ticket.
  6. Put the PHP files that log you on to the database in include files stored outside the document root. If they sit under the document root, a misconfiguration that serves them as plain text (or a directory listing) hands out your database logon information to anyone who asks for the file.
  7. Protect against SQL injection attacks. Never build a query by concatenating raw input into the string: use prepared statements with bound parameters (PDO or mysqli), or, where you must assemble the query text yourself, quote every value and escape it with the driver's own function (mysqli_real_escape_string()) rather than a hand-written replace.
  8. Protect against session fixation. Regenerate the session ID with session_regenerate_id(true) whenever the privilege level changes, above all at login, so that an ID an attacker planted before authentication is never promoted to an authenticated session. Have sessions time out after a period of inactivity and set the cookie lifetime to match.
  9. Protect against session hijacking. One check is to record a fingerprint of the User-Agent when the session is created and reject any request for that session ID whose fingerprint differs. Rather than hashing the header on its own, concatenate a server-side secret string to it and hash the result (md5 in the original recipe; a keyed hash such as hash_hmac() with SHA-256 is the modern equivalent), so that an attacker who knows the victim's User-Agent still cannot compute the fingerprint. Treat this as a secondary control only: the User-Agent is attacker-controlled and trivially copied, so the check supplements HTTPS and HttpOnly cookies rather than replacing them.
  10. Protect against exposed session data on a shared, publicly paid-for host. Note that PHP's default handler writes session files (sess_<id>, containing the serialized session data) to /tmp, and on shared hosting every site typically runs as the same web-server user, so another tenant's script can read them. It is better to store your sessions in a MySQL database which you control. Use the session_set_save_handler() function to override PHP's default session handling with your own PHP functions.
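
The following login script is an added example, not code from the original page or the article it summarizes. It ties together items 2, 3, 4, 5, 7, 8 and 9 above: whitelist validation of the username, a PDO prepared statement, session_regenerate_id() at login, a keyed User-Agent fingerprint, an inactivity timeout, and a POST-plus-HTTPS gate. The table name users with columns id, username and password_hash, the DSN and credentials, and the secret file /etc/myapp/secret.php (which simply does return 'some-long-random-string';) are assumptions for illustration. It needs PHP 7.3 or later for the array form of session_set_cookie_params().

```php
<?php
// Added example (not from the original page). Assumed schema:
//   users(id INT PRIMARY KEY, username VARCHAR(32), password_hash VARCHAR(255))
declare(strict_types=1);

// Items 3 and 4: report everything, but send it to the log, never the browser.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Item 2: bound the length and whitelist the characters before anything else.
function valid_username(string $u): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $u);
}

// Item 9: fingerprint = keyed hash of the User-Agent. The secret lives outside
// the document root (item 6), so knowing the victim's UA alone is not enough.
function session_fingerprint(string $secret): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_hmac('sha256', $ua, $secret);
}

// Item 7: the username reaches MySQL as a bound parameter, never as SQL text.
function login(PDO $db, string $username, string $password, string $secret): bool
{
    if (!valid_username($username) || strlen($password) > 1024) {
        return false;
    }
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Item 8: discard the pre-authentication ID so a fixated ID is never
    // promoted to a logged-in session; true deletes the old session file too.
    session_regenerate_id(true);
    $_SESSION = [
        'uid'         => (int) $row['id'],
        'fingerprint' => session_fingerprint($secret),
        'last_seen'   => time(),
    ];
    return true;
}

// Items 8 and 9: call on every request that needs an authenticated user.
function session_is_valid(string $secret, int $idle_limit = 900): bool
{
    if (!isset($_SESSION['uid'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return false;
    }
    // Constant-time comparison; a changed User-Agent fails the session.
    if (!hash_equals($_SESSION['fingerprint'], session_fingerprint($secret))) {
        return false;
    }
    // Inactivity timeout: 15 minutes by default.
    if (time() - (int) $_SESSION['last_seen'] > $idle_limit) {
        return false;
    }
    $_SESSION['last_seen'] = time();
    return true;
}

// Cookie only over HTTPS, not readable by script, not sent cross-site.
session_set_cookie_params(['secure' => true, 'httponly' => true, 'samesite' => 'Strict']);
session_start();

$secret = require '/etc/myapp/secret.php';               // assumed path, outside the web root
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
]);

// Item 5: credentials are accepted only by POST and only over HTTPS.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !empty($_SERVER['HTTPS'])) {
    $ok = login($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''), $secret);
    echo $ok ? 'Logged in' : 'Login failed';
} elseif (!session_is_valid($secret)) {
    session_destroy();
    echo 'Please log in';
}
```

Note that on a failed fingerprint or timeout the script destroys the session rather than just denying the page, so a hijacked or stale ID cannot be retried until it happens to match again.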
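
For item 10, here is an added example (not from the original page) of a MySQL-backed session store registered through session_set_save_handler(), so that no session data is written to the shared /tmp. The table sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, last_access INT) and the PDO connection details are assumptions; every query uses bound parameters, since the session ID comes from the client's cookie. It is written for PHP 8.0 or later (SessionHandlerInterface with typed signatures and constructor promotion) and uses MySQL's ON DUPLICATE KEY UPDATE for the upsert.

```php
<?php
// Added example (not from the original page). Assumed schema:
//   sessions(id VARCHAR(128) PRIMARY KEY, data BLOB, last_access INT)
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db) {}

    // No per-request setup needed: the PDO connection is already open.
    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // PHP expects an empty string, not false, for an ID it has never seen.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;
    }

    // Upsert the serialized session and stamp the access time for gc().
    public function write(string $id, string $data): bool
    {
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (id, data, last_access) VALUES (:id, :data, :t)
             ON DUPLICATE KEY UPDATE data = VALUES(data), last_access = VALUES(last_access)'
        );
        return $stmt->execute([':id' => $id, ':data' => $data, ':t' => time()]);
    }

    // Called by session_destroy() and by session_regenerate_id(true).
    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Garbage collection: remove sessions idle longer than session.gc_maxlifetime.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE last_access < :cutoff');
        $stmt->execute([':cutoff' => time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Usage: register the handler before session_start(). Credentials should be
// loaded from an include outside the document root (item 6); literal here only
// to keep the example self-contained.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
session_set_save_handler(new DbSessionHandler($db), true);   // true: register shutdown write
session_start();
$_SESSION['visits'] = ($_SESSION['visits'] ?? 0) + 1;
```

The sessions table must belong to a database account that no other tenant on the host can reach; moving sessions out of /tmp gains nothing if the database credentials themselves sit in a world-readable file under the document root.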

This is based on the following article. Enjoy!