http://devzone.zend.com/ advancing the art of PHP. Best practices, samples, articles, news, and community for PHP 4, PHP 5, and beyond. Tue, 10 Apr 2007 17:40:41 +0000 Tue, 10 Apr 2007 17:40:41 +0000 http://devzone.zend.com/public/view/tag/security_tips/format/rss2.0 en-us http://devzone.zend.com/ http://devzone.zend.com/images/devzone_logo4.gif Tue, 10 Apr 2007 17:40:41 +0000 SQL injections are a common vulnerability in web-based applications that use databases. As an example of a potential SQL injection, consider a login form asking only for a username, where the backend has code reading: mysql_query('SELECT * FROM user WHERE username = "' . $_GET['username'] . '"); A malicious hacker could attempt to enter the value ""; DELETE FROM user WHERE 1" , which would have the effect of removing all users in the table. (Granted, this won't happen with PHP's mysql extension as it will not execute multiple queries by default; this is just an illustration.) http://devzone.zend.com/article/1918-Security-Tip-Use-a-Database-Abstraction-Layer-to-help-prevent-SQL-Injection http://devzone.zend.com/article/1918-Security-Tip-Use-a-Database-Abstraction-Layer-to-help-prevent-SQL-Injection Mon, 02 Apr 2007 13:24:46 +0000 Today’s PHP security tip is short, sweet and easily actionable. It fits in well with the theme of the last one, to stay vigilant. Here’s another resource for you to consider. http://devzone.zend.com/article/1882-PHP-Security-Tip-21- http://devzone.zend.com/article/1882-PHP-Security-Tip-21- Fri, 30 Mar 2007 13:42:05 +0000 To paraphrase an American Patriot “The price of security is eternal vigilance”. You have to keep watch over your system but you also have to keep learning. http://devzone.zend.com/article/1877-PHP-Security-Tip-20 http://devzone.zend.com/article/1877-PHP-Security-Tip-20 Thu, 29 Mar 2007 13:36:13 +0000 Sometimes, the best application security you can install is simply disconnecting the network cable from your server. http://devzone.zend.com/article/1871-PHP-Security-Tip-19 http://devzone.zend.com/article/1871-PHP-Security-Tip-19 Wed, 28 Mar 2007 13:29:23 +0000 When you allow users to upload files, your system may be at risk. Handle file upload scripts with care. Without proper security precautions, you can leave a gaping hole in your system. http://devzone.zend.com/article/1867-PHP-Security-Tip-18 http://devzone.zend.com/article/1867-PHP-Security-Tip-18 Tue, 27 Mar 2007 14:13:30 +0000 Application security should not be a "when all else fails" situation. It's not something you can "put in later". As we've mentioned before, there is no single silver bullet to solve your application security issues. Security is something that should be rolling around in the back of your dead in the design phase, the coding phase, the testing phase, even after you've rolled your code into production. http://devzone.zend.com/article/1866-PHP-Security-Tip-17 http://devzone.zend.com/article/1866-PHP-Security-Tip-17 Mon, 26 Mar 2007 13:41:48 +0000 This idea was originally posted as a comment to a previous PHP Security Tip. I believe that this is an important issue, and worth being a tip itself. http://devzone.zend.com/article/1857-PHP-Security-Tip-16 http://devzone.zend.com/article/1857-PHP-Security-Tip-16 Fri, 23 Mar 2007 11:59:34 +0000 As developers, most of us are very messy. I’ve worked on countless projects and at each either run across or left a trail of diagnostic files laying around. http://devzone.zend.com/article/1849-PHP-Security-Tip-15 http://devzone.zend.com/article/1849-PHP-Security-Tip-15 Wed, 21 Mar 2007 14:25:02 +0000 Almost any application running PHP on the back-end uses web technologies for it’s front end. Many developers who think hard on PHP security, don’t spend a thought on front-end security for their application. Here’s a tip to think long and hard about when building your HTML and JavaScript. http://devzone.zend.com/article/1842-PHP-Security-Tip-14 http://devzone.zend.com/article/1842-PHP-Security-Tip-14 Tue, 20 Mar 2007 12:43:44 +0000 Security is a mindset, not just something you do. It colors your application design as well as your coding. However, you also need to constantly monitor your production environment. That’s where selecting the right tool comes into play. http://devzone.zend.com/article/1833-PHP-Security-Tip-13 http://devzone.zend.com/article/1833-PHP-Security-Tip-13 Fri, 16 Mar 2007 13:46:09 +0000 We’ve talked about filtering, we’ve talked about validating, we’ve talked about filtering again. Filtering inputs into your application is an important concept and the pre-cursor to many good security practices. However, once you have the input filtered and validated you can’t simply sit back and relax. You have to stay vigilant when programming to ensure security throughout your application. http://devzone.zend.com/article/1821-PHP-Security-Tip-12 http://devzone.zend.com/article/1821-PHP-Security-Tip-12 Thu, 15 Mar 2007 16:59:01 +0000 I think we can all agree that users are at once the boon and the bane of our applications. On the one hand, if it weren’t for users, we wouldn’t have security problems. On the other hand, if we didn’t have users, we wouldn’t need the application to begin with. So we can all agree with the fact that in most cases, users aren’t going away. http://devzone.zend.com/article/1817-PHP-Security-Tip-11 http://devzone.zend.com/article/1817-PHP-Security-Tip-11 Wed, 14 Mar 2007 19:30:57 +0000 Even when doing everything correctly, it’s still possible to build PHP applications that are insecure. Security requires constant vigilance. One thing you always have to keep your eye on is any script or form that sends an email based on use input. http://devzone.zend.com/article/1815-PHP-Security-Tip-10 http://devzone.zend.com/article/1815-PHP-Security-Tip-10 Tue, 13 Mar 2007 14:44:54 +0000 Sometimes it’s the simplest ideas that are the most powerful. This one sounds simple but I’m always surprised at how few people understand and actually implement this idea. http://devzone.zend.com/article/1807-PHP-Security-Tip-9 http://devzone.zend.com/article/1807-PHP-Security-Tip-9 Mon, 12 Mar 2007 13:57:02 +0000 Within PHP security topics, there is always more than one way to accomplish a task. Many times it’s by combining tactics that we achieve the best security. http://devzone.zend.com/article/1793-PHP-Security-Tip-8 http://devzone.zend.com/article/1793-PHP-Security-Tip-8 Fri, 09 Mar 2007 13:34:46 +0000 When using session_regenerate_id() to protect against session fixation it’s usually a good idea to remove the old session ID. http://devzone.zend.com/article/1786-PHP-Security-Tip-7 http://devzone.zend.com/article/1786-PHP-Security-Tip-7 Thu, 08 Mar 2007 18:37:04 +0000 The topic of writing secure applications in PHP covers more than just writing good PHP code. Most applications make use of a database of some kind. Many times, vulnerabilities that affect the entire application, are introduced when building the SQL code. http://devzone.zend.com/article/1778-PHP-Security-Tip-6 http://devzone.zend.com/article/1778-PHP-Security-Tip-6 Wed, 07 Mar 2007 13:46:41 +0000 PHP security is an ongoing mission requiring the programmer to think outside of the parameters of the application. It’s not enough these days to say in your mind “Does this do what I want it to do?” you also have to take into consideration “What else can people use it for and do I want to allow that?” http://devzone.zend.com/article/1767-PHP-Security-Tip-5 http://devzone.zend.com/article/1767-PHP-Security-Tip-5 Tue, 06 Mar 2007 14:46:00 +0000 “Security through obscurity is no security at all.” so the adage goes. However, the flip side of that coin is, obscurity, when used as part of an overall strategy, is a good thing. http://devzone.zend.com/article/1761-PHP-Security-Tip-4 http://devzone.zend.com/article/1761-PHP-Security-Tip-4 Mon, 05 Mar 2007 14:30:51 +0000 Being Security conscious is a good thing but that alone won’t solve the problem. Developers have to be vigilant when it comes to security. Even then you can’t do it alone. Today’s Security tip reminds you of this. http://devzone.zend.com/article/1754-PHP-Security-Tip-3 http://devzone.zend.com/article/1754-PHP-Security-Tip-3