Chapter 28. Securing PHP

"Security is not a joking matter," proclaim signs at airports everywhere. The same sign should be posted near your PHP server. Anyone connecting a server to the Internet must take proper security measures or risk loss of data or even money to the keystrokes of malicious crackers.

The mantra of the security-conscious site designer is: Don't trust the network. If you're worried about the security of your site, chant this mantra as you code your pages. Any information transmitted to your server via the network — be it a URL, data from an HTML form, or data on some other network port — should be treated as potentially hazardous. This chapter suggests several techniques for sanitizing incoming information. You should apply these techniques and spend some time trying to discover other potential hazards and ways to prevent them.

The second rule of thumb for a secure site is: Minimize the damage. What if the program you just wrote, which you are sure is secure, is actually vulnerable? Just to be on the safe side, limit the damage an intruder can cause after he or she has taken advantage of the vulnerability.

When visitors come to your site, they trust that it contains valid information, that it is not harmful to them or to their computers, and that any information they provide to it is handled properly. Interacting with a site, whether an e-business, recreational, or informational site, involves certain security risks for a visitor. As ...

Get PHP6 and MySQL® 6 Bible now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.