Programming PHP, 3rd Edition by Peter MacIntyre, Kevin Tatroe, Rasmus Lerdorf

Security Recap

Because security is such an important issue, we want to reiterate the main points of this chapter as well as add a few additional tips:

  • Filter input to be sure that all data you receive from remote sources is the data you expect. Remember, the stricter your filtering logic, the safer your application.

  • Escape output in a context-aware manner to be sure that your data isn’t misinterpreted by a remote system.

  • Always initialize your variables. This is especially important when the register_globals directive is enabled.

  • Disable register_globals, magic_quotes_gpc, and allow_url_fopen. See http://www.php.net for details on these directives. (register_globals and magic_quotes_gpc were removed entirely in PHP 5.4; on a current interpreter only allow_url_fopen still needs to be turned off, and code that relied on the other two must be fixed rather than reconfigured.)

  • Store includes outside of the document root. It is better not to name your included files with the .inc extension: a web server that has no handler mapped for .inc will serve such a file as plain text, exposing its source (and any credentials in it) to anyone who requests it. Name them with a .php extension, or some other less obvious extension that the server is configured to execute rather than serve.

  • Always call session_regenerate_id() whenever a user’s privilege level changes.

  • Whenever you construct a filename from a user-supplied component, check the components with basename() and realpath().

  • Don’t create a file and then change its permissions; between the create and the chmod() call the file exists with the default, usually world-readable, mode. Instead, set umask() so that the file is created with the correct permissions from the start.

  • Don’t use user-supplied data with eval(), preg_replace() with the /e option (removed in PHP 7.0; use preg_replace_callback() instead), or any of the system commands—exec(), system(), popen(), passthru(), and the backtick (`) operator.
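The following handler, added here as an illustration and not code from the book, shows several of the recap rules working together in one small "serve a report file" script: strict input filtering, filename checking with basename() and realpath(), context-aware output escaping, creating a file with the right mode via umask(), and regenerating the session ID on login. The directory /var/app/reports, the report query parameter, and the function names are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Constructed example. ALLOWED_DIR is assumed to live outside the document root.
const ALLOWED_DIR = '/var/app/reports';

// 1. Filter input: accept only what we expect and reject everything else.
//    No type hint on $raw because filter_input() can also return false or null.
function filterReportName($raw): ?string
{
    // Strict allow-list: letters, digits, dash, underscore, and a single .txt suffix.
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_-]{1,64}\.txt\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// 2. Build the filename from the user-supplied component and verify it with
//    basename() and realpath() before touching the filesystem.
function resolveReportPath(string $name): ?string
{
    $leaf = basename($name);                      // strips any directory part
    $real = realpath(ALLOWED_DIR . '/' . $leaf);  // false if the file does not exist
    $root = realpath(ALLOWED_DIR);
    if ($real === false || $root === false) {
        return null;
    }
    // realpath() has collapsed any "..": confirm the result is still under ALLOWED_DIR.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $real;
}

// 3. Escape output for the context it lands in; this helper is for HTML body text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// 4. Create files with the right mode from the start instead of chmod() afterwards.
function writeAuditLine(string $line): void
{
    $old = umask(0077);                           // new files: owner read/write only
    try {
        file_put_contents(ALLOWED_DIR . '/audit.log', $line . "\n", FILE_APPEND | LOCK_EX);
    } finally {
        umask($old);                              // restore the previous mask
    }
}

// 5. Regenerate the session ID whenever the privilege level changes.
//    Assumes session_start() has already been called for this request.
function onLoginSuccess(int $userId): void
{
    session_regenerate_id(true);                  // true: discard the old session data
    $_SESSION['user_id'] = $userId;
}

// Request handling. filter_input() reads the raw $_GET value directly, so the
// script does not depend on register_globals or magic_quotes_gpc in any way.
$name = filterReportName(filter_input(INPUT_GET, 'report'));
if ($name === null) {
    http_response_code(400);
    echo 'Invalid report name';
    exit;
}
$path = resolveReportPath($name);
if ($path === null) {
    http_response_code(404);
    echo 'No such report: ' . h($name);           // even filtered data is escaped on output
    exit;
}
writeAuditLine(date('c') . ' served ' . $path);
header('Content-Type: text/plain; charset=UTF-8');
readfile($path);
```

Note the order in resolveReportPath(): basename() removes any directory component the client supplied, realpath() then resolves symlinks and ".." segments, and the final prefix comparison is what actually enforces the boundary, since a symlink inside ALLOWED_DIR could otherwise point anywhere on the filesystem.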
