Restrict PHP Information Leakage
To restrict PHP information leakage, disable expose_php. Edit /etc/php.d/security.ini and set the following:
    expose_php=Off
When enabled, expose_php reports to the world that PHP is installed on the server, including the PHP version in the HTTP header.
Disabling Dangerous PHP Functions
You should disable dangerous functions you don't use. Again, in /etc/php.d/security.ini, you can set:
    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Limit PHP Access To File System
In your php.ini, you can set:
    open_basedir="/var/www/html/"
Don't Show PHP Errors To The Clients
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    error_reporting(0);
Disable PHP's Bad Features
    ini_set('register_globals', '0');
    ini_set('magic_quotes_gpc', '0');
    ini_set('magic_quotes_runtime', '0');
Protecting Against SQL Injection
Using the real_escape_string function can protect against this.
Keeping Your PHP Site Safe, Graham Campbell, Page 2 of 3
Input Sanitizing: Prevent Errors And XSS Attacks
Using preg_replace("/[^A-Za-z0-9 ]/", '', $string) can validate a string.
With integers, simply casting the input to an integer with the intval function can protect us.
The htmlentities and strip_tags functions can also be useful.
Making something safe to use in a URL can be done with the urlencode function.
Use POST For Dangerous Actions
URLs like http://example.com/process.php?action=delete&id=123 are usually a bad idea.
Form Input Protection
Never put any settings in hidden form fields and expect them not to be exploited. Also, don't expect HTML5 and/or JavaScript validation to be enough either: these are good for saving server resources by not submitting invalid data, but you should always use a PHP function to check the inputs server side too.
Uploading Files
You should disable the upload feature in PHP if you are not using it. If you do use it, never let people upload to areas of your server directly accessible via the web. The best way is to store the uploaded file in a folder unavailable via a URL and have a file act as a proxy that grabs the uploaded file and forces an innocent extension.
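One way to build the upload store and proxy described above, as an added example that is not code from the original notes; the /var/uploads path, the function and parameter names, and the allow-list of three file types are assumptions:

```php
<?php
// Added example, not code from the original notes. Assumptions: uploads live in
// /var/uploads (a directory no URL maps to) and only the three types below are served.
const UPLOAD_DIR = '/var/uploads';
const ALLOWED = [          // extension => the Content-Type we force when serving
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
    'pdf' => 'application/pdf',
];

// upload.php: takes the entry from $_FILES and stores it under a random name.
function store_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;                    // .php, .phtml, .htaccess and friends are rejected
    }
    // The user-chosen filename never touches the disk; only the random id does.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $name)) {
        return null;
    }
    return $name;                       // hand this back to the user as serve.php?f=<name>
}

// serve.php: the proxy. Only a name of the exact shape we generate is accepted,
// so "../" or a ".php" suffix never reaches the filesystem call.
function serve_upload(string $name): void
{
    if (!preg_match('/^[a-f0-9]{32}\.([a-z]+)$/', $name, $m) || !isset(ALLOWED[$m[1]])) {
        http_response_code(404);
        exit;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: ' . ALLOWED[$m[1]]);
    header('X-Content-Type-Options: nosniff');          // browser must not sniff a different type
    header('Content-Disposition: attachment; filename="download.' . $m[1] . '"');
    readfile($path);
    exit;
}
```

upload.php would call store_upload($_FILES['doc']) and serve.php would call serve_upload($_GET['f'] ?? ''); the browser only ever sees serve.php, never a path into the upload folder.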
Header Forwards
When redirecting a user with header('Location: example.php'), make sure you include an exit or die call immediately after it, to stop sensitive information being sent to the user.
Cookies
Don't use cookies for important things like setcookie("admin", 1); this can be so easily exploited. Sessions are much better for things like this.
Sessions
It is possible for sessions to be hijacked through XSS attacks with JavaScript, or through network sniffing on an HTTP connection. Preventing JavaScript XSS attacks can be done with ini_set('session.cookie_httponly', '1'). Network sniffing can only be prevented by using an HTTPS connection, or by the user using a VPN. You can try to stop a sniffed session id being used by adding an additional layer of security, so if someone does nab the session id, they can't use it because their IP address is wrong:
    if (isset($_SESSION['last_ip']) === false) {
        $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
    }
    if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
        session_unset();
        session_destroy();
    }
Apache: Mod Security
It has a nice black list of rules that block some common exploit attempts:
    <IfModule mod_security.c>
        SecFilterEngine On
        SecFilterScanPOST On
        SecFilter "delete[[:space:]]+from"
        SecFilter "insert[[:space:]]+into"
        SecFilter "select.+from"
    </IfModule>