PHP/MySQL security--where to begin?

Backend · unresolved · 5 answers · 1947 views
Asked by 广开言路 on 2021-02-15 17:57

I'm a PHP/MySQL noob who knows nothing about online security.

Could you point me to some resources that will aid in my knowledge? (Beginner level, please!)

5 answers
  • 2021-02-15 18:06

    I'll suggest two things:

    1. Make sure register_globals is off.
    2. Use prepared statements.
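    As an added example (not part of the answer above), here is the "use prepared statements" advice written out with PDO, with the string-concatenation lookup it replaces beside it. The `users` table, the DSN and the credentials are assumptions made for the illustration:

```php
<?php
// Added example, not code from the original answer.
// Assumes a MySQL table users(id, username, password_hash) and the
// connection details below (all hypothetical).
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    'secret',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
    ]
);

// VULNERABLE: the username is spliced into the SQL text, so a value that
// contains a quote changes the structure of the statement, not just a value.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HARDENED: the SQL text is fixed when prepare() runs; the value travels
// separately as a parameter and is never parsed as SQL, whatever it contains.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed attacker input, the classic tautology.
$input = "' OR '1'='1";

var_dump(findUserUnsafe($pdo, $input)); // the query now reads WHERE username = '' OR '1'='1'
var_dump(findUserSafe($pdo, $input));   // looks for a user literally named ' OR '1'='1
```

    With that input the unsafe query's WHERE clause becomes `username = '' OR '1'='1'`, which is true for every row, so the function hands back whichever user the database returns first. The prepared version compares the column against the whole string as one value. One caveat: parameters only cover values. Table and column names, `ORDER BY` direction and `LIMIT` in older MySQL drivers cannot be bound, so those must come from a fixed whitelist in your code rather than from the request.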
  • 2021-02-15 18:08

    Chris Shiflett is the go-to guy on PHP programming and security:

    • http://phpsecurity.org/ for his book "Essential PHP Security"
    • http://shiflett.org/ for his website, blog, etc.
    • He is speaking at PHP CodeWorks in Sept/Oct.
  • 2021-02-15 18:12

    This question is well-answered and covers MySQL injection attacks (one of the more common concerns). This question is also well documented and covers XSS (cross-site scripting) attacks well.

    Lastly, learn about php.ini and how to set it up, and what is actually open/closed and on/off. A good host will, for example, never turn on register_globals, but you should at least know what it is and why to check it. PHP Security has resources on that and many other PHP security concerns.

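    An added example, not the answer author's code: a small PHP script that compares the php.ini the interpreter actually loaded against a production baseline, so you see what is on and off instead of guessing from the host's documentation. The directive names are real PHP directives; the expected values are this example's baseline and not something the answer above prescribes.

```php
<?php
// Added example. Audits the running php.ini via ini_get() against a
// conservative production baseline chosen for this illustration.
function auditPhpIni(): array
{
    // directive => value a production host should report ('1' on, '0' off)
    $baseline = [
        'register_globals'         => '0', // removed in PHP 5.4; must be off on older builds
        'display_errors'           => '0', // stack traces and paths belong in the log, not the page
        'log_errors'               => '1',
        'expose_php'               => '0', // don't advertise the PHP version in X-Powered-By
        'allow_url_include'        => '0', // blocks include('http://attacker/...')
        'allow_url_fopen'          => '0', // tighten if the app never fetches remote URLs
        'session.cookie_httponly'  => '1', // keep the session id away from JavaScript
        'session.cookie_secure'    => '1', // send the session cookie over HTTPS only
        'session.use_strict_mode'  => '1', // reject session ids the server did not issue
        'session.use_only_cookies' => '1', // never accept a session id from the URL
    ];

    $findings = [];
    foreach ($baseline as $directive => $expected) {
        $actual = ini_get($directive);
        if ($actual === false) {
            // Directive unknown to this PHP build (e.g. register_globals on PHP >= 5.4): nothing to fix.
            continue;
        }
        // ini_get() returns strings: "1"/"0", "On"/"Off", "" (off) and, for
        // display_errors, "stderr"/"stdout" (both mean errors are shown).
        $on = in_array(strtolower($actual), ['1', 'on', 'true', 'yes', 'stderr', 'stdout'], true);
        $normalised = $on ? '1' : '0';
        if ($normalised !== $expected) {
            $findings[$directive] = ['actual' => $actual, 'expected' => $expected];
        }
    }
    return $findings;
}

// Run under the same SAPI as the application (php-fpm/mod_php), since the
// CLI often loads a different php.ini than the web server does.
foreach (auditPhpIni() as $directive => $f) {
    printf("%-26s is %-8s should be %s\n", $directive, var_export($f['actual'], true), $f['expected']);
}
```

    Drop this into a page served by the real web stack (and delete it afterwards), because `php -i` on the command line frequently reads a different php.ini than the one Apache or php-fpm uses. An empty result means the loaded configuration matches the baseline; each line printed is a directive to chase with the host.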
  • 2021-02-15 18:20

    PHP might not be the best start. Especially if you're largely hand-rolling your own code. It doesn't exactly hold your hand with security issues. (fd: I wish PHP would go away for a variety of reasons.)

    But some general rules:

    • Don't trust anything that comes from the outside. Always assume the user is some jerk trying to break your app. Most of them won't be, of course, but there will eventually be one who is. Just because you gave the browser a <select> containing a, b, and c doesn't mean you'll get one of those back. JavaScript isn't a guarantee of anything. Referers can be easily faked. POST data can be easily faked. Textboxes can contain any character, not just the ones you expect.
    • Don't copy-paste others' code into production if you aren't sure how it works. You have no idea how much of an eye the author has for security. In my experience, PHP copypasta in particular seems to be less reliable but more frequently blindly reused.
    • Don't trust yourself to perform the same ritual in dozens of different places. Yes, mysql_real_escape_string() will fix SQL injection, but then you have to remember to use it everywhere. This creates a lot of places where you might make a mistake and forget your escaping ritual. Use prepared statements instead, and the problem vanishes entirely. Another example: Pylons (a Python framework) rigs its templates so any variable is HTML-escaped unless you explicitly ask otherwise. XSS is no longer a problem, and I never have to worry about manually escaping everything I print.
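    An added example (mine, not the answer author's) that puts the first and third bullets into code: the value a <select> sends back is checked against the server's own list of options rather than trusted, and HTML escaping is done in one place, a tiny render() helper that escapes every variable unless the caller explicitly opts out, which is the behaviour the answer describes for Pylons templates. The form field names, the option list and the template are invented for the illustration.

```php
<?php
// Added example, not code from the original answer.

// The options the form actually offered. Hypothetical for this illustration.
const ALLOWED_SORT = ['name', 'date', 'size'];

// Never assume the browser returned one of the offered values: compare
// against the server-side list and fall back to a safe default.
function sortColumnFromRequest(array $get): string
{
    $candidate = $get['sort'] ?? 'name';
    return in_array($candidate, ALLOWED_SORT, true) ? $candidate : 'name';
}

// The one HTML-escaping function for text nodes and quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Minimal template renderer: every {{ name }} is escaped by default.
// $raw names the few variables the caller vouches for as already-safe HTML;
// the escaping happens here once instead of at every echo in the app.
function render(string $template, array $vars, array $raw = []): string
{
    return preg_replace_callback(
        '/\{\{\s*(\w+)\s*\}\}/',
        function (array $m) use ($vars, $raw): string {
            $name  = $m[1];
            $value = (string) ($vars[$name] ?? '');
            return in_array($name, $raw, true) ? $value : e($value);
        },
        $template
    );
}

// Constructed attacker request: a sort value the form never offered and a
// search box containing script.
$_GET = [
    'sort' => 'name; DROP TABLE files',
    'q'    => '<script>alert(1)</script>',
];

$sort = sortColumnFromRequest($_GET); // rejected, so the default 'name' is used

echo render(
    '<p>Sorted by {{ sort }}; you searched for "{{ q }}"</p>',
    ['sort' => $sort, 'q' => $_GET['q']]
), "\n";
```

    The tampered `sort` value never reaches a query or the page because it is not in the whitelist, and the `<script>` tag in `q` is emitted as entities, so the browser shows it as text. `e()` is correct for HTML text and quoted attribute values only; a value placed inside a URL, a JavaScript string or a CSS block needs encoding for that context, which is exactly why keeping escaping in one helper matters: there is one place to get it right.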
  • 2021-02-15 18:22

    If you have some time, you could take a look at the slides used by Stefan Esser during his talk at the Dutch PHP Conference a few months ago, titled "PHP Security Crash Course for beginners".

    There are a couple of PDFs:

    • Part I - Introduction
    • Part II - XSS
    • Part III - CSRF
    • Part IV - SQL Security
    • Part V - Session Management Security
    • Part VI + VII - PHP Code Inclusion and PHP Code Evaluation

    Those could be helpful.

    Then, don't hesitate to search a bit for non-PHP-specific information: some security problems (like XSS, SQL injection, CSRF, ...) are not specific to PHP; only the technical means to avoid them are specific. So you can find plenty of information on sites like Wikipedia or the OWASP website.
