Thread: Writing Secure PHP scripts/apps. Questions

  1. #1
    Junior Member
    Join Date
    Dec 2003
    Posts
    24

    Writing Secure PHP scripts/apps. Questions

    I am fairly new to writing web applications with PHP. I know most of the basics, but I have some security questions.

    I was wondering if anyone knows any tips to help make my PHP scripts more secure.

    I write all my scripts assuming REGISTER GLOBALS is OFF. I have already been schooled on this issue. I also write database connections in a separate file that is included in any page requiring a database connection.

    Beyond that, I have no idea what it takes to make PHP more secure.

    I am specifically looking for any practices that would prevent me from writing code that a malicious or curious user might use to access restricted areas of a web site.

    Any ideas?

  2. #2
    Developer Extraordinar
    Join Date
    Jul 2002
    Location
    On the IRC
    Posts
    572
    chsh wrote a nice tutorial on this here. It might be a bit old, but it should still help greatly. You might want to talk to xmaddness as well. He's helped me out quite a bit.

    Peace, and good luck on your PHP adventure! :-D

    MB

  3. #3
    Purveyor of Lather Syini666's Avatar
    Join Date
    Aug 2001
    Posts
    553
    A critical point is to check all user input for the presence of malicious code. In this case strip_tags() is your friend, as you can remove all HTML, or just some of it while leaving a specified set of tags like <b><i><u> for formatting of text. Here is a good article on writing secure PHP.

    http://www.zend.com/zend/art/art-oertli.php

    One of the best ways to learn, I've found, is by experience, so once you get your code working like you want, take a break, but come back and play with it from an outside person's view, or if you find that difficult, have a friend toy with it to see if they can find any loopholes.
    You're not your post count, You're not your avatar or sig, You're not how fast your internet connection is, You are not your processor, hard drive, or graphics card. You're the all-singing, all-dancing crap of AO
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
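
An added example, not written by any poster in this thread, for the strip_tags() advice in post #3: strip_tags() with an allow-list keeps every attribute on the tags it allows, so the check below compares it with escaping all input and re-enabling only bare formatting tags. The function names `allowlist_with_strip_tags` and `render_comment` are hypothetical, and the sample comment is constructed.

```php
<?php
// Constructed sample input: an allowed tag carrying an event-handler
// attribute, a disallowed tag, and a bare ampersand.
$comment = '<b onmouseover="doSomething()">bold</b> <script>x()</script> <i>ok</i> & more';

// Approach from the post: remove every tag except <b>, <i>, <u>.
// strip_tags() does not touch attributes on the tags it keeps.
function allowlist_with_strip_tags(string $raw): string
{
    return strip_tags($raw, '<b><i><u>');
}

// Stricter alternative (hypothetical helper): escape everything for an
// HTML context, then turn back only attribute-free <b>, <i>, <u> tags.
function render_comment(string $raw): string
{
    $escaped = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // Only the exact escaped forms &lt;b&gt; / &lt;/b&gt; (and i, u) match,
    // so a tag with any attribute stays escaped and is shown as text.
    return preg_replace('#&lt;(/?)(b|i|u)&gt;#i', '<$1$2>', $escaped);
}

$stripped = allowlist_with_strip_tags($comment);
$rendered = render_comment($comment);

// The <script> tags are gone, but the onmouseover attribute survives.
var_dump(strpos($stripped, '<script>') === false);      // bool(true)
var_dump(strpos($stripped, 'onmouseover=') !== false);  // bool(true)

// After escaping, the attribute-bearing tag is inert text, the bare <i>
// pair still renders, and the ampersand is encoded.
var_dump(strpos($rendered, '<b onmouseover') === false); // bool(true)
var_dump(strpos($rendered, '<i>ok</i>') !== false);      // bool(true)
var_dump(strpos($rendered, '&amp; more') !== false);     // bool(true)

echo $stripped, PHP_EOL;
echo $rendered, PHP_EOL;
```

The second form can leave an unmatched `</b>` when the opening tag was escaped; that is untidy markup but carries no script.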

  4. #4
    Junior Member
    Join Date
    Dec 2003
    Posts
    24

    nice

    From the link you gave:
    Secure PHP Programming for PHP beginners.
    It's almost too easy....

    Thanks
