Secure Php Programming
SQL Injection
Quick solutions:
- Use appropriate field types
- Use a security class for importing user input
- Be careful when you use a string taken out of the database for comparison
Quoting all user input alone is not enough.
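The three points above combined, as an added example that is not part of the original article: a small input-import class that returns values of the declared type, and a PDO prepared statement so that quoting is never the line of defence. It assumes PHP 8, a PDO connection and a hypothetical table `users` with columns id (INT) and username (VARCHAR).

```php
<?php
// Added example, not part of the original article. It assumes a PDO
// connection and a table `users` with columns id (INT) and username (VARCHAR).
// A small "security class" for importing user input: each accessor returns a
// value of the declared type or a safe default, so raw strings never reach SQL.
final class Input
{
    public function __construct(private array $source) {}

    // Integer field: only a plain decimal integer passes, matching the column type.
    public function int(string $key, int $default = 0): int
    {
        $v = filter_var($this->source[$key] ?? null, FILTER_VALIDATE_INT);
        return $v === false ? $default : $v;
    }

    // Enumerated field: only a member of the allow-list is accepted (strict compare).
    public function enum(string $key, array $allowed, string $default): string
    {
        $v = $this->source[$key] ?? null;
        return in_array($v, $allowed, true) ? $v : $default;
    }

    // Free-text field: length-limited; it is bound as a parameter, never quoted by hand.
    public function text(string $key, int $maxLen = 64): string
    {
        return substr((string)($this->source[$key] ?? ''), 0, $maxLen);
    }
}

function findUser(PDO $db, Input $in): ?array
{
    $id   = $in->int('id');
    $name = $in->text('name');
    // Column names cannot be bound as parameters, so the sort key is chosen from
    // a fixed allow-list rather than taken from the request.
    $orderBy = $in->enum('sort', ['id', 'username'], 'id');

    // Prepared statement: values travel separately from the SQL text, so no amount
    // of quoting is needed or relied upon.
    $stmt = $db->prepare(
        "SELECT id, username FROM users WHERE id = :id AND username = :name ORDER BY $orderBy"
    );
    $stmt->execute([':id' => $id, ':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // A string read back from the database is still data: if it is reused in a
    // later query, bind it the same way, and compare it with === rather than ==.
    return $row === false ? null : $row;
}
```

Usage: `findUser($pdo, new Input($_GET))`; a request such as `?id=1 OR 1=1` yields `id = 0` from the integer accessor instead of altering the query.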
Direct call of included file
Quick solutions: There are many solutions.
I prefer this one: put the code of the included file in a function and call that function from the main file.
Output of unchecked user input, XSS (Cross-Site-Scripting)
Quick solutions: Use htmlentities() on all user input before outputting user variables (unless the output goes into a textarea).
The name of an included file does not end with .php
Quick solutions: Always give your included files a name which ends with .php
Unchecked extension on an uploaded file
Quick solutions: Never let users upload arbitrary files. Make sure that they can only upload files with the extensions they actually need.
Access Rights
Quick solutions: Access rights for
- directories: 710 (or 711 if needed)
- upload directories: 770 (or 777 if needed)
- files: 640 (or 644 if needed)
- user-manageable files: 660 (or 666 if needed)
Always set the rights as restrictive as possible.
Login data (username and password) is saved in cookies
Quick solutions: Never save username and password in a cookie.
Always use a session id in the cookie and store username and password as session variables.
Error messages reveal starting point for an attack
Quick solutions: Set error_reporting(0) or provide your own error handler.
A misconfigured server gives away information about your project’s file organization
Quick solutions: Put a dummy index.html and index.php in every directory
Login form uses GET method
Quick solutions: Always submit a username and password with the POST method.
The name of an included file is constructed from user input and executed (Remote File Inclusion)
Quick solutions: Only include predefined files.