WebApp Sec mailing list archives

RE: Anyone have some basic security tips for PHP-programmers?


From: "Keifer, Trey" <Trey.Keifer () fishnetsecurity com>
Date: Tue, 18 Nov 2003 11:39:58 -0600

PHP and MySQL are frequently tied together. If you are doing any work in this area I would suggest you
look into SQL injection techniques and safeguards. Other than that, the basics of input (SQL injection)
and output (cross-site scripting) validation don't really change from language to language.
PHP.net's website should have some good information on regular expressions which are very helpful.

Earlier this year there *were* some PHP-specific vulnerabilities relating to the file upload
libraries, but they were mitigated in v4.2.0. I don't know of any other outstanding vulnerabilities.
The most likely method of attack is usually going to be a company's specific implementation.

Trey Keifer
Security Engineer - Level II
Fishnet Security

Office: 816.421.6611
Cell: 816.710.6830
Toll Free: 888.732.9406
Fax: 816.421.3371

http://www.fishnetsecurity.com 
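
An added example, not from Trey's message or the original thread, that puts the three points above into PHP: whitelist input validation with a regular expression, a prepared statement as the SQL injection safeguard, and HTML encoding on output against cross-site scripting. It assumes modern PHP with the mysqli extension and a hypothetical `users` table; the connection details are placeholders.

```php
<?php
// Added example, not from the original thread. Assumes PHP 7+ with the mysqli
// extension (mysqlnd for get_result) and a hypothetical table
// users(id, username, email); connection details are placeholders.
declare(strict_types=1);

// Input validation: accept only the character set the application needs.
// A whitelist pattern is safer than trying to strip "bad" characters.
function validUsername(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{3,32}$/', $name);
}

// SQL injection safeguard: the query text never contains user data.
// The bound parameter is sent separately, so it cannot alter the SQL.
function findUser(mysqli $db, string $name): ?array
{
    if (!validUsername($name)) {
        return null;
    }
    // Avoid: "SELECT ... WHERE username = '$name'" (string concatenation)
    $stmt = $db->prepare('SELECT id, username, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Output validation: encode for the context being written to (HTML here).
// Input filtering does not replace this; stored data may come from elsewhere.
function htmlText(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'appdb');
$db->set_charset('utf8mb4');
$user = findUser($db, $_GET['user'] ?? '');
if ($user === null) {
    echo '<p>No such user.</p>';
} else {
    echo '<p>Hello, ' . htmlText($user['username'])
       . ' (' . htmlText($user['email']) . ')</p>';
}
```

Regular expressions cover the first step only; the prepared statement and the output encoding are what actually keep user data out of the SQL and the HTML.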

-----Original Message-----
From: Matthews, Chris [mailto:CMatthews () MAIL co washoe nv us]
Sent: Friday, November 14, 2003 10:33 AM
To: webappsec () securityfocus com
Subject: Anyone have some basic security tips for PHP-programmers?


Good Morning (at least here in Nevada)

I am a graphics guy by trade, who happens to have some proficiency with
code.

Since my PHP knowledge is pretty much self-taught, however, I am certain
that I'm probably doing some hack-prone stuff.

Anyone have any hints for good PHP practices (Looking for kind of a "This
is one of the most common PHP security flaws" kind of thing)?

Chris Matthews
E-Government Information Officer
Community Relations, Washoe County
http://www.co.washoe.nv.us
775.328.3719
