Appendix C: Security Checklist


Feb 16, 2014 (3 years and 8 months ago)

Given that online PHP applications are exposed essentially to anyone and everyone, security should be on, if not at the top of, your list of concerns as you develop your applications. To some extent, the ease with which PHP applications can be developed is also one of the language’s greatest weaknesses: for beginners who aren’t aware of the possible dangers, it’s very easy to deploy an application for which the line of security has as many holes as Swiss cheese.

Make sure you’re informed and, if in any doubt, prepared to ask questions. The Open Web Application Security Project (OWASP) is a corporate-sponsored community focused on raising the awareness of web security, and is an excellent source of information on potential dangers.[1]

OWASP recently updated its list of the top ten common security flaws in web applications, the relevant points of which I’ve summarized here. The previous version from 2004 still contains relevant information and, while there’s some duplication, it’s well worth a read.[2]

For a more detailed coverage of PHP security, you might like to read Essential PHP Security by Chris Shiflett[3] and php|architect’s Guide to PHP Security by Ilia Alshanetsky.[4]

Top Security Vulnerabilities

This list comprises the most common and dangerous security flaws found in web applications today.

Cross-site Scripting (XSS)

Cross-site scripting attacks are the result of sending unchecked, user-supplied data to a browser. The problem with user-supplied data is that it’s completely outside of your control, and it’s easy to fake values like the HTTP referrer and the values in a hidden form field.
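
The following PHP snippet is an added illustration of the point above, not code from the book: the same template rendered once with raw request values and once with every user-supplied value validated and escaped on output. The request array, including the tampered hidden field and spoofed Referer, is constructed for the demo rather than read from a live request.

```php
<?php
// Added example, not from the book: escaping user-supplied data on output.
// Every request value below is constructed for the demo; in a real request
// the same values would come from $_GET/$_POST and $_SERVER['HTTP_REFERER'].

// Escape a value for HTML text and double-quoted attribute contexts.
// Passing the charset explicitly avoids charset-confusion surprises.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed request data. The "hidden" field and the Referer header are
// just as much under the sender's control as the visible text box.
$request = [
    'name'    => 'Alice" style="display:none',      // breaks out of the attribute
    'page_id' => '42<b>not a number</b>',           // hidden field tampered with
    'referer' => 'http://example.com/?q=<i>x</i>',  // spoofed Referer header
];

// Vulnerable: the raw value is interpolated, so the embedded quote ends the
// value attribute and the remainder becomes markup chosen by the sender.
function renderVulnerable(array $r): string
{
    return '<input type="text" name="name" value="' . $r['name'] . '">';
}

// Hardened: identical template, but each value is validated where a type is
// expected and escaped wherever it is written into the page.
function renderSafe(array $r): string
{
    // Validate before you escape: a hidden id must still be an integer.
    $pageId = filter_var($r['page_id'], FILTER_VALIDATE_INT);
    if ($pageId === false) {
        $pageId = 0; // tampered value rejected; real code would show an error page
    }
    return '<input type="text" name="name" value="' . escapeHtml($r['name']) . '">' . "\n"
         . '<input type="hidden" name="page_id" value="' . $pageId . '">' . "\n"
         . '<p>Referred from: ' . escapeHtml($r['referer']) . '</p>';
}

echo "Vulnerable output:\n", renderVulnerable($request), "\n\n";
echo "Hardened output:\n", renderSafe($request), "\n";
```

Run it from the command line with `php` to compare the two outputs: in the hardened version the quote and angle brackets appear as entities and the hidden id is reduced to an integer.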

[1] http://www.owasp.org/
[2] http://www.owasp.org/index.php/Top_10_2004
[3] http://phpsecurity.org/
[4] http://www.phparch.com/pgps/