Showing posts from August, 2010

Ways to Keep Your PHP App from Getting Owned

Just spent the last three hours cleaning up a hacked site for a client. Not fun. People are still getting owned by script kiddies with vulnerability scanners. Here's my quick and dirty list for keeping PHP apps secure. Do these basic things, and you'll be ahead of the pack.

- Stop trusting user input. If someone can type it, they can break it. Always validate user data before using it in queries and escape it before sending it to output.
- Stop dropping $_POST and $_GET variables directly into your SQL queries. Use prepared statements with bound parameters.
- JavaScript validation is nice for user experience, but it's trivial to bypass. Always validate on the server side.
- HTML inputs can be easily edited, even select boxes and hidden fields. Always validate them on the server against the set of values you actually expect.
- Don't trust the MIME type of uploaded files. It is supplied by the client and can be easily spoofed. Always validate the extension as well, and check the file's actual contents. Whitelist extensions, don't blacklist: clearly define which extensions are allowed and reject everything else.
- Error messages are for you, not the world...
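The list above, carried into working PHP as an added example (this is not code from the original post). It assumes a PDO connection to a MySQL database with a `users` table holding `id`, `name` and `role` columns, an upload directory at `/var/www/uploads` that is not served as executable, and the `fileinfo` extension; the function names and the allowed role and file-type sets are constructed for illustration.

```php
<?php
// Added example: hardened handling of the inputs the post warns about.
// Table, columns, paths and allowed sets below are assumptions for illustration.
declare(strict_types=1);

// 1. Prepared statement with a bound parameter instead of string-building SQL.
function findUserByName(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Server-side validation of a <select> value. The browser's option list is
//    not a constraint: anyone can submit any string, so re-check it here.
const ALLOWED_ROLES = ['viewer', 'editor'];

function validateRole(string $role): string
{
    if (!in_array($role, ALLOWED_ROLES, true)) {
        throw new InvalidArgumentException('invalid role');
    }
    return $role;
}

// 3. Uploads: whitelist the extension AND sniff the bytes. $_FILES[...]['type']
//    is sent by the client and is never consulted.
const ALLOWED_UPLOADS = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
];

function storeUpload(array $file, string $destDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_UPLOADS[$ext])) {          // whitelist, not blacklist
        throw new RuntimeException('extension not allowed');
    }
    // Detect the real content type from the file bytes, not the client header.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED_UPLOADS[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // We choose the stored name, so the client cannot pick a path or a name
    // like "shell.php" that the web server might execute.
    $target = rtrim($destDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    return $target;
}

// 4. Escape on output so stored data cannot turn into script in the page.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Request handling sketch (credentials and paths are placeholders).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$user = findUserByName($pdo, $_POST['name'] ?? '');
$role = validateRole($_POST['role'] ?? '');
$path = storeUpload($_FILES['avatar'] ?? [], '/var/www/uploads');
echo '<p>Hello, ' . h($user['name'] ?? 'stranger') . ' (' . h($role) . ')</p>';
```

Every check runs on the server regardless of what the form's JavaScript did; the extension whitelist and the `finfo` sniff together reject a renamed PHP file even when the client claims `image/png`, and choosing the stored filename ourselves removes the user's control over where the file lands.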