PHP Security Rules

Here are some PHP security tips:

(1) HTTPS. No discussion: if you haven’t got it, don’t assume anything else is secure.

(2) User data belongs on the server, and stays on the server. Users already know their own password, e-mail address, etc., so why transfer logged-in status and rights to and from the user? The only place where they’re needed is on the server itself.

(3) Using cookies to keep track of logged-in visitors is handy. They should have random, unguessable values, and absolutely nothing to do with the user’s actual information. They’re just a random ID for you; the data they represent you link to on the server.

(4) Do not keep users logged in. Sessions time out, and cookies, if still present, become useless for anyone trying to use them later. Explain that to people who don’t want to remember passwords.

(5) Do not use the same ID purposefully twice (it might occur by chance, but the odds should be very slim). A user logs in and gets a random ID.
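Rules (2) to (5) together describe one mechanism: a random token in a cookie that means nothing by itself, mapped on the server to a user and an expiry. The following is an added example, not code from the original post; it keeps the mapping in a plain PHP array as a stand-in for a database table or server-side session backend, the user id 42 is constructed, and the cookie options array assumes PHP 7.3 or later.

```php
<?php
// Added example (not from the original post): server-side login state keyed by a
// random, meaningless cookie token. The store is an in-memory array here;
// in practice it would be a database table or a server-side session backend.
declare(strict_types=1);

const TOKEN_BYTES = 32;          // 256 bits of CSPRNG output per token
const SESSION_LIFETIME = 1800;   // 30 minutes, after which the token is dead (rule 4)

/** @var array<string, array{user_id:int, expires:int}> $store  constructed, server side only */
$store = [];

// Rules 3 and 5: a fresh token on every login, from random_bytes(), carrying no user data.
function issueToken(array &$store, int $userId): string
{
    $token = bin2hex(random_bytes(TOKEN_BYTES));
    $store[$token] = ['user_id' => $userId, 'expires' => time() + SESSION_LIFETIME];
    return $token;
}

// Rule 2: identity and rights are looked up on the server; the cookie only proves the
// client knows the token. Returns the user id, or null if the token is unknown or expired.
function resolveToken(array &$store, string $token): ?int
{
    if (!isset($store[$token])) {
        return null;
    }
    if ($store[$token]['expires'] < time()) {
        unset($store[$token]);  // expired tokens are dropped, never silently extended
        return null;
    }
    return $store[$token]['user_id'];
}

// Logout (or suspected theft): invalidate on the server, so a copied cookie is useless.
function revokeToken(array &$store, string $token): void
{
    unset($store[$token]);
}

// Rule 1: the cookie is only sent over HTTPS, is invisible to JavaScript, and is not
// attached to cross-site requests. The options-array form needs PHP 7.3+.
function sendSessionCookie(string $token): void
{
    setcookie('sid', $token, [
        'expires'  => 0,          // session cookie: gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Demonstration with a constructed user id; in a real handler the id comes from a
// successful password check. sendSessionCookie() is only meaningful inside a web request.
$token = issueToken($store, 42);
var_dump(resolveToken($store, $token));           // known token
var_dump(resolveToken($store, 'guessed-value'));  // unknown token
revokeToken($store, $token);
var_dump(resolveToken($store, $token));           // revoked token
```

Because the token is an opaque key, the server can revoke it at any time and nothing the client holds lets it extend its own session or rights. A further step not shown here is to store only a hash of the token on the server, so a leaked store does not hand out live sessions.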

(6) THE golden rule: never, ever trust user input. If you expect a number, make sure it’s a number. If you expect only certain characters, make sure there are no others. If you cannot escape the fact that users have to enter arbitrary text, use the character-escaping tools at your disposal. Be very, very wary of SQL injection.

There are others, but these are the most important imho. Among the rest: keep a log of what users do and from which location, though that’s usually only needed once something has gone wrong and you have to trace it back; never save a plain password; and do not display errors from your code should it break for some reason, since error display is for development, etc.
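The three kinds of input check in rule (6), together with the plain-password and error-display points above, are shown below in one added example that is not part of the original post. It uses an in-memory SQLite database through PDO so it runs stand-alone (assumes the pdo_sqlite extension); the table, the user `alice` and all test inputs are constructed.

```php
<?php
// Added example (not from the original post): rule 6 plus password storage and error display.
// SQLite in memory so it runs stand-alone; the table and rows are constructed.
declare(strict_types=1);

// Errors go to the log, never to the visitor (production setting).
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side parameter binding
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)');

// Never save a plain password: store the salted hash from password_hash().
function registerUser(PDO $db, string $name, string $plainPassword): void
{
    $stmt = $db->prepare('INSERT INTO users (name, pw_hash) VALUES (:name, :hash)');
    $stmt->execute([
        ':name' => $name,
        ':hash' => password_hash($plainPassword, PASSWORD_DEFAULT),
    ]);
}

// "If you expect a number, make sure it's a number": anything that is not a
// positive integer is rejected before it gets anywhere near a query.
function parseUserId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// "If you expect only certain characters, make sure there are no others":
// an allow-list of characters, not a list of characters to strip out.
function isValidUsername(string $raw): bool
{
    return preg_match('/^[a-z0-9_]{3,32}$/', $raw) === 1;
}

// Free text we cannot constrain still never becomes part of the SQL string:
// bound parameters travel separately from the query, so quotes are just data.
function findUserByName(PDO $db, string $name): ?array
{
    $stmt = $db->prepare('SELECT id, name, pw_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The stored hash is compared with password_verify(); the plain password is never stored.
function checkLogin(PDO $db, string $name, string $plainPassword): bool
{
    $row = findUserByName($db, $name);
    return $row !== null && password_verify($plainPassword, $row['pw_hash']);
}

// Escaping for anything echoed back into HTML (the output side of "never trust input").
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed inputs: valid values beside malformed ones.
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(parseUserId('17'), parseUserId('17 OR 1=1'), parseUserId('-3'));
var_dump(isValidUsername('alice'), isValidUsername("alice'; --"));
var_dump(findUserByName($db, "x' OR '1'='1") === null);   // no row: the quote is data
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong'));
echo h('<b>untrusted</b>'), "\n";
```

Each function validates at the boundary it owns: the integer and allow-list checks reject bad input outright, while the free-text path relies on parameter binding rather than on stripping characters, which is the only approach that survives inputs nobody anticipated.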
