Professional Documents
Culture Documents
Phpsec Cheatsheet
Phpsec Cheatsheet
BASIC
FILEUPLOADS
Inclusionofyourwebsite
Acryptographicallysecure
MISCELLANEOUS
application/unknown,or plain/textunlessnecessary.
Datainsertedintothe
DATABASE
databaseisproperlyescaped orparameterized/prepared statementsareused. addslashes()isnotused. Applicationdoesnothave moreprivilegestothe databasethannecessary. Remoteconnectionstothe databasearedisabledifthey areunnecessary.
3RD-PARTIES
PRNGisusedforsecret randomly-generatedIDs (activationlinks,secretIDs, etc.). Suhosinisinstalledoryou arenotusingrand()or mt_rand()forthis. Anythingthatconsumesa lotofresourcesshouldbe throttledandlimited. Pagesthatuse3rd-party APIsarethrottled. Youdidnotcreateyourown encryptionalgorithm. Argumentstoexternal programs(i.e.exec())are validated. Genericinternalandexternal redirectpagesaresecured. Precautionstakenagainst thesourcecodeofyourPHP pagesbeingshowndueto misconfiguration. Configurationandcriticalfiles arenotinaweb-accessible directory.
SHAREDHOSTING
Usingasecuresharedhost
SERVINGFILES
inaway(i.e.JSON,JS-like) wheretheycanbeincluded andreadonaremotewebsite successfully. AwarethatFlashcanbypass referrercheckstoloadimages andsoundfiles. Thefollowingthingswillnot revealsignificantinformation ifincludedremotely: Images. Pagesthattakealonger timetoload.
whereuserscannotaccess thefilesofotherusers. Awarethatfellowshared hostingusers: Can,ifonthesameIP address,issuerequests againstyoursitewith XMLHttpRequestinIE6. Canaccessyourwebsite from127.0.0.1or::1. Canhostaserveronthe sameIPaddress. Arenotremoteasfaras yourDBisconcerned. Session&fileupload directoriesarenotshared.
SK Findtheannotatedoriginalathttp://sk89q.com/phpsec/ 2010sk89q.Youarefreetoreproducethiswithoutmodification.