Old 02-09-2010, 03:26 PM   #1
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399
Blog Entries: 71

PHP - basics of writing secure code

A new LinuxAnswers entry has been added:

PHP - basics of writing secure code

PHP is a powerful language for developing websites. Many sites on the net use it as their core.

And, of course, any power can be used both ways. When most beginner (and even not-so-beginner) programmers create websites with input forms, they usually never think about security.
Old 02-09-2010, 05:14 PM   #2
Senior Member
Registered: Dec 2008
Location: Louisville, OH
Distribution: Debian, CentOS, Slackware, RHEL, Gentoo
Posts: 1,833

Really good article, I hope a lot of people read and follow it. The number one problem I see with PHP apps that get exploited is lack of sanitized inputs for databases (injection). The only thing that scares me more than unsanitized database inputs is unsanitized inputs used in system calls... someone killing the database or injecting things you don't want is bad news; someone wiping out or rootkitting your server is worse news.
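The two injection classes named in the reply above, as an added example that is not part of the original article or this thread: each vulnerable pattern is shown next to its hardened form. The table contents, the attacker payloads and the file name are constructed for the demonstration; the database part assumes PHP 7.4 or later with the pdo_sqlite extension so it runs offline against an in-memory database.

```php
<?php
// Added example, not code from the LinuxAnswers article. SQL injection and shell command
// injection, each as the vulnerable pattern beside its hardened form.
// Assumes PHP >= 7.4 with pdo_sqlite; every row and payload below is constructed.
declare(strict_types=1);

// Constructed in-memory table standing in for a real users table.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user'), ('carol', 'user')");

// VULNERABLE: user input is concatenated straight into the query text.
function findUserVulnerable(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement keeps query text and data apart. The driver sends the
// input as a bound value, so it is only ever compared, never parsed as SQL.
function findUserSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted literal and appends an always-true condition,
// turning the query into ... WHERE name = 'x' OR '1'='1'
$payload = "x' OR '1'='1";

$leaked = findUserVulnerable($db, $payload);   // all three rows come back
$safe   = findUserSafe($db, $payload);         // no row is literally named "x' OR '1'='1"
printf("vulnerable query returned %d rows, prepared statement returned %d\n",
    count($leaked), count($safe));

// Shell command injection is the same mistake with a different interpreter.
// Constructed input: a file name with a command separator and a second command appended.
$filename = "report.txt; id";

// VULNERABLE: passed to shell_exec(), /bin/sh treats ';' as a separator and runs `id`
// (or anything else) as the web server user.
$vulnerableCmd = 'wc -l ' . $filename;

// HARDENED: escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
// so the whole string, separator included, reaches wc as one file name argument.
$safeCmd = 'wc -l ' . escapeshellarg($filename);

echo $vulnerableCmd, "\n";   // wc -l report.txt; id
echo $safeCmd, "\n";         // wc -l 'report.txt; id'
```

The shell part only builds the command strings rather than running them, so the difference is visible without executing anything. Where a subprocess is unavoidable, the array form of proc_open() available since PHP 7.4 runs the program directly with an argv list and never involves /bin/sh, which removes the quoting problem instead of managing it; an allow-list check on the file name on top of that is still worth having.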
Old 02-11-2010, 05:53 AM   #3
Registered: Sep 2009
Location: Russia
Distribution: Gentoo, LFS
Posts: 399

Original Poster
Blog Entries: 71

Oh yes, shell command injection is the worst. I forgot to add it.
I've seen many of those vulnerabilities, but it actually points more to PHP security itself (configuring PHP) than to coding. Of course, it's the same rule again: don't trust user input. But here you have to be more restrictive: if you allow shell_exec(), etc., you shall not pass anything taken from user input to the shell at all, unless you know what you are doing.
I have it disabled everywhere and I suggest everyone do the same: disable all dangerous PHP functions. If you need a shell to act in your applications, use either a standalone daemon or cron that will verify and execute pending tasks from a shared file. Be sure to apply the rule "don't trust user input" everywhere.
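The arrangement the post above recommends, as an added example that is not the poster's code: the web tier runs with the shell functions disabled and only records a task; a separately scheduled worker (cron or a daemon) re-validates every pending task and runs a fixed, allow-listed program without a shell. The task names, the file name rule, the spool path and the temporary data directory are all illustrative assumptions; the script needs PHP 7.4 or later for the array form of proc_open().

```php
<?php
// Added example, not code from the thread. Web tier records a task; a cron/daemon worker
// re-validates and executes it with no shell. Assumes PHP >= 7.4; task list, file name
// rule and paths are illustrative.
declare(strict_types=1);

// php.ini for the web tier (PHP_INI_SYSTEM, so it cannot be set from a script):
//   disable_functions = exec,passthru,shell_exec,system,proc_open,popen
// The worker runs under a separate php-cli configuration that still allows proc_open.

// Self-check for the web tier: which shell-capable functions are still callable?
// function_exists() returns false for anything listed in disable_functions.
function shellFunctionsStillEnabled(): array
{
    $shellFunctions = ['exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen'];
    return array_values(array_filter($shellFunctions, 'function_exists'));
}

// Allow-list of tasks the worker knows. Each maps to a fixed argv prefix; the only
// request-controlled part is one file name, validated by validFileName().
const TASKS = [
    'count_lines' => ['wc', '-l'],
    'checksum'    => ['sha256sum'],
];

function validTaskName(string $task): bool
{
    return array_key_exists($task, TASKS);
}

// A plain file name only: no slashes (no traversal), no leading dot, bounded length.
function validFileName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-][A-Za-z0-9._-]{0,127}$/', $name) === 1;
}

// Web side: validate, append one JSON line to the spool, never touch the shell.
function enqueueTask(string $spool, string $task, string $file): void
{
    if (!validTaskName($task) || !validFileName($file)) {
        throw new InvalidArgumentException("rejected task request: $task $file");
    }
    $line = json_encode(['task' => $task, 'file' => $file], JSON_THROW_ON_ERROR) . "\n";
    if (file_put_contents($spool, $line, FILE_APPEND | LOCK_EX) === false) {
        throw new RuntimeException('cannot write spool file');
    }
}

// Worker side: trust nothing in the spool, re-validate, then exec the program directly.
function runPendingTasks(string $spool, string $dataDir): array
{
    $results = [];
    if (!is_file($spool)) {
        return $results;
    }
    // Read everything, then truncate, so each task runs at most once.
    $lines = file($spool, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    file_put_contents($spool, '', LOCK_EX);

    foreach ($lines as $line) {
        $req = json_decode($line, true);
        if (!is_array($req) || !validTaskName($req['task'] ?? '') || !validFileName($req['file'] ?? '')) {
            $results[] = ['line' => $line, 'status' => 'rejected'];
            continue;
        }
        $argv   = TASKS[$req['task']];
        $argv[] = $dataDir . '/' . $req['file'];
        // Array command (PHP >= 7.4): the program is executed directly, /bin/sh is never
        // involved, so separators or quotes in the file name are just bytes in one argument.
        $proc = proc_open($argv, [1 => ['pipe', 'w'], 2 => ['pipe', 'w']], $pipes);
        if ($proc === false) {
            $results[] = ['task' => $req['task'], 'status' => 'spawn failed'];
            continue;
        }
        $out = stream_get_contents($pipes[1]);
        $err = stream_get_contents($pipes[2]);
        fclose($pipes[1]);
        fclose($pipes[2]);
        $results[] = ['task' => $req['task'], 'exit' => proc_close($proc), 'output' => trim($out . $err)];
    }
    return $results;
}

// Demonstration with constructed data in a temporary directory.
$tmp = sys_get_temp_dir() . '/secure-php-demo-' . getmypid();
mkdir($tmp, 0700);
file_put_contents($tmp . '/report.txt', "one\ntwo\nthree\n");
$spool = $tmp . '/tasks.spool';

$requests = [
    ['count_lines', 'report.txt'],          // accepted
    ['count_lines', '../../etc/passwd'],    // rejected: path traversal
    ['count_lines', 'report.txt; id'],      // rejected: shell metacharacters
    ['drop_table',  'report.txt'],          // rejected: unknown task
];
foreach ($requests as [$task, $file]) {
    try {
        enqueueTask($spool, $task, $file);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
echo 'still callable here: ', implode(',', shellFunctionsStillEnabled()) ?: 'none', "\n";
print_r(runPendingTasks($spool, $tmp));
```

Run under php-cli the self-check will normally list all six functions, since the cli SAPI is the worker's side of the split; the same call on the web tier should return an empty array once disable_functions is in place. Validating twice is deliberate: the spool file is shared state, and the worker must not assume the only writer is the well-behaved code above.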
Old 11-23-2010, 02:15 AM   #4
LQ Newbie
Registered: Nov 2010
Location: Nowhere
Distribution: Debian
Posts: 16

Really good article indeed.
For those who want to go even deeper into this subject, I suggest you take a look at OWASP. Even though it is not specifically for PHP, it gives good examples of what to do and what to avoid and an excellent framework for developing secure applications.