Chris Cornutt (@enygma) asked on Twitter, “If you were just starting to learn about writing secure PHP apps, what would you want to know?” While I replied via Twitter, I figured I’d post my own short list here. I’d certainly consider this a beginner’s list, but it’s the kind of basic stuff I wish I had known.
- There’s nothing inherently secure about POST requests or about data retrieved from the $_POST superglobal. POST parameters are sent within the body of the message instead of the URL, which allows for longer key/value pairs than a querystring, but they’re just as visible as any GET parameter.
- Anything transmitted to/from the server is inherently readable by anybody unless you specifically take precautions, such as transmitting via HTTPS.
- There’s no automatic/magic security or sanitization built into most standard PHP functions or frameworks. It’s often available, but you have to consciously use it.
- Just because something looks like an image and responds like an image doesn’t mean it’s an image. (The same goes for any other type of included file.)
- 3rd party resources have access to anything on the page, regardless of whether it’s visible, behind HTTPS, or obfuscated. Serving your site via SSL isn’t a magic bullet. JavaScript can still access elements on the page and do nasty stuff (XSS), and you’re still vulnerable to CSRF attacks.
- Just because something is only “visible” server-side doesn’t mean it’s inherently secure. For example, any variable can be made global, and all the data within it can be read by any PHP script or method within that script. Case in point: the widely-used Akismet plugin for WordPress includes a dump of $_SERVER in each spam check it makes. This isn’t specifically a problem with Akismet; it just illustrates that code can be exposing things you didn’t think about or didn’t realize were there. You can do some really evil stuff with that.
- Just because you got a file from a reputable source doesn’t mean it’s safe or good.
Some of those are general web security issues rather than PHP-specific ones, but I didn’t know I needed to care about them when I started doing PHP and web development. I shudder to think of some of the code I wrote that’s still out there.
- WebSec library of articles (lots of great info, nicely presented and easy to follow)
- Deep dive into PHP security (an easy but long read)
- Three security issues you thought you’d fixed (video)
- Developing Secure Widgets: Secure iFrame Communication in a Pre-postMessage World (video)
- Built-in PHP filtering
- MySQL bind params and WordPress: $wpdb->prepare()
- Validating, Sanitizing and Escaping User Data (written for WordPress, but the ideas are valid regardless of platform)
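To tie the “you have to consciously use it” point above to the filtering, bind-parameter and validate/sanitize/escape resources just listed, here is an added example (my own illustration, not code from the original post or any of the linked articles): the same “look up a user by e-mail and show their name” handler written twice, first trusting the request value as-is, then validated with filter_var(), queried through a bound parameter and escaped on output. It assumes a PHP CLI with the pdo_sqlite extension so it runs without a MySQL server; the table and the request input are constructed inline.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension;
// an in-memory database stands in for MySQL so the file runs on its own.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT, name TEXT)');
$db->exec("INSERT INTO users VALUES ('alice@example.com', 'Alice <admin>')");

// Constructed input standing in for $_POST. POST is no safer than GET, so a
// body parameter needs exactly the same treatment as a querystring one.
$input = ['email' => "x' OR '1'='1"];

// Vulnerable: the raw value is interpolated into the SQL string, and whatever
// comes back is returned unescaped, ready to be echoed into HTML.
function lookupUnsafe(PDO $db, array $post): string
{
    $sql  = "SELECT name FROM users WHERE email = '" . $post['email'] . "'";
    $name = $db->query($sql)->fetchColumn();
    return $name === false ? 'not found' : $name;
}

// Hardened: validate the shape, bind the value, escape on the way out.
function lookupSafe(PDO $db, array $post): string
{
    // Built-in PHP filtering: reject anything that is not a syntactically
    // valid e-mail address instead of trying to "clean" it.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return 'invalid e-mail';
    }
    // Bind parameter: the driver sends the value separately from the SQL text,
    // so quotes inside it can never change the query's structure.
    $stmt = $db->prepare('SELECT name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $name = $stmt->fetchColumn();
    // Escape for the HTML context the value is about to be placed in.
    return $name === false
        ? 'not found'
        : htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// With the injected input the unsafe query's WHERE clause matches every row;
// the safe version refuses the input, and escapes the stored name for a real one.
echo lookupUnsafe($db, $input), "\n";
echo lookupSafe($db, $input), "\n";
echo lookupSafe($db, ['email' => 'alice@example.com']), "\n";
```

The same three steps apply unchanged to MySQL via PDO or mysqli prepared statements, and to WordPress via $wpdb->prepare() plus esc_html() on output.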
Aside: One of the reasons I love WordPress is that it gives you all the tools to write secure code out-of-the-box. Other frameworks like Zend and Symfony do, too, but they’re not as obvious.