How to Write Secure PHP Code

Learn about resources that can help you write better code and help you audit third-party code for potential problems.

ITPro Today

March 13, 2007

2 Min Read
ITPro Today logo

Last week, I wrote about a few things you need to know about securing your PHP installations. I also pointed to several sites that offer good information about what to look out for and what configuration changes you might need to make. If you missed that article, you can read it on our Web site at the URL below.

http://www.windowsitpro.com/Article/ArticleID/95404

If you have PHP installed, then obviously you're going to run PHP code. Some of that code might be written by third-party developers and some of it you might write yourself. Either way, you should learn about secure coding practices for PHP. Doing so can help you write better code and help you audit third-party code for potential problems.

As an example of why the latter is important, be sure to read my blog article "Gaping Hole in Wordpress" (you can link to it from the GIVE AND TAKE section of this newsletter below) to learn about how someone slipped some "back doors" into Wordpress, which is a hugely popular PHP-based blogging platform. You can write simple scripts that audit third-party code to look for potential back doors by scanning the code for any or all of the dangerous functions I discussed last week.

To help you write your own secure PHP code, I went looking for resources and found several decent Web sites that provide writing aid and some tools that look for coding vulnerabilities. The sites at the URLs below are a big help, so take some time to study them carefully. If you know of any others, send me a message with a URL and I'll share it here in the newsletter for everyone's benefit.

Secure Programming in PHP

http://www.cgisecurity.com/lib/php-secure-coding.html

PHP - Secure coding

http://www.linuxformat.co.uk/wiki/index.php/PHP_-_Secure_coding

Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-Specific Issues, 10.8 PHP (this pertains to Windows also)

http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html

PHP Security Consortium's PHP Security Guide

http://phpsec.org/projects/guide/

PHP Input Filter (Developer Shed's Network, PHP Scripts)

http://www.scripts.com/php-scripts/security-scripts/php-input-filter/

SecurePHP Wiki

http://www.securephpwiki.com/index.php/Main_Page

PHP Top 5 (security problems extracted from SANS Top 20 list)

http://www.owasp.org/index.php/PHP_Top_5

Top 10 ways to crash PHP

http://ilia.ws/archives/5_Top_10_ways_to_crash_PHP.html

Chorizo! Web Application Security Scanner

http://chorizo-scanner.com/

PHP Security Scanner

http://securityscanner.lostfiles.de/

About the Author(s)

ITPro Today

ITPro Today

See more from ITPro Today
Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
Newsletter Sign-Up

You May Also Like

Editor's Choice

cybersecurity operator or hacker works with data in dark room
IT Security
Master AI Cybersecurity: Protect and Enhance Your NetworkMaster AI Cybersecurity: Protect and Enhance Your Network
byBrien Posey
May 21, 2024
5 Min Read
business person stamping a document
IT Operations
How to Get Executive Buy-In for IT ProjectsHow to Get Executive Buy-In for IT Projects
byChristopher Tozzi
May 28, 2024
6 Min Read
yellow block stuck in between blue cog wheels
PowerShell
Using ChatGPT as a PowerShell Debugging ToolUsing ChatGPT as a PowerShell Debugging Tool
byBrien Posey
Jun 4, 2024
4 Min Read