Resources for Writing Secure PHP Code
June 28, 2007
If you have PHP installed, then obviously you’re going to run PHP code. Some of that code might be written by third-party developers and some of it you might write yourself. Either way, you should learn about secure coding practices for PHP. Doing so can help you write better code and help you audit third-party code for potential problems.
To help you write your own secure PHP code, I went looking for resources and found several decent Web sites that provide writing support and some tools that look for coding vulnerabilities. The sites at the URLs below are a big help, so take some time to study them carefully.
Secure Programming in PHP http://www.cgisecurity.com/lib/php-secure-coding.html
PHP—Secure coding http://www.linuxformat.co.uk/wiki/index.php/PHP_-_Secure_coding
Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-Specific Issues, 10.8 PHP (this pertains to Windows also) http://www.dwheeler.com/secure-programs/Secure-Programs-HOWTO/php.html
PHP Security Consortium’s PHP Security Guide http://phpsec.org/projects/guide/
PHP Input Filter (Developer Shed’s Network, PHP Scripts) http://www.scripts.com/php-scripts/security-scripts/php-input-filter/
SecurePHP Wiki http://www.securephpwiki.com/index.php/Main_Page
PHP Top 5 (security problems extracted from SANS Top 20 list) http://www.owasp.org/index.php/PHP_Top_5
Top 10 ways to crash PHP http://ilia.ws/archives/5_Top_10_ways_to_crash_PHP.html
Chorizo! Web Application Security Scanner http://chorizo-scanner.com/
PHP Security Scanner http://securityscanner.lostfiles.de/