PHP Security Cheat Sheet - Revision history

Dominique RIGHETTO: Point to the official site

2019-07-15T14:38:38Z

Point to the official site

Dominique RIGHETTO: Migration to GitHub

2019-02-20T13:17:39Z

Migration to GitHub

Jmanico: Replaced content with "{{taggedDocument | type=delete | comment=Tagged for deletion }}"

2018-08-17T21:18:02Z

Replaced content with "{{taggedDocument | type=delete | comment=Tagged for deletion }}"

Show changes

Dominique RIGHETTO: Add marker for the book

2018-05-26T08:11:14Z

Add marker for the book

Jmanico at 23:06, 10 August 2016

2016-08-10T23:06:17Z

Sarciszewski: /* Remember Me */

2016-04-06T19:18:48Z

‎Remember Me

Sarciszewski: /* Remember Me */

2016-04-06T19:18:18Z

‎Remember Me

Mwillbanks: Fix issue with UTF-8 under MySQL where it was assigning the wrong charset which would be ignored, "UTF-8" is invalid for MySQL whereas "utf8" is the proper format.

2016-03-29T13:24:06Z

Fix issue with UTF-8 under MySQL where it was assigning the wrong charset which would be ignored, "UTF-8" is invalid for MySQL whereas "utf8" is the proper format.

Luke Plant: removed outdated message about PHP versions

2015-06-19T09:19:56Z

removed outdated message about PHP versions

Luke Plant: /* URL routing */

2015-06-19T09:14:50Z

‎URL routing

@@ Line 4: / Line 4: @@
 The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!
-Please visit [https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/PHP_Configuration_Cheat_Sheet.md PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.
+Please visit [https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.
 {{taggedDocument

← Older revision		Revision as of 08:11, 26 May 2018
Line 1:		Line 1:
−	= DRAFT ~~CHEATSHEET~~ - THIS IS STILL A WORK IN PROGRESS OR OUT OF DATE =	+	= DRAFT CHEAT SHEET - THIS IS STILL A WORK IN PROGRESS OR OUT OF DATE =

	= Introduction =		= Introduction =

← Older revision		Revision as of 23:06, 10 August 2016
Line 1:		Line 1:
		+	= DRAFT CHEATSHEET - THIS IS STILL A WORK IN PROGRESS OR OUT OF DATE =
		+
	= Introduction =		= Introduction =
	This page intends to provide basic PHP security tips for developers and administrators. Keep in mind that tips mentioned in this page may not be sufficient for securing your web application.		This page intends to provide basic PHP security tips for developers and administrators. Keep in mind that tips mentioned in this page may not be sufficient for securing your web application.

@@ Line 410: / Line 410: @@
 To avoid side-channels, consider adopting [https://paragonie.com/blog/2015/04/secure-authentication-php-with-long-term-persistence#title.2.1 this strategy for "remember me" tokens]:
 . Generate two tokens: A '''selector''' and a '''verifier''', using a [https://secure.php.net/manual/en/book.csprng.php CSPRNG].
 . Store '''selector''' and a SHA-384 hash of '''verifier''' in the database.
 . Store '''selector''' and '''verifier''' together in a cookie (say: '''rememberme''').
 When a user visits your website and they aren't authenticated, but they do have a rememberme cookie, initiate this process:
 . Split the cookie into the '''selector''' and '''verifier''' compnents.
 . Do a database lookup with the '''selector'''.
 . If a row is found, grab that record.
 . Compare the SHA-384 of the user-provided '''verifier''' with the value stored in the database, using [https://secure.php.net/hash_equals hash_equals()].
 . If they match, automatically authenticate the user.
 =Configuration and Deployment Cheat Sheet=

@@ Line 401: / Line 401: @@
 ===Remember Me===
-It is better if you imply locking and prevent brute-force on remember me tokens, and make them long enough, otherwise an attacker could brute-force remember me tokens until he gets access to a logged in user without credentials.
+Many websites implement vulnerable "remember me" features. Often, these vulnerabilities are trivially exploitable (e.g. storing '''userid=13''' or '''username=paul&password=abcdefg''').
-* '''Never store username/password or any relevant information in the cookie.'''
+* '''Rule 1: Never store username/password or any relevant information in the cookie.'''
 =Configuration and Deployment Cheat Sheet=

@@ Line 1: / Line 1: @@
 {{taggedDocument
 | type=delete
 | comment=Tagged for deletion
 }}

@@ Line 212: / Line 212: @@
      if (mysqli_connect_errno())
          trigger_error("Unable to connect to MySQLi database.");
-     $DB->set_charset('UTF-8');
+     $DB->set_charset('utf8');

@@ Line 124: / Line 124: @@
 of what ought to be done (see above), and leads to progressively worse code.
-==Update PHP Now==
+==Update PHP regularly==
-Also keep in mind that you should regularly upgrade your PHP distribution on an operational server. Every day new flaws are discovered and announced in PHP and attackers use these new flaws on random servers frequently.
+Keep in mind that you should regularly upgrade your PHP distribution on an operational server. Every day new flaws are discovered and announced in PHP and attackers use these new flaws on random servers frequently.
 =Configuration=

@@ Line 70: / Line 70: @@
 PHP’s built-in URL routing mechanism is to use files ending in “.php” in the directory structure. This opens up several vulnerabilities:
-* Remote execution vulnerability for every file upload feature that does not sanitise the filename. Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
+* Remote execution vulnerability for every file upload feature that does not sanitise the filename. (In other words, the web server executes something instead of serving it). Ensure that when saving uploaded files, the content and filename are appropriately sanitised.
-* Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static  assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. You can use <code>.htaccess</code> to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
+* Source code, including config files, are stored in publicly accessible directories along with files that are meant to be downloaded (such as static  assets). Misconfiguration (or lack of configuration) can mean that source code or config files that contain secret information can be downloaded by attackers. (In other words, the web server serves a resource which should have been private or executable only). You can use <code>.htaccess</code> to limit access. This is not ideal, because it is insecure by default, but there is no other alternative.
-* The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than simply function definitions.
+* The URL routing mechanism is the same as the module system. This means it is often possible for attackers to use files as entry points which were not designed as such. This can open up vulnerabilities where authentication mechanisms are bypassed entirely - a simple refactoring that pulls code out into a separate file can open a vulnerability. This is made particularly easy in PHP because it has globally accessible request data ($_GET etc), so file-level code can be imperative code that operates on the request, rather than needing request handling code to be within function definitions.
-* The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate athorization restrictions on different request handling functionality.
+* The lack of a proper URL routing mechanism often leads to developers creating their own ad-hoc methods. These are often insecure and fail to apply appropriate authorization restrictions on different request handling functionality.
 ====Input handling====