(97 intermediate revisions by 17 users not shown)
== Current revision (added) ==

__NOTOC__
<div style="width:100%;height:160px;border:0;margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div>

The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]!

Please visit [https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet.

{{taggedDocument
| type=delete
| comment=Tagged for deletion
}}

== Previous revision (removed): DRAFT CHEAT SHEET - WORK IN PROGRESS ==

=== Introduction ===

This article is focused on providing PHP-specific guidance to securing web applications.

1. Don't use $_REQUEST; use $_GET, $_POST or $_SERVER instead.

2. Use PDO with prepared statements or an ORM like Doctrine.

3. Use a framework like Zend or Symfony. Stop re-writing the same code again and again.

4. For input validation use $dirty['foo'] = $_GET['foo'] and then $foo = validate_foo($dirty['foo']);

5. Output encoding is entirely up to you. Just do it; ESAPI for PHP is ready for this job.

6. Not every PHP installation has a working mhash extension, so if you need to do hashing, check it before using it. Otherwise you can't do SHA-256.
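The $_REQUEST, PDO and $dirty-then-validate advice above, carried through as one request handler. This is an added example, not code from the original cheat sheet and not OWASP's or ESAPI's code; the MySQL DSN, the app_user account with its password in the DB_PASSWORD environment variable, and the users(id, email) table are assumptions.

```php
<?php
// Added example, not from the original cheat sheet. Assumed: a MySQL DSN,
// an app_user account whose password is in DB_PASSWORD, and a users(id, email) table.
declare(strict_types=1);

// Read from $_GET explicitly. $_REQUEST merges GET, POST and COOKIE, so a
// cookie or form field could silently override the query-string value.
$dirty = [];
$dirty['user_id'] = $_GET['user_id'] ?? null;

// Validate the dirty value into a typed, known-good variable.
function validate_user_id($value): int
{
    // Only a canonical positive integer passes; arrays, "", "007" and "1e3" do not.
    if (!is_string($value) || !preg_match('/^[1-9][0-9]{0,9}$/', $value)) {
        throw new InvalidArgumentException('user_id must be a positive integer');
    }
    return (int) $value;
}

try {
    $userId = validate_user_id($dirty['user_id']);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Bad request');
}

// PDO with a real (non-emulated) prepared statement: the value travels
// separately from the SQL text and can never change the query structure.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    'app_user',
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare('SELECT id, email FROM users WHERE id = :id');
$stmt->bindValue(':id', $userId, PDO::PARAM_INT);
$stmt->execute();
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user === false) {
    http_response_code(404);
    exit('Not found');
}

// Output encoding (item 5) is still the caller's job. htmlspecialchars stands
// in for ESAPI here; the HTML-context rule is the same: escape at the point of output.
echo '<p>' . htmlspecialchars($user['email'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
```

The validation function accepts the raw value untyped on purpose: $_GET entries can be arrays as well as strings, and the is_string check rejects those before the regex runs.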
7. Not every PHP installation has a working mcrypt extension, and without it you can't do AES. Do check if you need it.

8. Keep most of your code outside of the webroot. This is automatic for Symfony and Zend. Stick to these frameworks.

9. Use PHP 5.3.8. Anything less is unsafe.

10. There are no authentication or authorization classes in native PHP. Use ZF or Symfony instead.

11. When developing PHP code, make sure you develop with PHPUnit and Jenkins; see http://qualityassuranceinphpprojects.com/pages/tools.html for more details.

12. Consider using Stefan Esser's Hardened PHP patch, http://www.hardened-php.net/suhosin/index.html (not maintained now, but the concepts are very powerful).

13. In terms of secure coding with PHP, do not use globals unless absolutely necessary. Check your php.ini to ensure register_globals is off, and do not run at all with this setting enabled: it's extremely dangerous. (register_globals has been disabled since 5.0 / 2006, but most PHP 4 code needs it, so many hosters have it turned on, on thousands of websites.)
14. Ensure allow_url_fopen and allow_url_include are both disabled to protect against RFI. But don't cause issues by using the pattern include $user_supplied_data or require "base" . $user_supplied_data; it's just unsafe, as you can input /etc/passwd and PHP will try to include it.

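An allowlist-based replacement for the include pattern item 14 warns about. This is an added example, not code from the original cheat sheet; the templates directory one level above the webroot and the three page templates in it are assumptions.

```php
<?php
// Added example, not from the original cheat sheet. Assumed: a templates
// directory one level above the webroot containing home.php, about.php and contact.php.
declare(strict_types=1);

// The pattern the text warns against: the request string becomes the path, so
// any readable file (or, with allow_url_include on, a URL) can be pulled in.
//
//     include $_GET['page'];
//     require 'pages/' . $_GET['page'];
//
// The replacement below never builds a path from request data: the request
// picks a key, and the key maps to a fixed file chosen by the developer.

define('TEMPLATE_DIR', __DIR__ . '/../templates');

function resolve_page(string $key, array $pages, string $dir): ?string
{
    if (!array_key_exists($key, $pages)) {
        return null;                       // unknown key: nothing is looked up
    }

    $base = realpath($dir);
    $path = realpath($dir . DIRECTORY_SEPARATOR . $pages[$key]);

    // Defence in depth: even a mis-edited map entry must resolve to a file
    // inside the template directory, with symlinks already followed.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$pages = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

$key  = $_GET['page'] ?? 'home';
$path = is_string($key) ? resolve_page($key, $pages, TEMPLATE_DIR) : null;

if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

require $path;
```

The realpath check is the second line of defence, not the first: the map lookup alone already guarantees that request data never reaches the filesystem, and the prefix check only catches a developer mistake in the map itself.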
15. Eval() is evil(). It basically allows arbitrary PHP code execution, so do not evaluate user-supplied input; and if you're not doing that, you can just use PHP directly. eval() is at least 10-100 times slower than native PHP.

16. Watch for executable regexes (!)

17. Session rotation is very easy: just after authentication, plonk in session_regenerate_id() and you're done.

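A login handler that does what item 17 describes, rotating the session id immediately after a successful password check. This is an added example, not code from the original cheat sheet; it assumes PHP 7.3 or later (for the array form of session_set_cookie_params), a users table with username and password_hash columns produced by password_hash(), and a bootstrap.php that returns a configured PDO connection.

```php
<?php
// Added example, not from the original cheat sheet. Assumed: PHP >= 7.3, a
// users(id, username, password_hash) table, and a bootstrap.php returning a PDO.
declare(strict_types=1);

$pdo = require __DIR__ . '/bootstrap.php'; // assumed: returns a configured PDO

// Hardened cookie flags before the session starts: the cookie is not readable
// by script and is only sent over HTTPS.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Item 17: rotate the session id the moment authentication succeeds. Any
    // id the browser was holding before login is invalid afterwards, so a
    // fixed session cannot be carried over; true also discards the old data.
    session_regenerate_id(true);

    $_SESSION = [
        'user_id'  => (int) $row['id'],
        'login_at' => time(),
    ];
    return true;
}

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (is_string($username) && is_string($password) && login($pdo, $username, $password)) {
    header('Location: /dashboard');
    exit;
}

http_response_code(401);
exit('Login failed');
```

Assigning a fresh array to $_SESSION after regeneration, rather than adding keys to it, makes sure nothing written into the pre-login session survives into the authenticated one.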
18. Set display_errors to 0, and set up logging to go to a file you control, or at least syslog. This is the most commonly neglected area of PHP configuration.

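A bootstrap check that covers items 6, 7, 13, 14 and 18 together: it reports which of the configuration directives and extensions the cheat sheet relies on are missing or set dangerously, then enforces the error-reporting settings at runtime. This is an added example, not code from the original cheat sheet; the log file path is an assumption.

```php
<?php
// Added example, not from the original cheat sheet. Assumed: the log path.
declare(strict_types=1);

// Returns a list of configuration or extension problems, empty when all is well.
function check_php_environment(): array
{
    $problems = [];
    $on = function (string $directive): bool {
        // ini_get returns false for unknown directives; filter_var maps that to false.
        return filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
    };

    // Item 18: errors go to a log you control, never to the client.
    if ($on('display_errors')) {
        $problems[] = 'display_errors is on';
    }
    if (!$on('log_errors') || (string) ini_get('error_log') === '') {
        $problems[] = 'log_errors is off or error_log is unset';
    }

    // Item 13: register_globals must be off. On PHP >= 5.4 the directive no
    // longer exists, ini_get returns false, and the check passes.
    if ($on('register_globals')) {
        $problems[] = 'register_globals is on';
    }

    // Item 14: both remote-file switches off to take RFI off the table.
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if ($on($directive)) {
            $problems[] = $directive . ' is on';
        }
    }

    // Item 6: SHA-256 needs a working hash implementation; do not assume one.
    if (!function_exists('hash') || !in_array('sha256', hash_algos(), true)) {
        $problems[] = 'no SHA-256 implementation (hash/mhash extension missing)';
    }

    // Item 7: AES needs a cipher extension: mcrypt on the PHP versions the page
    // targets, openssl on current ones.
    if (!extension_loaded('mcrypt') && !extension_loaded('openssl')) {
        $problems[] = 'no AES implementation (mcrypt/openssl extension missing)';
    }

    return $problems;
}

// Report on php.ini as found, before overriding anything.
$problems = check_php_environment();

// Item 18 enforced at runtime, for hosts where php.ini is not yours to edit.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-errors.log'); // assumed path, writable by the web server user

foreach ($problems as $problem) {
    error_log('php-env-check: ' . $problem);
}
```

Run the check before any other include so that a bad setting is logged on every request, and leave the ini_set calls in place even once php.ini is fixed: they are what keeps a later php.ini change from silently re-enabling error display.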
19. Esoteric but important. Be aware of PHP filters; these are transparent to you and you need to know about them. php://input takes input from the console; gzip takes compressed input and might bypass input validation. See http://au2.php.net/manual/en/filters.php
