(93 intermediate revisions by 17 users not shown)
Line 1: |
Line 1: |
− | = DRAFT CHEAT SHEET - WORK IN PROGRESS =
| + | __NOTOC__ |
− | = Introduction = | + | <div style="width:100%;height:160px;border:0,margin:0;overflow: hidden;">[[File:Cheatsheets-header.jpg|link=]]</div> |
− | This article is focused on providing PHP-specific guidance to securing web applications.
| |
| | | |
− | = PHP General Guidelines for Secure Web Applications =
| + | The Cheat Sheet Series project has been moved to [https://github.com/OWASP/CheatSheetSeries GitHub]! |
| | | |
− | == PHP Version ==
| + | Please visit [https://cheatsheetseries.owasp.org/cheatsheets/PHP_Configuration_Cheat_Sheet.html PHP Configuration Cheat Sheet] to see the latest version of the cheat sheet. |
− | Use '''PHP 5.3.8'''. Stable versions are always safer then the beta ones.
| |
| | | |
− | == Framework==
| + | {{taggedDocument |
− | Use a framework like '''Zend''' or '''Symfony'''. Try not to re-write the code again and again. Also avoid dead codes.
| + | | type=delete |
− | | + | | comment=Tagged for deletion |
− | == Directory==
| + | }} |
− | Code with most of your code outside of the webroot. This is automatic for Symfony and Zend. Stick to these frameworks.
| |
− | | |
− | == Hashing Extension ==
| |
− | Not every PHP installation has a working '''mhash''' extension, so if you need to do hashing, check it before using it. Otherwise you can't do SHA-256
| |
− | | |
− | == Cryptographic Extension ==
| |
− | Not every PHP installation has a working '''mcrypt''' extension, and without it you can't do AES. Do check if you need it.
| |
− | | |
− | == Authentication and Authorization ==
| |
− | There is no authentication or authorization classes in native PHP. Use '''ZF''' or '''Symfony''' instead.
| |
− | | |
− | == Input nput validation ==
| |
− | Use $_dirty['foo'] = $_GET['foo'] and then $foo = validate_foo($dirty['foo']);
| |
− | | |
− | == Use PDO or ORM == | |
− | Use PDO with prepared statements or an ORM like Doctrine
| |
− | | |
− | == Use PHP Unit and Jenkins ==
| |
− | When developing PHP code, make sure you develop with PHP Unit and Jenkins - see http://qualityassuranceinphpprojects.com/pages/tools.html for more details.
| |
− | | |
− | == Use Stefan Esser's Hardened PHP Patch ==
| |
− | Consider using Stefan Esser's Hardened PHP patch - http://www.hardened-php.net/suhosin/index.html
| |
− | (not maintained now, but the concepts are very powerful)
| |
− | | |
− | == Avoid Global Variables==
| |
− | In terms of secure coding with PHP, do not use globals unless absolutely necessary
| |
− | Check your php.ini to ensure register_globals is off Do not run at all with this setting enabled It's extremely dangerous (register_globals has been disabled since 5.0 / 2006, but .... most PHP 4 code needs it, so many hosters have it turned on)
| |
− | | |
− | == Avoid Eval() ==
| |
− | It basically allows arbitrary PHP code execution, so do not evaluate user supplied input. and if you're not doing that, you can just use PHP directly. eval() is at least 10-100 times slower than native PHP
| |
− | | |
− | == Don't use $_REQUEST ==
| |
− | Instead of $_REQUEST- use $_GET or $_POST or $_SERVER
| |
− | | |
− | == Protection against RFI==
| |
− | Ensure allow_url_fopen and allow_url_include are both disabled to protect against RFI But don't cause issues by using the pattern include $user_supplied_data or require "base" + $user_supplied_data - it's just unsafe as you can input /etc/passwd and PHP will try to include it
| |
− | | |
− | == Regexes (!)==
| |
− | Watch for executable regexes (!)
| |
− | | |
− | == Session Rotation ==
| |
− | Session rotation is very easy - just after authentication, plonk in session_regenerate_id() and you're done.
| |
− | | |
− | == Be aware of PHP filters ==
| |
− | PHP filters can be tricky and complex. Be extra-conscious when using them.
| |
− | | |
− | == Logging ==
| |
− | Set display_errors to 0, and set up logging to go to a file you control, or at least syslog. This is the most commonly neglected area of PHP configuration
| |
− | | |
− | == Output encoding ==
| |
− | Output encoding is entirely up to you. Just do it, ESAPI for PHP is ready for this job.
| |
− | | |
− | These are transparent to you and you need to know about them. php://input: takes input from the console gzip: takes compressed input and might bypass input validation http://au2.php.net/manual/en/filters.php
| |
− | | |
− | = Related Cheat Sheets =
| |
− | | |
− | {{Cheatsheet_Navigation}}
| |
− | | |
− | = Authors and Primary Editors =
| |
− | | |
− | Andrew van der Stock
| |
− | | |
− | [[Category:How_To]] [[Category:Cheatsheets]]
| |
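Review bot: the inline style on the header div in the added revision, `border:0,margin:0`, uses a comma where CSS requires a semicolon between declarations, so `margin:0` is silently ignored; write `border:0;margin:0`. The hunk replaces the entire body, including the "Authors and Primary Editors" line and both `[[Category:...]]` tags, with the pointer to the GitHub-hosted PHP Configuration Cheat Sheet plus a `{{taggedDocument | type=delete}}` tag, so please confirm the migrated page carries the removed guidance rather than losing it, and that the defects visible in the removed revision are not migrated verbatim: the fixed version pin "Use PHP 5.3.8", the "safer then" and "Input nput validation" typos, and the variable-name mismatch in the input validation example, which assigns to `$_dirty['foo']` but then reads `$dirty['foo']`.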