views: 245

answers: 8

Yes, I'm a beginner.

I would like to know what the main security problems are on a website built on a PHP framework.
Can someone give me some links and/or an issue list?

I would be very grateful, because I have been writing PHP for some months but I have no idea about this!

+4  A: 

General links:

sql injection

cross site scripting

PHP:

http://www.jemjabella.co.uk/blog/php-security-checklist

http://codingforums.com/showpost.php?p=864170&postcount=11

Haim Evgi
CuriousCoder
thanks for the list, I'll try to fix all I can!
Vittorio Vittori
you're welcome, good luck
Haim Evgi
+3  A: 

- access rights to the server
- setting up the upload folder outside of your web page
- input validation (cross-site scripting attacks and SQL injection)
- appropriate error catching

Also take a look at this article: PHP Security Mistakes

Bahadir Cambel
+1 for setting up the upload folder outside the web page root. There's always a possibility that it'll be hacked, and trust me, you don't want to find something called "PHP control panel" in your images folder.
Daniel S
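The first two points of that answer in code, as an added example that is not part of the original answer: uploads are written to a directory outside the document root under a server-chosen name, validated by content rather than by the client-supplied type, and served back only through a script that accepts exactly the names it produced. The directory path, the size cap, the allowed types and the `photo`/`f` parameter names are assumptions.

```php
<?php
// Added example (not from the original answer): store uploads outside the
// document root and serve them through a script, so an uploaded file is
// never executed by the web server. Paths and limits below are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/uploads';         // assumed: NOT under the web root
const MAX_BYTES  = 2 * 1024 * 1024;            // assumed 2 MiB cap
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

// Validate one entry of $_FILES and move it to a name we chose ourselves.
// Returns the stored file name, or throws on any validation failure.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Sniff the content type from the bytes; never trust $file['type'],
    // which is supplied by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException("unsupported type $mime");
    }
    // Random server-chosen name with an extension from our own table: the
    // client's original file name never reaches the file system.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    chmod($dest, 0640);                          // readable, never executable
    return $name;
}

// download.php?f=<name>: the only way the stored files are reachable from the web.
function serveUpload(string $requested): void
{
    // Accept only the exact shape storeUpload() produces; this also rejects
    // "../" and any other path traversal attempt before touching the disk.
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg)\z/', $requested)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $requested;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . mime_content_type($path));
    header('Content-Disposition: inline; filename="' . $requested . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

if (isset($_FILES['photo'])) {
    echo htmlspecialchars(storeUpload($_FILES['photo']), ENT_QUOTES, 'UTF-8');
} elseif (isset($_GET['f'])) {
    serveUpload((string) $_GET['f']);
}
```

Because nothing under `UPLOAD_DIR` is inside the document root, a file that is really a PHP script with a `.jpg` name is at worst sent back as bytes; it is never handed to the PHP interpreter.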
+1  A: 

Write a program locally with magic quotes on, and then deploy it on a server with magic quotes off.

http://php.net/manual/en/security.magicquotes.php

Andreas Bonini
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed. Looks like a great script
Bahadir Cambel
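The failure mode described in that answer, with the usual fix, as an added example that is not part of the original answer: undo the automatic slashes once at the top of the request so the rest of the script sees the same raw value whether `magic_quotes_gpc` is on or off, and escape for each sink itself. The sample value is constructed. `get_magic_quotes_gpc()` exists only up to PHP 7.4 (magic quotes themselves were removed in PHP 5.4), so the check is guarded with `function_exists()`.

```php
<?php
// Added example (not part of the original answer): make input handling
// behave the same whether magic_quotes_gpc is on or off by stripping the
// automatic slashes once per request. The sample input is constructed.

// Recursively strip the slashes magic quotes added to $_GET/$_POST/$_COOKIE.
function stripMagicQuotes($value)
{
    if (is_array($value)) {
        return array_map('stripMagicQuotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// True only on a pre-5.4 server with magic quotes enabled; the function is
// gone in PHP 8, so function_exists() short-circuits there.
function magicQuotesActive(): bool
{
    return function_exists('get_magic_quotes_gpc') && (bool) @get_magic_quotes_gpc();
}

if (magicQuotesActive()) {
    $_GET    = stripMagicQuotes($_GET);
    $_POST   = stripMagicQuotes($_POST);
    $_COOKIE = stripMagicQuotes($_COOKIE);
}

// From here on the script sees exactly what the user typed, e.g. O'Brien,
// on every server, and escapes it itself for each sink (SQL, HTML, ...).
$raw = "O'Brien";                               // constructed stand-in for $_GET['name']

// What code written against a magic-quotes server receives without the strip
// above: O\'Brien. Escaping that again for SQL yields O\\\'Brien, and an
// unescaped echo shows the user a stray backslash. Code written the other way
// round (relying on the slashes being present) sends raw quotes into SQL when
// deployed with magic quotes off.
$asMagicQuotesDelivers = addslashes($raw);      // O\'Brien
echo "raw:            $raw\n";
echo "magic-quoted:   $asMagicQuotesDelivers\n";
echo "double-escaped: " . addslashes($asMagicQuotesDelivers) . "\n";   // O\\\'Brien
```

The normalisation is the half of the fix that keeps old code working; the other half is binding values in prepared statements instead of escaping them into SQL text, which removes the dependence on the server setting entirely.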
A: 

The most dangerous is probably eval()ing something that comes from user input, like eval($_GET['command']), but that's pretty rare.

After that, SQL injection, XSS, and information leakage through improper error reporting/displaying. Also, take a look at the default Options directive, if your web server is Apache, because it may also leak filenames, when it cannot find an index file in a directory.

WishCow
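The two application-level points in that answer in code, as an added example that is not part of the original answer: a request parameter dispatched through a fixed table of permitted functions instead of `eval()`, and error handling that logs the full detail for the operator while the visitor only ever sees a generic message with a reference id. The command names, the log path, the version string and the request values are assumptions.

```php
<?php
// Added example (not from the original answer). (1) An allow-list dispatch
// in place of eval($_GET['command']); (2) errors logged in full but shown to
// the browser only as a reference id, so paths, traces and SQL never leak.
// Command names, log path and request values are assumptions.
declare(strict_types=1);

ini_set('display_errors', '0');                 // never render errors to the browser
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed log location, outside the web root
error_reporting(E_ALL);

// Turn every PHP warning/notice into an exception so one handler sees them all.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Last line of defence: log the detail, answer with a reference id only.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s in %s:%d', $ref, $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong (reference ' . $ref . ').';
});

// Instead of eval($_GET['command']): a fixed table of what may be called.
// Anything not in the table is rejected before any code runs.
const COMMANDS = [
    'time'    => 'cmdTime',
    'version' => 'cmdVersion',
];

function cmdTime(): string    { return gmdate('c'); }
function cmdVersion(): string { return 'app 1.0'; }      // assumed version string

function dispatch(string $command): string
{
    if (!isset(COMMANDS[$command])) {
        throw new InvalidArgumentException('unknown command');   // logged, not echoed
    }
    $fn = COMMANDS[$command];
    return $fn();
}

// Constructed request values standing in for $_GET['command']:
foreach (['time', 'version', 'shutdown'] as $cmd) {
    try {
        echo $cmd, ' => ', dispatch($cmd), "\n";
    } catch (InvalidArgumentException $e) {
        echo $cmd, ' => rejected', "\n";
    }
}
```

The Apache side of the same answer is a server setting rather than PHP: directory listings come from `Indexes` in the `Options` directive, which is why a directory without an index file lists its contents unless that option is turned off.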
A: 

I would also add omitting to correctly escape output strings using htmlentities or htmlspecialchars (which could lead to XSS (Cross Site Scripting)).

MaxiWheat
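What that answer means in practice, as an added example that is not part of the original answer: one escaping helper for HTML text and attribute contexts, shown beside the unescaped version of the same markup. The user-supplied values are constructed.

```php
<?php
// Added example (not part of the original answer): one escaping helper for
// HTML text and quoted-attribute contexts, and what the same markup looks
// like without it. The user-supplied values are constructed.
declare(strict_types=1);

// Escape a value for insertion into HTML text or into a quoted attribute.
// ENT_QUOTES also converts ' so single-quoted attributes are safe; the
// charset must match the page's declared encoding.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed user input, e.g. a display name taken from $_GET['name'].
$name = '<b>Bob</b><script>alert(1)</script>';
$city = 'Paris" title="';

// Unescaped: the name is rendered as markup and the attribute is broken out of.
$bad  = "<p>Hello $name from <span title=\"$city\">here</span></p>";

// Escaped: the same bytes are shown as literal text and stay inside the attribute.
$good = '<p>Hello ' . e($name) . ' from <span title="' . e($city) . '">here</span></p>';

echo $bad, "\n", $good, "\n";
// $good is:
// <p>Hello &lt;b&gt;Bob&lt;/b&gt;&lt;script&gt;alert(1)&lt;/script&gt; from <span title="Paris&quot; title=&quot;">here</span></p>

// htmlspecialchars() is only right for HTML text and attribute values; a
// value placed inside a <script> block or a URL needs that context's own
// encoding (json_encode() with the JSON_HEX_* flags, rawurlencode()) instead.
```

The helper is deliberately tiny so that every `echo` of untrusted data goes through it; the common mistake is not a wrong escaping function but one place that forgot to call it.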
A: 

The biggest mistake is to use PHP in the first place.

It's a language badly slapped together by people who have little idea of language design. It started out as a limited-purpose rinky-dink project and grew without a plan. It is full of "features" designed to make everything easy, and this results in the extremely easy creation of security holes.

PHP is a language by dummies for dummies. It's a major contributor to security problems on the Internet. For example, see http://www.securityfocus.com/news/11430 .

Downvote if you disagree, this is my (admittedly controversial) opinion and I don't mind.

Carl Smotricz
do you mean languages like asp.net are more secure than it? I don't know other main alternatives, but I see this technology is used by the biggest web communities and companies on the web, like last.fm, flickr, google, etc... are you sure about the security weakness?
Vittorio Vittori
Apparently PHP accounted for 43% of all security problems found in a study in 2006. That's a pretty impressive number for just one language. Source: http://www.securityfocus.com/news/11430
Carl Smotricz
And yes, asp.net has fewer of those "dynamic interpretation" features. But I admit there's also some bias because asp.net is mostly used by "pros" (you have to pay people to work with it) and PHP mostly by amateurs. Among the big players, Java is probably safest overall. The language itself offers few loopholes, the remaining problem is SQL injection - not the language's fault.
Carl Smotricz
I think the fact that PHP accounted for 43% of all security problems in 2006 is more caused by the people who misuse PHP than by the language itself. PHP is relatively easy to learn, which means a lot of newbies/dummies use it, and as they are newbies, they sometimes misuse it. That said, a good, more experienced programmer can write just as good and secure code using PHP as in any other language. So I wouldn't say PHP is bad per se, but a relatively big portion of its users is.
Douwe Maan
I agree with you in part. But a language can help a programmer code safely and sanely, accentuating solid design and highlighting dangerous practices. PHP simply cannot be said to go out of its way to do that.
Carl Smotricz
Could you give me an example how PHP does not "help a programmer code safely and sanely, accentuate solid design and highlight dangerous practices"?(Just out of interest)
Douwe Maan
I've downvoted your answer not because I disagree, but because it offers so little value. You could have included some examples, links or _anything_ that supports your claim.
Georg
Java has a SecurityManager that allows you to selectively activate/deactivate specific capabilities regarding file system, communications, etc. You turn off stuff you don't need so even in the worst case your program can only do limited damage. PHP does nothing comparable. Java's library provides lots of classes to support MVC, bound properties, abstract classes, interfaces and so on (off the top of my head in no particular order). PHP barely manages to give you modules.
Carl Smotricz
@Georg: I learned PHP about 8 years ago to write one program; I was appalled and never looked at it again. Thus I'm a little hard put to contribute lots of detail. In the intervening time I did notice, however, that PHP sites figure prominently in security advisories.
Carl Smotricz
I down-voted because first of all it doesn't offer any value to the question. Secondly, PHP is a tool, the programmer using this tool is responsible for any mess he creates.
ninuhadida
I'm happy to see my contribution to this topic is still being noticed.
Carl Smotricz
it depends on programmer
JKS
A: 

This guide covers many of the security holes you typically find in beginners' code: http://phpsec.org/projects/guide/

TheMagician
A: 

SQL injections, when the user input is not sanitized;

addslashes()

and

stripslashes()

can solve the problem.

appusajeev
That's _not_ how one sanitizes data for use with a database. There are specific functions for the common databases. In standard SQL, a ' is escaped by using two '', there are no slashes. The best way is to use parameterized queries.
Georg
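The point made in that comment, run against an in-memory SQLite database through PDO, as an added example that is not part of the original answer or comment: `addslashes()` produces backslash escapes that are not SQL, the driver's own quoting doubles the quote, and a bound parameter never becomes part of the SQL text at all. The table, column and sample values are constructed.

```php
<?php
// Added example (not from the original answer or comment): addslashes()
// versus driver quoting versus a bound parameter, run against SQLite in
// memory via PDO. Table, column and sample values are constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('Smith')");

$input = "O'Brien";   // constructed user input, e.g. from $_POST['name']

// 1. addslashes(): gives O\'Brien. SQLite has no backslash escapes, so the
//    string literal ends at O\ and the rest fails to parse. Other engines
//    read backslashes differently, which is exactly why this is not portable.
try {
    $pdo->query("SELECT id FROM users WHERE name = '" . addslashes($input) . "'");
    echo "addslashes: query ran\n";
} catch (PDOException $e) {
    echo "addslashes: ", $e->getMessage(), "\n";
}

// 2. PDO::quote(): the driver's own quoting, 'O''Brien' here (two single quotes).
$stmt = $pdo->query('SELECT id FROM users WHERE name = ' . $pdo->quote($input));
echo "quote():  found id ", $stmt->fetchColumn(), "\n";

// 3. Prepared statement with a bound parameter: the value is never part of
//    the SQL text, so no quoting rules apply at all. This is the comment's
//    "parameterized queries".
$stmt = $pdo->prepare('SELECT id FROM users WHERE name = :name');
$stmt->execute([':name' => $input]);
echo "prepared: found id ", $stmt->fetchColumn(), "\n";

// Expected: the first query fails with a parse error; the other two find id 1.
```

Option 3 is the one to standardise on: it works identically across drivers, and it needs no per-database escaping function to be remembered at every call site.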