After seeing this awesome guide on Stack and needing a practical PHP/MySQL
security checklist in-house, I have decided to pay homage to the original guide.
What I need is a practical security checklist for PHP and MySQL. The contents here can function as the checklist, while the answers should function as the guides.
By practical I mean that each answer should avoid superfluous security theoretics and focus on real results. Most of us don't need to know about RFC3174 when you're suggesting to secure passwords using a SHA-1 hash. We just want to make passwords secure.
I will go through the entries from time to time and tidy them up so they have a consistent look and feel and it's easy to scan the list. Feel free to follow a simple "header - brief explanation - list of instructions - gotchas and extra info" template. I'll also link to the entries from the bullet list below so it's easy to find them later.
Procedural note: PLEASE pick one and only one of the below topics and answer it clearly and concisely. Don't try to jam a bunch of information into one answer. Don't just link to other resources - cut and paste with attribution if copyright allows, otherwise learn it and explain it in your own words (that is, don't make people leave this page to learn a task). Please comment on, or edit, an already existing answer unless your explanation is very different and you think the community is better served with a different explanation.
PHP
Validate user input
Guard your file system
Guard your sessions
Guard against XSS vulnerabilities
Guard against invalid POSTs
Guard against CSRF
Stop using $_REQUEST
Stop using register_globals
MySQL
Avoid SQL injection
Use mysql_real_escape_string to protect against SQL injection
Keep in mind that the above list is only a starter, and that many of the above topics will likely become sub-headers and are too broad to write on. Try to distill something smaller like "Stop using register_globals" rather than, say, trying to write an answer on XSS as a whole. Over time I hope everyone can add many more things.