Mon, 14 Aug 2006

8:47 AM - PHP Security

Here's an interesting post from Slashdot outlining PHP security.

As a short summary, what every (PHP) developer should do is:

    * limit the session to the IP address of the visiting user.
    * use htmlentities() on all outputted HTML
    * secure file uploads to avoid uploading PHP code

And most importantly (though not relevant to TFA):

    * use mysql_real_escape_string() on all database input, or better: the variable binding feature of PEAR::DB
    * disable register_globals, use $_GET, $_POST and $_COOKIE instead.
    * Use preg_replace( '/[^a-zA-Z0-9_-]/', '', $input ) on all input used in file names.
      Things like require_once("files/" . $input . ".html") actually read PHP files when called as ?input=file.php%00
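The last bullet side by side as runnable PHP: the unchecked concatenation next to the whitelist-filtered version. This is an added example, not code from the post or the Slashdot comment it summarises; the function names and sample inputs are made up for illustration.

```php
<?php
// Added example (not from the post or the Slashdot comment it summarises).
// Shows the file-name handling the last bullet describes: the unsafe
// concatenation, and a whitelist-filtered version using preg_replace().

// Unsafe form: the attacker-controlled name reaches require_once() unchanged.
// With ?input=file.php%00 the decoded value is "file.php\0"; the PHP
// versions of the time stopped reading the path at the NUL byte, so this
// string resolved to files/file.php instead of files/file.php<NUL>.html.
function include_page_unsafe(string $input): string
{
    return 'files/' . $input . '.html';   // exactly the path the bullet warns about
}

// Hardened form: keep only [A-Za-z0-9_-]; NUL, '.' and '/' are stripped,
// so the result can only ever name files/<safe>.html. Note the '-' is placed
// last in the class: written as "9-_" it would be a range, not a literal dash.
function safe_page_name(string $input): string
{
    return preg_replace('/[^a-zA-Z0-9_-]/', '', $input);
}

function include_page_path(string $input): ?string
{
    $name = safe_page_name($input);
    if ($name === '') {
        return null;                       // nothing left after filtering: reject
    }
    return 'files/' . $name . '.html';
}

// Constructed inputs; the second carries the NUL byte from ?input=file.php%00.
$cases = ['about', "file.php\0", '../../etc/passwd'];
foreach ($cases as $c) {
    printf("%-20s unsafe=%-30s safe=%s\n",
        addcslashes($c, "\0"),
        addcslashes(include_page_unsafe($c), "\0"),
        include_page_path($c) ?? '(rejected)');
}
```

The filtered path for "file.php\0" becomes files/filephp.html, which simply does not exist, instead of silently pulling in files/file.php.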