There is really only one rule:
"NEVER EVER TRUST ANY DATA COMING FROM THE CLIENT"
This means:
1) Never blindly insert user input into your database, especially if you are going to display it later. Evil users like to do nasty things with <script> or PHP tags.
2) Always do bounds checking.
3) Always make sure the user is authorized to do the action the page is taking. Don't assume the user reached that delete-record page legitimately; verify that they are authorized to take this action on this record or record set.
4) Don't let users upload PHP (or other HTTP-executable files, e.g. Perl or CGI) into the web tree. Always limit the size of uploads.
I'm sure there are a million more, but I'll let someone else chime in.
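Here is an added example (not from the original post) putting each of the four rules into PHP. It assumes a PDO connection $db, a logged-in user id held in $_SESSION['user_id'], and table/column names (comments, records, owner_id) that are made up for illustration.

```php
<?php
// Added example: one function per rule from the post above.
// Assumed: $db is a PDO handle; $_SESSION['user_id'] is the authenticated user.
declare(strict_types=1);

// Rule 1: parameterised query on the way in, HTML escaping on the way out.
function saveComment(PDO $db, int $userId, string $text): void {
    $stmt = $db->prepare('INSERT INTO comments (user_id, body) VALUES (:uid, :body)');
    $stmt->execute([':uid' => $userId, ':body' => $text]);
}
function renderComment(string $text): string {
    // Encodes < > & " ' so a stored "<script>" is shown as inert text later.
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Rule 2: bounds-check the record id before it gets anywhere near a query.
function parseRecordId(array $get): ?int {
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Rule 3: the WHERE clause itself enforces ownership, so simply reaching
// delete.php with someone else's id does nothing.
function deleteRecord(PDO $db, int $userId, int $recordId): bool {
    $stmt = $db->prepare('DELETE FROM records WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $recordId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;   // 0 rows: not theirs, or already gone
}

// Rule 4: size cap, allow-listed sniffed type, server-chosen name, and a
// directory outside the web tree so nothing uploaded can ever be executed.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
function storeUpload(array $file, string $dirOutsideWebroot): ?string {
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_UPLOAD_BYTES) {
        return null;
    }
    // Trust neither the client-supplied name nor $file['type']; sniff the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime === false || !isset(ALLOWED_MIME[$mime])) {
        return null;
    }
    $dest = $dirOutsideWebroot . '/' . bin2hex(random_bytes(16))
          . '.' . ALLOWED_MIME[$mime];
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}
```

Typical use: $id = parseRecordId($_GET); if ($id !== null && deleteRecord($db, $_SESSION['user_id'], $id)) { /* deleted */ }.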