php application security test?

dugawug

hello,
i just got done coding my first PHP app for a non-profit i'm affiliated with. anyhow, it's connected to a MySQL database and my main concern right now is somehow checking the app for security flaws. is there another app that i can download that can check my app?
thanks

michaelkenneth

For one...keep backups. 2nd...there really isn't a way to check your source code for security...as source code can vary A LOT.

Maybe someone knows of a php security checklist?

drew010

aside from a few of the common php xss coding flaws reguarding the query string and includes, there are not many general ways a script can be exploited. most cases would be different depending on source code.

n-stealth (http://www.nstalker.com/nstealth) has a server-side language security test, which includes some php checks.

dugawug

thanks guys,
yes, it is my belief too that a script isn't generally that vulnerable. this is a fairly simple app and i wrote it simply and cleanly. don't know if this makes it more or less "hackable".

also, our database doesn't hold any crucial info (like c.c. info) so i'm doubting any one's reason for intrusion.

so couldn't it be said that, generally speaking, a simple PHP/MySQL app is fairly secure on it's own?

anyhow, i'll check the nstealth thing. any more ideas of things like this are appreciated!

Weedpacket

Originally posted by michaelkenneth
Maybe someone knows of a php security checklist?

Yes; and the checklist has been mentioned on these forums several times (a search for "security" might well have turned it up).

http://www.owasp.org/documentation/topten

dugawug

well, my friend in our NPO just asked me a question i want to pass along:

"what is it exactly about a PHP/MySQL application that makes it so inherently secure?"

Weedpacket

Easy answer: it's not.

drawmack

PHP/MySQL are not inherently insecure.

However PHP and MySQL are free so many people who are just learning to code can get a copy and begin writting web sites with them. So you have a lot of insecure web apps written with PHP/MySQL however it is not the technologies fault, but rather the implementors fault.

Think of it this way, when a security flaw in windows is exploited we all know it is the operating system's fault and no one runs around yelling about the security flaws of c++. It's the same with web-sites written with PHP/MySQL, it's not the language's fault it's the programmers.

dugawug

thanks a lot everyone.
i guess it's just a matter of writing solid code and keeping the known security flaws (listed above) in mind that mostly keeps an app/database secure?

this is getting a little off subject, but what about that hacker trick to append SQL to a web browser URL? how can that be stopped?