I've skimmed the web and the forums and I haven't really found what I'm looking for: general tips and tricks for securing a web site, PHP related or otherwise.
Here's what I've got:
I'm running a reasonably up to date Linux machine with Apache. (I try to keep up to date on patches and versions, but I'm not a rabid BuqTraq follower.) I have a site constructed almost completely dynamically with PHP and mySQL information. I've taken quite a few steps to secure the box against general intrusion, and I'm curious if I've missed anything big or simple. Here's what I've done so far:
Nothing related to the web site is running as root.
The only way into the box is via SSH. Telnetd is not even installed. (Quite a few unneeded tools are not installed.)
The machine is behind a firewall, only ports 22, 80, and 443 are open.
All of the directory and file permissions in my web root have been set properly.
There are access rules against accessing any include/library files directly.
User logins are done via PHP, the cookie data is encrypted against a secret word on the server, and logins are only preserved per session.
ALL user-entered data (including logging in) is protected via SSL, normal site viewing is not.
Here's what I have not done and why:
User entry fields are not completely sanity-checked against malicious characters, as only myself and a few friends have logins. We also need the ability to input HTML into the fields.
Apache, Apache-SSL, and mySQL are running on the same machine...I don't want to do that, but I'm short on boxes at the moment.
Is there anything I'm missing? This is hardly mission critical and it's really just a project site, but I really would like to protect against the obvious. Most of the data entered into this repository will take a great deal of time and I'd just as soon not have to re-enter from backups. (Not to mention I'd really like to get a job doing all of this one day, so I want to do it right.)
Thanks in advance for any advice.
