Hi,
I want to create a quick list of security issues for php & mysql/postgresql sites. There's a lot out there, but what's annoying is that it's spread out all over the place. So below is what I've found so far - if anyone has something to add, please reply to this post. This'll help me and I imagine anyone else out there thinking the same.
Thanks, JB
PS. Links also welcome.
IN PHP.INI
use safe_mode if possible
turn off register_globals (access variables with $_POST)
turn off display_errors (log errors instead of displaying)
error_reporting = E_ALL (to aid in building cleaner code)
turn on magic_quotes_gpc
IN YOUR CODE:
make a point of properly validating data that enters a form
use addslashes() when submitting to db
use post instead of get (not all that great)
consider https for areas that require passwords
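As an added example (editor's code, not from JB's post or any reply), here is a self-contained PHP script that checks the php.ini items in the list at runtime and wires the code items into a small login handler. It assumes a `users` table with `username` and `password_hash` columns, and for the database step it uses PDO bound parameters instead of addslashes(), which is a different technique from the one in the list. The sample data is constructed inline with SQLite so the file runs on its own; safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4, so on a current build ini_get() reports them as unset.

```php
<?php
// Added example, not code from the original post. Table and column names
// (users, username, password_hash) are assumed for illustration.

// A php.ini boolean can be "1", "On", "0", "Off", "" or, for display_errors,
// "stderr"/"stdout"; ini_get() returns false for directives this build lacks.
function ini_on(string $name): bool {
    $v = strtolower(trim((string) ini_get($name)));
    return $v !== '' && !in_array($v, ['0', 'off', 'false', 'no'], true);
}

// 1. Runtime audit of the php.ini items from the list above.
function ini_checklist(): array {
    return [
        'register_globals off'  => !ini_on('register_globals'),
        'magic_quotes_gpc'      => ini_on('magic_quotes_gpc'),   // unset on PHP >= 5.4
        'safe_mode'             => ini_on('safe_mode'),          // unset on PHP >= 5.4
        'display_errors off'    => !ini_on('display_errors'),
        'log_errors on'         => ini_on('log_errors'),
        'error_reporting E_ALL' => (error_reporting() & E_ALL) === E_ALL,
    ];
}

// 2. Validate the form fields before they reach the database or the session.
//    Returns the clean values, or an error string describing the rejection.
function validate_login(array $post) {
    $user = $post['username'] ?? '';
    $pass = $post['password'] ?? '';
    if (!is_string($user) || !preg_match('/^[a-z0-9_]{3,32}$/i', $user)) {
        return 'username must be 3-32 letters, digits or underscores';
    }
    if (!is_string($pass) || strlen($pass) < 8 || strlen($pass) > 256) {
        return 'password must be 8-256 characters';
    }
    return ['username' => $user, 'password' => $pass];
}

// 3. Look the user up with a bound parameter: the driver keeps the value out of
//    the SQL text, so a quote in the username cannot change the query.
function check_login(PDO $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($pass, $row['password_hash']);
}

// 4. Handler: https only, POST only, validated input, errors logged not shown.
function handle_request(PDO $db): string {
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('HTTP/1.1 403 Forbidden');
        return 'login requires https';
    }
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        header('HTTP/1.1 405 Method Not Allowed');
        return 'use POST';
    }
    $clean = validate_login($_POST);
    if (is_string($clean)) {
        return 'invalid input: ' . htmlspecialchars($clean, ENT_QUOTES, 'UTF-8');
    }
    try {
        $ok = check_login($db, $clean['username'], $clean['password']);
    } catch (PDOException $e) {
        error_log('login db error: ' . $e->getMessage()); // to the error log only
        return 'temporary error';
    }
    return $ok ? 'welcome' : 'bad username or password';
}

// Stand-alone wiring with constructed sample data (SQLite in memory); a real
// site would build the PDO from its own DSN and credentials.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse battery', PASSWORD_DEFAULT)]);

foreach (ini_checklist() as $item => $ok) {
    echo str_pad($item, 24), $ok ? 'OK' : 'FIX', PHP_EOL;
}

// Simulated requests: a classic injection string, then a valid login.
$_SERVER['HTTPS'] = 'on';
$_SERVER['REQUEST_METHOD'] = 'POST';
$_POST = ['username' => "' OR '1'='1", 'password' => 'anythingatall'];
echo handle_request($db), PHP_EOL;
// Even bypassing validation, the bound parameter treats the string as a literal.
var_dump(check_login($db, "' OR '1'='1", 'anythingatall'));
$_POST = ['username' => 'alice', 'password' => 'correct horse battery'];
echo handle_request($db), PHP_EOL;
```

Run it with `php checklist.php` on a build that has the pdo_sqlite extension; the audit lines show which items from the list the running configuration satisfies, and the two simulated requests show the validation and the bound query handling the same hostile username.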