You know what really grinds my gears? Reading “PHP Security” articles on the internet and discovering nothing but crap in them. I keep seeing people attempting to work around register_globals, or using regular expressions to attempt to filter data that they should merely be escaping.
The only good source I’ve seen is Chris Shiflett, and this is probably going to be the same as what he says:

  • Disable register_globals
  • Disable all magic_quotes (or include a stripslashes() in your input filtering process)
  • Filter all input (regexes are ok for this) to bring it into a “pure” state
  • Escape all output that can be traced back to user input, so malicious input cannot alter the syntactical structure of the output
    • SQL queries are output
    • HTML is output
    • Shell execution is output
  • Use SafeHTML if you really need to allow HTML syntax… but realize that you’re still not guaranteed to be safe and design your application to be minimally dangerous when compromised
  • Enable error_reporting(E_ALL) (E_STRICT too, if you’re using PHP5 exclusively)
  • Log errors internally instead of printing them for production servers
  • Define all variables before use
  • Don’t store sensitive information or logic client-side
    • Cookies can be hijacked
    • JavaScript validation must be considered optional, and supported by server-side validation.
  • Be aware of character encodings
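As a worked illustration of the filter-then-escape items above, here is one request handler written as an added example (it is not code from the original post or from Chris Shiflett). The `users` table, the SQLite DSN, and the `name` and `id` request parameters are assumptions made for the example; each output sink (SQL, HTML, shell) gets its own escaping because filtering input does not make escaping optional.

```php
<?php
// Added example, not from the original post. It follows the checklist above
// for one request: input is filtered into a known-good shape, then escaped
// differently for each output sink (SQL, HTML, shell). The "users" table, the
// DSN, and the "name"/"id" parameters are assumptions for illustration.
declare(strict_types=1);

error_reporting(E_ALL);            // E_STRICT is folded into E_ALL since PHP 5.4
ini_set('display_errors', '0');    // production: never print errors to the client
ini_set('log_errors', '1');        // ...log them internally instead
header('Content-Type: text/html; charset=UTF-8'); // be explicit about encoding

// Input filtering: define every variable first, then accept only a known-good
// shape. Regexes are fine here; the goal is a "pure" value, not a blacklist.
function filterUsername(array $input): ?string
{
    $raw = $input['name'] ?? '';
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $raw = stripslashes($raw);   // only matters on pre-5.4 hosts with magic_quotes on
    }
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $raw) === 1 ? $raw : null;
}

function filterId(array $input): ?int
{
    $raw = $input['id'] ?? '';
    return ctype_digit($raw) ? (int) $raw : null;  // rejects "", "-1", "1e3", "1;DROP"
}

// SQL is output: bind parameters so the value can never become SQL syntax.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML is output: escape quotes too, and name the charset so a malformed
// multibyte sequence cannot swallow the quote that ends an attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Shell execution is output: quote the argument as a single shell word so
// metacharacters in it are data, not command structure.
function runLookup(string $username): string
{
    return (string) shell_exec('id ' . escapeshellarg($username) . ' 2>&1');
}

$name = filterUsername($_GET);
$id   = filterId($_GET);
if ($name === null || $id === null) {
    http_response_code(400);
    exit('Bad request');
}

// Constructed in-memory fixture so the example runs offline (assumed schema).
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice <script>')");

$user = findUser($db, $id);
echo '<p>Hello, ' . h($name) . '</p>';
if ($user !== null) {
    echo '<p>Record: ' . h($user['name']) . '</p>';   // stored data is escaped on output too
}
echo '<pre>' . h(runLookup($name)) . '</pre>';
```

Note that the stored `name` is escaped when echoed even though it came from the database, not from this request: the rule is "anything traceable to user input", and a value written by an earlier request still qualifies.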

The one thing I was looking for was session-ID protection, to minimize the damage possible if a malicious user does manage to grab cookies using a XSS exploit.
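For the session-ID protection the post did not find, the following is an added example (not the post's own code) of how a defender would configure PHP's built-in session handling so a stolen ID is worth less: cookie-only IDs, HttpOnly and Secure flags, strict mode, and rotation on login and on a timer. The 15-minute rotation interval is an assumption.

```php
<?php
// Added example, not from the original post: session-ID protection using only
// standard PHP session settings. The rotation interval is an assumption.
declare(strict_types=1);

function startHardenedSession(): void
{
    // Accept the ID only from the cookie, never from the URL, so a link cannot
    // hand a victim a pre-chosen ID (session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');   // reject IDs the server did not issue

    // HttpOnly keeps document.cookie from reading the ID, which limits what an
    // XSS that does slip through can exfiltrate; Secure keeps it off plain HTTP.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // Rotate the ID periodically so a captured ID has a short useful life.
    $now = time();
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    } elseif ($now - $_SESSION['created'] > 900) {   // 15 min: assumed interval
        session_regenerate_id(true);                  // true: discard the old ID server-side
        $_SESSION['created'] = $now;
    }
}

// Call on every successful login: a fresh ID means nothing the client held
// before authentication identifies the authenticated session.
function onLogin(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Logout: clear server-side state and expire the cookie with the same
// attributes it was set with, so the browser actually drops it.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

startHardenedSession();
```

HttpOnly does not stop an XSS payload from acting inside the victim's browser while the page is open; it only stops the ID from being read and reused elsewhere, which is exactly the damage-limitation the post describes.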