PHP Best Practices in Security – Part 2
If your web server’s access permissions are wrong, it will be easier for somebody to take control over your server. So, next 3 advices are how to fix your access rights:
1. Do not allow PHP files to be writable.
2. Do not allow executable and writeable files in your web root.
3. Do not allow external read access to files with classes, application and configuration code.
4. When magic_quotes is turned on, it automatically escapes incoming data to the PHP script. But it’s not a good idea to be used, because:
- if you rely on it to be turned off or on, your code won’t be portable. You can use get_magic_quotes_gpc() to check for this.
- it affects the performance, because not all the escaping data is inserted in database.
- not all data need escaping, ex. it’s annoying to see \’ in email
Also, magic_quotes will be removed in PHP 6.0.0.
5. register_globals is still used by many developers. But it may pollutes the global namespace and could overwrite not properly initialized variables. So, it should be turned off, too. register_globals will be removed in PHP 6.0.0.
6. Cookies could easily be modified by users or could be faked very easily by automated scripts, so you’d better do not store important information in cookies.
I hope you’ve found something useful in the advices above. You can check out also PHP Best Practices in Security – Part 1.
The issue: register_globals is still used in many applications and even for developing
- Pollutes the global namespace.
- Can overwrite not properly initialized variables.
The solution: Turn off register_globals in development and production environments.
- Workarounds could overwrite global variables before PHP 4.4.1 and PHP 5.0.5
- Still possible with own importing mechanisms.
- Fixed in extract() and import_request_variables().
register_globals and magic_quotes will be removen in PHP 6
