
Comprehensive PHP Security Checklist - seiha
http://www.sk89q.com/2009/08/definitive-php-security-checklist/
======
wbond
This list includes a lot of PHP and web application security items, but is
missing some topics and is light on how to properly handle situations. A few
of the topics missing important information include:

  - Pseudo-random number generator issues
  - Email injection
  - Cross-site session transfer
  - Password hashing

I recently did a talk on PHP security at the Boston PHP Meetup, and my slides
are available at <http://wbond.net/security/>.
<http://flourishlib.com/docs/Security> includes more information about many of
the topics I covered with links to learn more.

~~~
carbocation
Stream of consciousness post here. For your first bullet, people should be
aware of mt_rand()'s superiority to rand(). For your fourth bullet, people
should be aware of hmac. (Am suggesting that awareness of these should be a
necessity, though not sufficient for some purposes.)

Edit: Just read your powerpoint - it's a wonderful overview, with brief code
samples. People getting started with this broad topic should definitely give
it a read. And now I'm sad I missed your live talk a few weeks ago.

~~~
mattyb
For the first bullet, I usually just do the following:

      dd if=/dev/urandom ibs=1000 count=1 2>/dev/null | tr -dc '0-9' | fold -w[number of digits you need]

For the fourth, I agree with wbond: use bcrypt when possible.

Also, slide 27 should probably say 'fingerprint' in the second section.

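As an added example, not code from the checklist or from any commenter: the properties the thread is arguing for with bcrypt are a per-user random salt from a CSPRNG, a tunable work factor, and a constant-time comparison. bcrypt itself is not in the Python standard library, so this stand-in uses PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac to show the same three properties; the storage format ("pbkdf2_sha256$iterations$salt$digest") and the 200,000 iteration default are assumptions for illustration, not a recommendation from the page.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not from the checklist or the thread. PBKDF2-HMAC-SHA256 stands
# in for bcrypt here (bcrypt is not in the Python stdlib); the design points are
# the same: random salt, adjustable work factor, constant-time verification.

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return "pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>"."""
    if salt is None:
        # os.urandom is a CSPRNG; never derive a salt from rand()/mt_rand()-style generators.
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "%s$%d$%s$%s" % (ALGO, iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iterations, compare in constant time."""
    try:
        algo, iterations_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: never treat as a match
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # hmac.compare_digest does not short-circuit on the first differing byte.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True if the stored record is malformed or uses fewer iterations than current policy,
    so the caller can re-hash the (just verified) password at login time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Correct horse battery staple", record))  # False
```

Note that two hashes of the same password differ (different salts), which is what defeats precomputed tables; the work factor lives in the record so it can be raised later without invalidating existing users.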
------
mcaruso
"Use a “safe” encoding for your page (such as ISO-8859-1) or otherwise verify
the content of inputted data to see if it is valid (including if you use
UTF-8). This is because certain invalid character sequences can cause the next
character (like < (!)) to be ignored in some encodings."

Could anyone elaborate on this? What are the 'dangers' of UTF-8 exactly? The
author suggests that certain UTF-8 characters can mess with the markup. How?

