Guest Y.P.Y Posted October 10, 2009

Security:
1- Do not save included files as FileName.inc! Use FileName.class.php or FileName.include.php or... Or use an .htaccess file to set the access levels:

```apache
<FilesMatch "\.(htaccess|inc)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
# Or
AddType application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
</FilesMatch>
```

Speed:
2- DON'T open/close PHP tags excessively.

Security & optimization:
3- Start your PHP classes with a __construct function or a ClassName function.

```php
class MyClass
{
    public function __construct()
    {
        # Codes...
    }
}

# Or
class MyClass
{
    public function MyClass()
    {
        # Codes...
    }
}
```

If you do not use class inheritance, start classes and functions with the final keyword.

```php
final class MyClass
{
    final public function MyClass()
    {
        # Codes...
    }

    final private function MyFunction()
    {
        # Codes...
    }
}
```

Security:
4- Don't store passwords/displayed values in cookies (they can be changed by a hacker)!

Security:
5- If you do not use object cloning, add a __clone function to your class (that's safe):

```php
class MyClass
{
    public function __clone()
    {
        exit;
    }
}
```

Security & speed & optimization:
6- Use $_REQUEST instead of $_GET & $_POST. ($_REQUEST covers the POST & GET abilities/facilities.)

Security & optimization:
7- DON'T use SQLite for HEAVY (lol) software! Because: no server processing needed! Maybe this is a good point, but it has a series of large and dangerous problems: file locking, syndicate issues, memory problems, no query cache, binary problems, overflow and... Binary safety! To insert data as a binary type, you must first encode it. So, after a SELECT, you must encode/decode the retrieved data (x times!). All tables get locked during operations! So slow/bad reading & writing!

Speed & optimization:
8- The PHP standard functions are better than the PCRE functions (test it), if you don't need expressions.
str_replace is better than preg_replace.
stristr is better than eregi.
socket functions are better than curl functions.
stream functions are better than curl & fopen functions.
and...

Security & optimization:
9- Before using classes & functions, make sure they exist!

```php
if (!extension_loaded('mysql')):
    exit('Extension MySQL not loaded.');
endif;
# ...
if (function_exists('mysql_real_escape_string')):
    mysql_real_escape_string(...);
else:
    mysql_escape_string(...);
endif;
# ...
if (function_exists('settype')):
    settype($Str_Input, 'string');
else:
    $Str_Input = (string) $Str_Input;
endif;
```

Security & optimization:
10- Static alphabet coding! Between (correct):

```html
<input name="InpTxt_Username" type="text" value="" maxlength="15" size="15" id="InpTxt_Username">
```

And (wrong):

```html
<input type="text" name="InpTxt_Username" id="InpTxt_Username">
```

Very different, and the wrong form invites abuse. Even between CSS parameters (wrong):

```css
overflow: hidden; width: 250px; height: auto;
```

And (right):

```css
width: 250px; height: auto; overflow: hidden;
```

Very different, and the wrong form invites abuse. Also between (correct):

```php
$_REQUEST['FormName'], $_REQUEST['SubmitButtonName']...
```

And (wrong):

```php
$_GET['FormName'], $_GET['SubmitButtonName']...
```

Very different, and abuse is possible. So, after writing these (even if they are inserted automatically), please be watchful!

Security & optimization:
11- Don't use the var method in your PHP classes (var is not safe!). var == public (in PHP 5)! Use protected/public/private instead of var.

Speed & optimization:
12- Use self:: and parent:: instead of ClassName::.

Security:
13- Common vulnerability!

/index.php?Module=News&Action=Show&Identity=1&Valid=True...

Can be:

/index.php?Module=../!!!!!&Action=Show&Identity=-1'!!!!!&Valid=True...

So be careful! Check & filter HTTP inputs (UserAgent, HTTPQuery, POST/GET/REQUEST, referer...)!

Security:
14- Set the permissions of all files to read-only (also index.html or index.php in empty folders!).

Security & optimization:
15- Don't use short tags like <? and ?> in your code (short_open_tag). Because this option is Off! in most servers.

Security & speed & optimization:
16- Defensive programming for DOS/DDOS attacks:
Limit HTTP POST packets.
Limit request bodies.
Limit file upload size.
Use HTTP/output compression.
Optimize client-side code/files.
Don't redirect HTTP errors to the index page (also you may have a dangerous referer!).
Use standard image formats (JPE, JPG, JPEG...).
Handle repetitions & duplications (forms, URL, postback...).
and...

Security & optimization:
17- Create/change your database tables in the UTF-8 charset (NO LATIN!).

```sql
charset='utf8' collate='utf8_general_ci'
```

Software size & optimization:
18- Don't put bad comments or excessive comments like ####################################... or /////////////////////////////////... (This is web programming, not desktop programming)!

Speed & optimization:
19- Define your functions in a class as static methods (if possible).

Speed & optimization:
20- Don't use the print statement in web applications!

Security & optimization:
21- Check your tables before Create/Drop during installation (for errors/warnings).

```sql
drop table if exists `xxxxx`;
create table if not exists `xxxxx`;
```

Security:
22- Set a password for the database (don't leave it default).

Security & speed & optimization:
23- Options proposed for php.ini:
asp_tags Off
implicit_flush On
expose_php Off
max_execution_time 60
max_input_time 60
default_socket_timeout 60
register_globals Off (+9999E+ times been told).
session.auto_start 0
DATABASE.allow_persistent Off
DATABASE.max_persistent 1
set DATABASE.default_user
set DATABASE.default_password
session.hash_function 1 (SHA1)
mbstring.func_overload 0 (http://bugs.php.net/bug.php?id=30766).
Put exec, system, passthru, shell_exec, proc_open, pcntl_exec in the disable_functions option
safe_mode On (in normal reason)
And...

Software size & optimization:
24- Clear all index.php & index.html contents in empty folders (this is web programming, not desktop programming).

Security & speed & optimization:
25- Make an .htaccess file and put these settings into it:

```apache
<Limit PUT DELETE OPTIONS CONNECT>
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Limit>
<Limit POST GET HEAD>
Order Allow,Deny
Allow from all
Deny From "255.255.255.255"
Deny From "0.0.0.0"
Deny From "1.1.1.1"
Deny From " "
</Limit>
ServerSignature Off
#LimitRequestBody 1024
AddType application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
DirectoryIndex index.html index.php index.php3 index.php4 index.php5 index.php6 index.phphtml
Options All -Indexes -ExecCGI -MultiViews
<FilesMatch "\.(htaccess|sql|session|htpasswd|passwd)$">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</FilesMatch>
# Hmmm?!...
<Files "robots.txt">
Order Allow,Deny
Allow from localhost
Allow from 127.0.0.1
Deny from all
</Files>
#AcceptPathInfo On
<IfModule security_module>
SecFilterEngine DynamicOnly
SecFilterScanPOST On
SecFilterCheckURLEncoding On
SecFilterCheckCookieFormat On
SecFilterCheckUnicodeEncoding Off
SecFilterForceByteRange 1 255
SecServerSignature ""
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "concat"
SecFilter "union"
SecFilter "select.+from"
SecFilter "select+*+from"
</IfModule>
```

Security & speed & optimization:
26- If you have a multi-language application, don't put all language arrays/variables into one file! You can do this: global.php, index.php, login.php, menu.php and...

Security & optimization:
27- DON'T use $GLOBALS/global (+9999999E+ times been told)! This is scope. Unset is not supported. Not safe. Not secure. Not *****!

Security & optimization:
28- A suggestion: use require & require_once instead of include & include_once.

Security:
29- After installing/configuring the software, delete the setup/installation files & folder.

Speed:
30- Use the switch command instead of multi-conditionals (if, elseif...).

Speed & optimization:
31- Don't add @ (error suppression) before heavy functions (or all functions!).

Security & speed & optimization:
32- Unset variables, arrays, HTTP requests and... after usage. Plz!

```php
unset($variable, $array...);
# ...
unset($_SERVER['QUERY_STRING'], $_SERVER['REQUEST_URI'], ...);
# ...
$obj_myclass = new myclass();
# usage & codes...
$obj_myclass = null;
```

Speed & optimization:
33- Put your short PHP code into an HTML file, not a PHP file.

Security & optimization:
34- Use session_unset and session_destroy after usage of a session (not just session_destroy!).

35- Finally, check the size, resolution and... of uploaded images! Otherwise your file can be:

```php
<?php
@system($_REQUEST['Command']);
?>
```

or

```php
<?php
worm, cookiestealer...
?>
```

or...

Sorry for bad English. Good luck.
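An added example (not code from the original post) showing one defensive way to apply tips 13 and 35 in PHP 7.4+: a whitelisted router for the Module/Action/Identity query string, and an upload check that trusts the decoded image rather than the filename. The route table, the function names and the size limits are assumptions.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.4+.
// ALLOWED_ROUTES, validateRoute() and validateUploadedImage() are hypothetical names.

// Tip 13: only these Module/Action pairs may be dispatched; anything else is
// rejected before the values ever reach an include path or a query.
const ALLOWED_ROUTES = [
    'News' => ['Show', 'List'],
    'User' => ['Profile'],
];

function validateRoute(array $req): array
{
    $module = $req['Module'] ?? '';
    $action = $req['Action'] ?? '';
    if (!is_string($module) || !is_string($action)
        || !isset(ALLOWED_ROUTES[$module]) || !in_array($action, ALLOWED_ROUTES[$module], true)) {
        throw new InvalidArgumentException('Unknown Module/Action');
    }
    // Identity must be a positive integer: "../" or "-1'" never gets through.
    $id = filter_var($req['Identity'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('Bad Identity');
    }
    // The include path is built only from the whitelisted names, never from raw input.
    $file = __DIR__ . '/modules/' . $module . '/' . $action . '.php';
    return ['module' => $module, 'action' => $action, 'id' => $id, 'file' => $file];
}

// Tip 35: trust the decoded image, not the filename or the client's Content-Type,
// and bound byte size and pixel size before any further processing.
function validateUploadedImage(string $tmpPath, int $maxBytes = 2000000, int $maxSide = 4000): array
{
    if (!is_uploaded_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        throw new RuntimeException('Upload rejected: not an upload or too large');
    }
    $info = getimagesize($tmpPath); // false for a PHP script renamed to .jpg
    $ext = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($ext[$info[2]])) {
        throw new RuntimeException('Upload rejected: not a JPEG/PNG/GIF image');
    }
    if ($info[0] > $maxSide || $info[1] > $maxSide) {
        throw new RuntimeException('Upload rejected: resolution too high');
    }
    // Store under a server-chosen random name with a fixed image extension so a
    // polyglot file can never be executed as PHP.
    $name = bin2hex(random_bytes(16)) . '.' . $ext[$info[2]];
    return ['width' => $info[0], 'height' => $info[1], 'name' => $name];
}
```

Call validateRoute($_REQUEST) before any include and validateUploadedImage($_FILES['image']['tmp_name']) before move_uploaded_file(); both throw on anything outside the whitelist, so the calling code only ever sees vetted values.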
yoursanjay Posted October 15, 2009

A great tutorial. Thanks a lot. It will help beginners as well as experienced coders.