Code review advice sought!
Dec. 28th, 2005 09:12 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
annathepiperI've just posted about this over on ![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-community.gif)
php, but I thought I'd post it here too out of general curiosity and because I know there are several geeks on my Friends list! This is aimed at any of you folks who have clueage about Debian Linux, Apache, and PHP combined. ![[livejournal.com profile]](https://www.dreamwidth.org/img/external/lj-userinfo.gif)
fenton, fleetfootmike, technoshaman, and lokifrost, I am looking hopefully in your direction. ;) Though anyone else is welcome to jump in on this too!
I'm trying to prep for doing a hardcore review of all PHP code in pages on our webserver before we allow PHP to go live again, and to try to nail down which version of PHP I ought to be installing once I'm prepared to do that. Questions to you all:
1) Since PHP 5.1.1 is not available in package form yet, are there any known big problems with 5.0 that might make it necessary for me to build 5.1.1 by hand?
2) I've been reading up in the Security chapter of the docs on php.net, as well as the SecurePHP wiki, and have come up with a list of things I know I'd like to look at. Can anyone recommend things besides these items that I ought to look at?
- Use .htaccess to control who gets to look at source code
- Take sensitive data, e.g., passwords, out of public web space
- Verify that register_globals is OFF
- Validate all user data
- Initialize variables
- Turn off magic quotes
- Use addslashes and stripslashes as needed
- Set expose_php = off in php.ini
- Log errors out to files not in public space rather than displaying them on the page
- Use $_POST, $_GET, $_COOKIE, and $_SESSION for global variables
- Use htmlspecialchars() for hidden form values
- For URL stuff, use both htmlspecialchars() AND urlencode(); the latter should be for specific variables in the URL, and the former for the entire URL
Thank you very much in advance for any pointers!
php, but I thought I'd post it here too out of general curiosity and because I know there are several geeks on my Friends list! This is aimed at any of you folks who have clueage about Debian Linux, Apache, and PHP combined. fenton, fleetfootmike, technoshaman, and lokifrost, I am looking hopefully in your direction. ;) Though anyone else is welcome to jump in on this too!I'm trying to prep for doing a hardcore review of all PHP code in pages on our webserver before we allow PHP to go live again, and to try to nail down which version of PHP I ought to be installing once I'm prepared to do that. Questions to you all:
1) Since PHP 5.1.1 is not available in package form yet, are there any known big problems with 5.0 that might make it necessary for me to build 5.1.1 by hand?
2) I've been reading up in the Security chapter of the docs on php.net, as well as the SecurePHP wiki, and have come up with a list of things I know I'd like to look at. Can anyone recommend things besides these items that I ought to look at?
- Use .htaccess to control who gets to look at source code
- Take sensitive data, e.g., passwords, out of public web space
- Verify that register_globals is OFF
- Validate all user data
- Initialize variables
- Turn off magic quotes
- Use addslashes and stripslashes as needed
- Set expose_php = off in php.ini
- Log errors out to files not in public space rather than displaying them on the page
- Use $_POST, $_GET, $_COOKIE, and $_SESSION for global variables
- Use htmlspecialchars() for hidden form values
- For URL stuff, use both htmlspecialchars() AND urlencode(); the latter should be for specific variables in the URL, and the former for the entire URL
Thank you very much in advance for any pointers!
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2005-12-29 06:35 am (UTC)Most webmail needs PHP; no two ways around that. Other than that, though, really...
If you really have to have PHP, and you have to resort to source, use checkinstall to make a .deb of it; that'll make it easy to manage.
And tell me this is Breezy Badger or at least Etch and not Sarge. It will help a lot keeping the versionage up to date without using backports.
no subject
Date: 2005-12-29 04:05 pm (UTC)Why would making a .deb of the PHP source be useful?
I'm not aware of what Breezy Badger is...?