Personal bookmark: https://www.sqreen.com/checklists/php-security-checklist.html

I doubt I can apply it in its entirety to #Friendica without major rewrites, but I'll try my best!

#php #webdev #security

This is good advice, but it is a bit naive to mention escaping data when it does not help. Escaping data is good to do if it needs to be displayed correctly and saved into databases, that is all.

To prevent misbehaving data you need to filter it before you store it.

Do not trust open_basedir. It has been a problem several times.
PDO is not a safe haven, you still need to filter your strings.

Did I overlook the fact that session IDs need to be refreshed/renewed on every pageview?

Why will an ORM protect me?

And there is one important one I miss too. If people use the readfile function to load files that are stored above the document root, they need to strip it of PHP code since parsing it will execute the code.

@Hans W You are simply wrong about most of what you said:
  • Yes, you can do some filtering on input, but when dealing with most arbitrary strings you're pretty much powerless on user input. In these cases, you have to escape the data on display, depending on the context. For example, you don't escape a string that's meant to be in an HTML attribute value the same way as one in a text node (like most post content). You can't always make this distinction when you store the data, and it's going to be escaped in the database, which is useless and hard to read manually.
  • PDO can prevent you from concatenating raw user input in SQL queries.
  • An ORM removes the need to write SQL queries and, as such, the chance of writing insecure SQL queries.
  • Not trusting open_basedir doesn't prevent you from setting it in the first place.

This doesn't inspire trust in me towards the two remaining claims (session IDs and readfile executing PHP), which I have no personal experience with.

You do not have to trust me, just dive into the subjects a bit and hear a bit more about the topics from other experts. Escaping data does not prevent problems. XSS can be inserted into PDO strings (if you know what you are doing). Not knowing how queries work should also prevent people from even trying to write them.

You may be confusing XSS and SQL injection. PDO bound parameters prevent the latter, but don't need to do anything about the former. Context-sensitive escaping is what will prevent potentially harmful strings, safely stored in the database with PDO, from affecting end users.

And not knowing anything about something has never prevented anyone from trying it anyway. Hence the ORM suggestion.
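As an added example (not part of this thread and not Friendica's own code), here is the approach the replies above describe: the raw string is stored with PDO bound parameters, and escaping is chosen at output time for each HTML context. It assumes the pdo_sqlite extension is available and uses a constructed in-memory database and constructed sample input.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application database.
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$pdo->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');

// Constructed hostile input: harmless to the SQL layer, dangerous if echoed raw.
$title = '" onmouseover="alert(1)';                       // breaks out of an attribute value
$body  = "Hi <script>alert('xss')</script> & 'quotes'";   // breaks a text node

// Store the strings untouched: bound parameters keep them out of the SQL grammar,
// so nothing is "SQL-escaped" and the stored data stays readable.
$stmt = $pdo->prepare('INSERT INTO posts (title, body) VALUES (:title, :body)');
$stmt->execute([':title' => $title, ':body' => $body]);

$row = $pdo->query('SELECT title, body FROM posts WHERE id = 1')->fetch(PDO::FETCH_ASSOC);

// Escaping happens here, once per output context. Had the data been escaped before
// storage, the text node below would show a double-escaped "&amp;lt;script&amp;gt;".

// 1. Text node: neutralise <, > and & (ENT_QUOTES also covers quotes, harmless here).
$text = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// 2. Attribute value: ENT_QUOTES is mandatory and the value must be wrapped in quotes.
$attr = htmlspecialchars($row['title'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// 3. URL query parameter inside an href: percent-encode for the URL first,
//    then escape the whole URL for the attribute it sits in.
$url     = 'search.php?q=' . rawurlencode($row['title']);
$urlAttr = htmlspecialchars($url, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

// 4. Inline JavaScript string: JSON-encode with the HEX flags so "</script>"
//    and quotes are emitted as \u escapes and cannot close the script block.
$js = json_encode(
    $row['body'],
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
);

echo "<p>$text</p>\n";
echo "<input type=\"text\" value=\"$attr\">\n";
echo "<a href=\"$urlAttr\">search</a>\n";
echo "<script>var body = $js;</script>\n";
```

Each of the four outputs shows the same stored string encoded differently; the attribute escaping is only safe because the echo wraps the value in quotes.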

I'll just piggy-back on the personal bookmark here, exactly what I needed...