

Personal bookmark: https://www.sqreen.com/checklists/php-security-checklist.html

I doubt I can apply it in its entirety to #Friendica without major rewrites, but I'll try my best!

#php #webdev #security

This is good advice, but it is a bit naive to mention escaping data when it does not help. Escaping data is good to do if it needs to be displayed correctly and saved into databases, that is all.

To prevent misbehaving data you need to filter it before you store it.

And there is one important one I miss too. If people use the readfile function to load files that are stored above the document root, they need to strip it from PHP code, since parsing it will execute the code.

You do not have to trust me, just dive into the subjects a bit and hear a bit more about the topics from other experts. Escaping data does not prevent problems. XSS can be inserted into PDO strings (if you know what you are doing). Not knowing how queries work should also prevent people from even trying to write them.

You may be confusing XSS and SQL injection. PDO bound parameters prevent the latter, but don't need to do anything about the former. Context-sensitive escaping is what will prevent potentially harmful strings, safely stored in the database with PDO, from affecting end users.

And not knowing anything about something has never prevented anyone from trying it anyway. Hence the ORM suggestion.
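An added example (not code from the thread or from Friendica) of the distinction made above: the same user string is stored through PDO bound parameters, which keeps it out of the SQL, and then escaped separately for each output context. It assumes PHP 8 with the pdo_sqlite extension; the function names and the sample input are my own.

```php
<?php
// Added example: bound parameters on the way in, per-context escaping on the way out.
// Uses an in-memory SQLite database so it runs stand-alone (assumes pdo_sqlite).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Constructed input: inert inside the query because it is bound,
// but still dangerous if echoed into a page without escaping.
$userInput = "Nice post'); DROP TABLE comments;-- <script>alert(1)</script>";

// SQL injection defence: the value is bound, never concatenated into the SQL text.
function storeComment(PDO $pdo, string $body): int
{
    $stmt = $pdo->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    return (int) $pdo->lastInsertId();
}

function loadComment(PDO $pdo, int $id): string
{
    $stmt = $pdo->prepare('SELECT body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return (string) $stmt->fetchColumn();
}

// XSS defence: escape for the context the string is emitted into.
function forHtml(string $s): string   // element content or quoted attribute value
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function forJs(string $s): string     // JavaScript string literal inside <script>
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

$stored = loadComment($pdo, storeComment($pdo, $userInput));

// The table survived and the string was stored verbatim, so PDO did its job;
// what reaches the browser still depends on escaping for each context.
assert($stored === $userInput);
echo '<p>' . forHtml($stored) . "</p>\n";
echo '<input value="' . forHtml($stored) . "\">\n";
echo '<script>var c = ' . forJs($stored) . ";</script>\n";
```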

I'll just piggy-back on the personal bookmark here, exactly what I needed...
