17 Security concerns
The Internet is sadly not a safe place, mostly thanks to a small percentage of its users who feel the need to attack other users electronically. The motives vary: sometimes it is monetary gain, where attackers find holes in your code that they can exploit to their advantage, and sometimes it is just for fun. Either way, computer security has been a hot topic for years and does not seem to be improving all that much.
This chapter is split into three distinct parts: part one discusses how to write secure PHP code, covering programming practices that remove the most common classes of exploitable holes (no code is impossible to attack, but most successful attacks rely on a handful of avoidable mistakes); part two discusses how to host PHP on a server where other people can write scripts; and part three discusses using PHP to encrypt and decrypt data.
Topics covered in this chapter are:
- Why register_globals matters
- How to program secure PHP
- Considerations for people who host others' web sites
- Safe mode PHP
- Encryption, simple and advanced
Chapter contents
17.1. Programming secure PHP
17.1.1. register_globals
17.1.2. Choose your file extension carefully
17.1.3. Put key files outside your document root
17.1.4. Remember that most files are public
17.1.5. Hide your identity
17.1.6. Hiding PHP
17.1.7. Restrict general database access
17.1.8. Restrict PHP database access
17.1.9. Denial of service
17.1.10. Pre-initialise important variables to safe values
17.1.11. Be wary of session fixation
17.2. Hosting PHP
17.2.1. Understanding the concerns
17.2.2. Safe mode
17.3. Protecting your data
17.3.1. Data encryption
17.3.2. Terms you need to know
17.3.3. Asymmetric vs. Symmetric
17.3.4. Basic symmetric encryption in action: str_rot13()
17.3.5. Advanced symmetric encryption
17.3.6. Symmetric decryption: mdecrypt_generic()
17.3.7. Changing encryption algorithm
17.3.8. Changing block cipher mode
17.4. Hardened PHP
17.5. Summary
17.6. Exercises
17.7. Further reading
17.8. Next chapter