Slide 1

Securing your PHP application
Chencha Jacob
August 4, 2015

Slide 2

Basics

Authentication
- Minimum password length
- Require a mix of character classes in passwords
- Don't store the password in the session
- Hash with bcrypt
- Salt
- Expiring passwords
- 2-step authentication
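
The authentication points above carried into working code, as an added example (my code, not from the slides). It assumes PHP 7.1 or later, and the policy values in the two constants (12 characters, bcrypt cost 12) are assumptions to be tuned per deployment:

```php
<?php
// Added example, not from the slides: password policy plus bcrypt hashing and
// verification with PHP's built-in password_* API (PHP 7.1+ assumed).

const MIN_PASSWORD_LENGTH = 12; // assumed policy value
const BCRYPT_COST = 12;         // assumed; tune so one hash takes ~250 ms on your hardware

// Minimum length and a mix of at least three character classes.
function password_meets_policy(string $password): bool
{
    $len = strlen($password);
    // bcrypt ignores everything beyond 72 bytes, so reject longer input rather
    // than let two passwords sharing a 72-byte prefix verify as equal.
    if ($len < MIN_PASSWORD_LENGTH || $len > 72) {
        return false;
    }
    $classes = preg_match('/[a-z]/', $password)
             + preg_match('/[A-Z]/', $password)
             + preg_match('/[0-9]/', $password)
             + preg_match('/[^a-zA-Z0-9]/', $password);
    return $classes >= 3;
}

// password_hash() generates a random salt on every call and embeds it in the
// returned string, so there is no separate salt column to manage.
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Verify at login. password_verify() compares in constant time.
function verify_password(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// True when the stored hash was made with an older cost and should be replaced
// by hash_password() on the next successful login.
function needs_rehash(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Expiring passwords: a password changed more than $maxAgeDays ago forces a reset.
function password_expired(int $changedAtUnix, int $maxAgeDays = 90): bool
{
    return (time() - $changedAtUnix) > $maxAgeDays * 86400;
}

// After a successful login keep only the user id in the session, never the
// password or its hash, and rotate the session id against fixation.
function start_user_session(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Constructed usage (no database involved):
$candidate = 'Correct-Horse-Battery-9';
$hash = hash_password($candidate);
var_dump(password_meets_policy($candidate));
var_dump(verify_password($candidate, $hash));
var_dump(verify_password('wrong password', $hash));
var_dump(needs_rehash($hash));
```

A login handler would call verify_password(), then needs_rehash() and hash_password() to upgrade old hashes in place, then start_user_session(); the 2-step authentication bullet is a separate factor checked after this step and is not covered here.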

Slide 3

Errors
- Make sure error display is disabled
- Make sure errors are logged
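
One way to implement both bullets at application bootstrap, as an added example that is not from the slides. The log path is an assumed placeholder; it should point outside the public folder:

```php
<?php
// Added example, not from the slides: production error handling in PHP.
// Details go to the log; the client only ever sees a generic message.

// Report everything internally...
error_reporting(E_ALL);
// ...but never render it into the response.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
// Log to a file outside the web root (assumed placeholder path).
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/app/php-error.log');

// Turn warnings and notices into exceptions so nothing fails silently.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false; // honours the @ suppression operator
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Top-level exception handler: full trace to the log, generic 500 to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        '[%s] %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/plain; charset=UTF-8');
    }
    echo 'An internal error occurred.';
});

// Fatal errors bypass the exception handler; catch them at shutdown.
register_shutdown_function(function (): void {
    $err = error_get_last();
    $fatal = [E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR];
    if ($err !== null && in_array($err['type'], $fatal, true)) {
        error_log(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
        if (!headers_sent()) {
            http_response_code(500);
        }
    }
});
```

The ini_set() calls are a safety net for the application; the same settings belong in php.ini for the production SAPI so they hold even before this file runs.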

Slide 4

Servers
- Don't put application files in the public folder
- Turn off execution for all files in the public folder except your index file
- Make sure the server is in a secure location

Slide 5

Variables
- Clean all globals: $_GET, $_POST, $_COOKIE and $_REQUEST
- Be wary of automatically set variables as well: $_SERVER, $_ENV
- Be aware of incoming data that contains executable code
- Make generous use of the filter_var function
- Watch out for extreme input values
- Verify that the encoding is what you expect; preferably limit it to UTF-8
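
The points above applied to a constructed request, as an added example (not from the slides): filter_var() with explicit bounds for extreme values, an encoding check before any string handling, and the same scepticism applied to $_SERVER. Field names, limits and the host allowlist are assumptions:

```php
<?php
// Added example, not from the slides: reading request variables through
// filter_var() and explicit checks instead of using the globals raw.

// Integer with explicit bounds: non-numeric, array and out-of-range input
// all fall back to the default instead of reaching the query layer.
function read_page_number(array $query): int
{
    return filter_var($query['page'] ?? 1, FILTER_VALIDATE_INT, [
        'options' => ['default' => 1, 'min_range' => 1, 'max_range' => 10000],
    ]);
}

// E-mail: syntactic validation plus a length cap (254 is the RFC limit).
function read_email(array $post): ?string
{
    $email = $post['email'] ?? '';
    if (!is_string($email) || strlen($email) > 254) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Free text: require valid UTF-8, cap the length, strip control characters.
function read_comment(array $post, int $maxLen = 2000): ?string
{
    $text = $post['comment'] ?? '';
    if (!is_string($text) || !mb_check_encoding($text, 'UTF-8')) {
        return null; // malformed or unexpected encoding: reject, don't guess
    }
    if (mb_strlen($text, 'UTF-8') > $maxLen) {
        return null;
    }
    // Drop C0/C1 control characters except tab, LF and CR.
    return preg_replace('/[^\P{Cc}\t\n\r]/u', '', $text);
}

// $_SERVER is partly client-controlled: HTTP_HOST comes from the Host header.
function read_host(array $server, array $allowedHosts): ?string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    return in_array($host, $allowedHosts, true) ? $host : null;
}

// Constructed sample request (stands in for $_GET, $_POST and $_SERVER):
$query  = ['page' => '99999999999'];
$post   = ['email' => 'user@example.com', 'comment' => "hello\x00world"];
$server = ['HTTP_HOST' => 'attacker.example'];

var_dump(read_page_number($query));                  // out of range -> default
var_dump(read_email($post));
var_dump(read_comment($post));                       // NUL byte removed
var_dump(read_host($server, ['app.example.com']));   // unknown host -> null
```

filter_input() offers the same filters directly against INPUT_GET / INPUT_POST; the array-taking form above is used only so the constructed request can be run from the command line.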

Slide 6

XSS
- Sanitize all incoming HTML and CSS
- Validate all URLs to ensure only safe protocols
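
The URL-protocol bullet as working code, with output encoding for the rendered link, added here as an example that is not from the slides. The allowed scheme list (http, https) and root-relative paths are assumptions; note that FILTER_VALIDATE_URL alone is not enough, because it accepts any syntactically valid scheme:

```php
<?php
// Added example, not from the slides: only let http(s) or root-relative
// links through, and HTML-encode everything that is rendered.

// Returns the URL if it is safe to place in an href, null otherwise.
function safe_link(string $url): ?string
{
    $url = trim($url);
    // Root-relative path on our own site: starts with a single "/" (a second
    // "/" or a "\" would make browsers treat it as protocol-relative).
    if ($url !== '' && $url[0] === '/') {
        $second = $url[1] ?? '';
        return ($second === '/' || $second === '\\') ? null : $url;
    }
    // Syntax check; this alone still passes e.g. javascript: and data: URIs.
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // The scheme allowlist is what actually blocks script-bearing protocols.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Output encoding for HTML body and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a user-supplied link; unsafe targets degrade to plain text.
function render_link(string $url, string $label): string
{
    $href = safe_link($url);
    if ($href === null) {
        return h($label);
    }
    return '<a href="' . h($href) . '" rel="noopener noreferrer">' . h($label) . '</a>';
}

// Constructed inputs covering the cases the check is meant to separate:
$links = [
    ['https://example.com/page',  'absolute https'],
    ['/account/settings',         'root-relative'],
    ['javascript:alert(1)',       'script scheme'],
    ['JAVASCRIPT:alert(1)',       'script scheme, upper case'],
    ['data:text/html,x',          'data scheme'],
    ['//evil.example/x',          'protocol-relative'],
    ['<b>x</b>',                  'not a URL at all'],
];
foreach ($links as [$u, $l]) {
    echo render_link($u, $l), PHP_EOL;
}
```

The first bullet, sanitising rich HTML and CSS that must be kept as markup, is a different problem from encoding: it needs a real HTML sanitiser (for example HTML Purifier) working from an element and attribute allowlist, not regular expressions.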

Slide 7

Files
- Don't trust the self-declared MIME type
- Verify size before accepting; this should preferably happen at many levels
- Avoid code files (php, js, net, etc.)
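
An upload handler that applies all three bullets, added as an example that is not from the slides. The size limit, storage directory and the image-only type list are assumptions; the function is written against one entry of $_FILES, so it runs only inside a real upload request:

```php
<?php
// Added example, not from the slides: accept an uploaded image without trusting
// the client-declared type, name or size.

const UPLOAD_MAX_BYTES = 2 * 1024 * 1024;      // assumed application-level cap
const UPLOAD_DIR = '/var/app/storage/uploads'; // assumed path, outside the public folder

// Content-sniffed MIME type -> extension the file will be stored under.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

// $file is one entry of $_FILES. Returns the stored name or throws.
function accept_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, code ' . (int) $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Size: one more level on top of the web server's body limit and PHP's
    // upload_max_filesize. Check the file on disk, not only the reported size.
    if ($file['size'] > UPLOAD_MAX_BYTES || filesize($file['tmp_name']) > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('File too large');
    }

    // $file['type'] is whatever the client sent; ignore it and sniff the bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported content type: ' . $mime);
    }
    // For images, additionally require that the decoder accepts the file.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Never reuse the client filename or extension: generate a random name and
    // force the extension from the detected type, so no php/js/net file can
    // land on disk under a name the web server might execute.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

// Usage inside a request handler (the form field name is an assumption):
// $stored = accept_upload($_FILES['avatar']);
```

Because the file is written outside the public folder, it is served back through a small PHP endpoint that looks the stored name up and streams the bytes with the detected Content-Type, rather than by the web server directly.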