[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Peter Sawczynec ps at
Mon Feb 6 15:35:20 EST 2006

The content of Chris Shiflett's Essential PHP Security from O'Reilly is
poised right now to be put online as a Wiki. 
It should accept about 90 days of moderated updates and then be openly
promoted as the accepted, standardized "Using PHP Securely" guide for all
PHP programmers.
Then Rasmus and Zeev (and Hans) have to step up and openly support this type
of essential security awareness.
All PHP user groups (like NYPHP) should openly, actively promote secure
programming awareness right in the membership documentation and on every
home page. should have Security as a menu item in the main horizontal menu
right there with Downloads and Documentation.
All PHP tutorials online that are old with insecure practices should have a
simple one line link right under the tutorial title:
"This tutorial may contain insecure techniques. See: [standardized,
industry-supported secure PHP programming article] here before you begin."
Can't wait for PHP 6 and Sandbox environments.
Additionally, I have promoted in this venue before that the default php.ini
from should be a hardened .ini with shell and fopen functions
disabled by default. Open_basedir should expect a mandatory value. 
Save errors to a log should be the default, with the alternative option to
show on the screen. Error_log should expect a mandatory value.
Until further refinement, safe_mode=on.
We have to start somewhere. We have to start now. We can't wait for some
incredible overarching solution or framework that is just going to appear
because that is not the way most progress happens.
Most progress, even in technology, occurs when a person adds another tweak,
another enhancement, another update. 
PHP security needs to be further demystified. Security has to be a basic
building block comparable to learning datatypes.
Chris's guide is quite sufficient to help engender a positive change in the
nature of how we all program PHP.
Someday I really, really want to have a safe online, PHP-driven, Google-like
personal searchable database that catalogs my entire
financial/personal/health/educational/job history and automatically pulls in
the XML-based attributes of all my belongings so that I can
reference/manage/schedule/transfer/purchase/send anything from anywhere in
the world on my biometrically protected cellular/pda/player. 
Only intense trusted security is going to make that possible.
Start now yourself. Employ and propagate essential PHP security everywhere.

Warmest regards,

Peter Sawczynec,
Technology Director
_Design & Interface
_Database Management
ps at
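As an added illustration, not part of Peter's post, here is one way the hardened defaults he argues for could be expressed in php.ini. The directive names are real PHP settings; the paths are placeholders, and reading "fopen functions disabled" as turning off remote URL access via allow_url_fopen is my assumption. safe_mode is kept because the post suggests it as an interim measure, but note that it was deprecated in PHP 5.3 and removed in PHP 5.4, so on current PHP the open_basedir, disable_functions and logging directives carry the weight.

```ini
; Added example, not from the original post: a hardened php.ini fragment.
; All paths below are placeholders to be replaced per deployment.

; Shell-execution functions off by default so a compromised script
; cannot spawn commands on the host.
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; Remote file access off: no fopen() or include of http:// and ftp:// URLs.
; (allow_url_include was introduced in PHP 5.2, after this post.)
allow_url_fopen = Off
allow_url_include = Off

; open_basedir gets a mandatory value: confine file access to the app tree.
open_basedir = /var/www/example-app/

; Errors go to a log by default, never to the visitor's screen.
display_errors = Off
log_errors = On
; error_log gets a mandatory value (placeholder path).
error_log = /var/log/php/error.log

; The post's interim suggestion. Deprecated in PHP 5.3, removed in 5.4;
; drop this line on any PHP release from 5.4 onward.
safe_mode = On
```

The point of the fragment is the posture, not the exact list: each directive converts an opt-in protection into the default, so a script author has to consciously loosen something rather than remember to tighten it.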
