[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now
shiflett at php.net
Sat Feb 11 11:49:53 EST 2006
> The content of Chris Shiflett's Essential PHP Security from
> O'Reilly is poised right now to be put online as a Wiki.
Can you elaborate? There are no plans to do this, although I've
considered enhancing the PHP Security Guide to be a condensed version of
the book. This would require some negotiation with O'Reilly. :-)
There are a few free resources available online, including two free
chapters and most of the code:
> It should accept about 90 days of moderated updates and then be
> openly promoted as the accepted, standardized "Using PHP
> Securely" guide for all PHP programmers.
Web application security is a young and evolving discipline, so any
useful documentation should evolve as well.
> All PHP tutorials online that are old with insecure practices
> should have a simple one line link right under the tutorial
> title: "This tutorial may contain insecure techniques. See:
> [standardized, industry-supported secure PHP programming article]
> here before you begin."
I know what you mean. Ideally, online resources that teach bad practices
would be corrected, but the sheer magnitude of this problem makes any
> Additionally, I have promoted in this venue before that the
> default php.ini from php.net should be a hardened .ini with shell
> and fopen functions disabled by default.
I definitely agree that allow_url_fopen should be disabled by default,
at least in php.ini-recommended.
> PHP security needs to be further demystified.
Agreed. Given the right background, it's a pretty simple topic.
> Chris's guide is quite sufficient to help engender a positive
> change in the nature of how we all program PHP.
I sure hope so. :-)
Brain Bulb, The PHP Consultancy
More information about the talk