[nycphp-talk] PHP Security: The Proper Choice Is to Do It Now

Chris Shiflett shiflett at
Sat Feb 11 11:49:53 EST 2006

Hi Peter,

> The content of Chris Shiflett's Essential PHP Security from
> O'Reilly is poised right now to be put online as a Wiki.

Can you elaborate? There are no plans to do this, although I've 
considered enhancing the PHP Security Guide to be a condensed version of 
the book. This would require some negotiation with O'Reilly. :-)

There are a few free resources available online, including two free 
chapters and most of the code:

> It should accept about 90 days of moderated updates and then be
> openly promoted as the accepted, standardized "Using PHP
> Securely" guide for all PHP programmers.

Web application security is a young and evolving discipline, so any 
useful documentation should evolve as well.

> All PHP tutorials online that are old with insecure practices
> should have a simple one line link right under the tutorial
> title: "This tutorial may contain insecure techniques. See:
> [standardized, industry-supported secure PHP programming article]
> here before you begin."

I know what you mean. Ideally, online resources that teach bad practices 
would be corrected, but the sheer magnitude of this problem makes any 
progress difficult.

> Additionally, I have promoted in this venue before that the
> default php.ini from should be a hardened .ini with shell
> and fopen functions disabled by default.

I definitely agree that allow_url_fopen should be disabled by default, 
at least in php.ini-recommended.

> PHP security needs to be further demystified.

Agreed. Given the right background, it's a pretty simple topic.

> Chris's guide is quite sufficient to help engender a positive
> change in the nature of how we all program PHP.

I sure hope so. :-)


Chris Shiflett
Brain Bulb, The PHP Consultancy

More information about the talk mailing list