Introduction
PHP stands for “PHP: Hypertext Preprocessor” and is a popular
Open Source scripting language. It is mainly aimed at developing web
applications and dynamic web content. Therefore it can easily be embedded into
HTML pages. Similar systems are Microsoft’s ASP.NET and JSP from Sun
Microsystems. Additional competitors are Macromedia ColdFusion and the application
server Zope based on the Python scripting language.
The focus of this paper is on secure programming practices
in PHP.
The secure configuration of both the web server and the PHP interpreter
are not within the main scope of this document. However, such topics are addressed
wherever they affect the programmer. For example, administrators wish to turn
off certain features of the PHP interpreter in order to secure the system. To
allow such hardening measures it is important that these features are not used
by the PHP developer.
PHP as a programming language is easy to learn and easy to
use. This is also the reason for its popularity. Unfortunately, PHP does not
only make it easy to write applications, it also comes with certain features
that make it easy to write insecure code.
This paper gives guidelines on how to avoid dangerous language
constructs and features. Moreover, it gives instructions on how to perform
proper security checks that help to defend against common attacks. Each section
deals with a specific security problem or function group and is accompanied by
a list of recommendations. These recommendations can be used as a checklist
during the development phase and for security assessments.