Introduction

PHP stands for “PHP: Hypertext Preprocessor” and is a popular Open Source scripting language. It is mainly aimed at developing web applications and dynamic web content. Therefore it can easily be embedded into HTML pages. Similar systems are Microsoft’s ASP.NET and JSP from Sun Microsystems. Additional competitors are Macromedia ColdFusion and the application server Zope based on the Python scripting language.

The focus of this paper is on secure programming practices in PHP.

 The secure configuration of both the web server and the PHP interpreter are not within the main scope of this document. However, such topics are addressed wherever they affect the programmer. For example, administrators wish to turn off certain features of the PHP interpreter in order to secure the system. To allow such hardening measures it is important that these features are not used by the PHP developer.

PHP as a programming language is easy to learn and easy to use. This is also the reason for its popularity. Unfortunately, PHP does not only make it easy to write applications, it also comes with certain features that make it easy to write insecure code.

This paper gives guidelines on how to avoid dangerous language constructs and features. Moreover, it gives instructions on how to perform proper security checks that help to defend against common attacks. Each section deals with a specific security problem or function group and is accompanied by a list of recommendations. These recommendations can be used as a checklist during the development phase and for security assessments.