Yet another article that caught my attention. Definitely a good read. A quick explanation of almost everything that developers must look out for. Straight to the point.
This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages. To avoid repeating information covered in the previous article, only the main differences from the process of securing Apache described there will be covered.
As in the previous article, the target operating system is FreeBSD 4.7; the methods presented should, however, also apply to most modern UNIX and UNIX-like systems. This article also assumes that a MySQL database is installed on the host, in the “/usr/local/mysql” directory.
In general, the functionality will be very similar to that described in the previous article, with the following changes:
* The web server must handle the PHP scripting language
* The PHP component must be able to read and write users’ data in a locally installed MySQL database
The following security assumptions have been added:
* The PHP configuration should take advantage of built-in security mechanisms
* PHP scripts must be executed in a chrooted environment
* The Apache server must reject all requests (GET and POST) that contain HTML tags (a possible Cross-Site Scripting attack) or apostrophes/quotation marks (a possible SQL Injection attack)
* No PHP warning or error messages should be shown to the web application’s regular users
* It should be possible to store incoming GET and POST requests in a text file, which makes it possible to use an additional host-based intrusion detection system (HIDS), e.g. swatch.
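As an added illustration of the last three requirements (this is example code written for this summary, not code from the article being reviewed, which may well implement them at the web-server level rather than in PHP), the following pre-filter rejects requests whose GET/POST parameters contain HTML tag delimiters or quote characters, keeps PHP error output away from users, and appends every request as a single line to a log file that a HIDS such as swatch can watch. The log path and the use of `auto_prepend_file` to load it are assumptions.

```php
<?php
// Added example (not from the original article): a request pre-filter meant to
// be loaded via auto_prepend_file in php.ini (assumed deployment).

// Requirement: no PHP warnings or errors reach regular users; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Assumed log location (hypothetical path) for a HIDS such as swatch to watch.
const REQUEST_LOG = '/var/log/httpd/requests.log';

/**
 * True when any parameter key or value contains an HTML tag delimiter
 * (possible XSS) or an apostrophe/quotation mark (possible SQL injection).
 * Keys are attacker-controlled too, so they are checked as well.
 */
function request_is_suspicious(array $params): bool
{
    $pattern = '/[<>\'"]/';
    foreach ($params as $key => $value) {
        // Nested arrays (e.g. tags[]=a&tags[]=b) are checked recursively.
        if (is_array($value)) {
            if (request_is_suspicious($value)) {
                return true;
            }
            continue;
        }
        if (preg_match($pattern, (string)$key) || preg_match($pattern, (string)$value)) {
            return true;
        }
    }
    return false;
}

/** One request as one log line: timestamp, client, method, URI, params, verdict. */
function format_request_line(string $method, string $uri, string $client, array $params, bool $rejected): string
{
    // URL-encoding the parameters keeps the entry on a single line and stops
    // newlines in user input from forging extra entries in the HIDS log.
    $flat = http_build_query($params);
    return sprintf("%s %s %s %s params=%s %s\n",
        gmdate('c'), $client, $method, $uri, $flat, $rejected ? 'REJECTED' : 'OK');
}

function log_request(string $line): void
{
    // FILE_APPEND | LOCK_EX: safe appends from concurrent Apache children.
    file_put_contents(REQUEST_LOG, $line, FILE_APPEND | LOCK_EX);
}

function filter_request(): void
{
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $uri    = $_SERVER['REQUEST_URI'] ?? '/';
    $client = $_SERVER['REMOTE_ADDR'] ?? '-';
    $params = array_merge($_GET, $_POST);

    $rejected = request_is_suspicious($params);
    log_request(format_request_line($method, $uri, $client, $params, $rejected));

    if ($rejected) {
        // Generic response only: no hint about which rule fired, no PHP notice.
        http_response_code(403);
        header('Content-Type: text/plain');
        echo "Request rejected.\n";
        exit;
    }
}

// From the CLI, exercise the checker on constructed sample input instead of
// touching the superglobals.
if (PHP_SAPI === 'cli') {
    $samples = [
        ['user' => 'alice', 'page' => '2'],      // clean: accepted
        ['q' => '<b>hello</b>'],                 // tag delimiters: rejected
        ['name' => "O'Brien"],                   // legitimate apostrophe: also rejected
        ['tags' => ['php', 'apache"']],          // quote in nested value: rejected
    ];
    foreach ($samples as $p) {
        echo (request_is_suspicious($p) ? 'reject' : 'accept'), ' ', http_build_query($p), "\n";
    }
} else {
    filter_request();
}
```

The third sample shows the cost of this rule as the article states it: a plain apostrophe in a surname is rejected along with real injection attempts, so a filter this blunt is a perimeter control to be paired with parameterised queries and output escaping in the application, not a replacement for them. The log line also records accepted requests, so a HIDS rule can alert on a burst of rejections from one client rather than on a single hit.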