PHP Programming Security

PHP Security Consortium Launched

Posted by timothy
from the floodgates dept.
Chris Shiflett writes "We're happy to announce the official launch of the PHP Security Consortium (PHPSC). Our mission is 'to promote secure programming practices within the PHP community through education and exposition while maintaining high ethical standards.' You can read the official press release or visit us at phpsec.org."
  • Re:Good to see (Score:5, Informative)

    by shiflett (151538) on Monday January 31, 2005 @11:14PM (#11536462) Homepage

    I guess you missed the PHP Security Guide [phpsec.org]?

    :-)

  • by shiflett (151538) on Monday January 31, 2005 @11:51PM (#11536762) Homepage
    Drop all insecure legacy features like "register globals".

    As mentioned here [phpsec.org], we recommend that register_globals be left disabled. It has been disabled by default in PHP since version 4.2.0.

    HTML ESCAPE BY DEFAULT.

    This is a poor approach. Data should be filtered on input and properly escaped for its particular purpose on output. Escaping data for one particular purpose on input requires developers to unescape it for any other use, and this unnecessary complexity poses a security risk. Properly educating users as to what functions are there to help properly escape data is our approach. For example, want to avoid XSS? Escape your (already filtered) data with htmlentities(). Want to avoid SQL injection? Use an escaping function specific to your database of choice such as mysql_escape_string().

    Then I'll start to take PHP seriously.

    We are not an advocacy group. Our purpose is to promote secure programming practices within the PHP community, not promote PHP to other groups. PHP is already taken very seriously by some of the web's largest and most heavily trafficked sites.
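The filter-on-input, escape-per-context-on-output approach described in the comment above, as an added example that is not from this thread or from phpsec.org. It assumes PHP with PDO and the pdo_sqlite driver available; the validation rules and the sample form data are constructed for illustration.

```php
<?php
// Filter on input: validate against a strict whitelist and reject anything else.
// The rule below (2-16 letters, digits or underscore) is a constructed example.
function filter_username(string $raw): ?string
{
    return preg_match('/^[A-Za-z0-9_]{2,16}$/', $raw) === 1 ? $raw : null;
}

// Free-form text: check length only, store it raw, and escape it per use on output.
function filter_comment(string $raw): ?string
{
    $trimmed = trim($raw);
    return (strlen($trimmed) > 0 && strlen($trimmed) <= 500) ? $trimmed : null;
}

// Escape on output, for the HTML context only (covers XSS in element content).
function escape_html(string $s): string
{
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}

// Escape on output, for the SQL context only, using the driver's own quoting.
function escape_sql(PDO $db, string $s): string
{
    return $db->quote($s);
}

// Constructed sample input, shaped like what a browser would send in $_POST.
$post = ['username' => 'alice_01', 'comment' => "I'm <b>not</b> \"bold\""];

$username = filter_username($post['username']);
$comment  = filter_comment($post['comment']);
if ($username === null || $comment === null) {
    http_response_code(400);
    exit('invalid input');
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comments (username TEXT, body TEXT)');

// The filtered value is stored unescaped; each use escapes it for its own context,
// so nothing ever has to be "unescaped" for a second purpose.
$db->exec(sprintf('INSERT INTO comments VALUES (%s, %s)',
    escape_sql($db, $username), escape_sql($db, $comment)));

foreach ($db->query('SELECT username, body FROM comments') as $row) {
    echo '<p><b>' . escape_html($row['username']) . '</b>: '
        . escape_html($row['body']) . "</p>\n";
}
```

With a database other than SQLite, swap escape_sql() for that driver's escaping function (or a prepared statement); the HTML escaping stays the same because it depends on the output context, not on the storage.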

  • by Anonymous Coward on Tuesday February 01, 2005 @05:19AM (#11538234)
    Give us some free and good tutorials online as to how to secure PHP code. Show us some old exploits and how to avoid falling in the same traps like that again.

    http://phpsec.org/projects/guide/ [phpsec.org]
    http://phpsec.org/library/ [phpsec.org]

    Give courses all over the world that go in-depth regarding these matters.

    I'm not sure if this counts, but Zend offers online training [zend.com], and one of their advanced courses is Securing PHP Code [zend.com].

    I love working with PHP but the constant screwing around with globals, superglobals and what-have-ye-not really make security a nightmare on it.

    There are two scopes. If that's too many, programming might just not be your thing.

    Those among us who are serious about PHP want actions, not propaganda.

    This is in reply to the bit you quoted? If so, perhaps this will help:

    http://www.answers.com/propaganda [answers.com]
