How to write secure PHP scripts
If your scripts are set to 777 (you can set and view permissions with your
favourite FTP client) then the user nobody, i.e. the account the web server runs
as, and so effectively anyone visiting your site, can potentially edit and
execute files. Chmod'ing all your scripts to 755 will prevent this.
If you are importing user content from flat files, don't use include, as it will
execute any PHP instructions in the file. Instead, read the files as data.
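The include-versus-read distinction in working PHP, as an added example that is not code from the original article; the content directory and the file name are assumed for the demonstration:

```php
<?php
// Added example, not code from the original article.
// User content in a flat file must be read as data: include() would run any
// PHP code an uploader placed in the file, with the web server's rights.

// Assumed layout (constructed for this demo): user files live in one directory.
define('USER_CONTENT_DIR', sys_get_temp_dir() . '/user_content_demo');

// Insecure: the file is parsed and executed as PHP.
function show_user_file_insecure(string $name): void
{
    include USER_CONTENT_DIR . '/' . $name;
}

// Safer: read the bytes, then escape them so the browser treats them as text.
function show_user_file(string $name): string
{
    // Reject empty names, path separators and dot-names such as ".." so the
    // lookup cannot leave USER_CONTENT_DIR.
    if ($name === '' || basename($name) !== $name || $name[0] === '.') {
        return '';
    }
    $data = @file_get_contents(USER_CONTENT_DIR . '/' . $name);
    if ($data === false) {
        return '';
    }
    return '<pre>' . htmlspecialchars($data, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</pre>';
}

// Demo: a constructed file containing a PHP tag is shown as text, never executed.
if (!is_dir(USER_CONTENT_DIR)) {
    mkdir(USER_CONTENT_DIR, 0755);
}
file_put_contents(USER_CONTENT_DIR . '/hello.txt', "Hello!\n<?php echo 'executed'; ?>\n");
echo show_user_file('hello.txt'), "\n";
echo show_user_file('../hello.txt') === '' ? "traversal rejected\n" : "BUG\n";
```

Run it from the command line and the PHP tag from the file appears escaped inside the <pre> block rather than being executed.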
Enabling register_globals in php.ini makes coding easier, as you don't need to
declare variables to be able to accept them from user input. However, this
leaves your code open to attacks (e.g. a request that sets password_ok=1) unless
you are very careful.
If you pass user data to exec() or system(), an attacker can execute shell
commands, for example to delete all your files. You may also wish to disable
such functions in php.ini with
disable_functions = system,exec
Attackers may attempt to inject data into your SQL tables, for example to
overwrite the administrator password. To prevent this, sanitise user input
before it reaches a query, with functions such as addslashes().
If you display PHP errors to users, you may be giving away confidential
information.