1- Do not save included files with the .inc extension (e.g. FileName.inc), since the server may serve them as plain text!
Use FileName.class.php or FileName.include.php instead.
Alternatively, use an .htaccess file to control access to those files:
<FilesMatch "\.(htaccess|inc)$">
    Order Allow,Deny
    Allow from localhost
    Allow from 127.0.0.1
    Deny from all
    # Or map the extensions to the PHP handler so they are executed, never served as source
    AddType application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
    AddHandler application/x-httpd-php .inc .php .php3 .php4 .php5 .php6 .phphtml
</FilesMatch>
Speed:
2- DON'T open and close PHP tags excessively.
Security & optimization:
3- Start your PHP classes with a __construct function (or a function named after the class):
class MyClass
{
    public function __construct()
    {
        # Code...
    }
}
# Or
class MyClass
{
    public function MyClass()
    {
        # Code...
    }
}
If you do not use class inheritance, mark your classes and functions with the final keyword:
final class MyClass
{
    final public function MyClass()
    {
        # Code...
    }
    final private function MyFunction()
    {
        # Code...
    }
}
Security:
4- Don't store passwords, or values you later display or trust, in cookies (a user can change them)!
Security:
5- If you do not use object cloning, add a __clone function to your class that refuses cloning (that is the safe choice):
class MyClass
{
    public function __clone()
    {
        # Cloning this class is never expected, so stop the script
        exit;
    }
}
Security & speed & optimization:
6- Use $_REQUEST instead of $_GET & $_POST ($_REQUEST covers both the POST and GET facilities).
Security & optimization:
7- DON'T use SQLite for HEAVY (lol) software! Because:
No server process is needed. That may be a good point, but it brings a series of large and dangerous problems: file locking, concurrency issues, memory problems, lack of a query cache, binary-data problems, overflow and so on.
Binary safety: to insert data as a binary type you must first encode it, so after every SELECT you must decode the retrieved data again (x times!).
All tables get locked during write operations, so reading and writing stall.
Speed & optimization:
8- PHP's standard string functions are faster than the PCRE functions (test it yourself), if you don't need regular expressions:
str_replace is better than preg_replace.
stristr is better than eregi.
socket functions are better than curl functions.
stream functions are better than curl & fopen functions.
and so on.
Security & optimization:
9- Before using classes & functions, make sure they actually exist!
if (!extension_loaded('mysql')):
    exit('Extension MySQL not loaded.');
endif;
# ...
if (function_exists('mysql_real_escape_string')):
    mysql_real_escape_string(...);
else:
    mysql_escape_string(...);
endif;
# ...
if (function_exists('settype')):
    settype($Str_Input, 'string');
else:
    # fall back to a plain cast and keep the result
    $Str_Input = (string)$Str_Input;
endif;
Security & optimization:
10- Keep your coding conventions fixed and consistent!
There is a difference between (correct):
<input name="InpTxt_Username" type="text" value="" maxlength="15" size="15" id="InpTxt_Username">
and (wrong):
<input type="text" name="InpTxt_Username" id="InpTxt_Username">
They are very different, and the inconsistency invites abuse.
The same applies to the order of CSS properties (wrong):
overflow: hidden; width: 250px; height: auto;
and (right):
width: 250px; height: auto; overflow: hidden;
Very different, and the inconsistency invites abuse.
Also between (correct):
$_REQUEST['FormName'], $_REQUEST['SubmitButtonName']...
and (wrong):
$_GET['FormName'], $_GET['SubmitButtonName']...
Very different, and abuse is possible.
So after writing these (even if they are inserted automatically), stay watchful!
Security & optimization:
11- Don't use the var keyword for properties in your PHP classes (var is not safe!). var == public in PHP 5! Use protected/public/private instead of var.
Speed & optimization:
12- Use self:: and parent:: instead of ClassName::.
Security:
13- A common vulnerability!
/index.php?Module=News&Action=Show&Identity=1&Valid=True...
can become:
/index.php?Module=../!!!!!&Action=Show&Identity=-1'!!!!!&Valid=True...
So be careful! Check & filter all HTTP inputs (User-Agent, query string, POST/GET/REQUEST, Referer...)!
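One way to do that filtering for the URL above, as an added example that is not code from the original post: each parameter is checked against an allow-list or a strict format before it is used, so the "../" and the quoted "-1'" are rejected. The module and action names in the allow-lists are constructed for illustration.

```php
<?php
// Added example, not code from the original post: validating the URL
// parameters from tip 13 before they reach include() or a SQL query.
// Parameter names follow the post; the allowed values are constructed.
const ALLOWED_MODULES = ['News', 'Users', 'Search'];
const ALLOWED_ACTIONS = ['Show', 'List'];

// Returns clean values, or throws on anything outside the allow-lists.
function validate_request(array $request): array
{
    // Module and Action pick a file and a code path: allow-list only,
    // so "../" or any unexpected name is rejected outright.
    $module = $request['Module'] ?? '';
    if (!in_array($module, ALLOWED_MODULES, true)) {
        throw new InvalidArgumentException('Invalid Module');
    }
    $action = $request['Action'] ?? '';
    if (!in_array($action, ALLOWED_ACTIONS, true)) {
        throw new InvalidArgumentException('Invalid Action');
    }
    // Identity is a row id: a positive integer and nothing else,
    // so "-1'" never reaches the query.
    $identity = filter_var($request['Identity'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($identity === false) {
        throw new InvalidArgumentException('Invalid Identity');
    }
    // Valid is a flag: accept only boolean spellings (true/false/1/0/on/off).
    $valid = filter_var($request['Valid'] ?? 'false', FILTER_VALIDATE_BOOLEAN,
        FILTER_NULL_ON_FAILURE);
    if ($valid === null) {
        throw new InvalidArgumentException('Invalid Valid');
    }
    return ['Module' => $module, 'Action' => $action,
            'Identity' => $identity, 'Valid' => $valid];
}

// Constructed inputs: the benign query string and the tampered one from the post.
$good = ['Module' => 'News', 'Action' => 'Show', 'Identity' => '1', 'Valid' => 'True'];
$bad  = ['Module' => '../!!!!!', 'Action' => 'Show', 'Identity' => "-1'!!!!!", 'Valid' => 'True'];
foreach ([$good, $bad] as $input) {
    try {
        $p = validate_request($input);
        // Only validated values may build the include path or the query.
        echo "OK: modules/{$p['Module']}.php, id={$p['Identity']}\n";
    } catch (InvalidArgumentException $e) {
        echo 'Rejected: ' . $e->getMessage() . "\n";
    }
}
```

In a real application the validated Identity still belongs in a prepared-statement parameter, not in a concatenated query string.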
Security:
14- Set the permissions of all files to read-only (including the index.html or index.php in empty folders!).
Security & optimization:
15- Don't use short tags like <? and ?> in your code (short_open_tag), because that option is Off on most servers.
Security & speed & optimization:
16- Defensive programming against DoS/DDoS attacks:
Limit HTTP POST packet size.
Limit request body size.
Limit file upload size.
Use HTTP/output compression.
Optimize client-side code and files.
Don't redirect HTTP errors to the index page (the Referer may also be dangerous!).
Use standard image formats (JPE, JPG, JPEG...).
Handle repetitions & duplicates (forms, URLs, postbacks...).
and so on.
Security & optimization:
17- Create/change your database tables in the UTF-8 charset (NOT Latin!):
charset='utf8' collate='utf8_general_ci'
Software size & optimization:
18- Don't put bad or excessive comments like ####################################... or /////////////////////////////////... in your code (this is web programming, not desktop programming)!
Speed & optimization:
19- Define your class functions as static methods (where possible).
Speed & optimization:
20- Don't use the print statement in web applications!
Security & optimization:
21- Check whether your tables exist before CREATE/DROP during installation (to avoid errors/warnings):
DROP TABLE IF EXISTS `xxxxx`;
CREATE TABLE IF NOT EXISTS `xxxxx`;
Security:
22- Set a password for the database (don't leave the default).
Security & speed & optimization:
23- Proposed options for php.ini:
asp_tags = Off
implicit_flush = On
expose_php = Off
max_execution_time = 60
max_input_time = 60
default_socket_timeout = 60
register_globals = Off (said +9999E+ times).
session.auto_start = 0
DATABASE.allow_persistent = Off
DATABASE.max_persistent = 1
set DATABASE.default_user
set DATABASE.default_password
session.hash_function = 1 (SHA1)
mbstring.func_overload = 0 (http://bugs.php.net/bug.php?id=30766).
Put exec, system, passthru, shell_exec, proc_open, pcntl_exec into the disable_functions option.
safe_mode = On (within reason)
And so on.
Software size & optimization:
24- Clear the contents of index.php & index.html in empty folders (this is web programming, not desktop programming).
Security & speed & optimization:
25- Make an .htaccess file and put these settings into it:
<Limit PUT DELETE OPTIONS CONNECT>
    Order Allow,Deny
    Allow from localhost
    Allow from 127.0.0.1
    Deny from all
</Limit>
<Limit POST GET HEAD>
    Order Allow,Deny
    Allow from all
    Deny From "255.255.255.255"
    Deny From "0.0.0.0"
    Deny From "1.1.1.1"
    Deny From " "
</Limit>
ServerSignature Off
#LimitRequestBody 1024
AddType application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
AddHandler application/x-httpd-php .php .php3 .php4 .php5 .php6 .phphtml
DirectoryIndex index.html index.php index.php3 index.php4 index.php5 index.php6 index.phphtml
Options All -Indexes -ExecCGI -MultiViews
<FilesMatch "\.(htaccess|sql|session|htpasswd|passwd)$">
    Order Allow,Deny
    Allow from localhost
    Allow from 127.0.0.1
    Deny from all
</FilesMatch>
# Hmmm?!...
<Files "robots.txt">
    Order Allow,Deny
    Allow from localhost
    Allow from 127.0.0.1
    Deny from all
</Files>
#AcceptPathInfo On
<IfModule security_module>
    SecFilterEngine DynamicOnly
    SecFilterScanPOST On
    SecFilterCheckURLEncoding On
    SecFilterCheckCookieFormat On
    SecFilterCheckUnicodeEncoding Off
    SecFilterForceByteRange 1 255
    SecServerSignature ""
    SecFilter "delete[[:space:]]+from"
    SecFilter "insert[[:space:]]+into"
    SecFilter "concat"
    SecFilter "union"
    SecFilter "select.+from"
    SecFilter "select+*+from"
</IfModule>
Security & speed & optimization:
26- If you have a multi-language application, don't put all language arrays/variables into one file!
Split them per page instead: global.php, index.php, login.php, menu.php and so on.
Security & optimization:
27- DON'T use $GLOBALS/global (said +9999999E+ times)! It breaks scope, unset is not supported, it is not safe, not secure, not *****!
Security & optimization:
28- A suggestion: use require & require_once instead of include & include_once.
Security:
29- After installing/configuring the software, delete the setup/installation files & folders.
Speed:
30- Use a switch statement instead of multiple conditionals (if, elseif...).
Speed & optimization:
31- Don't put @ (error suppression) in front of heavy functions (or every function!).
Security & speed & optimization:
32- Unset variables, arrays, HTTP request data and so on after use. Please!
unset($variable, $array...);
# ...
unset($_SERVER['QUERY_STRING'], $_SERVER['REQUEST_URI'], ...);
# ...
$obj_myclass = new myclass();
# usage & code...
$obj_myclass = null;
Speed & optimization:
33- Put your short PHP snippets into an HTML file, not a PHP file.
Security & optimization:
34- Use session_unset and session_destroy after you are done with a session (not just session_destroy!).
35- Finally, check the size, resolution and so on of uploaded images!
Otherwise your "image" file can be:
<?php @system($_REQUEST['Command']); ?>
or <?php worm, cookiestealer... ?> or ...
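An added example of that upload check, not code from the original post: it verifies size, real image format and resolution from the file contents (never from the client-supplied name or MIME type), then goes beyond the post's check by re-encoding through GD so bytes appended after the pixel data are discarded. It assumes the GD extension is loaded; the limits and the uploads directory are constructed values.

```php
<?php
// Added example, not code from the original post: checking an uploaded
// image (size, resolution, real format) before storing it, as tip 35
// asks, then re-encoding it. Limits are constructed; $file is one $_FILES entry.
const MAX_BYTES  = 2 * 1024 * 1024;
const MAX_WIDTH  = 4000;
const MAX_HEIGHT = 4000;
const ALLOWED_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png',
                       IMAGETYPE_GIF => 'gif'];

// Returns the extension to store under, or throws. The client-supplied
// file name and MIME type are never consulted.
function check_uploaded_image(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    if (filesize($file['tmp_name']) > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // getimagesize() parses the image header itself, so a PHP script
    // renamed to .jpg is rejected here.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || !isset(ALLOWED_TYPES[$info[2]])) {
        throw new RuntimeException('Not a supported image');
    }
    if ($info[0] > MAX_WIDTH || $info[1] > MAX_HEIGHT) {
        throw new RuntimeException('Resolution too large');
    }
    return ALLOWED_TYPES[$info[2]];
}

// Stores the image under a random, server-chosen name.
function store_uploaded_image(array $file, string $dir): string
{
    $ext  = check_uploaded_image($file);
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    // Re-encoding through GD drops anything appended after the image data.
    $img = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Decode failed');
    }
    $writers = ['jpg' => 'imagejpeg', 'png' => 'imagepng', 'gif' => 'imagegif'];
    if (!$writers[$ext]($img, "$dir/$name")) {
        throw new RuntimeException('Store failed');
    }
    return $name;
}
// Usage: $name = store_uploaded_image($_FILES['Image'], __DIR__ . '/uploads');
```

The uploads directory should additionally sit outside the web root or be served without a PHP handler, so that even a stored file is never executed.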