December 10, 2012, 12:55:13 PM Last edit: December 10, 2012, 01:34:19 PM by Insu Dra
Good read, there are some things I would do slightly differently ...
#1: Know Your Enemy,
2. SQL injection: "mysql_real_escape_string()" is just a fast fix you can use to patch up old/badly written PHP applications. For custom apps people should be using "mysqli::prepare" or "PDO::prepare".
3. File uploads: Validation and file system restrictions are insufficient. File uploads should always be handled by a separate server (like he says in #25 Run Service Per System or VM Instance). If that is not an option for you then store your files as binary data in a database.
#11: Install Suhosin Advanced Protection System for PHP: Follow those instructions and you end up with build tools on your server, that is a big "no no" by itself. If you want to use it, build it on a desktop and package it up for your specific distro. There is no reason at all to have build tools on a production server.
Edit: read comment, it's in there as well ...