SoftwareSecurity2012/php

PHP

This wiki page collects some info about PHP

• php.net seems a good source of info, eg with a PHP manual which includes a chapter on security, a section on session handling, etc

• MITRE has info on (CWE 661) Weaknesses in Software Written in PHP

• OWASP has a PHP project, which provides some info. OWASP also has a PHP Top 5

• The WACT project provides a lot of (pointers to) PHP-slanted security info

• PHP and the OWASP Top Ten Security Vulnerabilities

• The PHP security consortium (phpsec.org) has produced the PHP Security Guide and collects some pointers to other PHP security info;The website of the PHP security consortium hasn't been updated since 2006, so the initiative apparently died

• http://talks.php.net/ collects some slides of talks on various PHP issues, incl. security issues

• The book "19 Deadly Sins of Software Security" includes PHP-specific info on preventing SQL injection, XSS, Magic URLS and hidden form fields, and information leakage. The book is in the Nijmegen library under 8041HO and there is a copy in the "studielandschap" which cannot be lent out, so should always be there to have a read.
• Articles about PHP security by Chris Shiflett from PHP Magazine and php|architect, on topics such as SQL injection, XSS, sessions, etc.

• XSS Cheat Sheet, not only for php but a general "cheat sheet" with vectors that successfully evaded common and uncommon XSS-protection mechanisms.