I've been listening to Pauldotcom.com security weekly lately and those guys are very, very negative about the security in PHP projects. What is not clear to me is whether it's PHP itself that is insecure or if it's the possibility of getting away with sloppy code that is the cause.
I am planning to start an open source project that I would like to be web based. I would like to use PHP because it's supported by almost all hosting providers. The alternative would be Python using the Django lib.
What is your opinion on security in regard to PHP (projects)?
PHP and security
Bert
Re: PHP and security
There have been some inherent security issues with PHP in the past, but most of those have been addressed to the level that they could be. Pretty much all the problems these days result from sloppy/lazy coding.
Re: PHP and security
Hey, thanks Mr PH Guru,
Are there any protocols you live by to make your PHP projects secure?
IYO, are there specific libraries to avoid?
Bert
Re: PHP and security
Roadsend has a PHP compiler that might help hide code. I have not installed it yet though. I am trying to get up to speed on PHP and MySQL before I try anything fancy.
Re: PHP and security
Django has some nice SQL Injection prevention functions. You can visit http://en.wikibooks.org/wiki/PHP_Progra ... _Injection for some information on how to prevent this in PHP.
Base rule in PHP is NEVER trust anything that comes from $_POST, $_GET or $_COOKIE. Even if you have some information in a dropdown, it doesn't mean the only thing that can be returned on the next page is what you put in there. If you always validate data before you parse it, you should be alright.
P.S. Stay away from eval
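The dropdown point above, as an added example that is not from any poster in this thread: the first function trusts the submitted value and builds SQL by concatenation, the second checks it against a server-side whitelist and binds it through PDO. Table and column names (products, category, price, name) are hypothetical, and the in-memory SQLite DSN is used only so the script runs without a database server (the same PDO code works against MySQL).

```php
<?php
// Added example, not code from the thread. Demonstrates "never trust $_GET":
// the <select> in the browser is only a hint; the request can carry any string.
declare(strict_types=1);

// Allowed values live server-side, independent of whatever the form offered.
const ALLOWED_CATEGORIES = ['books', 'music', 'games'];
// ORDER BY identifiers cannot be bound as parameters, so they are mapped
// through a fixed table instead of being taken from the request.
const ALLOWED_SORT = ['price' => 'price', 'name' => 'name'];

// Vulnerable form: interpolates the dropdown value straight into SQL.
function vulnerableQuery(array $get): string
{
    return "SELECT id, name FROM products WHERE category = '" . $get['category'] . "'";
}

// Hardened form: whitelist first, then a prepared statement with a bound value.
function hardenedQuery(PDO $pdo, array $get): array
{
    $category = $get['category'] ?? '';
    if (!in_array($category, ALLOWED_CATEGORIES, true)) {
        throw new InvalidArgumentException('unexpected category value');
    }
    $sort = ALLOWED_SORT[$get['sort'] ?? 'name'] ?? 'name';

    $stmt = $pdo->prepare("SELECT id, name FROM products WHERE category = :cat ORDER BY $sort");
    $stmt->execute([':cat' => $category]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (hypothetical table) in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, category TEXT, price REAL)");
$pdo->exec("INSERT INTO products (name, category, price) VALUES ('Dune', 'books', 9.5), ('Kind of Blue', 'music', 12.0)");

// A tampered request value changes the meaning of the concatenated query.
echo vulnerableQuery(['category' => "books' OR '1'='1"]), "\n";

// The same value never reaches the database in the hardened version.
print_r(hardenedQuery($pdo, ['category' => 'books', 'sort' => 'price']));
try {
    hardenedQuery($pdo, ['category' => "books' OR '1'='1"]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```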
Re: PHP and security
Thanx for the input. I am learning the new mysql and that will be a great help.