only quoting all user input is not enough
Direct call of included file
Quick solutions: There are many. The one I prefer: wrap the code of the included file in a function and call that function from the main file, so that requesting the included file directly executes nothing.
Output of unchecked user input, XSS (Cross-Site Scripting)
Quick solutions: Pass all user input through htmlentities() before outputting it (except if the output goes into a textarea).
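An added example (not code from the original page) of the escaping step in practice. The helper `e()` and the sample comment string are constructed for illustration:

```php
<?php
// Added example: escape user input at the point of output.
// e() is a hypothetical helper name, not part of the original page.

/** Escape a string for safe insertion into HTML text or attribute values. */
function e(string $value): string
{
    // ENT_QUOTES also converts single quotes, so the result is safe inside
    // attribute values quoted with either kind of quote. Always name the
    // charset explicitly so the escaping matches the page encoding.
    return htmlentities($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input, as it might arrive from a comment form.
$comment = '<script>alert(1)</script>';

// Vulnerable: the raw value becomes markup and the script runs in the browser.
echo '<p>' . $comment . '</p>';

// Safe: the same value is rendered as literal text.
echo '<p>' . e($comment) . '</p>';
// Output: <p>&lt;script&gt;alert(1)&lt;/script&gt;</p>

// Safe in an attribute too, because quotes are escaped as well.
echo '<input name="comment" value="' . e($comment) . '">';

// Escaping inside a textarea is harmless as well: the browser shows the
// decoded text, and a value containing "</textarea>" cannot close the element.
echo '<textarea name="comment">' . e($comment) . '</textarea>';
```

Escaping belongs at output time, not at input time: the same stored value may later be written into HTML, into a JSON response or into a log file, and each of those needs its own encoding.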
The name of an included file does not end with .php
Quick solutions: Always give your included files a name that ends with .php
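As an added example covering both of the previous two items (not code from the original page), here is an included file whose entire body sits inside a function, saved under a name ending in .php, and the main file that calls it. The file names `lib/greeting.php` and `index.php` are assumptions:

```php
<?php
// ---- lib/greeting.php (hypothetical name; it must end in .php) ----
// Everything is inside a function, so a direct request to this file
// defines the function and then produces an empty page. Because the name
// ends in .php the server runs it through the PHP engine instead of
// serving its source code to the visitor.

function render_greeting(string $name): string
{
    // The real work happens only when the main file calls us.
    return '<p>Hello, ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// ---- index.php ----
// require_once loads the definition above; only this file decides when
// the function actually runs and with which input.
require_once __DIR__ . '/lib/greeting.php';

echo render_greeting($_GET['name'] ?? 'guest');
```

Had the included file been named `greeting.inc` and contained code at file scope, a request for it would have either executed that code out of context or, on a server without a handler for `.inc`, shown the source text to the visitor.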
Unchecked extension on an uploaded file
Quick solutions: Never let users upload arbitrary files. Make sure that they can only upload files with the extensions they actually need.
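An added example (not code from the original page) of an upload handler that enforces such an extension whitelist. The form field name `document`, the list of allowed extensions and the `uploads` directory are assumptions:

```php
<?php
// Added example: accept only whitelisted extensions and never keep the
// client's file name. Paths and field names are assumptions.

const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
const UPLOAD_DIR = __DIR__ . '/uploads';   // assumed; ideally outside the web root

/** Store an entry of $_FILES; returns the stored path or null when rejected. */
function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }

    // Use only the extension of the client-supplied name, lower-cased so
    // "PHP" or "Php" cannot slip past a case-sensitive comparison.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;   // .php, .phtml, .htaccess and friends end here
    }

    // Generate the stored name ourselves: the client never chooses it, so a
    // name like "shell.php.jpg" becomes "<random>.jpg" and stays a plain image.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    // move_uploaded_file() refuses anything that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640);   // readable by the server, not executable
    return $target;
}

if (isset($_FILES['document'])) {
    $stored = store_upload($_FILES['document']);
    echo $stored === null ? 'Upload rejected.' : 'Upload stored.';
}
```

The whitelist is the important part: a blacklist of "dangerous" extensions always misses one. Renaming the file on the server side is what makes double extensions harmless, and checking the actual content type with `finfo_file()` is a sensible extra step where the application only expects images.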
Access Rights
Quick solutions: Access rights for
- directories: 710 (or 711 if needed)
- upload directories: 770 (or 777 if needed)
- files: 640 (or 644 if needed)
- user-manageable files: 660 (or 666 if needed)
Always set the rights as restrictive as possible
Login data (username and password) is saved in cookies
Quick solutions: Never save username and password in a cookie.
Always use a session id in the cookie and store username and password as a session variable.
Error messages reveal a starting point for an attack
Quick solutions: Set error_reporting(0) or provide your own error handler.
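An added example (not code from the original page) of the second option, a custom handler. The visitor gets a generic message, while the full detail still reaches a log the developers can read; the log path is an assumption:

```php
<?php
// Added example: keep error detail out of the response, but not out of the log.
// The log file path is an assumption.

error_reporting(E_ALL);                  // report everything to us ...
ini_set('display_errors', '0');          // ... but display nothing to visitors
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');   // assumed; outside the web root

// Warnings and notices: log file, line and message; return true so PHP's
// own output (which would reveal the path) is skipped.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log(sprintf('[%d] %s in %s:%d', $errno, $errstr, $errfile, $errline));
    return true;
});

// Uncaught exceptions: same logging, then a response that names no file,
// query or library.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
    exit;
});
```

The difference from `error_reporting(0)` is that nothing is lost: the same message that must not reach the visitor is usually the one you need when investigating what happened.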
A misconfigured server gives away information about your project’s file organization
Quick solutions: Put a dummy index.html and index.php in every directory
Login form uses GET method
Quick solutions: Always submit a username and password with the POST method.
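An added example (not code from the original page) that covers both the cookie item above and this one: a login form that submits with POST and, after a successful check, keeps only a session id in the browser. The user lookup `find_user_by_name()`, its sample record and the redirect target are assumptions; the example keeps the user id and name in the session, since the password itself is not needed once it has been verified:

```php
<?php
// Added example: session-based login over POST. find_user_by_name(), the
// sample user and the redirect target are assumptions.

session_start();

/** Hypothetical lookup; a real application queries its user table here. */
function find_user_by_name(string $username): ?array
{
    // Constructed sample record with a password hash, never a plain password.
    $users = [
        'alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
    ];
    return $users[$username] ?? null;
}

// Credentials are read from POST only. With GET they would sit in the URL,
// the browser history, the Referer header and the server's access log.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = find_user_by_name($_POST['username'] ?? '');
    if ($user !== null && password_verify($_POST['password'] ?? '', $user['hash'])) {
        session_regenerate_id(true);          // fresh id on login, against session fixation
        $_SESSION['user_id']  = $user['id'];
        $_SESSION['username'] = $_POST['username'];
        header('Location: /');                // assumed landing page
        exit;
    }
    $error = 'Invalid username or password.';
}

// The only thing the browser stores is the session cookie set by
// session_start(); username and password never appear in a cookie.
?>
<form method="post" action="">
  <?php if (isset($error)): ?>
    <p><?= htmlentities($error, ENT_QUOTES, 'UTF-8') ?></p>
  <?php endif; ?>
  <label>Username <input name="username"></label>
  <label>Password <input name="password" type="password"></label>
  <button type="submit">Log in</button>
</form>
```

A protected page then only has to check `isset($_SESSION['user_id'])`; the session data lives on the server, so the visitor cannot edit it the way a cookie value can be edited.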
The name of an included file is constructed from user input and executed (Remote File Inclusion)
Quick solutions: Only include predefined files
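An added example (not code from the original page) of including only predefined files: the request parameter selects a key in a fixed map and is never used as part of a path. The page names and file paths are assumptions:

```php
<?php
// Added example: a fixed map from request value to file. The page names and
// the pages/ directory are assumptions.

const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

/** Map the requested page name to a file we chose in advance. */
function resolve_page(?string $requested): string
{
    // The user value is only ever a lookup key. It is never concatenated into
    // a path, so "../", "http://", or any other value simply fails the lookup.
    if ($requested !== null && array_key_exists($requested, PAGES)) {
        return PAGES[$requested];
    }
    return PAGES['home'];   // unknown value: fall back, do not guess
}

// The pattern this item warns about builds the path from the request:
//   include $_GET['page'] . '.php';
// The safe version includes only a file that exists in the map above:
include __DIR__ . '/' . resolve_page($_GET['page'] ?? null);
```

A validation that merely strips dangerous characters from the parameter is weaker than this: it must anticipate every trick, whereas the map can only ever produce one of the three paths written in the source.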