PHP Security Basics
(email comments to jsnell -at- e-normous.com, thanks go to stormtide for contributing)
1) if you can keep the user from submitting bogus data, many internal security considerations often become moot
2) if it's open source, make it rock solid
3) validate userland
4) initialize all variables
5) make sure to secure hidden vars, don't assume something is safe or valid because it's not in the URL or entered by a user
6) use a query analyzer on all queries
7) hash session ids
8) hash database ids to prevent people from altering them
9) don't use ARRAYS IN FORMS, such as name="asdf[]"
10) encrypting your database will most likely not improve security
11) lock down your database.
12) disable your database's networking. directly connect your database and web server via a dedicated nic if you can. use a firewall with a global block rule and explicit allow rulesets if you must.
13) do not allow database connections over a public network at any time.
14) use postgresql's ssl layer for even local network database traffic if you can
15) if you're writing a cart, make sure you store all cart data server side. don't store anything like prices in any userland area.
16) limit the data which is sent to userland, such as through a browser or cookie
17) limit the impact of altering such data
18) don't mix secure and insecure services on the same box; if a port is accessible from the internet, don't place services on it that shouldn't be
19) ensure data is valid if you're going to use it in a shellcmd via system(), exec(), etc.
20) make sure that if you are using userland variables to load pages, they can't include files from a parent directory, e.g. page=../../../../etc/passwd
21) keep php/apache/mysql/postgres/sshd/libssl up to date
22) don't try to re-implement register_globals with extract()
23) check mime types of uploaded files, and set max file sizes and max execution time when dealing with file uploads
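An added example (not part of the original list) showing how tips 19 and 20 look in PHP: a page loader that maps user input to an explicit allowlist instead of building an include path from it, and a shell wrapper that validates its argument and passes it through escapeshellarg(). The function names, the page table and the `host` command are assumptions for illustration.

```php
<?php
// Tip 20: never build an include path from raw user input.
// Vulnerable pattern, shown only for contrast:
//   include($_GET['page'] . '.php');   // page=../../../../etc/passwd
function loadPage(string $requested): string
{
    // Map request tokens to files explicitly (assumed layout); anything
    // not in this table is rejected, so "../" never reaches include().
    $allowed = [
        'home'    => 'pages/home.php',
        'about'   => 'pages/about.php',
        'contact' => 'pages/contact.php',
    ];
    if (!array_key_exists($requested, $allowed)) {
        return $allowed['home'];   // safe default, no path echoed back
    }
    return $allowed[$requested];
}

// Tip 19: validate strictly, then escape before anything reaches a shell.
function buildLookupCommand(string $host): string
{
    // Accept plain hostnames only: letters, digits, dots, hyphens.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    // escapeshellarg() single-quotes the value and escapes embedded quotes,
    // so shell metacharacters cannot break out of the argument.
    return 'host ' . escapeshellarg($host);
}

// Constructed sample inputs to show both the accepted and rejected paths.
echo loadPage('about'), "\n";                    // pages/about.php
echo loadPage('../../../../etc/passwd'), "\n";   // pages/home.php
echo buildLookupCommand('example.com'), "\n";    // host 'example.com'
try {
    buildLookupCommand('example.com; rm -rf /');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The allowlist approach also covers tip 3 (validate userland): the check is against a fixed set of known-good values rather than a blocklist of bad characters.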