Hi there, I offer to create a full security checklist to check (or create test benches) after the creation of the projects. I begin with the very simple ones, hope you add more:

1. SQL Injection
Be sure that inputs don't cause SQL injection. Catch special characters (or character groups) which are meaningful in SQL. Change them with their HTML entities.

2. Have precautions for Flood
Robots or bots may try submitting 1 billion new users to your forum, or they may call your pages so frequently that your other users can't open your pages. Have a control for flood. You can do it on either the system side or the code side.

3. Don't use root as the most privileged user
This can be argued, but for me it's a mistake. When your user name is "root", there's 1 unknown; when it's x, there's 2 unknowns, which makes the security probability p*p.
To add to this, don't forget that % and _ are both special characters in SQL. It is, however, much safer (harder to make mistakes) to limit input to the characters you want (e.g. [a-zA-Z0-9]) than to hope that you have a complete list of all SQL special characters.

IPTables can limit the number of connections an IP address can make in a given time limit and will simply drop packets until the IP address is below the limit again. You can also limit IP addresses by bandwidth in a given time limit. I'm sure other firewalls will have similar capabilities. Filtering such as this should be done as early as possible in the path through your system, as that is where it has had the least impact on the other users of your system.

I don't have a problem with calling your super user "root", but there is no harm in changing it. You should, however, definitely not allow this user to log in over the network. If the root user can log in over the network, then an attacker brute-forcing his way in already knows one username (and it's the most powerful user to boot).

Strangely enough, this post is almost not about PHP at all, but security involves the entire system, so we shouldn't just focus on PHP anyway. Thanks for the tips.
Sorry for bumping this thread, but I thought this PHP security checklist has a lot more good points in securing your code and applications. To sum up, 2 measures can be used to prevent 90% of the attacks happening on your website: 1) don't trust, and filter, anything the users provide as input; 2) escape the output, leaving only the literal part.
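As an added example (mine, not from anyone in this thread), here is the "whitelist the input, escape the output" approach from the second and third posts written out in PHP; the parameterised query via PDO is a standard addition for the SQL-injection point in the first post that the thread itself does not mention, and the function names and the in-memory SQLite table are assumptions made for the demo:

```php
<?php
// Added example (not from the thread): whitelist the input, as post 2
// suggests, and escape on output, as post 3 suggests. Names are my own.

declare(strict_types=1);

// Accept only the characters the application actually needs ([a-zA-Z0-9]),
// with a length bound, rather than trying to enumerate every SQL-special
// character. Returns null on rejection so callers cannot forget the check.
function validate_username(string $raw): ?string
{
    if (preg_match('/^[a-zA-Z0-9]{3,32}$/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// Escape for the HTML context at output time; the stored value stays literal.
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The lookup uses a parameterised query (PDO), the standard mechanism for
// the SQL-injection point in post 1; the thread itself does not mention it.
// SQLite in memory keeps the example self-contained (assumed available).
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data and inputs (not real users).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob42')");

foreach (['alice', 'bob42', "alice' OR '1'='1", '<b>x</b>', '100%_'] as $input) {
    $clean = validate_username($input);
    if ($clean === null) {
        echo 'rejected: ' . escape_html($input) . "\n";   // never reaches SQL
        continue;
    }
    $row = find_user($db, $clean);
    echo ($row ? 'found ' . escape_html($row['username']) : 'no such user') . "\n";
}
```

The three rejected inputs never reach the query at all, and the % and _ wildcard case the second post mentions is handled by the whitelist rather than by a blacklist of SQL characters.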