Some security tips for php
If you're working with PHP, here are some of the main things I've learned that you or your host should do to avoid getting your site hacked.
In your php.ini file, set the following configuration variables.
register_globals = Off
As it says in the .ini file:
; You should do your best to write your scripts so that they do not require
; register_globals to be on; Using form variables as globals can easily lead
; to possible security problems, if the code is not very well thought of.
Most scripts will work with register_globals = Off.
Or you can use this script and just include it in your scripts.
Example: Copy and save it as loadenv.php, then at the beginning of your script put:
include "loadenv.php";
Two other important configuration variables that should be turned off:
allow_url_fopen = Off
allow_url_include = Off
These are important. Suppose you have an index page that uses a URL variable to include a page, like http://www.blabla.com/index.php?pageID=main
Then in index.php you have something like:
if ($pageID) {
    include $pageID . ".php";
    // which should actually be something like
    // include "/home/to/my/web/" . $pageID . ".php";
    // (prefixing a local directory stops remote URLs, but $pageID itself still needs validating)
}
then the hacker does something like:
Do you see where I'm going with this?
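The safe way to handle that pageID parameter is to never build an include path from user input at all. The following is an added example, not code from the original post; it assumes a hypothetical page directory /home/to/my/web/pages/ (a placeholder) and an allowlist of page names, with a realpath() check as a second line of defence.

```php
<?php
// Added example, not part of the original post. PAGE_DIR is a placeholder path.
define('PAGE_DIR', '/home/to/my/web/pages/');

// Safest option: an explicit allowlist. The user-supplied value is only ever
// used as a lookup key, never as part of a file name or URL.
$allowedPages = array(
    'main'    => 'main.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

// Map the request parameter to a known file; anything unknown gets the default page.
function resolve_page($pageID, array $allowed) {
    if (!is_string($pageID) || !isset($allowed[$pageID])) {
        return $allowed['main'];
    }
    return $allowed[$pageID];
}

// Defence in depth: confirm the final path really lies inside PAGE_DIR before
// including it. realpath() collapses any "../" components and returns false
// for files that do not exist, so a traversal attempt or a remote URL never
// reaches include().
function safe_include($fileName) {
    $target = realpath(PAGE_DIR . $fileName);
    $base   = realpath(PAGE_DIR);
    if ($target === false || $base === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;                      // outside the page directory, or missing
    }
    include $target;
    return true;
}

$pageID = isset($_GET['pageID']) ? $_GET['pageID'] : 'main';
if (!safe_include(resolve_page($pageID, $allowedPages))) {
    http_response_code(404);
    echo 'Page not found';
}
```

With this pattern the allow_url_include and allow_url_fopen settings become a backstop rather than the only thing standing between the request and an arbitrary include.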
You can check what values are set in your config file by calling this PHP function in a .php page.
<?php phpinfo(); ?>
