Here are a few concerns we should take into consideration when developing an application in PHP.
Error reporting can help us avoid a very common class of mistakes that adds vulnerabilities to PHP applications. On a production website display_errors will be Off, so as developers we rarely look at it. During development, however, error reporting shows us whether we are making any common mistakes. From a security point of view, the most common one is relying on an uninitialized variable (for example, a flag such as $authorized that is only assigned on one code path). We should develop with error_reporting set to E_ALL (older posts suggest E_ALL plus E_STRICT; since PHP 5.4 E_STRICT is already included in E_ALL). With errors displayed in the development environment, no uninitialized variable goes unnoticed.
ini_set('error_reporting', E_ALL | E_STRICT);
We should set this in a common file included by every page so that the value can be changed in one place. Additionally, we can use something like the following to log all errors to a file instead of the screen, so that if the file accidentally ends up on the production server nothing is exposed to visitors (note the original snippet had a typo, 'error_reorting', which would silently set a non-existent directive):
<?php
ini_set('error_reporting', E_ALL | E_STRICT); // or simply error_reporting(E_ALL); on PHP 5.4+
ini_set('display_errors', 'Off');             // never show raw errors to visitors
ini_set('log_errors', 'On');                  // but keep them for developers
ini_set('error_log', 'FullPathToLogFile/error_log.txt'); // path is a placeholder; keep it outside the web root
?>
E_STRICT warns about code that works today but is likely to break in future PHP versions (deprecated functions themselves are reported by E_DEPRECATED). It helps the interoperability and forward compatibility of our code. Note that E_STRICT has been part of E_ALL since PHP 5.4 and has had no effect of its own since PHP 7, so on modern PHP error_reporting(E_ALL) is sufficient.
ini_set('error_log', 'FullPathToLogFile/error_log.txt'); makes PHP create the file named in the directive if it does not exist, provided the web server user can write to that directory. Choose a location outside the document root: a log inside the web root can be downloaded by anyone who guesses its name, and it may contain file paths, SQL fragments and other details useful to an attacker.
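The following bootstrap file is an added example, not code from the original post. It puts the settings above into one include, switches between development and production based on an assumed APP_ENV environment variable, uses an assumed log path outside the web root, and adds the part the post only describes in prose: every notice (including an uninitialized variable) becomes an exception that is logged in full, while the visitor only sees a reference number to quote when reporting the problem.

```php
<?php
// bootstrap.php - include this from every page. Added example; assumes APP_ENV is set
// by the web server ("production" or "development") and that /var/log/myapp exists
// and is writable by the PHP process. Both are assumptions for illustration.
declare(strict_types=1);

$isProduction = (getenv('APP_ENV') ?: 'development') === 'production';

error_reporting(E_ALL);                                  // report everything, in every environment
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/myapp/php_error.log');    // assumed path, outside the document root
ini_set('display_errors', $isProduction ? '0' : '1');    // only developers see raw errors on screen

// Turn warnings and notices into exceptions so an uninitialized variable
// cannot be silently treated as null/false on one code path.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    if (!(error_reporting() & $severity)) {
        return false;                                    // suppressed with @, let PHP handle it
    }
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// Log full detail for developers; show the user a customised message with a
// reference id they can quote, never the stack trace or file paths.
set_exception_handler(function (Throwable $e) use ($isProduction): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d', $ref, get_class($e),
                      $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    if ($isProduction) {
        echo 'Something went wrong. Please contact support and quote reference ' . $ref . '.';
    } else {
        echo '<pre>[' . $ref . '] ' . htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8') . '</pre>';
    }
});

// Demonstration of the effect (remove in real code): on every PHP version with E_ALL,
// reading $authorized before assigning it raises an error that the handlers turn into
// a logged exception instead of a silent "not authorized" that could just as easily
// have been a silent "authorized" elsewhere.
if (isset($_GET['demo'])) {
    if ($authorized) {
        echo 'admin area';
    }
}
```

Because the handlers are installed in a shared include, a single edit switches the whole site between showing and hiding details, which is exactly the "one common file" idea from the paragraph above.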
Defense in Depth:
Defense in Depth tells us to use a multilayered security approach: if one layer fails, another layer still protects the system. Redundant security measures are also part of this concept. You have seen it when a site asks for your current password before letting you change the password or other vital information while already logged in. This helps when an attacker has gained access to a logged-in user's session (for example through a stolen cookie or an unattended machine): the session alone is not enough, so the attacker cannot change vital information.
Linux systems apply the related least-privilege concept, where ordinary users and services get only the permissions they need, so one compromised account does not hand over the whole machine. Sometimes these measures annoy application users, so we need to strike a balance between usability and security.
Application developers should try to minimize exposure to sensitive data. For instance, we could echo the username and password on the second page of a registration flow after the user entered them on the first page, but we do not do that: even if the first page used a secure connection, the second page exposes the same very important data again, and every extra exposure is an avoidable risk. Users are expected to remember this information. Similarly, displaying programming errors to a non-programmer user does not help them but gives attackers extra information (file paths, SQL fragments, library versions). So we should show users a customized error message that helps them report the problem, and keep the details in the log.
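The password-change handler below is an added example, not code from the original post, showing the re-authentication layer described above implemented in PHP. It assumes a PDO connection in $pdo, a users table with columns id and password_hash (hashes produced by password_hash()), and the logged-in user's id stored in $_SESSION['user_id']; all of these are assumptions for illustration. The form token and session rotation are extra layers beyond what the paragraph describes, added to show the principle carried through.

```php
<?php
// change_password.php - added example. Assumes $pdo (PDO), a `users` table with
// `id` and `password_hash` columns, and $_SESSION['user_id'] set at login.
declare(strict_types=1);
session_start();

// Read a POST field as a string, rejecting arrays and absent values.
function postString(string $key): string
{
    $v = $_POST[$key] ?? null;
    return is_string($v) ? $v : '';
}

function changePassword(PDO $pdo, int $userId, string $current, string $new): bool
{
    // Layer 1 is the session: it tells us which user is logged in.
    // Layer 2: the user must prove knowledge of the current password right now,
    // so a hijacked session on its own cannot lock the real owner out.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $hash = $stmt->fetchColumn();
    if ($hash === false || !password_verify($current, (string) $hash)) {
        return false;
    }
    if (strlen($new) < 12) {              // minimal policy; adjust to your own rules
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->execute([':h' => password_hash($new, PASSWORD_DEFAULT), ':id' => $userId]);

    // Layer 3: rotate the session id so a previously captured cookie stops working.
    session_regenerate_id(true);
    return true;
}

if (!isset($_SESSION['user_id'])) {
    http_response_code(401);
    exit('Please log in.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Layer 4: the request must carry the token issued with the form, so a
    // cross-site request made by the victim's browser is rejected.
    if (!hash_equals($_SESSION['csrf'] ?? '', postString('csrf'))) {
        http_response_code(403);
        exit('Invalid form token.');
    }
    $ok = changePassword($pdo, (int) $_SESSION['user_id'],
                         postString('current'), postString('new'));
    // Customized message: enough for the user, nothing about the internals.
    echo $ok ? 'Password changed.' : 'Current password incorrect or new password too short.';
    exit;
}

// GET: render the form with a fresh per-session token.
$_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));
$token = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf" value="' . $token . '">'
   . 'Current password: <input type="password" name="current"><br>'
   . 'New password: <input type="password" name="new"><br>'
   . '<button type="submit">Change</button></form>';
```

The two error paths in changePassword() deliberately return the same value, so the response does not reveal which check failed. The failure message shown to the user covers both cases in plain language while the specifics stay with the developer.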
Track Data all the time:
Track and identify incoming and outgoing data all the time. A simple mechanism for identifying the data that came in as input and the data that is about to leave the system helps with auditing. When we use $_REQUEST we do not care how the data arrived, from POST or GET, and depending on the request_order and variables_order settings $_REQUEST may also include cookies, so a value we expect from a form can just as well be supplied in the URL or a cookie. It is better to read $_POST or $_GET, depending on the way the data is supposed to arrive. Likewise, instead of directly accessing a variable such as $username when register_globals is on, reading it explicitly from $_POST or $_GET reduces the risk even if register_globals is on in the deployment environment (register_globals was removed in PHP 5.4, but the habit of naming the source of every input still pays off).
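The search page below is an added example, not code from the original post. It shows the approach from this section carried through: insist on the expected HTTP method, read each value from the superglobal that matches it (filter_input() reads the original GET data even if a cookie or POST field of the same name exists), validate it, log what came in, and escape what goes out. The page name, parameter names and log format are assumptions for illustration.

```php
<?php
// search.php - added example. Expects GET ?q=<text>&page=<n>. No database is involved;
// the point is the handling of the input and output, not the search itself.
declare(strict_types=1);

// 1. The page is meant to be reached by GET only, so say so explicitly.
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    http_response_code(405);
    header('Allow: GET');
    exit('This page accepts GET requests only.');
}

// 2. Read from the source we expect, not from $_REQUEST, and validate at the same time.
//    A POST body or cookie named "q" or "page" has no effect here.
$query = filter_input(INPUT_GET, 'q', FILTER_DEFAULT);                   // string, null or false
$page  = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 1, 'max_range' => 1000, 'default' => 1]]);

if (!is_string($query) || $query === '' || strlen($query) > 100) {
    http_response_code(400);
    exit('Missing or invalid search term.');
}

// 3. Track what came in: one line per request makes later auditing possible.
//    json_encode keeps control characters and quotes from corrupting the log line.
error_log(sprintf('search input: q=%s page=%d ip=%s',
                  json_encode($query), $page, $_SERVER['REMOTE_ADDR'] ?? '-'));

// 4. Track what goes out: the value is user-controlled, so escape it for the
//    context it is emitted into (HTML here), never reuse it raw.
$safeQuery = htmlspecialchars($query, ENT_QUOTES, 'UTF-8');
printf('<p>Results for <strong>%s</strong>, page %d</p>', $safeQuery, $page);
```

Keeping the validated value in a local variable ($query, $page) rather than referring back to the superglobal throughout the page gives every later line one obvious place where the data was checked, which is what "tracking" the data means in practice.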