Top 10 PHP Mistakes Beginning Developers Make
Posted by Blerz on February 5, 2009
From the NetTuts site comes a list of the top 10 common PHP errors that beginning developers make. I’ve found myself making these many times, though as time goes on, finding and fixing these errors becomes more of a second nature. I do keep a checklist (I will post it soon) of PHP security and usability issues that I go through before I release code into the wild. Read the article, and pay close attention to the security issues mentioned – these are the errors that will get your account turned off by your shared host, or cause your website or web application to become unusable or broken.
Some highlights from the original NetTuts article:
7. Not Protecting Your Session IDs:
A very common PHP security mistake is not protecting session IDs with at least some sort of encryption. Not protecting these session IDs is almost as bad as giving away a user’s passwords. A hacker could swoop in and steal a session ID, potentially giving him sensitive information. MT Soft gives an example of how to protect session IDs with sha1:

```php
<?php
// Compare the SHA-1 hash kept in the session with the hash of the supplied password.
// A strict comparison (===) is used so PHP does not coerce the two hex strings to numbers.
if ($_SESSION['sha1password'] === sha1($userpass)) {
    // do sensitive things here
}
```

Adding the sha1 to the ($userpass) gives an added bit of security to the session. Sha1 isn’t a bulletproof method, but it’s a nice barrier of security to keep malicious users at bay.
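As an added example (not code from this post, NetTuts or MT Soft), here is the same login check wrapped in the session-handling settings that actually protect the session ID: cookie-only IDs, strict mode, Secure/HttpOnly cookie flags, a constant-time hash comparison, and a fresh ID issued after a successful login. It assumes PHP 7 or later, that `$storedHash` is the SHA-1 hash the application keeps for the user, and that the password arrives in `$_POST['password']`.

```php
<?php
// Session hardening around a login step (added example, not from the original page).

// Only accept the session ID from the cookie, never from the URL or POST body.
ini_set('session.use_only_cookies', '1');
// Reject session IDs the server did not generate itself (available since PHP 5.5.2).
ini_set('session.use_strict_mode', '1');
// lifetime 0 (browser session), path "/", any domain, Secure = true, HttpOnly = true:
// the cookie is sent only over HTTPS and cannot be read by client-side JavaScript.
session_set_cookie_params(0, '/', '', true, true);
session_start();

/**
 * Compare the submitted password against the stored SHA-1 hash.
 * hash_equals() (PHP 5.6+) runs in constant time and never applies PHP's
 * loose numeric-string comparison, which == would do on two hex strings.
 */
function passwordMatches(string $userpass, string $storedHash): bool
{
    return hash_equals($storedHash, sha1($userpass));
}

// Assumed inputs: the hash kept for this user and the password from the login form.
$storedHash = $storedHash ?? '';            // placeholder: load from your user store
$userpass   = $_POST['password'] ?? '';

if (passwordMatches($userpass, $storedHash)) {
    // Issue a brand-new session ID and discard the old file, so an ID that was
    // observed or planted before login is no longer tied to the logged-in session.
    session_regenerate_id(true);
    $_SESSION['sha1password'] = sha1($userpass);
    // do sensitive things here
} else {
    http_response_code(403);
}
```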

