PHP Security for Developers

=Frontispiece= =Authentication= =Authorization= =Session Management= =Data validation= =Interpreter Injection= =Canoncalization, locale and Unicode= =Error Handling, Auditing and Logging= =File system= =Distributed Computing= =Administrative Interfaces= =Cryptography= =Configuration= =GNU Free Documentation License= =Reference=
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Forms based authentication
 * 6) Strong Authentication
 * 7) Federated Authentication
 * 8) Positive Authentication
 * 9) Multiple Key Lookups
 * 10) Referer Checks
 * 11) Browser remembers passwords
 * 12) Default accounts
 * 13) Choice of usernames
 * 14) Change passwords
 * 15) Weak password controls
 * 16) Reversible password encryption
 * 17) Automated password resets
 * 18) Brute Force
 * 19) Remember Me
 * 20) Idle Timeouts
 * 21) Logout
 * 22) Account Expiry
 * 23) Self registration
 * 24) CAPTCHA
 * 25) Further Reading
 * 1) Objectives
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Best Practices in Action
 * 6) Principle of least privilege
 * 7) Centralized authorization routines
 * 8) Authorization matrix
 * 9) Controlling access to protected resources
 * 10) Protecting access to static resources
 * 11) Reauthorization for high value activities or after idle out
 * 12) Time based authorization
 * 13) Be cautious of custom authorization controls
 * 14) Never implement client-side authorization tokens
 * 15) Further Reading
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Best practices
 * 6) Exposed Session Variables
 * 7) Page and Form Tokens
 * 8) Weak Session Cryptographic Algorithms
 * 9) Session Token Entropy
 * 10) Session Time-out
 * 11) Regeneration of Session Tokens
 * 12) Session Forging/Brute-Forcing Detection and/or Lockout
 * 13) Session Token Capture and Session Hijacking
 * 14) Session Tokens on Logout
 * 15) Session Validation Attacks
 * 16) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Definitions
 * 6) Where to include integrity checks
 * 7) Where to include validation
 * 8) Where to include business rule validation
 * 9) Data Validation Strategies
 * 10) Prevent parameter tampering
 * 11) Hidden fields
 * 12) ASP.NET Viewstate
 * 13) URL encoding
 * 14) HTML encoding
 * 15) Encoded strings
 * 16) Data Validation and Interpreter Injection
 * 17) Delimiter and special characters
 * 18) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) User Agent Injection
 * 5) HTTP Response Splitting
 * 6) SQL Injection
 * 7) ORM Injection
 * 8) LDAP Injection
 * 9) XML Injection
 * 10) Code Injection
 * 11) Further Reading
 * 12) SQL-injection
 * 13) Code Injection
 * 14) Command injection
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Unicode
 * 6) http://www.ietf.org/rfc/rfc#
 * 7) Input Formats
 * 8) Locale assertion
 * 9) Double (or n-) encoding
 * 10) 	HTTP Request Smuggling
 * 11) 	Further Reading
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Best practices
 * 6) Error Handling
 * 7) Detailed error messages
 * 8) Logging
 * 9) Noise
 * 10) Cover Tracks
 * 11) False Alarms
 * 12) Destruction
 * 13) Audit Trails
 * 14) Further Reading
 * 15) Error Handling and Logging
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Best Practices
 * 6) Defacement
 * 7) Path traversal
 * 8) Insecure permissions
 * 9) Insecure Indexing
 * 10) Unmapped files
 * 11) Temporary files
 * PHP
 * 1) Includes and Remote files
 * 2) File upload
 * Old, unreferenced files
 * 1) Second Order Injection
 * 2) Further Reading
 * 3) File System
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Race conditions
 * 6) Distributed synchronization
 * 7) Further Reading
 * 1) Objective
 * 2) Environments Affected
 * 3) Relevant COBIT Topics
 * 4) Best practices
 * 5) Administrators are not users
 * 6) Authentication for high value systems
 * 7) Further Reading
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Description
 * 5) Cryptographic Functions
 * 6) Cryptographic Algorithms
 * 7) Algorithm Selection
 * 8) Key Storage
 * 9) Insecure transmission of secrets
 * 10) Reversible Authentication Tokens
 * 11) Safe UUID generation
 * 12) Summary
 * 13) Further Reading
 * 14) Cryptography
 * 1) Objective
 * 2) Platforms Affected
 * 3) Relevant COBIT Topics
 * 4) Best Practices
 * 5) Default passwords
 * 6) Secure connection strings
 * 7) Secure network transmission
 * 8) Encrypted data
 * 9) PHP Configuration
 * 10) Global variables
 * 11) register_globals
 * 12) Database security
 * 13) Further Reading
 * 14) No backup or old files
 * 15) Unnecessary features are off by default
 * 16) Setup log files are clean
 * 17) No default accounts
 * 18) Easter eggs
 * 19) Further Reading
 * 1) PREAMBLE
 * 2) APPLICABILITY AND DEFINITIONS
 * 3) VERBATIM COPYING
 * 4) COPYING IN QUANTITY
 * 5) MODIFICATIONS
 * 6) COMBINING DOCUMENTS
 * 7) COLLECTIONS OF DOCUMENTS
 * 8) AGGREGATION WITH INDEPENDENT WORKS
 * 9) TRANSLATION
 * 10) TERMINATION
 * 11) FUTURE REVISIONS OF THIS LICENSE