Educause Security Discussion mailing list archives

Re: PHP Security


From: "H. Morrow Long" <morrow.long () YALE EDU>
Date: Wed, 23 Nov 2005 06:46:17 -0500

On Nov 23, 2005, at 12:17 AM, Tim Lane wrote:
just wondering if anyone is aware of recommended guides for PHP security, or good free PHP vulnerability scanners?


From Google;

  PHP Security Consortium
Founded in January 2005, the PHP Security Consortium (PHPSC) is an international group of PHP ... PHP Security Consortium work is organized into projects. ...
  phpsec.org/

    PHP Security Consortium: PHP Security Guide
PHP Security Guide. Table of Contents ... 6. About · 6.1 About This Guide · 6.2 About the PHP Security Consortium · 6.3 More Information ...
    phpsec.org/projects/guide/

Books from Amazon;

  Essential PHP Security by Chris Shiflett (Paperback)
Buy new: $19.77 Used & new from $18.94 Usually ships in 24 hours
        
  Pro PHP Security (Pro) by Chris Snyder, Michael Southwell (Paperback)
Buy new: $29.69 Used & new from $19.88 Usually ships in 24 hours
        
  php|architect's Guide to PHP Security by Ilia Alshanetsky, Rasmus Lerdorf (Contributor) (Paperback)
Buy new: $21.77 Used & new from $21.55 Usually ships in 24 hours
        
PHP Security & Cracking Puzzles by Maxim Kuznetsov (Paperback)
Buy new: $26.37   Not yet released.

I also found several web and web apps vulnerability testing tools which claim to test PHP scripts but they are not free and I don't have any experience with them. See below. These claim to be able to check previously unknown and custom-written PHP scripts. Apparently hiding the source to your PHP scripts is also desirable and a product niche.

Some of the general network vulnerability test tools (nessus, ISS, Retina, etc.) as well as some open source specific web vulnerability test tools (Whisker, Nikto) may also test PHP -- e.g. for the presence of the well known vulnerable scripts but unlikely to look for and test new unknown/custom PHP scripts.

Protect your PHP Scripts -- IP/MAC lock, time limit & more with advanced encoder tools from ionCube -- www.ioncube.com
        
How to Secure Web Apps -- Automated vulnerability testing: SQL injects, XSS, buffer overflows -- cenzic.com/whitepapers

PHP security scanner
Check your PHP scripts for
vulnerabilities with Acunetix WVS.
www.acunetix.com/wvs/

Bytecode PHP Encoder
Bytecode encoder with encryption
to protect your PHP source code
www.phpshield.com

Compiled PHP Encoding
Protection for your PHP scripts
Protect. Encrypt. Secure
sourceguardian.com

PHP Security Consulting
We fix PHP security problems.
Fast!
www.maysecltd.com
