SecurityGuidelines
Security Guidelines for PHProjekt
- start every script with ...
  if (!defined('lib_included')) die('Please use index.php!');
  ... if it is not called directly, and with ...
  define('PATH_PRE', '../'); include_once(PATH_PRE.'lib/lib.inc.php');
  ... if it is called directly.
- don't use variables in includes
- Variables from the outside
  - don't use the global scope, use $_POST and $_GET
- Variables inside functions
  - use parameters, don't import variables using global
- Variable output
  - if a variable is a number, cast it: echo "value is ".( (int) $_GET['value']);
  - if a variable is a string and can contain HTML that should not be displayed, use htmlentities() with the correct quote style and the current charset (see http://php.net/htmlentities)
  - if a variable is a string and can contain HTML that should be displayed, clean it using the xss function: xss($_GET['myvar']);
  - if a variable is a string and should not contain HTML, use strip_tags()
  - if a variable is used in a URL, escape it using urlencode()
  - if a variable is used as an input value, use htmlspecialchars()
  - if a variable is used inside JavaScript strings, use addslashes()
- Variables in SQL statements
  - if the variable is used as an SQL column, clean it using qss()
  - every variable from the outside is automatically slashed when imported; it does not need to be escaped
  - every variable that is not from the outside should be escaped
  - if the variable is a number, cast it before using it in SQL
- don't use eval(), preg_replace() with the e modifier, or any of the *_callback functions
- avoid using "" with embedded variables; better use '' and concatenation
- and, finally: if you see something done wrong, just fix it!
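The output rules above, one helper per context, as an added example; this is not PHProjekt code, and the charset constant, the helper names and the sample request values are constructed for the example.

```php
<?php
// Added example (not PHProjekt code): one small helper per output context
// named in the guidelines above. PAGE_CHARSET and the $_GET values are
// constructed so the script runs on its own.
define('PAGE_CHARSET', 'UTF-8'); // assumption: the current charset of the page

// Constructed request data standing in for a real $_GET.
$_GET = array(
    'value' => '42abc',
    'name'  => '<b>O\'Neil</b> & "friends"',
    'q'     => 'a b&c=d',
    'js'    => "it's \"quoted\"",
);

// Number: cast it, never echo the raw string.
function out_int($v)
{
    return (int) $v;
}

// HTML body text that must not render as markup: entities, both quote
// styles, current charset.
function out_html_text($v)
{
    return htmlentities($v, ENT_QUOTES, PAGE_CHARSET);
}

// String that must carry no HTML at all.
function out_plain($v)
{
    return strip_tags($v);
}

// Value placed in a URL query string.
function out_url($v)
{
    return urlencode($v);
}

// Value placed in an <input value="..."> attribute.
function out_attr($v)
{
    return htmlspecialchars($v, ENT_QUOTES, PAGE_CHARSET);
}

// Value placed inside a quoted JavaScript string, as the guideline prescribes.
function out_js($v)
{
    return addslashes($v);
}

echo 'value is ' . out_int($_GET['value']) . "\n";
echo '<p>' . out_html_text($_GET['name']) . '</p>' . "\n";
echo '<p>' . out_plain($_GET['name']) . '</p>' . "\n";
echo '<a href="search.php?q=' . out_url($_GET['q']) . '">search</a>' . "\n";
echo '<input type="text" name="name" value="' . out_attr($_GET['name']) . '">' . "\n";
echo "<script>var s = '" . out_js($_GET['js']) . "';</script>\n";
```

Each helper is used only in the context it is written for; an attribute value escaped with urlencode() or a URL parameter escaped with htmlspecialchars() is still wrong even though both look "escaped". Note that addslashes() only escapes quotes, backslashes and NUL, so the JavaScript string it protects must stay inside quotes on one line and must not be emitted where a literal "</script>" in the value would end the script element.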

