The Artima Developer Community
PHP Buzz Forum
My Top Two PHP Security Practices

Chris Shiflett

Chris Shiflett is a PHP security specialist and creative thinker.
My Top Two PHP Security Practices Posted: Feb 7, 2005 3:11 AM

This post originated from an RSS feed registered with PHP Buzz by Chris Shiflett.
Original Post: My Top Two PHP Security Practices
Feed Title: Chris Shiflett's Blog
Feed URL: http://www.feedburner.com/fb/static/error.html
Feed Description: Author, Consultant, Programmer, Speaker, Trainer

Security is not a simple topic, but I think there is a great deal of value to be had in simplistic summaries of secure programming practices. Like an organization's mission statement, they provide a broad perspective that helps to keep you on track while you focus on the details. It is with this in mind that I have decided to promote my Top Two PHP Security Practices, expressed in eight words:

  • Filter data on input
  • Escape data on output

These are practices that I've been promoting for years, but this is the first time that I've reduced them to such a simplistic list.

I believe that a failure to properly abide by these two practices accounts for a vast majority of all PHP application vulnerabilities. In fact, I am offering a challenge. I believe that at least four of the next five vulnerabilities announced on php|architect's PHP security mailing list will be due to a failure to properly abide by one (or both) of these practices. If I am wrong, I will donate one hundred dollars to the Open Web Application Security Project.

Read: My Top Two PHP Security Practices
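
The two practices above applied to a single request, as an added example that is not part of the original post. The field names, allowlists and table are constructed for illustration; the database step assumes the pdo_sqlite extension and uses bound parameters in place of manual escaping.

```php
<?php
// Constructed sample request standing in for $_POST (assumption).
$request = [
    'username' => 'alice_01',
    'color'    => 'red',
    'comment'  => '<script>alert(1)</script> "quoted" & more',
];

// Filter on input: a value reaches $clean only after passing an allowlist
// check; anything unexpected is rejected rather than repaired.
function filter_request(array $raw): array
{
    $clean = [];
    $username = $raw['username'] ?? null;
    if (is_string($username) && preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username) === 1) {
        $clean['username'] = $username;
    }
    $color = $raw['color'] ?? null;
    if (in_array($color, ['red', 'green', 'blue'], true)) {
        $clean['color'] = $color;
    }
    $comment = $raw['comment'] ?? null;
    // Free text passes on type, length and UTF-8 validity; it is still unescaped.
    if (is_string($comment) && strlen($comment) <= 500 && preg_match('//u', $comment) === 1) {
        $clean['comment'] = $comment;
    }
    return $clean;
}

// Escape on output, HTML context.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$clean = filter_request($request);
if (count($clean) !== 3) {
    exit("Invalid input\n");
}

// Output to the browser: markup in the comment is rendered inert.
echo '<p>', html($clean['username']), ': ', html($clean['comment']), "</p>\n";

// Output to the database: bound parameters keep data out of the SQL text.
$db = new PDO('sqlite::memory:'); // assumption: pdo_sqlite is available
$db->exec('CREATE TABLE comments (username TEXT, color TEXT, body TEXT)');
$stmt = $db->prepare('INSERT INTO comments VALUES (:u, :c, :b)');
$stmt->execute([':u' => $clean['username'], ':c' => $clean['color'], ':b' => $clean['comment']]);
```

The comment passes the input filter unchanged and is only made safe at each output boundary, which is why both practices are needed.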
