TalkPHP
#1 Aaron (12-23-2007, 07:27 AM)
Some questions of importance...

1) What information needs to be secured? What is the most effective way of doing so? (Before you tell me to google it, I don't trust google sites to give me everything I need to watch out for. Most of the time it tells me to make sure of this and that in the php.ini file, which I don't have access to.)

2) How would CHMOD be used with PHP scripts? Why would you need to CHMOD things to 777?

3) If I were making a PHP program, how would I encrypt the code if it wasn't open source?

4) What is a good book to learn all about MySQL and PHP, as well as PHP security?

5) Would it be better to make pages function like .../index.php / .../lookhere.php or something like .../index.html / index.html?page='lookhere'? How would I accomplish the second one? (I saw something on the matter a while ago, but I can't find it again, and it just said that it was possible.)

6) Date and time... This is just a note for myself to check it out tomorrow.

7) I am going to attempt to make a member system sometime soon, and I would need a lot of help on it. Would anyone mind giving me their contact info for MSN/AIM and helping me out when I need it? Posting every question on here would be too much, and searching for tutorials every second would take way too long, especially for small problems that I can't figure out.

8) What would be a safe place to store include files in? Is there a good CHMOD to make include files?

9) I like to keep all of my variables, functions, and everything like that in a separate include file, named php_ref.php, and include that in all of my pages... Is that good practice, or a bad habit? Is it totally up to me?

10) I have read a few things on this, but I was still wondering; can #9 cause my pages to load slower or open security risks?

11) Instead of regex, wouldn't htmlspecialchars() work better?


Thanks in advance for any help you can offer.

Last edited by Aaron : 12-23-2007 at 08:17 AM.
#2 xenon (12-23-2007, 08:23 AM)

1. Perhaps the best way to secure stuff is to make sure everything stays where it should (filter ANY user input, make sure only the needed directories/files are 777, and such). Also, always include your files using the absolute path, rather than relative. Regarding the php.ini, some hosts give you the possibility of overwriting settings in the server config by putting your own php.ini file with custom config values into the root of your website.

2. Let's say you have a CMS. From the admin, you can add pictures to pages. First you need to upload the pictures. So, you need to chmod the directory in which you'd like to upload the files to 777 (read+write+execute for everybody - owner, group, world). Otherwise, uploading would fail. Another case: you need to programmatically change a file from your webroot (let's say a config file). If the file weren't chmodded to 777, you wouldn't be able to write to it.
NOTE: 777 might not be the wisest way to gain write access to certain files, but I couldn't write to disk or to an existing file when they were 666, for example.

3. Zend Guard or such.

4. PHP Consortium for security, and PHP 5 Objects, Patterns and Practice by Matt Zandstra sounds interesting, and it's well rated, but I couldn't find it. You could also try PHP 5 Unleashed by John Coggeshall.

5. Apache's mod rewrite extension lets you do that easily. You can learn how to do it from here: mod rewrite forums

7. can't help you there, sorry

8. Perhaps the safest way would be to keep your includes somewhere outside the web root. chmod is not needed, but to respond to your question, 644 is enough for a read-only file (read+write for owner & read for everybody else). The files are automatically chmodded to 644 when created (on *nix systems, on windows they might be 666).

9. I don't think that is a bad practice; it's a practical way, I'd say. I've seen a lot of beginner programmers who don't use functions at all (all of their code is linear and extremely hard to read, or the other category, which scatters all of the functions through the linear code). Whatever fits you, but always think of the easiest and most portable way and of the other web devs who may have to deal with your code later.

10. Generally, no. The including is done server-side, so the included file is not downloaded every time, and it's not included in the output. Slowing your pages could be possible if the included functions generate an enormous output. Security risks? Yes. If you name your functions file php_ref.php.inc (or simply php_ref.inc), and the .inc extension is not marked as 'php parseable' - in httpd.conf, that is - anyone who knows the path to your file could actually see it in the browser. So always use .php as the file extension for PHP scripts when creating a system. But this is not all. Input filtering (not done correctly or not done at all), chmodding to 777 and other problems are possible ways of breaking your system. Check phpsec.org and read there what you should and what you shouldn't do.

Wish ya the best of luck and happy studying :)
__________________
I have optimistic thoughts, even though sometimes (if not always) life's a bitch.
#3 Aaron (12-23-2007, 03:58 PM)

Your post helped a lot, but what about number 11? :3
#4 xenon (12-23-2007, 07:41 PM)

I didn't see #11. What do you mean by regex? regex is an abbreviation for "regular expressions". How would you achieve e-mail address validation using htmlspecialchars, for instance? I don't really see the connection there...

A regular expression (regex or regexp for short) is a special text string for describing a search pattern. (regular-expressions.info).

htmlspecialchars — Convert special characters to HTML entities (php.net)
#5 bdm (12-23-2007, 08:31 PM)

++ for PHP 5 Objects, Patterns and Practice by Matt Zandstra. I'm reading it now and it's very interesting.
#6 Aaron (12-23-2007, 08:42 PM)

That was referring to making text-fields safe.
#7 xenon (12-24-2007, 03:00 PM)

Perhaps as a basic filter, htmlspecialchars would work nicely. But if you need to be really sure you get the right input, you have to filter the input well.
#8 ReSpawN (12-24-2007, 04:45 PM)

Point #7: Do not bite off more than you can chew. Simple as that.

Xenon told you just now to use htmlspecialchars. Filtering on the text-area can also be done with Javascript/AJAX. But I don't reckon you've come quite that far. No offense.

Other methods for filtering and inserting are sprintf/printf, addslashes, strip_tags and of course mysql_(real_)escape_string.
__________________
"Life is a bitch, take that bitch on a ride"
#9 Aaron (12-24-2007, 07:55 PM)

Quote (Originally Posted by ReSpawN):
Point #7: Do not bite off more than you can chew. Simple as that.

Xenon told you just now to use htmlspecialchars. Filtering on the text-area can also be done with Javascript/AJAX. But I don't reckon you've come quite that far. No offense.

Other methods for filtering and inserting are sprintf/printf, addslashes, strip_tags and of course mysql_(real_)escape_string.
I kinda need to get #7 done, though...


New question: What are the default directories for all this stuff? I am looking into uploading, and I have no clue where the default directory is and how to move it from there... When I move a file that has been uploaded, does the path start from the directory where the file that is moving the file is, or does it start at the PHP installation?
#10 ReSpawN (12-24-2007, 08:17 PM)

Quote (Originally Posted by Aaron):
I kinda need to get #7 done, though...


New question: What are the default directories for all this stuff? I am looking into uploading, and I have no clue where the default directory is and how to move it from there... When I move a file that has been uploaded, does the path start from the directory where the file that is moving the file is, or does it start at the PHP installation?
If you mean the root path of the server, it depends on what serverware you have, or perhaps if it's running a virtual server.

I know from experience that Direct Admin uses:
/domains/yourdomain.yourextension/public_html/index.php

and Ensym:
/var/www/httpsdocs/index.php

and of course, localhost:
localhost/index.php (or localhost/yourmap/index.php)

And if you are talking about the PHP program's structure, that kinda depends on the sort of system you are making. I generally use at least /includes, /modules and of course /includes/classes
#11 Aaron (12-26-2007, 03:51 AM)

Quote (Originally Posted by ReSpawN):
If you mean the root path of the server, it depends on what serverware you have, or perhaps if it's running a virtual server.

I know from experience that Direct Admin uses:
/domains/yourdomain.yourextension/public_html/index.php

and Ensym:
/var/www/httpsdocs/index.php

and of course, localhost:
localhost/index.php (or localhost/yourmap/index.php)

And if you are talking about the PHP program's structure, that kinda depends on the sort of system you are making. I generally use at least /includes, /modules and of course /includes/classes
That wasn't what I was talking about...
An HTML page uses itself as a reference point. So if the HTML file is in the directory taco, and a stylesheet is in the directory taco/link, then you would reference the stylesheet as link/stylesheet. Is that the same principle in PHP?
#12 Salathe (12-26-2007, 03:29 PM)

Quote (Originally Posted by Aaron):
Is that the same principle in PHP?
The simple answer is, yes.
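The upload and chmod advice in xenon's answer (#2) and the relative-path question that ends with Salathe's reply fit together in one piece of code, so here is an added example that is not from the thread or from any poster: an upload handler that builds every path from __DIR__ (so it does not depend on the working directory), keeps stored files outside the web root, and checks that the target directory is writable instead of reaching for 777. The /uploads and includes/config.php locations are assumptions.

```php
<?php
// Added example (not from the thread): store one uploaded image outside
// the web root and include config by absolute path. Directory names are
// assumptions; adjust them to your host's layout.
declare(strict_types=1);

// __DIR__ is the directory of this file, so paths built from it do not
// depend on the working directory the way relative paths do.
define('APP_ROOT', dirname(__DIR__));            // e.g. /home/user/app
define('UPLOAD_DIR', APP_ROOT . '/uploads');     // sibling of public_html, not inside it
if (is_file(APP_ROOT . '/includes/config.php')) {  // assumed include; skipped if absent
    require_once APP_ROOT . '/includes/config.php';
}
function storeUpload(array $file, string $dir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }
    // The directory must be writable by the web server user; that is a
    // narrower requirement than 777, so check it rather than chmod blindly.
    if (!is_dir($dir) || !is_writable($dir)) {
        throw new RuntimeException("$dir is not a writable directory");
    }
    // Decide the type from the file's content, never from the client-supplied name.
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("Rejected type $mime");
    }
    // Server-chosen name: no path components or extension taken from the client.
    $dest = $dir . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0644);   // readable by all, writable by owner, never executable
    return $dest;
}

if (isset($_FILES['picture'])) {
    try {
        $saved = storeUpload($_FILES['picture'], UPLOAD_DIR);
        echo 'Stored as ', htmlspecialchars(basename($saved), ENT_QUOTES, 'UTF-8');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo 'Upload rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the file lands outside public_html, it cannot be requested directly; a separate script has to read it and send it, which is where an access check belongs.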
#13 xenon (12-25-2007, 10:34 AM)

Quote (Originally Posted by Aaron):
I kinda need to get #7 done, though...
Dude, I've explained this to you already. The problem is simple:
- you need advanced validation which no one can pass? go with regular expressions then (after cleaning the input of malicious code);
- you don't need validation, and you wish to take any input? then use htmlspecialchars and you'll probably end up with garbage instead of a hack.

As I've said before, it only prevents bad things from happening in most cases, but doesn't provide you with validation techniques or such.
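To make the distinction xenon draws between validating input and escaping it concrete, here is an added example that is not code from the thread: it validates with filter_var and a whitelist regex, stores the data with a PDO bound query in place of the mysql_real_escape_string mentioned by ReSpawN, and applies htmlspecialchars only at the point where HTML is written. The members table and its columns are assumptions.

```php
<?php
// Added example (not from the thread): validate on input, bind on storage,
// escape on output. The members table and its columns are assumptions.
declare(strict_types=1);

// 1. Validate: decide whether the value is acceptable at all.
function validateSignup(array $in): array
{
    $errors = [];
    $email = filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not a valid address';
    }
    // Whitelist regex for a field that has a known shape (xenon's
    // "advanced validation" case); anything else is rejected outright.
    $user = $in['username'] ?? '';
    if (!preg_match('/\A[a-z0-9_]{3,20}\z/i', $user)) {
        $errors[] = 'username must be 3-20 letters, digits or underscores';
    }
    // Free text: accept any content, but bound its size and require valid UTF-8.
    $bio = $in['bio'] ?? '';
    if (strlen($bio) > 1000 || !mb_check_encoding($bio, 'UTF-8')) {
        $errors[] = 'bio too long or not UTF-8';
    }
    return ['errors' => $errors, 'email' => $email, 'username' => $user, 'bio' => $bio];
}
// 2. Store: bound parameters keep the data out of the SQL text entirely.
function storeSignup(PDO $db, array $clean): void
{
    $stmt = $db->prepare('INSERT INTO members (username, email, bio) VALUES (?, ?, ?)');
    $stmt->execute([$clean['username'], $clean['email'], $clean['bio']]);
}

// 3. Output: escape for the context being written into, here HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
// Constructed sample input; the bio deliberately contains markup.
$result = validateSignup([
    'email'    => 'someone@example.com',
    'username' => 'aaron_07',
    'bio'      => 'I live <b>in my basement</b> <script>alert(1)</script>',
]);
if ($result['errors']) {
    foreach ($result['errors'] as $e) { echo h($e), "\n"; }
} else {
    echo '<p>', h($result['bio']), "</p>\n";  // markup shown as text, not executed
}
```

The three steps answer different questions: validation decides whether a value is allowed in, binding keeps it from changing the query, and escaping keeps it from changing the page.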