Re: [bitfolk] php hosting

Author: Andy Smith
Date:  
To: users
Subject: Re: [bitfolk] php hosting

gpg: Signature made Wed Jan 30 17:52:38 2013 UTC
gpg: using DSA key 2099B64CBF15490B
gpg: Good signature from "Andy Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andrew James Smith <andy@strugglers.net>" [unknown]
gpg: aka "Andy Smith (UKUUG) <andy.smith@ukuug.org>" [unknown]
gpg: aka "Andy Smith (BitFolk Ltd.) <andy@bitfolk.com>" [unknown]
gpg: aka "Andy Smith (Linux User Groups UK) <andy@lug.org.uk>" [unknown]
gpg: aka "Andy Smith (Cernio Technology Cooperative) <andy.smith@cernio.com>" [unknown]
Hi Michael,

On Wed, Jan 30, 2013 at 05:42:57PM +0000, Michael Stevens wrote:
> So I've decided to join the cool kids and try PHP - in particular, I've
> installed roundcube.


Well, PHP was cool 5 years ago, now it's all ruby, node.js and
clojure. :)

> Is there any good info out there on securing php? I'd quite like to not
> get hacked, which seems to be a common problem with PHP web apps.


If "don't run PHP" doesn't work for you then my best advice is:

- Keep it up to date

- Run as few plugins, modules etc as possible and keep *those* up to date

- Expect to be compromised, so try to secure your PHP execution
environment from the rest of your server.

e.g. do assume that at some point an attacker will get to execute
commands as the user that is running your PHP app so try to reduce
what the app can do.

Good luck!

Cheers,
Andy

--
http://bitfolk.com/ -- No-nonsense VPS hosting
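
One way to apply the last point of the message above, as an added example that is not part of the original post: a PHP-FPM pool that runs Roundcube under its own unprivileged account and limits what that account's PHP code can reach. PHP-FPM as the runtime, the `roundcube` account, the `www-data` web server group and every path shown are assumptions.

```ini
; Added example, not from the original message. Assumed: PHP-FPM is in use,
; Roundcube is installed in /var/www/roundcube, /var/lib/roundcube-tmp exists
; and is owned by a dedicated account "roundcube" with no login shell or sudo.

[roundcube]
; Run the app as its own user rather than the shared web server account,
; so code execution inside Roundcube does not expose other sites' files.
user = roundcube
group = roundcube

; Only the web server (assumed group www-data) may connect to the socket.
listen = /run/php/roundcube.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Cap how many workers a hijacked or abused app can tie up.
pm = ondemand
pm.max_children = 5
pm.process_idle_timeout = 30s

; php_admin_* settings cannot be changed by the application via ini_set().
; Confine PHP file access to the app tree and its private temp directory.
php_admin_value[open_basedir] = /var/www/roundcube/:/var/lib/roundcube-tmp/
php_admin_value[upload_tmp_dir] = /var/lib/roundcube-tmp
php_admin_value[session.save_path] = /var/lib/roundcube-tmp

; Do not allow include/require of remote URLs.
php_admin_flag[allow_url_include] = off

; Block the functions that spawn external commands. Remove an entry only
; if a plugin you have decided to keep genuinely needs it.
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen

; Keep errors out of responses; log them where the admin can review them.
php_admin_flag[display_errors] = off
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /var/log/php/roundcube-error.log
```

File ownership matters as much as the pool settings: if the application code is owned by root and only the temp and log directories are writable by `roundcube`, an attacker running as that user cannot modify the app's own PHP files.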