One thing you should definitely do is make sure that you errors are logged and not output to the browser. This is to ensure that specifics aren't given out to the public. To do this, you should disable

displayed_errors

and

display_startup_errors

in your php.ini file.

Next, you should set

log_errors

to 1 (true) and set the location of you error log with

error_log

. You won't have to change your

error_reporting

unless it is set too low or too high than what you want. Personally, I like to keep my error reporting at E_ALL, but it's up to you. Make sure, though, that your error log cannot be accessed by the public, so put it below the web root directory.

Along the same lines as error reporting, many people when they use mysql in their application, use something such as

die(mysql_error())

after a certain function call. A more detailed example is something like this:

$result = mysql_query($query) or die(mysql_error());

Make sure that if your script does have something that looks like this, that you log those errors that mysql produces instead of echoing them to the screen. This, again, will output specifics about your database structure out to the public upon an error which is something you don't want to do.

Aside from these error reporting/logging issues, you should make sure that your scripts properly protect from various security problems such as sql injection, email header injection, etc... Make sure if you allow file uploads that someone cannot upload a file that could then be executed on your server. This list could go on forever, but make sure you check the scripts that have the largest potential for a security hole.

Depending on how you are using your server, you could also disable functions using the

disable_functions

or

disable_classes

directives that would limit what can be used on your server. Functions such as exec(), and all similar functions, aren't really used that often, and if they aren't, there's no need to keep those functions enabled, although if everything else is secure, this won't really matter.

>> so that people cannot see my code
Just make sure you have

.php

at the end of your filenames and should be fine. :) You are not limited to .php, however, you want the extension to be something that is parsed correctly by php. A filename like this

db.php.inc

is not a good idea unless you are parsing .inc files as php. This should always have .php (or equivalent) at the end of the filename.

Well, I hope this gets your started. There's also very good information about security at php.net: [us2.php.net...]

Good luck! :)

Thanks for the great suggestions!

One question: I do use mysql_error, so how do I make PHP report those into error_log, but not echo on to the screen?

</g>

I guess there a few ways you could handle that; I like to use error_log [php.net]. This will allow you to send information specific to that query/function, as well as the mysql_error() info, to the error log without compromising the security of your database.

Another option would be to use trigger_error() [php.net] and set the level of the error from the

E_USER

family of constants. This way your source code remains the same and your server setup defines how your error is going to be handled. If you use

error_log

and you are running on your test/development machine, your logs are going to fill up quicker when you really don't need them too as you likely have your development box setup to display errors in the browser.