PHP Mysql security



s1nykuL
04-01-2011, 11:55 AM
I am looking for the definitive volume on PHP Mysql security.

I read a couple books on the subject and I find they have differing approaches to protecting against sql injection, XSS, session hijacking and remote execution.

Can anyone point me to a guide or book that is recommend by security professionals?

W1zzard
04-01-2011, 11:19 PM
Read them all, then think and use your brain for other ideas that could lead to break-ins, then fix and monitor, and don't forget the backups.

desnudopenguino
04-05-2011, 07:08 PM
I agree with W1zzard... If you are serious about security, read as much as you can, and do the examples. The best way is to get your hands dirty and break stuff. Also http://www.hackthissite.org/pages/index/index.php is a good source for learning some web hacking methods, so you can prevent those exploits.

s1nykuL
04-07-2011, 02:26 AM
Thanks W1zzard, desnudopenguino.

I was considering creating my own functions for handling input, and I have now decided to do so. My skills in PHP are still very fresh; I have a lot to learn. I learned to code in 'C' procedurally many years ago and never really coded much since. I am barely getting a grip on OO programming in PHP at this moment; although I can see how a group of functions would work together better as a class, I haven't got my head around the details yet.

I am a member of hack this site. I finished all the basic missions and planned to do them all again to fully understand what was going on. I just forgot about it as work demands tore me from that which is interesting to that which is mundane. I will repeat the basics and continue with the other challenges at hackthissite.

Thanks again

desnudopenguino
04-07-2011, 10:36 PM
Cool! Most of the problems from your original post are easily handled by settings and/or modules you can install for Apache (if that is what you are using) along with PHP. You may want to look into DoS attacks, rootkits, and other vulnerabilities as well. Good luck, and let me know if you want someone to try to break your stuff or check out your code.

yngndrw
04-11-2011, 11:04 AM
If you only do one thing, make sure it's frequent remote backups.

Backing up data is only half the battle - you also need a bullet-proof restoration process so you're not sitting there for hours trying to restore your site.

At the end of the day, if someone wants to break your site they will find a way - the only way to recover from that is with a good backup strategy.

s1nykuL
04-27-2011, 06:34 AM
@yngndrw: Backups: yes, I will be exporting the database from the host to my PC and another machine each day. Restoration is as simple as importing the SQL file. The site is hosted by a provider and a backup solution is provided, though I see no problem in backing up to my systems as an added precaution.

I have just about finished the site now. The code is a mess, it is a real spaghetti code monster but it works. I will start on version two very soon which will be more OO than procedural (I think I can remove at least half the code and still achieve the same functionality). I spent an hour playing with sqlmap last night and didn't find any injectable requests.

@desnudopenguino: The site is to be hosted by a provider, so I don't have to worry about OS security with this one. I could do with someone more skilled in the techniques used to break into php/mysql driven websites than I to have a go at breaking/breaking into the site though. As far as the code goes, this is my first php web app and I would be embarrassed, even perhaps ashamed if it was gazed upon by a real programmer. Perhaps after I have re-written it, the code could be something I would be more proud of. I am fairly proud of the functionality and look, but in this case beauty really is only skin deep.

desnudopenguino
05-04-2011, 10:10 AM
Ok. Well, the only stuff you will have to worry about will be relatively light then... Preventing SQL injection is a biggy, and, if you have a login, make sure it does not have a simple session/cookie var that can easily be spoofed, and a few other things, but those are the biggest ones.
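The two points desnudopenguino raises here (parameterised queries against SQL injection, and a login whose session is not a spoofable cookie value) are also what s1nykuL's planned input-handling functions would need to get right. The following is an added example written for this thread, not code posted by either participant: a minimal PHP login path using PDO prepared statements and PHP's own session handling. It assumes PHP 7.3 or later (for the array form of `session_set_cookie_params`), a `users` table with `id`, `username` and `password_hash` columns, and placeholder DSN/credentials.

```php
<?php
// Added example (not from the thread): a minimal login handler showing
// (1) parameterised queries so user input never becomes SQL text, and
// (2) a server-side session with a random, regenerated ID instead of a
//     client-controlled cookie such as "user=admin".
// Assumptions: PHP >= 7.3, PDO/MySQL, a `users` table (id, username, password_hash).
// DSN, user and password below are placeholders.

declare(strict_types=1);

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4', // placeholder DSN
        'app_user',                                        // placeholder user
        getenv('APP_DB_PASSWORD') ?: '',                   // secret comes from the environment
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// The injectable pattern, shown only for contrast (never build SQL from input):
// $sql = "SELECT * FROM users WHERE username = '$username'";

function findUser(PDO $pdo, string $username): ?array
{
    // The placeholder is bound separately from the statement, so quotes,
    // comment markers or UNION clauses inside $username are just data.
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function startSecureSession(): void
{
    // Session cookie: TLS only, not readable by script, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject session IDs the server never issued
    ini_set('session.use_only_cookies', '1'); // never accept the ID from the URL
    session_start();
}

function login(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    // password_verify compares against a stored hash in constant time.
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    // Fresh random ID at the privilege change, so a pre-set (fixated) ID is useless.
    session_regenerate_id(true);
    // Identity lives server-side; the client only ever holds the opaque session ID.
    $_SESSION['user_id']    = (int) $user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Usage (constructed):
// startSecureSession();
// if (login(db(), $_POST['username'] ?? '', $_POST['password'] ?? '')) {
//     header('Location: /dashboard.php');
//     exit;
// }
```

The contrast is the point: a cookie like `user=admin` or `logged_in=1` can be set by anyone, whereas the session ID above is a random token the server maps to state it controls, and `session_regenerate_id(true)` after a successful login is what closes the fixation case where an attacker hands the victim a known ID beforehand.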