Developers should learn the basics of Meta Tags : Scott Clark

Contributed on Webdeveloper.com

With all the new HTML tags that are coming out, it’s easy to overlook some of the greatest tools in our arsenal of HTML tricks. There are still a few HTML goodies lying around that’ll help you keep your pages more up to date, make them easier to find, and even stop them from becoming framed. What’s more, some of these tags have been with us since the first Web browsers were released.

META tags can be very useful for Web developers. They can be used to identify the creator of the page, what HTML specs the page follows, the keywords and description of the page, and the refresh parameter (which can be used to cause the page to reload itself, or to load another page). And these are just a few of the common uses!

First, there are two types of META tags: HTTP-EQUIV and META tags with a NAME attribute.

HTTP-EQUIV
META HTTP-EQUIV tags are the equivalent of HTTP headers. To understand what headers are, you need to know a little about what actually goes on when you use your Web browser to request a document from a Web server. When you click on a link for a page, the Web server receives your browser’s request via HTTP. Once the Web server has made sure that the page you’ve requested is indeed there, it generates an HTTP response. The initial data in that response is called the "HTTP header block." The header tells the Web browser information which may be useful for displaying this particular document

Back to META tags. Just like normal headers, META HTTP-EQUIV tags usually control or direct the actions of Web browsers, and are used to further refine the information which is provided by the actual headers. HTTP-EQUIV tags are designed to affect the Web browser in the same manner as normal headers. Certain Web servers may translate META HTTP-EQUIV tags into actual HTTP headers automatically so that the user’s Web browser would simply see them as normal headers. Some Web servers, such as Apache and CERN httpd, use a separate text file which contains meta-data. A few Web server-generated headers, such as "Date," may not be overwritten by META tags, but most will work just fine with a standard Web server.

NAME
META tags with a NAME attribute are used for META types which do not correspond to normal HTTP headers. This is still a matter of disagreement among developers, as some search engine agents (worms and robots) interpret tags which contain the keyword attribute whether they are declared as "name" or "http-equiv," adding fuel to the fires of confusion

Using META Tags

On to more important issues, like how to actually implement META tags in your Web pages. If you’ve ever had readers tell you that they’re seeing an old version of your page when you know that you’ve updated it, you may want to make sure that their browser isn’t caching the Web pages. Using META tags, you can tell the browser not to cache files, and/or when to request a newer version of the page. In this article, we’ll cover some of the META tags, their uses, and how to implement them.

Expires
This tells the browser the date and time when the document will be considered "expired." If a user is using Netscape Navigator, a request for a document whose time has "expired" will initiate a new network request for the document. An illegal Expires date such as "0" is interpreted by the browser as "immediately." Dates must be in the RFC850 format, (GMT format):

Pragma
This is another way to control browser caching. To use this tag, the value must be "no-cache". When this is included in a document, it prevents Netscape Navigator from caching a page locally.

These two tags can be used as together as shown to keep your content current—but beware. Many users have reported that Microsoft’s Internet Explorer refuses the META tag instructions, and caches the files anyway. So far, nobody has been able to supply a fix to this "bug." As of the release of MSIE 4.01, this problem still existed.

Refresh
This tag specifies the time in seconds before the Web browser reloads the document automatically. Alternatively, it can specify a different URL for the browser to load.

Be sure to remember to place quotation marks around the entire CONTENT attribute’s value, or the page will not reload at all.

Set-Cookie
This is one method of setting a "cookie" in the user’s Web browser. If you use an expiration date, the cookie is considered permanent and will be saved to disk (until it expires), otherwise it will be considered valid only for the current session and will be erased upon closing the Web browser.

Window-target
This one specifies the "named window" of the current page, and can be used to prevent a page from appearing inside another framed page. Usually this means that the Web browser will force the page to go the top frameset.

PICS-Label
Although you may not have heard of PICS-Label (PICS stands for Platform for Internet Content Selection), you probably will soon. At the same time that the Communications Decency Act was struck down, the World Wide Web Consortium (W3C) was working to develop a standard for labeling online content (see www.w3.org/PICS/ ). This standard became the Platform for Internet Content Selection (PICS). The W3C’s standard left the actual creation of labels to the "labeling services." Anything which has a URL can be labeled, and labels can be assigned in two ways. First, a third party labeling service may rate the site, and the labels are stored at the actual labeling bureau which resides on the Web server of the labeling service. The second method involves the developer or Web site host contacting a rating service, filling out the proper forms, and using the HTML META tag information that the service provides on their pages. One such free service is the PICS-Label generator that Vancouver-Webpages provides. It is based on the Vancouver Webpages Canadian PICS ratings, version 1.0, and can be used as a guideline for creating your own PICS-Label META tag.

Although PICS-Label was designed as a ratings label, it also has other uses, including code signing, privacy, and intellectual property rights management. PICS uses what is called generic and specific labels. Generic labels apply to each document whose URL begins with a specific string of characters, while specific labels apply only to a given file.

Keyword and Description attributes
Chances are that if you manually code your Web pages, you’re aware of the "keyword" and "description" attributes. These allow the search engines to easily index your page using the keywords you specifically tell it, along with a description of the site that you yourself get to write. Couldn’t be simpler, right? You use the keywords attribute to tell the search engines which keywords to use, like this:

By the way, don’t think you can spike the keywords by using the same word repeated over and over, as most search engines have refined their spiders to ignore such spam. Using the META description attribute, you add your own description for your page:

Make sure that you use several of your keywords in your description. While you are at it, you may want to include the same description enclosed in comment tags, just for the spiders that do not look at META tags. To do that, just use the regular comment tags, like this:

!–// This page is about the meaning of life, the universe, mankind and plants. //–

More about search engines can be found in our special report.

ROBOTs in the mist
On the other hand, there are probably some of you who do not wish your pages to be indexed by the spiders at all. Worse yet, you may not have access to the robots.txt file. The robots META attribute was designed with this problem in mind.
meta NAME="robots" CONTENT="all | none | index | noindex | follow | nofollow">

The default for the robot attribute is "all". This would allow all of the files to be indexed. "None" would tell the spider not to index any files, and not to follow the hyperlinks on the page to other pages. "Index" indicates that this page may be indexed by the spider, while "follow" would mean that the spider is free to follow the links from this page to other pages. The inverse is also true, thus this META tag:

meta NAME="robots" CONTENT=" noindex">

would tell the spider not to index this page, but would allow it to follow subsidiary links and index those pages. "nofollow" would allow the page itself to be indexed, but the links could not be followed. As you can see, the robots attribute can be very useful for Web developers. For more information about the robot attribute, visit the W3C’s robot paper.

Placement of META tags
META tags should always be placed in the head of the HTML document between the actual tags, before the BODY tag. This is very important with framed pages, as a lot of developers tend to forget to include them on individual framed pages. Remember, if you only use META tags on the frameset pages, you’ll be missing a large number of potential hits.

Obscure META Tags

If you’re a normal person (I’m not, and I don’t know any, but I heard they do exist), then you’re wondering just what, exactly, is Dublin Core? No, it’s not an Irish porno movie, but rather, it’s a simple resource description record that has come to be known as the Dublin Core Metadata element set, or rather, Dublin Core.

Thanks to a considerate reader, we now know how it got its name. Dublin Core is the core set of metadata elements which were identified by a working group (comprised of experts drawn from the library and Internet communities) which met in Dublin, Ohio.

Dublin Core was designed with several issues in mind, namely to:

* enable search engines to filter by standard fields, i.e. date and author
* Browsers could have the ability to display metadata fields in a separate window
* enhance cross-collection, repurposing and integrating of content
* enhance site management, as old pages may be located more easily, etc.

Rating is basically the same thing as PICS-Label, and can be used for the same purpose, but PICS-Label is recommended over rating, as it is currently recognized by more software than rating, although it couldn’t hurt to use both.

Many of the obscure META tags are produced by HTML authoring software. Microsoft Word supports a number of META attributes in its HTML export option, and if you create a document with Internet Assistant, FrontPage, etc, you’ll notice that they automatically insert certain META tags, such as Generator, Content-Type, etc. into the Web page source. Other META tags are organization or search engine specific. The RDU Metadata search engine uses many such tags, including: contributor, custodian, east_bounding_coordinate, north_bounding_coordinate and others. Other obscurities are government META tags, useful only if you are within a government intranet or system.

But then
Statistics show that only about 21% of Web pages use keyword and description META tags. If you use them and your competitor doesn’t, that’s one in your favor. If your competitor is using them and you aren’t, you may now consider yourself armed with the knowledge. META tags are something that visitors to your Web site are usually not aware of, but ironically, a lot of times it was those same META tags which enabled them to find you in the first place. So for goodness’ sake, don’t tell anyone about this….let’s just keep this our own little secret (just kidding…make sure to send this URL to everyone you know!).

The Law
Before we leave the topic of META tags, keep in mind that there are several legal issues that surround the use of these tags on your Web site. Danny Goodman, editor of SearchEngineWatch, has put together a page detailing the lawsuits brought on revolving around META tags. At the present time there have already been at least five such suits, mainly focused on sites that utilized someone else’s keywords within their META tags. The largest of these suits brought a settlement of $3 million dollars. Bottom line: use your own keywords, and definitely not words that someone else has a copyright on.

Asynchronous JavaScript and XML (AJAX) is not a technology in itself, but is a term that describes a "new" approach to using a number of existing technologies together, including: HTML or XHTML, Cascading Style Sheets, JavaScript, The Document Object Model, XML, XSLT, and the XMLHttpRequest object. When these technologies are combined in the AJAX model, web applications are able to make quick, incremental updates to the user interface without reloading the entire browser page. This makes the application faster and more responsive to user actions.

Advantages of AJAX

Bandwidth usage

By generating the HTML locally within the browser, and only bringing down JavaScript calls and the actual data, Ajax web pages can appear to load relatively quickly since the payload coming down is much smaller in size, and the rest of the layout does not have to be redrawn on each update. An example of this technique is a large result set where multiple pages of data exist. With Ajax, the HTML of the page (e.g., a table structure with related TD and TR tags) can be produced locally in the browser and not brought down with the first page of the document. In addition to "load on demand" of contents, some web-based applications load stubs of event handlers and then load the functions on the fly. This technique significantly cuts down the bandwidth consumption for web applications. On the other hand, Ajax works on the client and shares some work of server, so that reduces the server load.

Separation of data, format, style, and function

A less specific benefit of the Ajax approach is that it tends to encourage programmers to clearly separate the methods and formats used for the different aspects of information delivery via the web. Although Ajax can appear to be a jumble of languages and techniques, and programmers are free to adopt and adapt whatever works for them, they are generally propelled by the development motive itself to adopt separation among the following:

1. Raw data or content to be delivered, which is normally embedded in XML and sometimes derived from a server-side database.
2. Format or structure of the webpage, which is almost always built in HTML or XHTML and is then reflected and made available to dynamic manipulation in the DOM.
3. Style elements of the webpage: everything from fonts to picture placement are derived by reference to embedded or referenced CSS.
4. Functionality of the webpage, which is provided by a combination of:
1. Javascript on the client browser (Also called DHTML),
2. Standard HTTP and XMLHttp or client-to-server communication, and
3. Server-side scripting and/or programs using any suitable language preferred by the programmer to receive the client’s specific requests and respond appropriately.

Disadvantages of AJAX

Browser integration

The dynamically created page does not register itself with the browser history engine, so triggering the "Back" function of the users’ browser might not bring the desired result.

Developers have implemented various solutions to this problem. These solutions can involve using invisible IFRAMEs to invoke changes that populate the history used by a browser’s back button. Google Maps, for example, performs searches in an invisible IFRAME and then pulls results back into an element on the visible web page. The World Wide Web Consortium (W3C) did not include an IFRAME element in its XHTML 1.1 Recommendation; the Consortium recommends the object element instead.

Another issue is that dynamic web page updates make it difficult for a user to bookmark a particular state of the application. Solutions to this problem exist, many of which use the URL fragment identifier (the portion of a URL after the ‘#’[7][8]) to keep track of, and allow users to return to, the application in a given state. This is possible because many browsers allow JavaScript to update the fragment identifier of the URL dynamically, so that Ajax applications can maintain it as the user changes the application’s state. This solution also improves back-button support. It is not, however, a complete solution.

Response-time concerns

Network latency — or the interval between user request and server response — needs to be considered carefully during Ajax development. Without clear feedback to the user,[9] preloading of data and proper handling of the XMLHttpRequest object, users might experience delays in the interface of the web application, something which they might not expect or understand. Additionally, when an entire page is rendered there is a brief moment of re-adjustment for the eye when the content changes. The lack of this re-adjustment with smaller portions of the screen changing makes the latency more apparent. The use of visual feedback (such as throbbers) to alert the user of background activity and/or preloading of content and data are often suggested solutions to these latency issues.

Search engine optimization

Websites that use Ajax to load data which should be indexed by search engines must be careful to provide equivalent Sitemaps data at a public, linked URL that the search engine can read, as search engines do not generally execute the JavaScript code required for Ajax functionality. This problem is not specific to Ajax, as the same issue occurs with sites that provide dynamic data as a full-page refresh in response to, say, a form submit (the general problem is sometimes called the hidden, or deep web).

Reliance on JavaScript and the DOM

Ajax relies on JavaScript and the browser’s Document Object Model (DOM), which are often implemented differently by different browsers or versions of a particular browser. Because of this, sites that use JavaScript may need to be tested in multiple browsers to check for compatibility issues. It’s common to see JavaScript code written twice, one part for IE, another part for Mozilla compatibles, although this is less true with the release of IE7 and with the now-common use of JavaScript abstraction libraries like the Prototype JavaScript Framework or Jquery. Such libraries abstract browser-specific differences from the web developer.

The level of IDE support for JavaScript used to be poor, although it is changing with more wide-spread use of tools like firebug, IE Developer Toolbar and Venkman.

An issue also arises if the user has switched off JavaScript support in the browser, thus disabling the functionality built into the pages.

Web analytics

Many web analytics solutions are based on the paradigm of a new page being loaded whenever new or updated content is displayed to the user, or to track a series of steps in a process such as a check-out. Since Ajax alters this process, care must be taken to account for how to instrument a page or a portion of a page so that it can be accurately tracked. Analytics systems which allow for the tracking of events other than a simple page view, such as the click of a button or link, are the ones most likely to be able to accommodate a site which heavily utilizes Ajax.

Recently, i have seen a buzz about various frameworks available for PHP. If you have not used a framework and planning to use one, step back, first evaluate your requirements. All frameworks despite being promoted as a rapid application development tool, consider the learning curve that may take place. Learning curve varies for each application framework. If you are doing a one off application, it will be better to do a customize application on your own. You may be able to produce a workable, efficient and lean application faster than when using a framework. If however, your requirement is using this application every in every project that you will be engaging into, then fine, go to frameworks and it will save you development in the long term.

Rasmus Lerdorf (creator of the PHP programming language) is actually against using frameworks in his blog, The-no-framework-PHP-MVC-framework. Rasmus quoted in his blog "…I just happen find most of them too complex for my needs and this is a proposed alternative…". Even Rasmus accepts that fact that frameworks are too complex and argued that the same could be achieved in PHP without using additional external layers. Rasmus provided an example using Yahoo! Application.

Manuel Lemos (PHP Classes) in his blog, Recommended PHP Frameworks (Recommended-PHP-frameworks) provided an advice on what criteria is relevant when choosing a framework that addresses the needs of each PHP developer. He also explained why certain frameworks seem very popular while others are not getting as much attention as their developers hoped. Finally, Manuel Lemos mentioned a long list of packages and tools that make up the framework that is used to implement the PHPClasses site.

Frameworks are always considered as rapid application development tools which make frameworks very appealing at the first instance. However, as Rasmus said in his blog, nobody will build your application for you no matter what the framework promises. Instead you might end up fixing mistakes for the framework instead of spending your time building a lean and reusable pattern that fits your requirements directly.

Here is the list of various PHP Frameworks (All are suitable for particular need but none is viable for all situations)

1. PHP on Trax Strictly follows Ruby on Rails syntax and functionality but written in php5. Originally called PHP on Rails.
2. Agavi an open-source, LGPL licensed MVC framework for creating applications written using PHP5.
3. Akelos PHP Framework a Ruby on Rails port to PHP4/5.
4. BareBonesMVC A one-file, no-configuration, MVC framework for PHP5.
5. CakePHP webapplication framework modeled after the concepts of Ruby on Rails.
6. CodeIgniter A PHP MVC framework.
7. DragonPHP MVC2 Framework for PHP 5.
8. Fusebox Framework for building ColdFusion and PHP web applications.
9. FUSE A powerful but easy-to-use PHP 5 Framework for MVC development
10. KohanaPHP A powerful, lightweight, easily extendable PHP 5 MVC Framework.
11. LightVC Lightweight PHP 5 Strict MVC Framework with decoupling of Model and other non-View-Controller essentials to promote code reuse.
12. Odin Assemble Small footprint PHP based MVC Framework.
13. phpHtmlLib MVC based OO framework compatible with PHP4 and PHP5 licensed under GNU LGPL.
14. phpXCore A MVC design pattern based PHP content management framework compatible with PHP4 and PHP5.
15. PRADO A PHP 5 MVC framework.
16. SilverStripe contains a fully fledged PHP 5.2 ORM/MVC Framework focused on building websites.
17. Solar PHP 5 framework Solar is a PHP 5 framework for rapid application development. It is fully name-spaced and uses enterprise application design patterns, with built-in support for localization and configuration at all levels.
18. OnPHP onPHP is the mature GPL’ed multi-purpose object-oriented PHP framework (plus c-module)
19. Switch board with Routing PHP 5 MVC Framework with Routing.
20. Symfony Framework PHP 5 MVC Framework.
21. TinyMVC Framework Framework Simple and lightweight PHP5 MVC (Model-View-Controller) framework.
22. TYPO3 extension library lib/div PHP 4/5 MVC framework for TYPO3 extension development
23. Qcodo is an open-source PHP 5 web application framework
24. Zend Framework A PHP 5-based MVC framework.
25. ZNF PHP5 MVC framework for enterprise web applications
26.Zoop Framework A Mature PHP 4/5 MVC framework.

Model-view-controller (MVC)

is an architectural pattern, which at the same time is also a Multitier architecture, used in software engineering. In complex computer applications that present a large amount of data to the user, a developer often wishes to separate data (model) and user interface (view) concerns, so that changes to the user interface will not affect data handling, and that the data can be reorganized without changing the user interface. The model-view-controller solves this problem by decoupling data access and business logic from data presentation and user interaction, by introducing an intermediate component: the controller.

MVC Pattern description

It is common to split an application into separate layers: presentation (UI), domain logic, and data access. In MVC the presentation layer is further separated into view and controller. MVC encompasses more of the architecture of an application than is typical for a design pattern.

Model
The domain-specific representation of the information that the application operates. Domain logic adds meaning to raw data (e.g., calculating whether today is the user’s birthday, or the totals, taxes, and shipping charges for shopping cart items).
Many applications use a persistent storage mechanism (such as a database) to store data. MVC does not specifically mention the data access layer because it is understood to be underneath or encapsulated by the Model.
View
Renders the model into a form suitable for interaction, typically a user interface element. Multiple views can exist for a single model for different purposes.
Controller
Processes and responds to events, typically user actions, and may invoke changes on the model.

MVC is often seen in web applications, where the view is the actual HTML page, and the controller is the code that gathers dynamic data and generates the content within the HTML. Finally, the model is represented by the actual content, usually stored in a database or XML files.

Though MVC comes in different flavors, control flow generally works as follows:

1. The user interacts with the user interface in some way (e.g., presses a button).
2. A controller handles the input event from the user interface, often via a registered handler or callback.
3. The controller accesses the model, possibly updating it in a way appropriate to the user’s action (e.g., controller updates user’s Shopping cart).
4. A view uses the model (indirectly) to generate an appropriate user interface (e.g., the view produces a screen listing the shopping cart contents). The view gets its own data from the model. The model has no direct knowledge of the view.
5. The user interface waits for further user interactions, which begins the cycle anew.

By decoupling models and views, MVC helps to reduce the complexity in architectural design, and to increase flexibility and reuse.

Good and Evil of PHP

Generally, clients and developers are using many different programming languages to facilitate the needs of their customers and their applications. These applications include shopping carts, forums, content management system, blogs, and community portals. Over time you can see trends develop and fall in what types of applications are most popular and what languages are used most to write these applications. Some languages are popular for a while by both programmers and end users and then the popularity diminishes leaving only the hardcore developers. One language, however, that still maintains its popularity from end users to developers alike is PHP.

PHP (PHP HyperText Preprocessor) was first released in 1995 however, PHP 3.0, released in 1997, is the first version of PHP which can be considered an ancestor to today’s version. PHP 3.0 offered new features such as the ability to easily connect to different database types, API’s for ease of programming and many tie-ins to other popular functions and applications known as modules or extensions. With PHP 3.0’s object oriented nature, developers were able to easily build applications for the masses. By the end of 1998 PHP was installed on over 10% of the servers on the Internet. The most common version of PHP, PHP 4.0 was released officially in 2000. This version was rewritten from the ground up, building a new and more powerful core that could handle many different functions including sessions, output buffering, and advanced security features, as well as, wider support for web servers. This improvement in the core allowed more powerful, interactive applications to be developed with the ability to port them across numerous web servers. Today PHP is used by millions of sites worldwide due to its ease of use and ability to develop powerful, feature rich applications. According to Netcraft’s April 2006 PHP usage report over 20 million domains on the web use PHP in some form. TIOBE publishes a programming community index in which languages are ranked by developer popularity. This index shows that PHP is 4th in developer popularity, up from 5th place this time last year, so PHP is clearly on the rise, and with PHP5 gaining more support both from developers and end users, it shows no signs of slowing down.

However, there is an ugly side to PHP and its rise over the years. With PHP’s immense popularity and accessibility to inexperienced website owners through pre-built scripts and do-it-yourself auto-installers, it will come as no surprise that PHP coded applications are a favorite target of hackers and script kiddies. It does not help that PHP has regularly had numerous vulnerabilities and exploitable function throughout its life. These vulnerabilities, due to PHP’s popularity, are magnified as the exploitation of them spread like wildfire from one server to the next by automated attacks searching for the vulnerabilities. These vulnerabilities and the resulting attacks have long been a headache for web hosts trying to keep their servers from getting attacked or being hacked. In addition to the vulnerabilities, PHP has functions such as fopen(), include(), and exec() which in and of themselves are great tools for building dynamic applications. However when code is not written properly, a hole in which these functions can be exploited emerges, allowing script kiddies and what would normally be considered other low level attacks to run DOS attacks, PHP Shells, download exploits and execute other malicious code from your server that might otherwise be fairly secure. The wonderful nature and ease of deployment with PHP that does so much good, is the same reason that it’s a common tool for evil. One with malicious intent does not need high level experience or heightened permissions in order to inflict harm upon your systems. So what can you do to protect your servers and possibly you business before it gets hit by an attack?

PHP’s default installation is pretty liberal on what it allows out of the box and could use some tweaking for security. However PHP only really offers the “safe mode” option which essentially locks the PHP installation down and restricts users from using most functions, which is a difficult proposition for shared hosts wanting to allow their clients some flexibility and control of their code. Therefore you have to take a different approach to security. What is seen that the layered security model is much more effective compared to a “fix it all” application that you can buy, and most other methods.

The first thing we recommend is that if you are a developer or coder, make sure the code you write is secure. If you are a messy coder who just codes without thinking about the implications of your code, there are resources out there to help you. The PHP Security Consortium is an international organization of PHP experts that are dedicated to researching and publishing vulnerabilities, how to avoid them and other pertinent articles. For developers, there are other resources out there for you as well that are worth looking into. One of the easiest to use is the Writing Secure PHP Cheat Sheet located at http://www.ilovejackdaniels.com/php/writing-secure-php/ and is a great desk companion for when you are writing code. It takes a down to earth look at many of the coding practices that cause PHP vulnerabilities that have given web hosts and users many headaches. As a developer, you must be mindful of what you are doing and think about the possibility that your code could at some time be compromised. Web hosts and server administrators know they can not anticipate what every client will do with PHP, and for this reason, it is only the first line of defense. However, education and regular updates on writing secure code and new vulnerabilities can go a long way.

Secondly, we recommend securing your system in a layered manner if you can, or use a web host that does. If you are unsure what your current web host does for security you can use this article as a basis of questions for them. The following are steps which can be followed to increase security and stability related to PHP by significantly measurable margins, and has helped reduce PHP security related incidents.

1. If you are not already subscribed, you should subscribe to the Security Focus newsletter. Not only do vulnerabilities for PHP get listed but other vulnerabilities pertaining to your entire server.
2. Regularly visit the PHP Security Consortium Website, it may be primarily for developers however web hosts and server administrators should be aware of many vulnerabilities so you can explain them to your customers. Education in many cases can be the key.
3. Setup a PHP security FAQ for those customers who do their own coding and for those customers who have developers. The Open Web Application Security Project has published a top ten PHP security blunders article which is a good start for a FAQ. (http://www.sklar.com/page/article/owasp-top-ten)
4. Implement a firewall solution. This can be either a software firewall or a hardware firewall. For a software firewall we recommend APF. Use both Cisco PIX hardware firewalls and software for added layering. This step will help out for other general security issues as well. In addition, a firewall is great for blocking sniffers when found as they tend to cause increases in load and resource consumption even if they ultimately do not find a vulnerability on your system. Closing off all unused access points and changing the way you connect to the ones you do use is always a good security idea.
5. Implement an intrusion detection package like BFD which will work with APF software firewall and will automatically block suspect IP’s.
6. Implement Mod Security for your Apache based web servers. Mod_security is a life saver in combating vulnerabilities, especially with the many PHPBB vulnerabilities that have existed in the past. Got Root has many custom rules that you can download and use to help protect the server.
7. In php.ini disable allow_url_fopen and only allow it on a per user basis so that you can control who uses this. Some shared hosting clients may take issue with this, but once the ramifications are explained, the vast majority is supportive. Ultimately, system administrators, clients and users want stability.
8. Restrict access to functions like phpinfo, dl, readfile, and exec.
9. Setup and configure Open BaseDir for your server users.
10. Ensure temporary directories such as /tmp and /var/tmp will not allow execution of scripts that could be created there due to insecure PHP code.
11. Disable register_globals in php.ini. If a customer needs this for their scripts to function it can be enabled on a per account basis.
12. Disable access to binaries on your system. By default, PHP allows an application to access any binary on the system through the system() and exec() functions. In many cases a web host cannot just disable access to these functions without breaking an application or two. However there are creative ways in which a system administrator can limit the binaries which PHP can see, thus reducing the number of binaries allowed to those that the system administrator wants to allow.

With the above steps you should be able to curb many of the most common and some not so common vulnerabilities that web hosts will encounter when customers use PHP scripts. Therefore its recommended that implementing them in your environment will ease frustration and increase security.

A new battlefront is beginning to grow with the spread of PHP5 outside of the development community into the mainstream arena. Although PHP5 is developed to take object oriented programming to the next level, allowing developers to write cleaner, friendlier and more optimized code, this does not mean that applications without holes will always be created. Just as with any new software version, there are going to be new hurdles, holes and problems to overcome. However, you are lucky due to the fact that the php.ini for PHP5 is not greatly changed so many of these processes can be duplicated in PHP5 allowing you to start securing even the newest PHP versions to a more suitable level.

Remember security isn’t something you can just tack on; it’s a team effort involving users, developers, administrators and providers. If it is not integrated into the design of your overall processes and continually looked at, you are seriously increasing your risk of being attacked. That could mean potential disaster for you and your business.