
PHP Security Basics

  • Web Development
Blueprint Digital

Security becomes extremely important when developing PHP-based web applications that handle sensitive information or large amounts of data. When researching effective PHP security practices, I constantly came across suggestions and solutions that had loopholes hackers could bypass. One of the most important things to understand about PHP security is not a set of best practices that will eliminate every vulnerability, but that each security measure you put in place blocks another tier of amateur hackers.

These simple and effective security measures will eliminate your site’s vulnerability to certain hackers.

Filter All Input

It is necessary to make certain that any input received from users is sanitized and filtered before being used or saved. This includes all $_POST input from forms and $_GET input from the URL query string. Wrapping these variables in htmlentities() before continuing is very easy and one of the simplest ways to avoid using tainted data.

In addition, for important variables, be sure to check that they are of the correct data type. If, for example, your application expects an integer to be passed in through a form and a user enters a string, your application could crash if the invalid input is not handled correctly. PHP has many functions that can help you check the validity of the input's type, such as is_int() and intval().

When storing or retrieving data from a database based upon a user's input, always wrap this input in mysql_real_escape_string(). In a form that retrieves database entries based upon a user's input, this function will prevent hackers from sneakily entering values into the input field that would expose or delete the entire table or database.
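The three checks above (type validation, escaping before output, and keeping user input out of SQL) as one added example script; this is not code from the original post. It assumes the pdo_sqlite extension is available, uses constructed sample inputs in place of $_GET, and uses PDO prepared statements rather than mysql_real_escape_string(), since the mysql_* functions were removed in PHP 7.

```php
<?php
// Added example, not from the original post. Runs offline against an
// in-memory SQLite database (requires the pdo_sqlite extension).
declare(strict_types=1);

// Constructed sample inputs standing in for raw $_GET / $_POST values.
$sampleIds  = ['42abc', '42', '-3'];
$sampleName = '<script>alert(1)</script>';

// 1. Type check: FILTER_VALIDATE_INT rejects "42abc" and "-3" outright,
//    whereas intval("42abc") would silently return 42.
function validateId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. Escape at output time so user text is displayed, not interpreted as HTML.
function escapeForHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Bind the value as a parameter; it never becomes part of the SQL text.
function findUserById(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (id, name) VALUES (42, 'Alice'), (7, 'Bob')");

foreach ($sampleIds as $raw) {
    $id = validateId($raw);
    if ($id === null) {
        echo "Rejected input '" . escapeForHtml($raw) . "': not a positive integer\n";
        continue;
    }
    $user = findUserById($db, $id);
    echo $user === null ? "No user with id $id\n" : "Found " . escapeForHtml($user['name']) . "\n";
}

// The script tag is rendered as text, so it cannot execute in the browser.
echo 'Display name: ' . escapeForHtml($sampleName) . "\n";
```

Run it with `php example.php`; the two malformed ids are rejected before any database access, and the valid one is looked up without the input ever being concatenated into the query.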

Try Hacking Your Own Site

To determine the level of security on your PHP web application, try hacking your own application as you work. Display warning signs when invalid input is given, and then try inserting all sorts of invalid data. The error messages should tell you when invalid data was entered, and whether or not your application detected it. But remember to remove these error messages when you are done so that hackers are unable to determine the problem and work their way around it!
