Hi guys. I hope this is okay. If not, I’m happy to remove it.
This is so important to me as a learning coder (and should be to everyone), so I wanted to put down a summary of my PHP security understanding and do's/don'ts when it comes to building a PHP application.
It’s a list that I will maintain with any information/tips/tricks that the experienced members reply with and consists of 3 main topics of which I am aware (at this point) are the main security areas that should be considered.
Let me know if anything should be amended, added, removed or elaborated on.
- Never trust input from an unknown source, especially user input from forms.
- Always validate and sanitize data that is not presented directly within your code, e.g. a user form.
- Never rely on the $_REQUEST superglobal, always specifically define
- Always use the trim() function on $_POST variables prior to validation.
- Always handle errors effectively within your production environment by:
  - setting error_reporting to E_ALL
  - setting display_errors to OFF
  - setting log_errors to on (to ensure you are able to capture generated errors within your script)
  - setting error_log to effectively define the path where log_errors should be saved within your site root.
- Always store application sensitive data files (e.g. database connection include) outside of the public html folder of your production environment. Most hosting companies provide a private html folder that can be used.
- Always use PDO & Prepared Statements for all DB CRUD operations as it negates the risk of SQL Injection.
CROSS SITE SCRIPTING (XSS)
- Always declare the utf-8 character encoding as the first meta tag in the head of your html pages.
- Implement CSRF (Cross Site Request Forgery) token protection methodology on all form input.
- Regardless of the source, always wrap generated output to the browser in the htmlentities($string, ENT_QUOTES, 'UTF-8') function.
- Extra stringent validation methods must be implemented in forms that allow file uploads.
If anybody has links to good content anywhere on this forum, that provides a guide or further information to any of the above points, then please share and I will embed them in the post.
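Added example (my own code, not from the post above): a single-file comment form that applies several of the listed rules together: reading $_POST rather than $_REQUEST, trim() before validation, a per-session CSRF token checked with hash_equals(), a PDO prepared statement, and htmlentities() on every value echoed back. The in-memory SQLite database is a stand-in for a real connection so the script runs without setup; the field names and length limit are assumptions for the example.

```php
<?php
// Added example: minimal form handler following the post's do's and don'ts.
// SQLite in memory stands in for the real DB (constructed for this example).
declare(strict_types=1);
session_start();
// Issue one CSRF token per session and compare it in constant time on POST.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function csrfValid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}
// Output escaping exactly as the post recommends.
function e(string $s): string {
    return htmlentities($s, ENT_QUOTES, 'UTF-8');
}
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // Read from $_POST (never $_REQUEST), trim, then validate before any use.
    $author = trim($_POST['author'] ?? '');
    $body   = trim($_POST['body'] ?? '');
    if ($author === '' || mb_strlen($author, 'UTF-8') > 40 || $body === '') {
        exit('Validation failed');
    }
    // Prepared statement: user data travels as bound parameters, never in the SQL text.
    $stmt = $pdo->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}
header('Content-Type: text/html; charset=utf-8');
echo '<meta charset="utf-8"><form method="post">';
echo '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">';
echo 'Name: <input name="author"> Comment: <input name="body"> <button>Post</button></form>';
// Escape on output regardless of where the value came from.
foreach ($pdo->query('SELECT author, body FROM comments') as $row) {
    echo '<p>' . e($row['author']) . ': ' . e($row['body']) . '</p>';
}
```

Run it with `php -S localhost:8080 file.php` and submit a value such as `<b>x</b>` to see it rendered as literal text rather than as markup.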