PHP security guide
PHP provides a strong toolset with immense power. Used carefully and with attention to detail, it allows the creation of complex, flexible and robust applications. A drawback of this powerful functionality is that, without this attention, malicious users can use open doors to attack your site in various ways. In order to prevent these attacks, there are some basic rules a serious programmer should follow. These guidelines neither make your application totally immune nor are they a complete list, but they make an attacker's work harder and contribute to a more secure coding style.
Filter all input data
If data originates from a foreign source, like user input, it should be considered tainted. The same applies to the PHP superglobal arrays ($_GET, $_POST, $_COOKIE and the like). Before processing this data, it is important to filter it and to ensure that it matches your expectations. Be careful about client-side validation: it is only for usability; server-side validation is for security. (Read more about form validation and processing.)
Escape all output data
Anything that leaves your application must be considered output. The client receiving this output can be anything from a Web browser to a database server. While filtering input protects your application from harmful data, escaping output protects the client and user from malicious commands. Clients take action when they encounter special characters, and which characters must be escaped depends on the destination of the output. For the right strategy you must know your destination and escape those characters or commands accordingly.
Initialize variables in global context and use constants
A characteristic of PHP, and a possible security hole, is that variables do not have to be initialized. Combined with the register_globals = On configuration directive, harmful values can easily be injected into scripts through request parameters. As a best practice, always initialize your variables before use (and set register_globals = Off).
Constants have the advantage that they cannot be overwritten. At least for values used in your include paths, you should prefer them to variables.
Use tokens to verify the source of data
While proper output escaping will prevent your application from being used as a vehicle for attacks, it will not protect it from being attacked by forged requests. Thus, your application needs the ability to determine whether a request was intentional and legitimate. A token method can block these attempts and force users to use the forms you defined. Create a unique token and store it in your session. Submit this token with the form data and compare the two token values before processing the input.
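The token procedure described above, as a worked example added here (it is not code from the original post). It assumes PHP 7 or later for random_bytes() and hash_equals(), and the form field name csrf_token is an arbitrary choice:

```php
<?php
// Added example: CSRF token stored in the session and checked before input is processed.
// Assumes PHP >= 7 (random_bytes, hash_equals); the field name 'csrf_token' is arbitrary.
session_start();

function csrf_token(): string
{
    // Generate the token once per session: 32 random bytes -> 64 hex characters.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input for the form; the value is escaped for the HTML context (output escaping).
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool
{
    // A missing session token or a missing/non-string form token counts as a forged request.
    if (empty($_SESSION['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    // hash_equals() compares in constant time, so the token cannot be guessed byte by byte.
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // Token verified: now filter the remaining input before using it.
    $comment = trim((string)($_POST['comment'] ?? ''));
    if ($comment === '' || strlen($comment) > 2000) {
        http_response_code(400);
        exit('Comment missing or too long.');
    }
    // ... process $comment, escaping it again when it is output ...
}
?>
<form method="post" action="">
  <?= csrf_field() ?>
  <textarea name="comment"></textarea>
  <button type="submit">Send</button>
</form>
```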
Regenerate session ids and check request headers
To prevent session attacks like session fixation, session IDs should be regenerated on a regular basis, and at the very least whenever the user gains a higher level of permission (for example after logging in).
Another way to identify the user, in addition to the session ID, is to check various request headers. One that is particularly helpful is the User-Agent. A change of this header within one session can be used to detect a possible session hijacking attempt.
Mind tainted data in filesystem actions
As a rule of thumb, never use tainted data in include, require, shell commands or file-handling functions. If you have to, make sure all of that data is filtered first. If you do not, you run the risk of remote code injection, which can have devastating consequences for your application.
PHP and Apache configuration
For the configuration of your PHP and Apache installation, be careful to choose the right settings for the following directives: allow_url_fopen, safe_mode, open_basedir, register_globals and display_errors.