Chapter 9. PHP Security

In today’s world of identity theft and credit card fraud, it is imperative for websites to be as secure as possible. It has been proven time and again that nothing is 100 percent foolproof in the security field, so it behooves (I’ve always wanted to use that word in a book) us to be as diligent as possible in protecting the information and websites that have been placed in our trust. When using PHP, there are a number of best practices to follow in an attempt to mitigate the risks.

The most vulnerable portions of a website are any places where data is entered or manipulated. Although that sounds vague and indicates a potentially large target area, I really mean to make you think about all of the areas in your websites where potential attackers can interact with your site. Let’s examine these areas in detail and look at some examples of how you can reduce their vulnerabilities.

Data Validation

Any area of your website that allows for data input is a potential risk area: data entry forms, search inputs, query strings, and so on. The general rule of thumb here is to treat any outside source of data as suspect, and to manage it by filtering it as soon as it becomes available to you. What does filtering mean? Well, once data is passed to your control, you inspect it and alter it if needed—or reject it if it does not meet your input criterion. This is known as validating your data on the most basic of levels. The section Cross-Site Scripting (XXS) and SQL ...

Get PHP: The Good Parts now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.