Because security is such an important issue, we want to reiterate the main points of this chapter as well as add a few additional tips:
Filter input to be sure that all data you receive from remote sources is the data you expect. Remember, the stricter your filtering logic, the safer your application.
Escape output in a context-aware manner to be sure that your data isn’t misinterpreted by a remote system.
Always initialize your variables. This is especially important
allow_url_fopen. See http://www.php.net for details on these
Whenever you construct a filename, check the components with
Store includes outside of the document root. It is better not to name your included files with the .inc extension. Name them with a .php extension, or some other less obvious extension.
Call session_regenerate_id() whenever a user’s privilege level changes.
Whenever you construct a filename from a user-supplied component, check the components with
Don’t create a file and then change its permissions. Instead, set umask() so that the file is created with the correct permissions.
Don’t use user-supplied data with preg_replace() with the /e option, or any of the system
passthru(), and the backtick (
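As an added example (not code from the book) of three of these tips in PHP: checking a user-supplied filename component before using it, setting umask() so the file is created with the right permissions instead of changing them afterwards, and regenerating the session ID when a user's privilege level changes. The upload directory path and the function names are assumptions made for this example.

```php
<?php
// Added example, not from the book. UPLOAD_DIR and the function names are assumptions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/www/app-data/uploads';   // assumed path, outside the document root

// Resolve a user-supplied name to a path inside UPLOAD_DIR, or null if it would escape it.
function safeUploadPath(string $userName): ?string
{
    // Keep only the last path component: drops "../" and any directory parts.
    $name = basename($userName);
    // Strict filtering: only a conservative character set and a bounded length.
    if ($name === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
        return null;
    }
    $base = realpath(UPLOAD_DIR);
    if ($base === false) {
        return null;                                  // base directory does not exist
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    // realpath() follows symlinks, so for an existing file re-check that the
    // canonical path is still under $base (a symlink inside could point outside).
    $resolved = file_exists($candidate) ? realpath($candidate) : $candidate;
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $resolved;
}

// Create the file with the intended permissions from the start; no chmod() afterwards.
function createUpload(string $userName, string $data): bool
{
    $path = safeUploadPath($userName);
    if ($path === null) {
        return false;
    }
    $old = umask(0077);                               // new files become mode 0600
    try {
        return file_put_contents($path, $data, LOCK_EX) !== false;
    } finally {
        umask($old);                                  // restore the previous mask
    }
}

// Call when a user's privilege level changes (login, logout, role change).
function changeRole(string $role): void
{
    session_regenerate_id(true);                      // true: discard the old session data
    $_SESSION['role'] = $role;
}
```

A name such as "../../etc/passwd" is reduced to "passwd" by basename() and then rejected only if it fails the pattern, so the realpath() check is what guarantees the final path stays inside the upload directory.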