Secure PHP Coding Tips – Hands On

Finding a list of what not to do when coding in PHP is easy enough, but what is often lacking are real world examples of how to remediate insecure code. Here are a few common insecure coding practices to watch out for in PHP code, and applicable ways you can fix them today.

  1. SQL Injection vulnerabilities: Be careful when using user input in SQL queries. Use prepared statements with bound parameters instead of concatenating user input with SQL statements.
  2. Cross-Site Scripting (XSS) vulnerabilities: Make sure to sanitize user input before displaying it on the website to prevent malicious scripts from running on the client’s browser.
  3. File inclusion vulnerabilities: Avoid using user-controlled input in file inclusion functions like require() or include(). Instead, use whitelists or restrict access to certain files and directories.
  4. Insecure session management: Ensure that session IDs are generated securely and are not vulnerable to session fixation attacks. Also, make sure to destroy session variables when they are no longer needed.
  5. Insecure password storage: Do not store passwords in plain text. Use secure hashing algorithms such as bcrypt to hash and salt passwords.
  6. Code injection vulnerabilities: Avoid using user-controlled input in eval() or similar functions that can execute arbitrary code.

These are just a few examples of insecure coding practices in PHP. Finding similar insecurities in your can take some coordinated planning, careful searches.