Tips for Creating Secure PHP Applications

PHP is an open-source scripting language. Vizteck is giving you tips for creating secure PHP applications through this guide!




January 28, 2014





To have a secure PHP application, use proper error reporting. Turning error reporting on during development helps find misspelled variable names, incorrect function usage, and many other mistakes. Before the site goes live, stop displaying errors to visitors: error messages contain information such as the software installed, the installation folder, and other sensitive details that would otherwise be visible to the audience.



Cross-Site Scripting (XSS) Attacks in User Input

Most applications allow users to submit their input. Once submitted, it can be displayed on the web as comments, threads or blog posts in HTML form. Accepting HTML input is dangerous because it can carry JavaScript that executes in other users' browsers and creates havoc in the app. If one hole is left open, cookies can also be hijacked, and a hijacked session cookie gives access to a real account, through which data can be copied and illegally used. To prevent such attacks, HTML can be blocked outright. Doing so affects formatting, which won’t suit forums or blogs.


Protecting against SQL Injection

SQL injection is the most common security attack. It occurs when data goes unchecked and the app fails to escape characters that have meaning in SQL strings, such as single quotes or double quotes. It is important to protect against this, otherwise users will be able to exploit it by crafting input that makes a query's condition always true, thereby tricking the login system.

```php
<?php
// Prepared statement with named placeholders: the values are bound
// separately from the SQL text, so they can never change the query.
// The SQL string itself was lost from the page; the one below is assumed.
$sql  = "INSERT INTO users (name, age) VALUES (:uname, :uage)";
$stmt = $db->prepare($sql);
$stmt->execute(array("uname" => $name, "uage" => $age));
?>
```


Protecting Session Data

Session information gets saved to a temp directory. On a shared hosting server, an attacker with an account on the same machine can write a script that reads the session files. Sensitive information like passwords or credit card numbers should never be saved in a session. Encrypting the information stored in the session helps to safeguard it: this makes the data unreadable to others but doesn’t solve the underlying problem.


Validate Input

Input validation is a great way to protect data. Most of the time, the expected range of the input data is known, and validating the input allows only that data through. For example, in a birthday app the month should be accepted as a number between 1 and 12, the day between 1 and 31, and the year in YYYY format.

```php
// Format checks on the three birthday fields: one or two digits for
// month and day, exactly four digits for the year.
if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['newmonth'] ) ) {
    // handle error
}
if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['newday'] ) ) {
    // handle error
}
if ( ! preg_match( "/^[0-9]{4}$/", $_GET['newyear'] ) ) {
    // handle error
}
```


Output Filtering

Output filtering is also important. Escaping characters that have special meaning in HTML prevents page rendering from breaking and also blocks JavaScript injected by malicious users. The following functions are helpful for cleaning up text:

htmlspecialchars(): converts the special HTML characters into entities
htmlentities(): converts all possible characters into HTML entities
strip_tags(): removes all HTML tags from a string
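The following is an added example, not code from the original post, that ties together the SQL injection, input validation and output filtering advice above in one request handler: the birthday fields are format-checked as in the post and then range-checked with checkdate(), the record is inserted through a PDO prepared statement, and the confirmation is escaped with htmlspecialchars() before it is echoed. The table name, column names and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example (not from the original post). Table/column names and the
// SQLite in-memory database are assumptions so the script runs offline.

/** Format check (as in the post) plus a range check with checkdate(). */
function validate_birthday(array $input): ?string
{
    $month = (string) ($input['newmonth'] ?? '');
    $day   = (string) ($input['newday'] ?? '');
    $year  = (string) ($input['newyear'] ?? '');
    if (!preg_match('/^[0-9]{1,2}$/', $month)
        || !preg_match('/^[0-9]{1,2}$/', $day)
        || !preg_match('/^[0-9]{4}$/', $year)) {
        return null;            // wrong shape, e.g. letters or "2014/1/1"
    }
    if (!checkdate((int) $month, (int) $day, (int) $year)) {
        return null;            // right shape, impossible date: 13/31/2014
    }
    return sprintf('%04d-%02d-%02d', $year, $month, $day);
}

/** User data is bound as a parameter, never concatenated into the SQL. */
function save_birthday(PDO $pdo, string $name, string $birthDate): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO birthdays (name, birth_date) VALUES (:uname, :bdate)'
    );
    $stmt->execute(['uname' => $name, 'bdate' => $birthDate]);
}

/** Escape before echoing so a name like <script> is shown, not run. */
function render_confirmation(string $name, string $birthDate): string
{
    $safeName = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Saved birthday {$birthDate} for {$safeName}</p>";
}

// In-memory SQLite stands in for the real database (assumption).
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE birthdays (name TEXT, birth_date TEXT)');
// The write happens only on POST, so a plain link cannot trigger it.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $birthDate = validate_birthday($_POST);
    $name = trim((string) ($_POST['name'] ?? ''));
    if ($birthDate === null || $name === '' || strlen($name) > 100) {
        http_response_code(400);
        exit('Invalid input');
    }
    save_birthday($pdo, $name, $birthDate);
    echo render_confirmation($name, $birthDate);
}
```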


Use POST for Dangerous Actions

The two most common methods of sending data to a PHP application are ‘GET’ and ‘POST’. ‘GET’ appends the variables to the end of the URL, whereas ‘POST’ sends them in the body of the request, where they aren’t visible to the user. ‘POST’ is the right choice for a potentially dangerous action such as deleting, because a ‘GET’ URL can be reached far too easily.

