Skip Navigation

Writing Secure PHP

Posted July 16, 2004 in PHP

PHP is a very easy language to learn, and many people without any sort of background in programming learn it as a way to add interactivity to their web sites. Unfortunately, that often means PHP programmers, especially those newer to web development, are unaware of the potential security risks their web applications can contain. Here are a few of the more common security problems and how to avoid them.

[Writing Secure PHP is a series. Part 2, Part 3 and Part 4 are currently also available.]

Rule Number One: Never, Ever, Trust Your Users

It can never be said enough times, you should never, ever, ever trust your users to send you the data you expect. I have heard many people respond to that with something like "Oh, nobody malicious would be interested in my site". Leaving aside that that could not be more wrong, it is not always a malicious user who can exploit a security hole - problems can just as easily arise because of a user unintentionally doing something wrong.

So the cardinal rule of all web development, and I can't stress it enough, is: Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you'll be off to a good start. If PHP security is important to you, this single point is the most important to learn. Personally, I have a "PHP Security" sheet next to my desk with major points on, and this is in large bold text, right at the top.

Global Variables

In many languages you must explicitly create a variable in order to use it. In PHP, there is an option, "register_globals", that you can set in php.ini that allows you to use global variables, ones you do not need to explicitly create.

Consider the following code:

  1. if ($password == "my_password") {
  2. $authorized = 1;
  3. }
  4.  
  5. if ($authorized == 1) {
  6. echo "Lots of important stuff.";
  7. }

To many that may look fine, and in fact this exact type of code is in use all over the web. However, if a server has "register_globals" set to on, then simply adding "?authorized=1" to the URL will give anyone free access to exactly what you do not want everyone to see. This is one of the most common PHP security problems.

Fortunately, this has a couple of possible simple solutions. The first, and perhaps the best, is to set "register_globals" to off. The second is to ensure that you only use variables that you have explicitly set yourself. In the above example, that would mean adding "$authorized = 0;" at the beginning of the script:

  1. $authorized = 0;
  2. if ($password == "my_password") {
  3. $authorized = 1;
  4. }
  5.  
  6. if ($authorized == 1) {
  7. echo "Lots of important stuff.";
  8. }

Error Messages

Errors are a very useful tool for both programmer and hacker. A developer needs them in order to fix bugs. A hacker can use them to find out all sorts of information about a site, from the directory structure of the server to database login information. If possible, it is best to turn off all error reporting in a live application. PHP can be told to do this through .htaccess or php.ini, by setting "error_reporting" to "0". If you have a development environment, you can set a different error reporting level for that.

SQL Injection

One of PHP's greatest strengths is the ease with which it can communicate with databases, most notably MySQL. Many people make extensive use of this, and a great many sites, including this one, rely on databases to function.

However, as you would expect, with that much power there are potentially huge security problems you can face. Fortunately, there are plenty of solutions. The most common security hazard faced when interacting with a database is that of SQL Injection - when a user uses a security glitch to run SQL queries on your database.

Let's use a common example. Many login systems feature a line that looks a lot like this when checking the username and password entered into a form by a user against a database of valid username and password combinations, for example to control access to an administration area:

  1. $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");

Look familiar? It may well do. And on the face of it, the above does not look like it could do much damage. But let's say for a moment that I enter the following into the "username" input box in the form and submit it:

  1. ' OR 1=1 #

The query that is going to be executed will now look like this:

  1. SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''

The hash symbol (#) tells MySQL that everything following it is a comment and to ignore it. So it will actually only execute the SQL up to that point. As 1 always equals 1, the SQL will return all of the usernames and passwords from the database. And as the first username and password combination in most user login databases is the admin user, the person who simply entered a few symbols in a username box is now logged in as your website administrator, with the same powers they would have if they actually knew the username and password.

With a little creativity, the above can be exploited further, allowing a user to create their own login account, read credit card numbers or even wipe a database clean.

Fortunately, this type of vulnerability is easy enough to work around. By checking for apostrophes in the items we enter into the database, and removing or neutralising them, we can prevent anyone from running their own SQL code on our database. The function below would do the trick:

  1. function make_safe($variable) {
  2. $variable = mysql_real_escape_string(trim($variable));
  3. return $variable;
  4. }

Now, to modify our query. Instead of using _POST variables as in the query above, we now run all user data through the make_safe function, resulting in the following code:

  1. $username = make_safe($_POST['username']);
  2. $password = make_safe($_POST['password']);
  3. $check = mysql_query("SELECT Username, Password, UserLevel FROM Users WHERE Username = '".$username."' and Password = '".$password."'");

Now, if a user entered the malicious data above, the query will look like the following, which is perfectly harmless. The following query will select from a database where the username is equal to "\' OR 1=1 #".

  1. SELECT Username, Password, UserLevel FROM Users WHERE Username = '\' OR 1=1 #' and Password = ''

Now, unless you happen to have a user with a very unusual username and a blank password, your malicious attacker will not be able to do any damage at all. It is important to check all data passed to your database like this, however secure you think it is. HTTP Headers sent from the user can be faked. Their referral address can be faked. Their browsers User Agent string can be faked. Do not trust a single piece of data sent by the user, though, and you will be fine.

File Manipulation

Some sites currently running on the web today have URLs that look like this:

  1. index.php?page=contactus.html

The "index.php" file then simply includes the "contactus.html" file, and the site appears to work. However, the user can very easily change the "contactus.html" bit to anything they like. For example, if you are using Apache's mod_auth to protect files and have saved your password in a file named ".htpasswd" (the conventional name), then if a user were to visit the following address, the script would output your username and password:

  1. index.php?page=.htpasswd

By changing the URL, on some systems, to reference a file on another server, they could even run PHP that they have written on your site. Scared? You should be. Fortunately, again, this is reasonably easy to protect against. First, make sure you have correctly set "open_basedir" in your php.ini file, and have set "allow_url_fopen" to "off". That will prevent most of these kinds of attacks by preventing the inclusion of remote files and system files. Next, if you can, check the file requested against a list of valid files. If you limit the files that can be accessed using this script, you will save yourself a lot of aggravation later.

Using Defaults

When MySQL is installed, it uses a default username of "root" and blank password. SQL Server uses "sa" as the default user with a blank password. If someone finds the address of your database server and wants to try to log in, these are the first combinations they will try. If you have not set a different password (and ideally username as well) than the default, then you may well wake up one morning to find your database has been wiped and all your customers' credit card numbers stolen. The same applies to all software you use - if software comes with default username or password, change them.

Leaving Installation Files Online

Many PHP programs come with installation files. Many of these are self-deleting once run, and many applications will refuse to run until you delete the installation files. Many however, will not pay the blindest bit of attention if the install files are still online. If they are still online, they may still be usable, and someone may be able to use them to overwrite your entire site.

Predictability

Let us imagine for a second that your site has attracted the attention of a Bad Person. This Bad Person wants to break in to your administration area, and change all of your product descriptions to "This Product Sucks". I would hazard a guess that their first step will be to go to http://www.yoursite.com/admin/ - just in case it exists. Placing your sensitive files and folders somewhere predictable like that makes life for potential hackers that little bit easier.

With this in mind, make sure you name your sensitive files and folders so that they are tough to guess. Placing your admin area at http://www.yoursite.com/jsfh8sfsifuhsi8392/ might make it harder to just type in quickly, but it adds an extra layer of security to your site. Pick something memorable by all means if you need an address you can remember quickly, but don't pick "admin" or "administration" (or your username or password). Pick something unusual.

The same applies to usernames and passwords. If you have an admin area, do not use "admin" as the username and "password" as the password. Pick something unusual, ideally with both letters and numbers (some hackers use something called a "dictionary attack", trying every word in a dictionary as a password until they find a word that works - adding a couple of digits to the end of a password renders this type of attack useless). It is also wise to change your password fairly regularly (every month or two).

Finally, make sure that your error messages give nothing away. If your admin area gives an error message saying "Unknown Username" when a bad username is entered and "Wrong Password" when the wrong password is entered, a malicious user will know when they've managed to guess a valid username. Using a generic "Login Error" error message for both of the above means that a malicious user will have no idea if it is the username or password he has entered that is wrong.

Finally, Be Completely and Utterly Paranoid

If you assume your site will never come under attack, or face any problems of any sort, then when something eventually does go wrong, you will be in massive amounts of trouble. If, on the other hand, you assume every single visitor to your site is out to get you and you are permanently at war, you will help yourself to keep your site secure, and be prepared in case things should go wrong.

Ready for more? Try Writing Secure PHP, Part 2.

Writing Secure PHP was posted July 16, 2004 in PHP and has been tagged with programming, web, development, webdev, mysql, code, webdesign, php, security, coding, tutorial and tips.

71 comments

Keep up to date with this discussion with RSS or Atom.
Joen Olsen
Denmark #1: July 16, 2004
Very nice article indeed. I learned a few things - for example, I didn't know that the default user of SQL Server is 'sa' :P
Just kidding.
However, for newbies this is must-have knowledge. Keep up the good work.
Rory
Unknown #2: July 20, 2004
Hehe ;-) I also learnt that the default SQL Server pass is 'sa' :p
Nice article, but would like more info...
Hi,

your article gives me simple and understandable answers, and also guide you to the right way of paranoia.

Thx!

Greetings

Rene
This was a great help to me being a PHP newbie.
Hope to see more articles from you on this subject and keep up the great work.
Anonymous
India #5: February 5, 2005
Thank You for the above article.

Can we hide the directory structure from the user.

Please send me reply to shabbu_sms@rediffmail.com
A good article especially the Mysql section,it's always a good idea to check data submited by the user for auth. It should be pointed out that a carefully writen query using MIN/MAX with grouping will also deter the script kiddies and reduce load on the database.
Would be helpful if there was print this article button,

Keep up the good work.
Funny you should say that, ac - there is one on the right, but I've been wondering if it's obvious enough or not. Clearly, it's not!
JD
United States #9: April 26, 2005
I would rephrase the first point.
Instead of saying 'Never ever trust your users', I would say 'Never ever trust any outside data.'

I think above sentence would cover more scenarios + it's better because you do want to trust your users/customers (in general) but you want to be very skeptical about all the data you receive.

Other than this, I think it's a good starting point in Security for budding PHP programmers. :)
That's actually quite funny. First of all, as an experienced PHP developer, I can tell you that Writing Secure PHP is an oxy-moron. The proper term is HACKING! and don't get me started on secure PHP.
Very good coverage of the basics; good as a tutorial and refresher. The cardinal rule of "don't trust the user's data" can never be repeated too often.

I have some bones to pick, however. ;-)

Error Messages
==
You're right that in a live environment, it is very bad to display PHP's errors to the user, since they contain backend-specific info a hacker can use against you.

A better method than turning off error_reporting() is to turn off 'display_errors', and use 'log_errors' and 'error_log'. This way developers can still get errors from misbehaving applications, and it won't trouble the user. <http://us2.php.net/manual/en/ref.errorfunc.php>

Predictability
==
The example about where to store the administration interface smacks of security through obscurity. Repeat it with me: "security through obscurity is not security".

Changing 'admin' to 'gobbledygook' adds a fraction of a percent of security. You MUST rely on -actual- security methods anyway, like a good password, the register_globals advice you gave earlier, and other methods of battening down the hatches on your application. Putting a curtain over the hatch does so little it's not even worth it. ;-)
I agree on both counts, Darkside. I have left out the extra error reporting options entirely, as the purpose of this article is to explain the very basics and give people an idea of what to do to make their sites more secure. I've written an article on the php.ini file sa well which explains how to set up error reporting properly, but I felt to go into that in this article would have been getting too involved for what is an introduction.

You are right, as well, about security through obscurity. While I don't pretend for a second that putting an admin area somewhere random rather than at "/admin" will make the world of difference, it may help deter the casual inquisitor. In general, predictability applies to usernames and passwords more than anything else.
Gant
United States #13: April 28, 2005
I've seen SQL injection be a real problem with ASP, but doesn't PHP do addslashes for you? I've never had a problem with SQL injection with login code. But then again I use $username and not the POST array. Any info here would be great. But I tried the little ' 1=1 # and there's no SQL possible.

I would however talk about SQL injection with where the single quote is non-existant.
IE, "SELECT * WHERE `key` > $input;
The aforementioned is asking for SQL injection.

Also, it would be kewl to cover basics of XSS for newbs designing sites. A lot of people don't know that even if they do all this securely, malicious JScript could rip it all away.
PHP can do addslashes for you, with "magic quotes". But that isn't a safe way to go - apart from anything else, a server config can change and magic quotes might be turned off. It is far better to be sure by escaping slashes yourself.

Using $username rather than the post array is not really any different. It does imply you have "register_globals" set to on in your server config, and that is a major security problem.

The ' or 1=1 # injection is just one example of it. If you are not escaping characters, the above still might not work, but it usually is fairly easy to tell if someone is open to this vulnerability and then exploit it.
Iam using this instead of addslashes

$passwd = mysql_escape_string($passwd);

what do you think is better?
If you can use mysql_escape_string (or even better, mysql_real_escape_string), that is better. It escapes slashes, as well as other special characters. It is not always available, unfortunately, but if it is, it is worth using. Remember also it will not work with SQL Server etc.
Simon
New Zealand #17: April 30, 2005
First, mysql_real_escape_string() is better than addslashes().

Also - you can simply use typecasting to make sure your data is safe. For example, if you're expecting a number:

$var = (int) $_GET['var'];

Third, I like to have at least 2 mysql user accounts in addition to root. I generally have the user 'mysql' who can ONLY select data (& not from the 'mysql' database). Next, I use an 'admin' account who can ONLY SELECT, INSERT, UPDATE, DELETE. I only use the admin account when I have to.

--Simon
Eriko Morais
Brazil #18: May 4, 2005
I haven´t seen anything about db connection encrypting... once the db password is written in plain text, isn´t this a security fault?
Sigmund
Norway #19: May 9, 2005
Good article, but you've not yet mentioned one very good way to validate user input. All http transmitted variables (post & get) are strings. So using

if ($authorized === 1) {
echo "Lots of important stuff.";
}

would actually be quite secure (three =-signs forces type-checking). But that method should of course always be combined with all the methods you mentioned ;)
KillVador
France #20: May 13, 2005
Thx for this wonderfull article, very usefull, I'll check all my php-based page !!!!!! ('Never Ever Trust User')
paulg
France #21: May 18, 2005
Nice one Dave. I read part 2 as well. RU planning a part 3? as previous poster said;
-suggest a scrubber
-explain why page.php?page=contactus.php should be replaced with page.php?p=1 and what the "relational" means in relational databases.(databases like numbers, numbers are easy to validate (int))

If you can you're a better man than me gungadin.
Hi Paul. Yes, part 3 is about half done. I've still got the rest of the php.ini guide to do though and that will probably be finished first. But yes, a Part 3 is on the way, as is "Writing Secure PHP, Securing the Client".
Somene mentioned passwords in connection strings in plain text and in fact I have seen this in many online examples and in some classes. I wonder if encrypting a password and storing it in a file to be read by a function and then decrypted might add some security?

When using Windows and .Net one should probably be using Windows Integrated Security obviating the need for passwords in connection strings. Just some food for thought.
I guess PHP does sometimes add slashes to posted stuff, but depends on the server. So I suggest you write

[php-code]
$password = addslashes(stripslashes($_POST['password']));
[/php-code]

to be sure you have escaped the string, but not escape the slashes added by PHP (or you get something like
"that\\\'s live"). 't Was frustrating for me to find out my testing environment didn't add slashes itself, but the other server did :(

stripslashes simpty removes the slashes added by addslashes
Or better:

<?php
if(!get_magic_quotes_gpc()){
$_POST['password'] = addslashes($_POST['password;]);
}
?>

Now backslashes that should to be in de password, are no longer removed.
Simon
New Zealand #26: July 19, 2005
Having a plain text password in a php file isn't a major issue: All you're doing is variable assignment:

$password = 'secret';

If the file is requested, then , this will be parsed by PHP and not shown to the user.

The problem comes when someone can read the source code due to local access (ssh, telnet, face-to-monitor, whatever). In this case, you're pretty much screwed anyway, and there are easier ways to break into your database than hunt through a few php files for a password string.

HOWEVER, one thing to keep in mind is that a lot of people store their database connection info. in an external file called something like dbconnect.inc

THIS is a huge problem - because if your webserver doesn't parse .inc files as php (and they don't by default), then a direct request for dbconnect.inc will send the file to the user as PLAIN TEXT.

--Simon
lamer
Russian Federation #27: July 22, 2005
Booloean expression

Username = '\' OR 1=1

is always true.
Dan
United Kingdom #28: July 22, 2005
Call me a dumbass or what ever but I neever seem to add an security to my input boxes for logins etc!

But now I have my current site I'm devloping (locally) is now secure!
J. Miguel
Brazil #29: October 2, 2005
Thanks from Brasil.
Another good way to stop a css on your db is nest your variables in a htmlentities()
Excellent stuff, and at a level the average PHP coder can under stand.
i'm currently writing my own CMS and i'm thinking alot about security because i feel that after time i think my site will be a gerat place for people to try to break stuff. i've read this page and a few others but this one as a main overal picture and decided to go about looking for information and found these two items here that i planned to use in my CMS. i planned to combine them to make a form filter class in various area of my app.

i think this is something that people should look into. XSS and injection. the XSS page actually has referances to look thru but i think it's a good place to start for tese topics specifically :D

http://www.phpclasses.org/browse/package/2189.html

http://www.phpclasses.org/browse/package/1341.html
Sage
Australia #33: January 23, 2006
Being new to php, this was a real eye opener!

I had already done my personal test site with a u/p + database and using the code provided here... I bypassed all my security :( (or what i thought was security). This has since been fixed due to the information provided.

i will be checking the site frequently as the information i have found here is clear and easy to understand.

Cheers and keep up the good work!

Sage
Sage: I'm glad to hear the tutorial was of use to you.

Everyone: Thankyou!
Great Article! I am definately going to read part 2
Most of it wasn't new to me. But in my case I had to gather this information all over the net. For anybody else this is a great cumulation of usefull information all on one place.

I still cannot find a print link or button!
Bj
Germany #36: May 5, 2006
Thanks, it's a very nice articel, even thought I did know the most of this errors. But it's always usefull for beginners ...
For your part about having index.php?page=.htpasswd...in my code, I use a switch selection to $_GET the current action on the page and always set the default to check for a login session. If the session is there, go to the main menu (which reads permissions from a database for that user to populat, so if that is a hacker, they see nothing), and if not logged in, drop back to the login page.

I tested out the code you had in your tutorial and it worked, so hopefully it'll work for others too.
Kim
Australia #38: June 20, 2006
Using an SQL statement that returns data like a password should be an absolute nono.
Using a statement like
'Select count(*) from users where username=' . mysql_real_escape($username) . ' and password = ' . mysql_real_escape($password)
Would return a number. That number should always be 1 if authenticated. Anything else would be invalid.

Never return more data than is absolutely necessary and never return the username/password combinations. Even in this simple example, the password should have been encrypted, especially if you host your site on a third party server.
wlw
United States #39: June 29, 2006
Great articles, what I could read of them, unfortunately, I couldn't get past the first page of any of them, the subsequent page links all returned to the first page. Worked that way with IE and Firefox. My bad?
Not your bad at all - mine. I made a couple of changes to the site affecting URLs, the idea being to ensure all articles are only accessible at a single URL, rather than multiple URLs as previously. Pagination, unfortunately, had a little bit of an issue with this. All fixed now.
About the problem with the link (http://mysite.com?page=home.html). You could solve that problem with a simple check. Imagine you have a directory where you store all pages. Simply by checking if that file exists in that given directory (ex. if(file_exists("pages/mypage.php")) ) and by giving an error message if case it does not and by using regexps on the value of the page variable will keep you safe.
Dan
United Kingdom #42: August 29, 2006
Good article w/ essential security info. Thanks!
sess
Unknown #43: December 4, 2006
that example with the
' OR 1=1 #
and its effect made me laugh a lot, i just installed apache+php and started learning php, I started looking for ways to do secure coding and found this site. Your article will help me a lot, thanks for the great info =D
Kevin
United States #44: December 10, 2006
Thanks alot. I have learned alot. I am currently developing a website that I hope to have up soon but my primary concern right now is learning as much as I can about PHP security before I do such. Your articles are great and I really appreciate clear, easy to understand information. In learning PHP, I've read php code by others and PHP tutorials without a clear understanding why certain things were done; but after reading this, now I can look back and realize that some of that code was a bad idea and unnecessary.
Will
United States #45: January 17, 2007
I strongly recommend immediately hashing your password whenever it reaches your script. Unless you intend to be working with fixed or readable passwords, I do not recommend you leave your passwords unhashed, either.

By hashing the password you will also automatically prevent an injection attempt. That way, if it doesn't match, the hack/user hasn't gained anything by trying to break your script!
Good article, but adding a few digits to a password doesn't make it safe from a dictionary attack. See http://www.schneier.com/blog/archives/2007/01/choosing_secure.html

"So the first attack PRTK performs is to test a dictionary of about 1,000 common passwords, things like "letmein," "password," "123456" and so on. Then it tests them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!" and so on. Believe it or not, it recovers about 24 percent of all passwords with these 100,000 combinations."
Thanks for this information. I've referred back to it a few times now, it's been very helpful. So thank you.
Not a bad thing to make us read ;)

I'm gonna read part 2 and 3 now
Lennart
Netherlands #49: May 20, 2007
Instead off addslashes works mysql_real_escape_string() better...perhaps that wasn't available yet when this article was written
Bruce
United States #50: June 10, 2007
Great website! Bookmarked! I am impressed at your work!
Tom
Unknown #51: July 26, 2007
after reading this i tested it on my own site with the sql injection and im happy to say that the injection did not work! but im still not taking any chances so i added the addslashes to my security class and will use it from now on for any additions to my database. Thank you very much and keep up the good work.
Another great article, thanks Dave.
I stumbled on this while looking for secure PHP coding info and found your advice very useful. I've been puttering around with PHP for quite a while, but haven't really added security to my toolchest. This article and the next two in the series were a great start.
Jonathan Story
Unknown #54: September 25, 2007
"Personally, I have a "PHP Security" sheet next to my desk with major points on, and this is in large bold text, right at the top."

Would love to see what you think are the "major points" - if you have a moment could you send them to me at jonathan6735[at]hotmail[dot]com

<3
I nearly gagged when I saw this:

"By checking for apostrophes in the items we enter into the database, and removing or neutralising them, we can prevent anyone from running their own SQL code on our database."

What if this is your query:
SELECT * FROM users WHERE id = $_GET['id']

It doesn't matter if this is escaped with addslashes, mysql_escape_string, mysql_real_escape_string, etc. If you enter "99 or union all select 0,0,0,0,0 from users", there is no slash to escape. This is a COMMON mistake and I can't believe no one has told you about this! The best method for handling strings may be addslashes or the like, but integers do not require quotations, thus your filtering system does not work.
Hex
United Kingdom #56: September 28, 2007
Why mysql_real_escape_string should be used rather than addslasshes:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
david Graves
United States #57: November 10, 2007
This was a great article. I had an attack just two days ago and this helped me understand the attack and how to defend from it. I appreciate your taking the time to talk to us and share your knowledge.

I still have not located the print button??
Scott
United States #58: December 17, 2007
@#55:

QUOTED:
What if this is your query:
SELECT * FROM users WHERE id = $_GET['id']

It doesn't matter if this is escaped with addslashes, mysql_escape_string, mysql_real_escape_string, etc. If you enter "99 or union all select 0,0,0,0,0 from users", there is no slash to escape. This is a COMMON mistake and I can't believe no one has told you about this! The best method for handling strings may be addslashes or the like, but integers do not require quotations, thus your filtering system does not work.
END QUOTE

If your query had the single quotes around $_GET[id], you'd still be protected. Just because the data will be an integer, it doesn't mean you can't quote it, right?
A.
United Kingdom #59: January 11, 2008
Don't forget mysql_real_escape_string(), with it your script is protected against SQL injections. I even use it for session variables, you can never be too sure.

Great article by the way.
Adaptiv Media
Unknown #60: January 19, 2008
Thanks, the global variables section was a great help. Also grateful for your mod_rewrite article ;o)
zyber16
Estonia #61: January 28, 2008
Damn, I had that ' OR 1=1 # hole on my personal website, got it fixed thanks to this article :)
I am new to PHP and this was really helpful
Very nice article for new PHP developers.
mohamed rami
Germany #64: April 4, 2008
Thanks Alot for This Article ,its very
usefull
Decent list, but doesn't cover XSS, which is the most common exploit today.
Fix the SQL injection with the addslashes() function, easy fix. XSS is more difficult, but can be done with open source functions
thnx! you got great stuffs in here guys. learned a l0t
SQL injection is a serious problem, you can add additional checks:

$_GET['userid'] = str_replace("'", "", $_GET['userid']);
Remove all ' symbols from the userid string.

$_GET['userid'] = str_replace(" ", "", $_GET['userid']);
Remove all spaces from the userid string.

$_GET['userid'] = trim( htmlspecialchars(addslashes($_GET['userid'])) );
Returns a string with backslashes before special characters and change special character (for example from & to &amp;

All these steps will prevent your website from running malicious SQL scripts.
Hi, I am project Manager and i delivered this blog to my PHP developer because i found great stuff.Thanks
You may want to write about the new PDO class in PHP which can sanitize SQL queries for you. It is useful to learn and a lot of languages use similar features.
It's really a very good article. All the PHP learners should aware of these attacks. Thanks for the nice post.
This is a super site, especially this article on PHP security. I'm kind of an intermediate programmer in PHP and am just starting to learn about security. This was more comprehensive than all my searches of the previous 2-3 months! Would you believe I got to this site while searching for a regular expression cheat sheet! 2-in-1 :)

Post Your Comment

· Comments with keywords instead of a name have their URLs removed.
· Your email address will not be displayed or shared.

Live Comment Preview

Anonymous
United States #72: 1 minute ago