PHP Security Essentials

This is a guest post by Fiona Gibson. If you are interested in guest posting on this blog, head over to the Guest Post Guidelines.


PHP is a great language for learning how to program; despite its simplicity it offers a wide range of possibilities for developing dynamic, database-driven websites. Unfortunately, many of PHP’s greatest strengths are also its greatest weaknesses. A PHP page will accept input from anyone on the internet, so security has to be designed in from the start. To be on the safe side, assume that your site is under constant attack; for any publicly reachable host, it effectively is.

Common misconceptions aside, you don’t need to be singled out by a determined attacker to get hit. Most attackers simply scan huge blocks of IP addresses looking for easy victims, then exploit whatever mistakes they find to steal customer data or shut down a competitor’s site. To avoid joining the victims of these attacks, familiarize yourself with the basic best practices for PHP security. This list is by no means comprehensive, but here are a few of the most important steps you can take to secure your PHP site, along with the most common beginner blunders.

When uploading PHP-based sites, be aware of the risks of shared hosting. Many beginning PHP developers make the mistake of placing configuration and credential files in the same directory as the pages they publish. Even if you are only uploading a site to test during development, be careful about what goes in your public HTML directory. In particular, never leave a phpinfo() page anywhere public: its output lists the PHP version, loaded extensions, configuration paths and environment variables, which is exactly the reconnaissance an intruder needs to find a working attack against your server. Always keep sensitive files (configuration, credentials, backups) in a separate directory outside the web root and include them by path from your scripts.

When you create a form that users can submit, the data is transferred by one of two methods: GET or POST. In most cases you will want POST for anything that changes state, because the parameters do not end up in the URL bar, browser history, bookmarks or server access logs. Do not mistake that for security, though: GET and POST data are equally visible and equally controllable by the client, so never pass sensitive information (secret keys, or values that give away your directory structure) through either. It is trivial for users to manipulate or craft their own HTTP requests, so your site must validate every field server-side, against an explicit whitelist of what is acceptable, before the data is inserted into a database or echoed back to a page.
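The validation described above, as an added example that is not part of the original post. The field names, the allowed character set for usernames and the age limits are assumptions for illustration; the sample submission at the bottom is constructed so the script runs from the command line without a web server.

```php
<?php
// Added example (not from the original post): server-side validation of a
// signup form. Field names and limits are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate the submitted fields against an explicit whitelist.
 * $input is $_POST (or $_GET); nothing in it is trusted until checked.
 * Returns ['data' => validated values, 'errors' => field => message].
 */
function validateSignup(array $input): array
{
    $errors = [];
    $data   = [];

    // Username: 3-20 characters, letters/digits/underscore only.
    $username = (string)($input['username'] ?? '');
    if (preg_match('/^[A-Za-z0-9_]{3,20}$/', $username) !== 1) {
        $errors['username'] = 'Username must be 3-20 letters, digits or underscores.';
    } else {
        $data['username'] = $username;
    }

    // E-mail: syntactic check via PHP's filter extension.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'Enter a valid e-mail address.';
    } else {
        $data['email'] = $email;
    }

    // Age: integer within a sane range. Rejects "25abc", "1e3" and negatives.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'Age must be a whole number between 13 and 120.';
    } else {
        $data['age'] = $age;
    }

    return ['data' => $data, 'errors' => $errors];
}

/** Escape a string for safe inclusion in an HTML page (output encoding). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if (PHP_SAPI === 'cli') {
    // Constructed sample submission standing in for $_POST when run from the CLI.
    $submitted = ['username' => 'alice_01', 'email' => 'not-an-email', 'age' => '25abc'];
} else {
    // Only accept the form over POST; a GET carrying the same parameters is
    // refused rather than silently processed.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('Use POST to submit this form.');
    }
    $submitted = $_POST;
}

$result = validateSignup($submitted);
if ($result['errors'] !== []) {
    if (PHP_SAPI !== 'cli') {
        http_response_code(422);
    }
    foreach ($result['errors'] as $field => $msg) {
        // Echo the field name and message escaped; never echo the raw submitted value.
        echo '<p>' . h($field) . ': ' . h($msg) . "</p>\n";
    }
    exit(1);
}
// $result['data'] now holds validated, typed values ready for the next layer.
```

With the constructed input, the username passes and the e-mail and age are rejected; the script prints one escaped error line per failed field. The same function validates a GET submission identically, which is the point: the transport method changes nothing about how much the data can be trusted.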

By convention, PHP sites keep their database connection settings in a config.php file. It is extremely important that you NEVER put config.php directly in your web root directory: it stores the credentials for your database, and if a server misconfiguration ever serves it as plain text instead of executing it, anyone can read them. Even with the credentials hidden, the worst and most common attack you will have to defend against when using PHP to access a SQL database is SQL injection. This is where an attacker supplies input, such as a form field, that your code pastes into a query string, so that the input is parsed as SQL rather than as data. Your first line of defense is to write parameterized (prepared) queries instead of building query strings dynamically. The query structure is fixed in the code and the user-supplied values are bound separately, so a payload such as “‘1’=’1’” is treated as a literal string and cannot change what the query does.
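The two points above, keeping config.php outside the web root and replacing a concatenated query with a prepared one, as a single added example that is not part of the original post. The directory layout, the users table and its columns are assumptions; when no config file is present the script falls back to a constructed in-memory SQLite database so it can be run stand-alone. Checking the password with password_verify() in PHP rather than comparing it inside the SQL goes beyond what the post says and is the added example's choice.

```php
<?php
// Added example (not from the original post). Assumed layout:
//   /var/www/example/config/config.php   <- outside the web root, holds credentials
//   /var/www/example/public/login.php    <- this file, served by the web server
declare(strict_types=1);

// __DIR__ is the directory of this script, so ../config resolves to a directory
// the web server never serves. config.php is expected to `return` an array like
// ['dsn' => 'mysql:host=localhost;dbname=app;charset=utf8mb4', 'user' => 'app', 'pass' => '...'].
$configFile = __DIR__ . '/../config/config.php';
if (is_file($configFile)) {
    $config = require $configFile;
} else {
    // Constructed fallback so the example runs stand-alone: in-memory SQLite.
    $config = ['dsn' => 'sqlite::memory:', 'user' => null, 'pass' => null];
}

$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
if ($pdo->getAttribute(PDO::ATTR_DRIVER_NAME) !== 'sqlite') {
    // On MySQL, make the server bind the parameters instead of the client emulating it.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}

/**
 * VULNERABLE: the username is concatenated into the SQL text. Submitting
 *   x' OR '1'='1
 * turns the WHERE clause into a tautology and returns the first user row.
 */
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch();
    return $row === false ? null : $row;
}

/**
 * FIXED: the query structure is sent with a placeholder and the value is bound
 * separately, so it can never be parsed as SQL. The same payload is now just a
 * username that does not exist.
 */
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

/** Look the user up by name with the safe query, then verify the password in PHP. */
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $user = findUserSafe($pdo, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return null;
    }
    return (int)$user['id'];
}

if (PHP_SAPI === 'cli') {
    // Constructed demo data for the stand-alone run.
    $pdo->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'admin', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

    $payload = "x' OR '1'='1";
    echo 'vulnerable lookup: ' . json_encode(findUserVulnerable($pdo, $payload)) . "\n"; // admin row
    echo 'safe lookup:       ' . json_encode(findUserSafe($pdo, $payload)) . "\n";       // null
    echo 'authenticate(admin, wrong):         ' . var_export(authenticate($pdo, 'admin', 'wrong'), true) . "\n";
    echo 'authenticate(admin, correct horse): ' . var_export(authenticate($pdo, 'admin', 'correct horse'), true) . "\n";
}
```

Run from the command line, the vulnerable lookup returns the admin row for a username that does not exist, while the prepared statement returns nothing for the identical input. Note that the vulnerable function is still exploitable even though the credentials live outside the web root: hiding config.php protects the database password, not the queries.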

Although this is by no means a comprehensive list of what you need to do to keep a PHP site secure, it should at least give you an idea of how some of the language’s most common weaknesses are exploited. Simply validating all user input, protecting your database credentials and queries, and escaping output to protect against XSS vulnerabilities is necessary, but it is not enough on its own.

To make a truly secure site, you have to not only stay educated on the latest threats, but build security into your site from the beginning: don’t think only about how to defend your site, but about how and why someone might attack it. Only when you treat security as a fundamental building block of your site’s design, and not just another item on a checklist, will you be able to stay a step ahead of attackers.


About the Author: Fiona Gibson is a computer specialist and software reviewer. She also contributes to a website that provides antivirus software coupons, such as Bitdefender and AVG promotions.



  1. Aditya says:

    SQL injection is a matter of concern for PHP website developers, and suitable measures to be safe should be taken at the beginning.
    Thanks for sharing this info.

  2. David says:

    Thanks Fiona. I’m just learning about PHP (I know ASP, but from years ago) and had issues with SQL injection, so thanks for the refresher and brush-up. Lots of great tips here. I did not know about the security files and storing them out of the web root. Thanks heaps.
