PHP security introduction

by - posted

PHP security introductionThis is an article about my PHP security introduction document. In this document, I will cover security basics for PHP programmers, Web server characteristics, how to secure on the application level and I will also describe some common attacks.

About the document

The goal of the PHP security introduction document is to show PHP junior programmers the tip of the iceberg of PHP security.  This is not a complete description of all actual known attacks/vulnerabilities and what you can do against them. The idea is to show you the whole picture in order to give you a good basis so that you can understand how things are working together.


To get an overview of the whole picture, have a look at the basic elements while a PHP application is running. When you start thinking about PHP security, it’s a good approach to make you familiar with general security measures and language specific measures. Then you have to learn how a basic element works and how it can be secured. Finally you have to know the most common attacks and learn how to parry them. This will complete your basic PHP security skills !

Security basics

The security basics part covers general security measures like : code and application structure, testing, input validation, output filtering and so on. We discuss language specific measures like : the  life cycle and scope of variables, input validation and sanitizing, output filtering, initializing variables, error output, The PHP function include() , and The PHP function eval(). You will find code examples in the PDF document.

The basic building blocks

This is maybe a special approach, but I find it logically to describe the involved elements while running a Web application. This will give you the whole understanding in what is going on and what you have to look at, while securing. The basic building blocks are going from the user (yes, the user is the first element in the security line) to the input/output data via the browser (cookies, HTTP, session) to the Web server.

The Web server details

The Web server is an important element to secure, because it is the “house” of your Web application. All Web server layers have to be secured, namely : the operating system, the Apache Web server and the PHP interpreter.

The application level and securing elements

In this part, you will learn how to secure a form, a database and the login mechanism. I describe the securing elements like : access control and authorization as well as logging and Captchas.

The final parts

In the final parts, I describe CSS and CSRF as well as Web cache poisoning and what to do against them. In the look-up chapter you have the list of the PHP functions used in this document, the directives and links as well as a checklist.

If you want detailed information, you can get my PDF document for free, no e-mail required for downloading, no marketing tricks – It’s just FREE for download.
Click on PHP security introduction to start the download.

If you enjoyed this article, you can :
– get post updates by connecting to our RSS feed
– get post updates by subscribing to our e-mail list
– share on social media :

Leave a comment