Home » Php » What security issues should I look out for in PHP

What security issues should I look out for in PHP

Posted by: admin April 23, 2020 Leave a comment


I just starting out learning PHP, I’ve been developing web apps in ASP.Net for a long time. I was wondering if there are any PHP specific security mistakes that I should be looking out for.

So, my question is what are the top security tips that every PHP developer should know?

Please keep it to one tip per answer so people can vote up/down effectively.

How to&Answers:

(In no particular order)

  1. Always check that register globals are OFF
  2. Always check that magic quotes are OFF
  3. Make sure you understand SQL injection attacks
  4. Turn OFF error reporting in production

EDIT: For the “newbies” out there this is a basic why (and since I have time to explain this):

  1. Register globals is an aberration. It’s the ultimate security hole ever. For example, if register_globals is on, the url http://www.yourdomain.com/foo.php?isAdmin=1 will declare $isAdmin as a global variable with no code required. I don’t know why this “feature” has made it’s way to PHP, but the people behind this should have the following tattooed on their forehead: “I invented PHP Register Globals” so we can flee them like pest when we see them!

  2. Magic quotes is another dumb idea that has made it’s way to PHP. Basically, when ON PHP will escape quotes automatically (‘ become \’ and ” become \”) to help with SQL injection attacks. The concept is not bad (help avoid injection attacks), but escaping all GET, POST and COOKIE values make your code so much complex (for example, have to unescape everytime when displaying and data). Plus if one day you switch this setting OFF without doing any change to your code, all your code and/or data is broken and (even more) vulnerable to injection attacks (yes even when ON you are vulnerable).

  3. Your databse data is your most valuable thing on your site. You don’t want people to mess with it, so protect yourself and read things about it and code with this in mind.

  4. Again this can lead to security concerns. The error message can give hints to hackes on how your code works. Also these messages don’t mean anything to your visitors, so why show them?


Avoid using register_globals.

Warning: This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.



here is a link of good PHP security programming practices.


Most of the security issues revolve around user input (naturally) and making sure they don’t screw you over. Always make sure you validate your input.



  1. Always sanitize and validate data passed from the page
  2. In conjunction with #1, always properly escape your output
  3. Always turn display_errors off in production
  4. If using a DB backend use a driver that supports/emulates prepared statements and use without prejudice 🙂


don’t use “Register Global Variables” and filter user input for xss and injections


Language Vs Programmer. You can write the most serious vulnerability and you won’t get a warning or error message. Vulnerabilities can be as simple as adding or removing 2 characters in your code. There are hundreds of different types of vulnerabilities that affect PHP applications. Most people think of XSS and Sql Injection because they are the most popular.

Read the OWASP top 10.


If you’re using a mysql database make sure you call mysql_real_escape_string when sending data to the database


There are tons of safety precautions. I can recommend a book Chris Shiflett: PHP and Web Application Security.



Have a look at the Suhosin Hardening Patch, and check out the security vulnerabilities that it addresses.


The PHPSec Guide gives a good overview.


Most of the security issues related to PHP come from using unparsed “outside” (GET/POST/COOKIE) variables. People put that kind of data directly into file paths or sql queries, resulting in file leakage or sql injections.


OWASP provides a lot of insight into security issues that are the biggest problems in applications today. It is nice to see that they have a PHP dedicated page available



  1. Always Close you SQL Connection.
  2. Always Release SQL results.
  3. Always Scrub all variables your putting into a database.
  4. When deleteing or dropping from sql use limit 1 just in case.
  5. When developing make sure you have a lock on things to keep the undesirable out. If its open and you know not to load the page right now because it could break something, doesn’t mean other people do.
  6. Never use Admin or Root as your server log in name.


Whenever possible, use prepared statements (tutorial. It’s almost a must whenever dealing with user input (I say “almost” because there are a few use cases where they don’t work), and even when not dealing with input, they keep you in the habit. Not to mention they can lead to better performance, and are a LOT easier, once you get into the swing of things, than piecemeal sanitizing.


Often introductory tutorials don’t talk at all about checking data from users. Like all programming environments, never trust the data you get from users. Learn to use functions like is_numeric(), isset(), and mysql_real_escape_string() to protect your system.

There are also features that allow you to access remote files, and other creative things. I’d avoid those until you have a good understand of how and when they work (often they are disabled for security reasons).


Use POST method for data passing from one page to another.

Use trim while getting data like trim($_POST).
Also, use strip_tags for variables before you passing into the queries.

I am suggesting you use any framework link Codeigniter, Laravel, YII, Cake PHP because they maid framework with all securities

I suggest Codeigniter for small projects and Laravel for big projects.


Always use POST and not GET for important Data…