Coding secure PHP at a basic level.

December 3rd, 2007 by admin

I am hoping to do a series on how to program safe and secure code in PHP. This can get quite involved and very complex, so it is important to have a good grounding in what constitutes good practice for secure code. This article will serve as a pre-tutorial to the rest of the series, and everything in it should already be known to an experienced PHP programmer. If you are a beginner or want to brush up on the basics, this tutorial is for you.


  • Do NOT rely on register_globals. It is recommended to program with register_globals set to off in your php.ini.
  • Initialize variables before you use them. This will help stop malicious users from setting a condition through query strings.
  • Validate and purify all input data. This is a MUST for all user input forms.
  • Avoid using variables for included filenames. Example: include($file); this is dangerous because a malicious user could find a hole that lets them call upon another file, which could then be used to open far larger holes.
  • Change the default session directory to something less obvious, or store your session data in a database.
  • Learn to use strip_tags and the filter functions.
  • Turn display_errors off when a site is live. You do not want to let users see potential weaknesses.
  • Program with errors displayed; you need to be aware of potential risks.
  • Secure your code against possible SQL injection by using functions such as mysqli_real_escape_string().
  • Do NOT keep any phpinfo() scripts on your server!
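Here is the checklist above applied in a single script. This is an added example, not code from the original post, and it is written for a current PHP release rather than the PHP 4/5 of 2007. The page map `$pages`, the `articles` table, the `APP_ENV` environment variable, the session path and the database credentials are all assumptions made for illustration.

```php
<?php
// Added example (not from the original post): the checklist applied to one
// request. Every name below ($pages, articles, APP_ENV, the session path and
// the database credentials) is an assumption for illustration.
declare(strict_types=1);

// Program with errors on, but never show them on a live site: log instead.
error_reporting(E_ALL);
if (getenv('APP_ENV') === 'production') {       // assumed environment flag
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
} else {
    ini_set('display_errors', '1');
}

// Move session files out of the default, world-readable location.
session_save_path('/var/lib/php/sessions-private'); // assumed path, not web-accessible
session_start();

// Initialize before use. With register_globals on, ?authorized=1 in the query
// string would have created $authorized for us; an explicit default makes
// that irrelevant, and is still good practice with register_globals off.
$authorized = false;

// Validate input. filter_input() returns null when the key is absent and
// false when validation fails, so both cases are rejected together.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid id');
}
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);

// Purify free text that will be echoed back: strip markup, then escape
// whatever is left so it is rendered as text rather than HTML.
$comment     = strip_tags((string) filter_input(INPUT_POST, 'comment', FILTER_UNSAFE_RAW));
$safeComment = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// Never include a user-controlled filename. Instead of include($_GET['page']),
// map the request onto a fixed whitelist of files we wrote ourselves.
$pages = ['home' => 'home.php', 'about' => 'about.php']; // assumed page map
$page  = $_GET['page'] ?? 'home';
if (!array_key_exists($page, $pages)) {
    http_response_code(404);
    exit('Unknown page');
}
require __DIR__ . '/pages/' . $pages[$page];

// SQL injection. The post names mysqli_real_escape_string(); a prepared
// statement is the stronger option because the value is bound, never parsed
// as SQL. Both forms are shown, the escaping one for code that still builds
// query strings by hand.
$db   = new mysqli('localhost', 'app', 'secret', 'blog'); // assumed credentials
$stmt = $db->prepare('SELECT title, body FROM articles WHERE id = ?');
$stmt->bind_param('i', $id);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

$escaped   = $db->real_escape_string((string) $id);
$legacySql = "SELECT title FROM articles WHERE id = '$escaped'"; // quotes are required for escaping to help

echo '<h1>' . htmlspecialchars((string) $row['title'], ENT_QUOTES, 'UTF-8') . '</h1>';
echo '<p>' . $safeComment . '</p>';
```

Note that `mysqli_real_escape_string()` only helps when the escaped value sits inside quotes in the SQL string, which is why the legacy form quotes `$escaped` even though it is numeric; the prepared statement has no such caveat.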

There you have it, the most basic of things to remember when creating secure code. I hope you read my future series about writing secure PHP.

Thanks for reading!


Posted in PHP Code
