Your First 10 PHP Security Rules. Don’t Break Them.
Web Security
Posted by Max on 2007/3/10 0:24:54 (946 reads)

No matter what PHP project you start, you should always code with security in mind. There are lots of PHP security tips out there, but here are your first Top 10 PHP Web Application Security Rules, the ones you should never break.


Most application security vulnerabilities apply to PHP applications just as they do to other environments. You can write robust, secure and fast web applications in PHP as long as you follow a few basic secure coding standards. Here are the first 10 rules you should never break.


1. Use HTML_Safe (or a similar JavaScript-stripping library) to check for and remove JavaScript whenever you accept data that will later be output to a page.

2. Check every $_GET and $_POST variable for validity. Every web site has URLs like “dosomething.php?id=3”. Make sure the id you’re accepting is actually a number (or whatever type you’re allowing).

3. Escape strings before sending them to the database. Not doing so leaves you wide open to SQL injection.

4. Make sure display_errors, magic_quotes and register_globals are all off. Log errors to the error_log instead of displaying them.

5. Update often. If you have root access, don’t fall too far behind the stable releases. Bugs are fixed all the time.

6. Do not blindly send mail to the address entered in a form. It’s easy for someone to perform header injection and spam thousands of people before you even notice.

7. Use a firewall such as iptables. Close all ports you aren’t using, especially MySQL’s TCP port 3306.

8. Cookies can be abused. Do not write any sensitive data to a cookie. I thought this was obvious, but I’ve seen it enough that I’m throwing it in the list.

9. Mind the robots. Don’t rely on leaving sensitive directories out of robots.txt as your only security. Instead, use passwords to protect your admin areas.

10. Back up your data offsite. Have the offsite computer connect to the server to download the backup, not the other way around.
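As an added example (not code from the original post), here are rules 2, 3 and 6, plus the output-escaping side of rule 1, in working PHP. It assumes a hypothetical PDO connection `$db` and an `items` table with an integer `id` column; it uses a prepared statement instead of manual escaping for rule 3 and `htmlspecialchars` instead of HTML_Safe for output.

```php
<?php
// Added example, not from the original post. Assumes $db is a PDO connection
// created elsewhere and that an "items" table with an integer "id" column exists.

// Rule 2: accept ?id=3 only if it really is a positive integer.
function validateId(array $query): ?int
{
    if (!isset($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Rule 3: never splice raw input into SQL; bind the value instead of escaping by hand.
function loadItem(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Rule 6: a form-supplied address must be a single valid mailbox with no CR/LF/NUL,
// because a newline lets extra To:/Bcc: headers ride into mail().
function safeRecipient(string $address): ?string
{
    $address = trim($address);
    if (preg_match('/[\r\n\0]/', $address)) {
        return null;                     // header injection attempt: reject
    }
    $ok = filter_var($address, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

// Rule 1 (output side): escape everything before echoing it into HTML.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage (assumes $db = new PDO(...) was created earlier):
$id = validateId($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Bad request');
}
$item = loadItem($db, $id);
echo '<h1>' . h($item['title'] ?? 'Not found') . '</h1>';
```

A rejected `id` or recipient should be logged to the error_log (rule 4) rather than echoed back to the user.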

Comments

Max, posted 2007/3/11 11:10, Re: Your First 10 PHP Security Rules. Don’t Break Them.
In addition to this list, don't forget to check the PHP Security Guide