Comments on: PHP Security Guide & Checklist for Websites and Web Applications – Bottom Line for Every Good PHP Developer

By: Anonymous

Anonymous — Mon, 02 Jan 2012 11:20:14 +0000

[...] [...]

By: rajesh singh

rajesh singh — Wed, 12 Oct 2011 06:00:58 +0000

thank you very much

i have got very important things about PHP from you thank you, thank you and thank you

By: Sboniso

Sboniso — Wed, 31 Aug 2011 11:07:38 +0000

Thank you man. Now my application will be more secure.

By: Elumar

Elumar — Fri, 08 Apr 2011 03:43:36 +0000

This post is fantastic, thanks!

By: Jae

Jae — Fri, 10 Dec 2010 13:08:20 +0000

Excellent Post! This is exactly what I was looking for. Thanks for sharing!

By: Grace Roberts

Grace Roberts — Tue, 16 Nov 2010 16:32:29 +0000

This is awesome, thanks!

If any of you PHP geniuses are ever looking for PHP jobs check out http://www.technojobs.co.uk/jobs/php

By: R.J.

R.J. — Mon, 20 Sep 2010 13:25:19 +0000

Great summary of security threats and nice presentation of concepts. Thanks for sharing!

By: Panda

Panda — Wed, 01 Sep 2010 10:36:59 +0000

Fantastico Post!!!

God Bless !!

By: Links recomendados AVLog | AVLog - AgeValed

Links recomendados AVLog | AVLog - AgeValed — Fri, 16 Jul 2010 16:27:16 +0000

[...] PHP Security Guide & Checklist for Websites and Web Applications – Bottom Line for Every Good … [...]

By: Nicolas

Nicolas — Thu, 20 May 2010 15:28:34 +0000

Awesome post!
Exactly what every PHP programmer should know and follow, thanks for sharing your thoughts.

Nicolas.

By: Useful Security Pages | Toby's Development Blog

Useful Security Pages | Toby's Development Blog — Wed, 05 May 2010 08:43:18 +0000

[...] Web App security checklist [...]

By: Yang Yang

Yang Yang — Tue, 06 Apr 2010 15:41:34 +0000

Never use numerable values such as natural numbers to externally identify something though they are so easy to use in many cases. For example, better not use the ID of a record in any URL of your site. Instead, generate something that’s not numerable so the attackers cannot jeopardize your site by both knowing something about its internal structure thus fabricating operations by unexpected input values and committing exhaustion attacks by navigating through all possible combinations of URL.

By: Yang Yang

Yang Yang — Wed, 10 Mar 2010 03:58:45 +0000

Thanks for the very useful contribution. This guide serves as but a starting point of PHP security that doesn’t intend to elaborate on each of the practices for potentially unlimited scenarios.

But that’s for sure a really nice tip for escaping strings to be used in html attributes! Good lesson I’ve learnt. Thanks!

By: MugeSo

MugeSo — Wed, 10 Mar 2010 03:03:06 +0000

when you use escaped string as html attribute, you should supply 2nd argument to htmlentities, like:
htmlentities($str, ENT_QUOTES);
without 2nd argument, htmlentities won’t escape single quote.
see: http://php.net/htmlentities

And if you want to support i18n, the 3rd argument is also required.
without that, htmlentities treat input string as ISO-8859-1. So you must supply correct encoding.

By: Yang Yang

Yang Yang — Tue, 09 Mar 2010 07:26:33 +0000

Thanks, wensheng. :)