PHP Security: Introduction

devmazee2057282 profile image dewbiez Updated on ・2 min read

Often, these days vulnerabilities are still being found in web applications. PHP has a pretty bad reputation regarding security, including one of the most popular frameworks WordPress. It's not to say making applications without vulnerabilities is easy- or that it's possible. But we really should try harder.

Us as PHP developers, need to make sure our data is safe from attackers. We need to stop this nonsense. And it's a big issue, big companies and businesses are continuing to be exploited and breached because of their security. I believe one of the big companies recently had a database breach, and they looked like they were stored with base64 and either sha1 or md5 hashing. I don't recall which company this was.

But remember, hashing, encryption, is only a small part of keeping your applications secure. You also have SQL injection, cross-site scripting, session hijacking, remote file inclusion, cross-site request forgeries.

And that's to name a few off the top of my head. There's a lot to cover in web application security.

You can start off with PHP The Right Way, and PHP Delusions. They're great, especially for beginners(at least I think so).

Let's get real.

That stuff up there? Those links? Their information? It's absolutely great! It really is. It's basic, more of a baseline. A starting point, if you will.


They make open-source software, for PHP security!

Their blog is amazing! However, they're not well known. They really should be though. So why don't you help with that? Once you're convinced they're amazing, start recommending their posts, and them in general.

They cover a lot of things. If you wanna get serious about web application security, I highly recommend you bookmark that page, follow them on Twitter, and keep an eye out for any future blog posts.

Don't forget to go through their archives. There is a lot of stuff there.

Psst! They're on here too.

paragoniescott image

Come on, let's make our web more secure! If you wanna post any links in the comments regarding security, please do so!

Extra Links

Next Article


Editor guide

PHP Security 101: Don't use PHP


PHP isn't secure by design. But this isn't about choosing a different language. :)


I remember when they took variables from index.php?var=value and assigned $var automatically.

That was bad, but it was also 17 years ago.

These days most of PHP security issues come from interacting with other technologies, not from PHP itself.

That was bad, but it was also 17 years ago.

Sadly, that doesn't matter if people will just parrot what other people said instead of properly learning a language and forming their own opinion.

I believe the fighting / pushing back comes down to mostly outside factors.

I'm sure between two of us, as "competing" PHP framework developers, we could have a civilised debate and come up with scenarios where Laravel is good to use, and where it's not so good to use, and where CodeIgniter is good to use, or not as good to use.

But add a deadline with real project to the mix, and suddenly it's not about "ideal scenario" anymore. Now it's about knowing that you can do X amount in Y days with Z setup.

If there's supporting articles for your choice of tools, and loads of negative about all the alternatives, it's much easier to convince your boss to go with your preference.

So I believe most developer fights are really about just wanting to make more positive noise about their own toolset, and also some want to make loads of negative noise about competing frameworks / languages / technology.


PHP isn't secure by design.

Examples to back this statement up?

I don't think PHP's secure by design, because they allow developers to be vulnerable by some of PHP's defaults. And actually Pert Soomann pointed one of them out.

Although I don't believe that's an issue in new versions of PHP.

And now-a-days I believe it's mostly developers' fault for insecure PHP applications. Especially since PHP-7.2.x ships with lobsodium for cryptography, htmlentities for XSS protection, filter_var for both validating and sanitizing variables(I don't see many apps use this though).


The problem is between chair and table


The Paragonie people's blog loads CSS and JavaScript from Google's servers for no technical reason whatsoever - and of course they also use Google Analytics. I am not convinced that they care about privacy - why should I trust them on security?


But just because they use Google, doesn't mean their content is bad in terms of security. You're possibly being skeptical at this point.

I understand what you're getting at though. If someone is serious about security and privacy, they wouldn't be using Google anything.


You're possibly being skeptical at this point.

A long, painful journey lies behind me ... :-)


I don't know. shrug

Their posts are really good though, at least I think.