The latest articles on DEV Community by Rashida rollno50gc (@rashida_rollno50gc_14da62). https://dev.to/rashida_rollno50gc_14da62 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3917875%2F651cb828-69e1-462f-9a6e-a545af5527e2.png https://dev.to/rashida_rollno50gc_14da62 en Rashida rollno50gc Thu, 07 May 2026 12:30:27 +0000 https://dev.to/rashida_rollno50gc_14da62/5-critical-security-mistakes-php-beginners-make-in-2026-and-how-to-fix-them-47fn https://dev.to/rashida_rollno50gc_14da62/5-critical-security-mistakes-php-beginners-make-in-2026-and-how-to-fix-them-47fn <p>When I started learning PHP, I thought security was something "advanced" developers worried about. I was wrong.</p> <p>Here are 5 mistakes I made in my first projects that almost got my clients hacked. If you're a PHP beginner in 2026, avoid these:</p> <p><em>1. Trusting User Input - The #1 Sin</em> ❌</p> <p><em>Mistake:</em> Using <code>$_GET</code> or <code>$_POST</code> directly in SQL queries.<br> $id = $_GET['id']; <br> mysql_query("SELECT * FROM users WHERE id = $id");</p> <p><em>Why it's deadly:</em> A hacker can type <code>1; DROP TABLE users--</code> in the URL and delete your whole database. This is called SQL Injection.</p> <p><em>Fix in 2026:</em> Always use Prepared Statements with PDO.<br> $stmt = $pdo-&gt;prepare("SELECT * FROM users WHERE id = ?");<br> $stmt-&gt;execute([$id]);</p> <p><em>2. Storing Passwords as Plain Text</em> ❌</p> <p><em>Mistake:</em> Saving passwords directly like <code>password123</code> in the database.</p> <p><em>Why it's deadly:</em> If your database leaks, every user's password is exposed. Hackers will try that password on Gmail, Facebook, everything.</p> <p><em>Fix in 2026:</em> Use <code>password_hash()</code> and <code>password_verify()</code>. PHP does the heavy lifting.<br> // When user signs up:<br> $hashed = password_hash($password, PASSWORD_DEFAULT);</p> <p>// When user logs in:<br> if(password_verify($password, $hashed)) { echo "Welcome!"; }</p> <p><em>3. Showing All Errors to Users</em> ❌</p> <p><em>Mistake:</em> Keeping <code>display_errors = On</code> on a live website.</p> <p><em>Why it's deadly:</em> Error messages reveal your folder structure, database names, and code. It's a treasure map for hackers.</p> <p><em>Fix in 2026:</em> In your <code>php.ini</code> for production:<br> display_errors = Off<br> log_errors = On</p> <p><em>4. Not Validating File Uploads</em> ❌</p> <p><em>Mistake:</em> Letting users upload any file without checking.</p> <p><em>Why it's deadly:</em> A hacker can upload <code>hack.php</code> instead of <code>photo.jpg</code> and take control of your entire server.</p> <p><em>Fix in 2026:</em> Check MIME type, extension, and rename the file. Never trust the filename.</p> <p><em>5. Using Old PHP Versions</em> ❌</p> <p><em>Mistake:</em> Running PHP 5.6 or 7.4 in 2026.</p> <p><em>Why it's deadly:</em> Old versions have known security holes that are no longer patched. It's like leaving your house door open.</p> <p><em>Fix in 2026:</em> Use PHP 8.2 or 8.3. Hosting companies like Hostinger let you switch in 1 click.</p> <p><em>Conclusion:</em><br> Security isn't scary. It's just a habit. Start with these 5 fixes and you'll be ahead of 90% of beginners.</p> <p>What security mistake did you make when you started? Let me know in the comments! 👇</p> <p><em>I'm Rashida, a CS student from Pakistan. I write about PHP and web security for beginners. Follow me for more practical tips.</em></p> php webdev security beginners