Jean-Christian Imbeault wrote:

> I'm writing my first commercial site and of course I am thinking about 
> security. I'm worried about someone using a flaw in my PHP script 
> logic to access information they shouldn't.
> I've read the PHP books I have and Googled around but can't quite find 
> specific answers to my questions about PHP and security.
> In general how does one go about hardening a PHP script. i.e. making 
> it as "hacker-proof" as possible

I'm sure you'll get a lot of responses to this including various 
opinions, so this will be short and a bit vague.

The most important thing you can do as a developer is:

1. Never, ever trust data from the client

That is the main thing you should focus on. There are many different 
methods of "cleaning" or "filtering" data from the client, and all of 
these have these key characteristics:

1. They make sure the data contains acceptable characters (rather than 
attempting to make sure it does *not* contain unacceptable characters - 
very important distinction).
2. They employ a strict naming convention that clearly identifies which 
data has/has not been filtered. For example, assign $clean_blah=$blah 
when you have found $blah to be acceptable. In order for this to be 
useful, you should never accept any data from the client that has a name 
beginning with "clean_", and you should only use the clean variables in 
queries or logical statements that affect access or any other critical 

Along these lines, you should never make any assumptions in your 
scripts. For example, if you have a variable that can only have three 
possible values, don't do [if, elseif, else], rather do [if, elseif, 

Also, make sure you intialize all variables you are depending on. In 
adhering to the golden rule mentioned above (Never, ever trust data from 
the client), you need to make sure you don't accidentally accept data 
from the client and think it is something that you set. People might try 
to include rogue variables in the URL, post their own forms to various 
URLs in your application, etc.

Basically, if you code very carefully and deliberately, you will create 
a very secure application. Many people focus only on securing the 
environment, but writing secure code is often much more important.

Hope that helps give you some ideas.


PHP General Mailing List (
To unsubscribe, visit:

Reply via email to