DEV Community

Cover image for The ultimate PHP security checklist
Sqreen for Sqreen

Posted on • Originally published at sqreen.io

The ultimate PHP security checklist

Read the full checklist here

Damn, but security is hard. It’s not always obvious what needs doing, and the payoffs of good security are at best obscure. Who is surprised when it falls off our priority lists?

This security checklist aims to give developers a list of PHP security best practices they can follow to help improve the security of their code.

Here is a selection of some of the security checklist items:

Filter and Validate All Data

Regardless of where the data comes from, whether that’s a configuration file, server environment, GET and POST, or anywhere else, do not trust it. Filter and validate it! Do this by using one of the available libraries, such as zend-inputfilter.

Read more:

Use Parameterized Queries

To avoid SQL injection attacks, never concatenate or interpolate SQL strings with external data. Use parameterized queries instead and prepared statements. These can be used with vendor-specific libraries or by using PDO.

Learn more:

Set open_basedir

The open_basedir directive limits the files that PHP can access to the filesystem from the open_basedir directory and downward. No files or directories outside of that directory can be accessed. That way, if malicious users attempt to access sensitive files, such as /etc/passwd, access will be denied.

Read more:

Check Your SSL / TLS Configurations

Ensure that your server’s SSL/TLS configuration is up to date and correctly configured, and isn’t using weak ciphers, outdated versions of TLS, valid security certificates without weak keys, etc, by scanning it regularly.

Read more:

Check out the full checklist here

Discussion (0)