How to Write Secure PHP Code

Last week, I wrote about a few things you need to know about securing your PHP installations. I also pointed to several sites that offer good information about what to look out for and what configuration changes you might need to make. If you missed that article, you can read it on our Web site at the URL below.

If you have PHP installed, then obviously you're going to run PHP code. Some of that code might be written by third-party developers and some of it you might write yourself. Either way, you should learn about secure coding practices for PHP. Doing so can help you write better code and help you audit third-party code for potential problems.

As an example of why the latter is important, be sure to read my blog article "Gaping Hole in Wordpress" (you can link to it from the GIVE AND TAKE section of this newsletter below) to learn about how someone slipped some "back doors" into Wordpress, which is a hugely popular PHP-based blogging platform. You can write simple scripts that audit third-party code to look for potential back doors by scanning the code for any or all of the dangerous functions I discussed last week.

To help you write your own secure PHP code, I went looking for resources and found several decent Web sites that provide writing aid and some tools that look for coding vulnerabilities. The sites at the URLs below are a big help, so take some time to study them carefully. If you know of any others, send me a message with a URL and I'll share it here in the newsletter for everyone's benefit.

Secure Programming in PHP

PHP - Secure coding

Secure Programming for Linux and Unix HOWTO, Chapter 10, Language-Specific Issues, 10.8 PHP (this pertains to Windows also)

PHP Security Consortium's PHP Security Guide

PHP Input Filter (Developer Shed's Network, PHP Scripts)

SecurePHP Wiki

PHP Top 5 (security problems extracted from SANS Top 20 list)

Top 10 ways to crash PHP

Chorizo! Web Application Security Scanner

PHP Security Scanner

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.