Security should be a top priority in every PHP application. Here are essential best practices to keep your PHP code secure:
1. Input Validation and Sanitization
Always validate and sanitize user input:
$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$cleanString = htmlspecialchars($_POST['input'], ENT_QUOTES, 'UTF-8');
2. Password Handling
Use PHP’s built-in password hashing functions:
$hash = password_hash($password, PASSWORD_DEFAULT);
if (password_verify($input, $hash)) {
// Valid password
}
3. SQL Injection Prevention
Always use prepared statements with PDO or MySQLi:
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);
4. Cross-Site Scripting (XSS) Protection
Escape output properly:
echo htmlspecialchars($userContent, ENT_QUOTES, 'UTF-8');
5. CSRF Protection
Implement CSRF tokens for forms:
// Generate token
$_SESSION['csrf_token'] = bin2hex(random_bytes(32));
// In form
<input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
// Validate on submission
if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'])) {
die('CSRF validation failed');
}
6. Secure Session Handling
- Use secure and HttpOnly flags for cookies
- Regenerate session ID after login
- Set proper session timeout
Following these practices will significantly improve your application’s security posture.