Security & Best Practices
Prevent OWASP top vulnerabilities with validation, prepared statements, output encoding, and secure password storage.
Input Validation and SQL Injection
Validate all input server-side regardless of client validation. Whitelist allowed values for enums and sort columns.
Prepared statements eliminate SQL injection for dynamic queries. ORMs still require caution with raw fragments such as whereRaw, where user input can reach the query string unparameterized.
Escape output contextually: htmlspecialchars for HTML, json_encode for JavaScript embeds.
- Use CSP headers to mitigate XSS impact
- Disable dangerous functions in production php.ini if unused
- Run composer audit to check dependencies against published security advisories
echo htmlspecialchars($userInput, ENT_QUOTES, 'UTF-8');
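The three controls above together, as an added example rather than code from the original page: the sort column is whitelisted (ORDER BY identifiers cannot be bound), the search value is bound through a PDO prepared statement, and results are encoded for the HTML and JavaScript contexts separately. The products table, its rows, and the in-memory SQLite database are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page: whitelist the sort column,
// bind the search value, and encode output for its context.
// Table, column names and rows are constructed for illustration.
const ALLOWED_SORT = ['name', 'price', 'created_at'];

function listProducts(PDO $pdo, string $search, string $sort, string $dir): array
{
    // Identifiers in ORDER BY cannot be bound as parameters, so they are
    // checked against a fixed whitelist; anything else is rejected, not escaped.
    $dir = strtoupper($dir);
    if (!in_array($sort, ALLOWED_SORT, true) || !in_array($dir, ['ASC', 'DESC'], true)) {
        throw new InvalidArgumentException('Invalid sort parameters');
    }
    $sql = "SELECT name, price FROM products WHERE name LIKE :search ORDER BY $sort $dir";
    // The search value is bound, never interpolated, so quotes and comment
    // markers in user input remain literal data.
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':search' => '%' . $search . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// HTML context: entity-encode every value placed in the page body.
function renderRows(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</li>';
    }
    return $html;
}

// JavaScript context: the HEX flags keep "</script>" and quotes from
// terminating an inline <script> block that embeds this JSON.
function embedForJs(array $rows): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP | JSON_THROW_ON_ERROR;
    return json_encode($rows, $flags);
}

// In-memory SQLite with constructed rows so the example runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE products (name TEXT, price REAL, created_at TEXT)');
$pdo->exec("INSERT INTO products VALUES ('<b>Widget</b>', 9.5, '2024-01-01'), ('Gadget', 12.0, '2024-02-01')");
echo renderRows(listProducts($pdo, "' OR 1=1 --", 'name', 'ASC')), PHP_EOL; // no rows: the quote is data
echo embedForJs(listProducts($pdo, 'get', 'price', 'desc')), PHP_EOL;
```

Requires the pdo_sqlite extension; the first call returns no rows because the quoted input is matched literally rather than altering the query.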
Passwords and Sessions
password_hash with PASSWORD_DEFAULT and password_verify let PHP move to stronger bcrypt/argon2 defaults over time without changes to application code.
Enforce MFA for admin panels. Lock accounts after repeated failed logins with exponential backoff.
Store session data server-side; treat session IDs as secrets over HTTPS only.
- Never log passwords or tokens
- Invalidate all sessions on password reset
- Use timing-safe comparisons (hash_equals) for tokens
// The stored hash embeds the algorithm, cost and salt; password_verify reads them from the hash itself.
$hash = password_hash($password, PASSWORD_DEFAULT);
if (password_verify($password, $hash)) { /* login */ }