UltraMega Blog

5 Basic PHP Security Tips

Security should be a top concern throughout the development of any PHP web application. There are some very simple measures you can take to protect your application from potential abuse. This post will cover some of the basics of PHP security. For more detailed explanations of good security practices, check out the PHP Security Guide.

I do not consider myself a PHP security expert, but these are things that every developer should know. Also keep in mind that security is a process and not a result.


Using MySQL Prepared Statements in PHP

Prepared statements in MySQL are an alternative to writing raw SQL code to execute. Instead, you write a statement with placeholders (?) where you want variables to go, then bind variables to those placeholders.

A prepared statement is basically a template that can be reused with different variables. There are some benefits and drawbacks to prepared statements that should be considered:


  • Prevents SQL injection without needing to escape data
  • Allows you to repeat the same statement without the overhead of parsing the SQL
  • Allows you to send raw binary data in packets
  • Creates code that is easier to read by separating SQL logic from data


  • Slower for one time queries since it requires two requests from the MySQL server
  • Placeholders can only be used for values and not table/column names

Conclusion: I'd say prepared statements win due to the security benefits alone.

PHP supports MySQL prepared statements using the Mysqli (MySQL Improved) extension in PHP 5 via the MySQLi_STMT class. They are fairly easy to use once you get used to the differences from writing raw SQL statements. This tutorial will explain how to use prepared statements.


Easy Text Validation Without Regular Expressions

Filtering data from user input and other external sources is the most important part of writing secure code, and it is also handy for making sure users supply the right kind of information to, for example, a registration form. Sometimes that just means checking that something is a number or has a certain length, but other times it means checking that it follows a specific pattern (like an email address). This used to be a job for complex regular expressions, but fortunately there is an easier and more reliable solution.

PHP 5.2.0 and up comes with a very convenient set of data filtering functions. They let you easily validate common things such as email addresses and URLs that would otherwise require complex regular expressions that don't always work. This tutorial will focus on the simplest of these functions, filter_var().
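The two tips above (prepared statements and filter_var()) together, as an added example that is not code from the original post: a registration-form lookup that validates the submitted email address and then queries with a mysqli prepared statement rather than a hand-built SQL string. It assumes a `users` table with `id`, `email` and `username` columns; the connection credentials are placeholders.

```php
<?php
// Added example (not from the original post). Assumes a `users` table with
// id, email and username columns; connection credentials are placeholders.

// Vulnerable pattern: user data concatenated straight into the SQL string.
// A value containing a quote character changes the meaning of the query.
function findUserUnsafe(mysqli $db, string $email): ?array
{
    $result = $db->query("SELECT id, email FROM users WHERE email = '$email'");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened version: the value is sent separately from the SQL text, so the
// server never parses it as part of the statement.
function findUserSafe(mysqli $db, string $email): ?array
{
    // Validate first: reject anything that is not shaped like an email address.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }

    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' binds the value as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Placeholders cannot stand in for identifiers (the post's second drawback),
// so a caller-chosen column must be checked against a fixed allow-list.
function findUserByColumn(mysqli $db, string $column, string $value): ?array
{
    $allowed = ['email', 'username'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("unsupported column: $column");
    }
    $stmt = $db->prepare("SELECT id, email FROM users WHERE `$column` = ?");
    $stmt->bind_param('s', $value);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage (placeholder credentials):
// $db = new mysqli('localhost', 'app', 'secret', 'appdb');
// var_dump(findUserSafe($db, $_POST['email'] ?? ''));
```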


Creating a CAPTCHA in PHP with GD

A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a system designed to test if input is originating from a human or a computer. The most common method, which you have probably seen, is displaying an image containing distorted text and asking the user to type in the text. It is difficult for a computer to read it and relatively easy for humans, so it is assumed that a correct answer must have originated from a human. This is a tool used to prevent automated spam.

Anyway, this tutorial will explain how to make your own CAPTCHA like the one below using PHP and the bundled GD image manipulation library. This is the method I use on many projects, and it does the job. Keep in mind that there are stronger CAPTCHA systems available if you want to block the more motivated spammers.


Strong Passwords

Passwords are the most common way to restrict access to user or administrator accounts online. This means that a security system is only as strong as its password, so a good password is essential if you want to keep motivated individuals out.

A strong password consists of letters (both cases), numbers, and other symbols. The strongest passwords have all of these in a random combination. The weakest passwords are ones that follow patterns, or worse, use words found in the dictionary.

The strongest passwords tend to be computer generated, and a great place to find strong passwords is at GRC's Ultra High Security Password Generator.