Tips to develop secured applications in PHP

January 27, 2017

PHP is one of the most popular programming languages for the web. It helps the developers program the finest of applications and create new benchmarks in mobile and web development. However, the biggest concern with developing a PHP application is that of security, making the development of secured PHP applications a major challenge, specially, for the amateurs. In this article, we will provide you with 3 major tips that help you avoid some common PHP security pitfalls and development.

Tip1: Appropriate Error Reporting is must

Application error reporting is very helpful during the development process. Error reports does not just help you find spelling mistakes in the variables but also catch hold of any incorrect function usage.

However, once the website goes live, the same reporting that helped you during development, can turn against the security of your application by telling the users much more about your website than you may want them to know (for example the information pertaining to the software being run and the folder structure etc.). Before the website goes live, you should ensure to eliminate all such errors to keep such sensitive information under cover. This can be done by writing following lines on our applications.


For any errors still occurring, we still feel the need to stay updated about these. So, we need to ensure that all our errors are logged to a protected file, which can be done using a PHP function called as set_error_handler.

Tip 2: It is advisable to disable PHP’s features no longer in use

From the beginning days of PHP, the PHP’s designers regularly went on to include some features that were intended to make development easier. Or at least they thought of making it so! Some of these supposedly helpful features could as well turn out to have undesirable consequences. We are calling these as “bad features” because these allow data validation and created a pathway for bugs to finding their way into scripts. This is the reason why we suggest you to disable some of these features as one of the first things to do at the time of beginning the development process.

Note: These features may or may not be turned off for your website based on your host. If you are developing on your own computer or other similar local environment, then these probably won’t be turned off. Some of these features have been eliminated in PHP6, but are still present in PHP4 applications and are eventually, deprecated from the PHP5 applications onwards.

Register Globals (register_globals)

‘register_globals’ was basically meant for helping rapid application development involving a query string. The ‘register_globals’ statement allows us to access the value with $var instead of $_GET[‘var’] automatically. This might sound useful to us, but unfortunately, all variables in the code now include this property, so, it is now easy to get into PHP applications that do not protect against such undesirable consequence. The code snippet below is just one common example we will see in PHP scripts:

if( !empty( $_POST[‘username’] ) && $_POST[‘username’] == ‘test’ && !empty( $_POST[‘password’] ) && $_POST[‘password’] == “test123” )
$access = true;

If the application is running with register_globals ON, a user could just place access=1 into a query string, and would then have access to whatever the script is running.While it is not possible to disable register_globals from the script side (using ini_set, like in the normal case), but an .htaccess file can be used to do this. Apart from this, some hosts allow us to have a php.ini file on the server as well to do this.

Disabling with .htaccess

php_flag register_globals 0

Disabling with php.ini

register_globals = Off

It should be noted that if we plan to use a custom php.ini file that is not applicable to the entire server, we must ensure to include these declarations in every sub folder having PHP.

Tip 3: Keep an eye on the Cross Site Scripting (XSS) Attacks in User Input

A web application generally takes inputs from the users to eventually display the same in one form or the other which may be any one of the wide variety including comments, blog posts or threads which are all basically in the form of HTML code. However, it is noteworthy that it can be risky for your application to allow HTML at the time of accepting inputs, since this leaves ample space for JavaScript to be executed in one of the many unexpected ways. And this even lets the cookies to get easily hijacked if even something really small remains unattended. The hijackers can then easily use this cookies data to fake a real account and attain illegal access to your website’s data. You can cover your website against such attacks by disallowing HTML altogether which eventually, also disables JavaScript to get executed. This however, may not always be a feasible option since this also disables formatting altogether, which may not be possible to do without, specially in case of a blog or a forum.

To resolve this issue, you can have HTML mostly disabled except for some simple formatting allowed. This can be achieved by allowing just a select few of the HTML tags (without attributes) for example “strong” tag or “em” tag. Or, simply a few popular tags like”BBCode” or “BB Tags” that are commonly written on forums in the format of [b]test[/b]. The BBCode can also be implemented using pre-existing packages like HTML_BBCodeParser or by writing our own BBCode implementation with regular expressions and a series of ‘preg_replace’ statements.


As a leading PHP development company , Carmatec offers end to end PHP development solutions based on cutting-edge technology, both front-end and back-end. In addition to contemporary style and design we work on maintaining interfaces simple and user friendly. Ease of use is our aim even in complex website functionalities.