PHP is reasonably secure, but it is a good idea to be aware of some issues.  This page assumes your server is up to date and therefore does not suffer from old problems that have since been removed, such as register_globals.  Session hijacking is not in that category: if a session ID leaks or can be guessed, someone else can use the session, so keep session cookies HttpOnly, serve them over HTTPS and regenerate the ID on login.  Most security risks result from the user trying to break your scripts, so here are some things you can do to prevent that.

Never trust user data

You have learned how to receive data from forms, cookies or by using $_GET.  Any of that data can be edited by the user.  They could send text that is SQL, HTML or PHP.  If your pages paste that data straight into SQL queries, into HTML output, or into functions such as include() or eval() without checking it, the user's text can end up being run as code (SQL injection, cross-site scripting, code execution).  There are some specific examples below, but anything the user can edit is dangerous:

  • forms (POST data) are easily changed, as the user only needs to type into them or edit the form (hidden fields included) in the browser's developer tools; JavaScript validation on the page does not help, because the user can turn it off
  • $_GET data is just as easy to change, as it is right there in the URL (web address)
  • cookie data is held on the client computer, so the user can change it in the browser's developer tools or send any value they like with a tool such as curl; a cookie is no more trustworthy than a form field
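The following is an added example, not code from the course page: the same record lookup written first the unsafe way (user text pasted into the SQL) and then the way the next pages recommend (validate, then use a prepared statement, then escape on output).  It uses an in-memory SQLite database, and the table, its rows and the simulated $_GET value are all constructed here so that the script runs offline; the table and column names are made up for the example.

```php
<?php
// Added example (not from the course page). Requires the pdo_sqlite extension.
declare(strict_types=1);

// Constructed test data: two users, one with HTML in the name.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL, is_admin INTEGER NOT NULL)');
$db->exec("INSERT INTO users (id, name, is_admin) VALUES
           (1, 'alice', 0),
           (2, 'bob <script>alert(1)</script>', 1)");

// PHP normally fills $_GET from the request; here we simulate a user who has
// edited the URL from ?id=1 to ?id=1 OR 1=1
$_GET['id'] = '1 OR 1=1';

// UNSAFE: the user's text becomes part of the SQL text, so the condition
// "id = 1 OR 1=1" is true for every row and the whole table leaks.
function lookup_unsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, name FROM users WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: check that the value is the type we expect, then let the driver bind
// it as a value. Bound parameters are never parsed as SQL, whatever they contain.
function lookup_safe(PDO $db, $raw): array
{
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    if ($id === false) {
        return [];   // not an integer: reject it rather than try to "fix" it
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: anything that came from the user (or from the database, which
// the user may have filled) must be escaped before it goes into HTML.
function render(array $rows): string
{
    $html = '';
    foreach ($rows as $row) {
        $html .= '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</li>\n";
    }
    return $html;
}

echo "Unsafe query rows: " . count(lookup_unsafe($db, $_GET['id'])) . "\n"; // every user comes back
echo "Safe query rows:   " . count(lookup_safe($db, $_GET['id'])) . "\n";   // the input is rejected
echo render(lookup_safe($db, '2'));   // the <script> tag is shown as text, not run by the browser
```

The point to take from the two functions is that there is no amount of quoting you can add to lookup_unsafe() that is as reliable as binding the value: the prepared statement keeps the query and the data apart at the driver level, so the user's text cannot change the query's meaning.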

Precautions and prevention

The next few pages give you some important preventative measures.  They have not been used in the example code so far because your sites are assumed not to be public.  However, if you have any public sites you need to start doing this stuff now.

Things not to worry about

  • register_globals is an old setting that was removed in PHP 5.4, so current servers do not have it
  • eval is not outdated, it is simply dangerous: it runs whatever string you give it as PHP code, so never pass it anything the user can influence, and in practice never use it at all
  • mail is a useful function and is safe to use, but it is not safe to feed it raw user data: a line break inside an address or subject lets the user add their own mail headers (extra recipients, for example), so treat data you pass to mail() as you would any other user data (explained next)
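As an added example (not code from the course page), here is one way to treat the arguments to mail() as user data, which is the point the last bullet makes.  The contact-form field names, the webmaster address and the example inputs are all made up for the example.  The $send parameter lets the script run without a mail server; in a real page you would leave it at its default, which is PHP's own mail() function.

```php
<?php
// Added example (not from the course page).
declare(strict_types=1);

// An address that passes FILTER_VALIDATE_EMAIL contains no spaces or line
// breaks, so nothing can be appended to the header it is used in.
function clean_email(string $raw): string
{
    $addr = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    if ($addr === false) {
        throw new InvalidArgumentException('invalid email address');
    }
    return $addr;
}

// Subject and any other single-line header value: refuse CR, LF and NUL
// outright instead of trying to strip them, and cap the length.
function clean_header_line(string $raw, int $max = 200): string
{
    if (preg_match('/[\r\n\0]/', $raw)) {
        throw new InvalidArgumentException('line breaks are not allowed in mail headers');
    }
    return mb_substr(trim($raw), 0, $max);
}

// $post is the contact form's $_POST array (field names are assumptions).
function send_contact_form(array $post, callable $send = 'mail'): bool
{
    $from    = clean_email((string)($post['email'] ?? ''));
    $subject = clean_header_line((string)($post['subject'] ?? ''));
    // The body may contain line breaks; normalise them so they cannot be
    // mistaken for the blank line that ends the header block.
    $body    = str_replace(["\r\n", "\r"], "\n", (string)($post['message'] ?? ''));
    $headers = "From: $from\r\nReply-To: $from";
    return $send('webmaster@example.com', $subject, $body, $headers);
}

// Constructed inputs. The first one is an injection attempt: the extra line in
// the address would become a Bcc header if it were pasted in unchecked.
$attack = [
    'email'   => "attacker@example.com\r\nBcc: everyone@example.com",
    'subject' => 'Hello',
    'message' => 'spam',
];
$genuine = [
    'email'   => 'reader@example.com',
    'subject' => 'Question about the course',
    'message' => "Line one\r\nLine two",
];

// Stand-in for mail() so the example runs offline; it just reports what it was given.
$fakeSend = function (string $to, string $subject, string $body, string $headers): bool {
    echo "Would send to $to, subject \"$subject\", headers:\n$headers\n";
    return true;
};

try {
    send_contact_form($attack, $fakeSend);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ' . $e->getMessage() . "\n";
}
send_contact_form($genuine, $fakeSend);
```

Note that the checks are on the values that end up in headers (the address and subject), not on the message body: the body is allowed to contain line breaks because mail() places it after the headers, where they are harmless.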