OWASP - PHP Top 5 Security Vulnerabilities
http://www.owasp.org/index.php/PHP_Top_5
That site has tips on security vulnerabilities, here is a quick list of pointers from that article.
- Remote Code Execution
- Don’t Use user input in Include, Require or Eval
- Cross-site scripting
- Don’t use register_globals
- If outputting User Submitted Values, sanitize first using htmlentities
- Avoid $_REQUEST use $_GET or $_POST
- Validate Values ie use is_numeric or check string length
- use urlencode when adding variables to a query string
- SQL Injection
- Validate Data prior to use in SQL Statements - ie is_numeric
- When possible use PDO or another Database Abstraction Layer combined with prepared statements at the very least use escape strings ( Avoid addslashes() as it isn’t adequate )
- File system attacks
- Ensure that all variables are properly initialized prior to first use
- Ensure that the users can only affect file operations to the degree you had in mind
- Try to move secrets and logs out of the web root if at all possible – see the references on “Shared Hosting” by Chris Shiflett