For high-profile, mission-critical PHP applications, security is a paramount concern. Bad security decisions can compromise important servers and lead to the kind of privacy breaches that make news headlines. But for those of us writing more everyday PHP apps, security is still an important concern - especially for anyone who's new to the language. We'll take you through some basic considerations for securing your PHP applications, letting you rest a little easier once you finally put your app out into the wild.
One of the most important concerns for any app that accepts user input is validating that input, to ensure it doesn't throw your app a curveball it can't handle - or worse. Frustratingly, the basic assumption has to be that user input can't be trusted, as anything more lenient can leave gaping holes in your security. Many coders use JavaScript to validate user input, but this is inherently flawed because users can disable JavaScript (or bypass it entirely), so always validate again in PHP on the server.
When your code runs on a page that accepts and then displays user input, such as a comment thread, bulletin board or similar, it's important to make sure your application has screened out any malicious JavaScript code or HTML tags present in that input. Fortunately, PHP has two built-in functions that make this simple: strip_tags() and htmlentities(). These two can save you a great deal of hassle, so get in the habit of using them!
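The two points above (server-side validation, then screening out markup before it is displayed) in one piece, as an added example that is not code from the original article. The form field names and the sample submission are constructed; the functions used are PHP's own strip_tags(), htmlentities() and filter_var().

```php
<?php
// Added example, not code from the original article: validate a comment form
// server-side, then escape stored values before echoing them. Field names and
// the sample $submitted payload are constructed for illustration.
declare(strict_types=1);

// Returns a list of error messages; an empty list means the input passed.
function validateComment(array $input): array
{
    $errors = [];
    $name = trim((string) ($input['name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 50) {
        $errors[] = 'Name is required and must be at most 50 characters.';
    }
    $email = (string) ($input['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid e-mail address is required.';
    }
    $body = trim((string) ($input['body'] ?? ''));
    if ($body === '' || mb_strlen($body) > 2000) {
        $errors[] = 'Comment must be between 1 and 2000 characters.';
    }
    return $errors;
}

// Encode for HTML output. ENT_QUOTES also encodes ' and ", which matters
// when the value ends up inside an attribute rather than between tags.
function escapeForHtml(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission carrying markup that must not be rendered.
$submitted = [
    'name'  => 'alice',
    'email' => 'alice@example.com',
    'body'  => 'Nice post! <script>alert(1)</script> <b>bold</b>',
];
$errors = validateComment($submitted);
if ($errors !== []) {
    foreach ($errors as $e) {
        echo escapeForHtml($e), "\n";
    }
    exit(1);
}
// Strip markup before storing; strip_tags() keeps the text between tags,
// so $plain becomes "Nice post! alert(1) bold".
$plain = strip_tags($submitted['body']);
// Encode on output, every time, even after strip_tags().
echo '<p>', escapeForHtml($submitted['name']), ': ', escapeForHtml($plain), "</p>\n";
```

Note that strip_tags() only removes tags; whatever remains must still be run through htmlentities() (or htmlspecialchars()) at the point where it is written into the page.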
Everything, naturally, comes back to the user, but sometimes details that your app exposes to an ordinary user by mistake end up shared with a malicious one - which makes proper error handling critical for the integrity of your security. Many developers hate dealing with this particular aspect of development when trying to get their code out the door in a hurry, but it's far better to invest the time now than to try explaining later why you cut corners.
Finally, another important concern is the way your include files are handled. PHP code routinely references other PHP files, often for database access or regularly repeated code segments, and these can be inadvertently displayed to the user as plain text if not properly named. A file with any extension other than .php may not be parsed as PHP and can instead be served to the browser as source, leaving your code exposed, so always use the correct extension. To be doubly safe, store your includes in a folder that web users cannot access.
This is only the tip of the iceberg when it comes to PHP security, but you can save yourself from a good many problems by following these simple practices.