There are some articles about the security of web applications. The article title is “Why there are a lot of security holes in PHP applications.” But the articles describe how to avoid security holes in your web apps. It’s more conceptual than PHP-specific know-how.
I picked up some points from these articles.
There are 2 ways to prevent SQL injection according to the article.
- Escape all variables
- Execute all queries as prepared queries
He recommends using prepared queries.
There are 10 check items to prevent script injection (for PHP).
- Define the default character code (default_charset) in the HTTP header
- Verify the character code of input values
- Have strict validation rules for input values
- Escape output strings by default
- Make sure that output strings are safe if you output them as is
- Do not allow any HTML tags in strip_tags()
- Do not use regular expressions to parse HTML
- Verify strings against a strict “white list” if you output HTML tags and/or attributes
- Verify strings against a strict “white list” if you generate CSS dynamically from input values
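The two points above (prepared queries for SQL, and charset declaration plus input validation plus escape-by-default output for script injection) put together in one small PHP page. This is an added example, not code from the summarized articles; the `users` table, the `name` column and the `validateLoginName`/`h`/`findUser` helpers are assumptions made for the illustration.

```php
<?php
// Added example (not from the summarized articles): prepared query for the
// SQL part; explicit charset, strict validation and escape-by-default for the
// script-injection part. Table "users" and column "name" are assumptions.
declare(strict_types=1);

// 1. Send the character code in the HTTP header (PHP's default_charset ini
//    setting is what fills this in when no header is set explicitly).
header('Content-Type: text/html; charset=UTF-8');

// 2. Reject input that is not valid UTF-8 before any other check, then apply
//    a strict allow-list rule. Returns null for anything that does not pass.
function validateLoginName(string $raw): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null;                       // broken or invalid byte sequence
    }
    // Allow-list: 3 to 32 ASCII letters, digits or underscore, nothing else.
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $raw) === 1 ? $raw : null;
}

// 3. Escape every string by default at output time (quotes included).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable pattern the article warns about (string-built SQL):
//   $pdo->query("SELECT id, name FROM users WHERE name = '$name'");
// Prepared query instead: the value is bound, never spliced into SQL text.
function findUser(PDO $pdo, string $name): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data: in-memory SQLite so the script runs without a server.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice')");

// Constructed default input: a classic injection string, rejected by validation.
$name = validateLoginName($_GET['name'] ?? "alice' OR '1'='1");
if ($name === null) {
    http_response_code(400);
    exit('<p>invalid login name</p>');
}
$user = findUser($pdo, $name);
echo $user === null ? '<p>no such user</p>' : '<p>Hello, ' . h($user['name']) . '</p>';
```

Run it as `php example.php` (prints the 400 message for the constructed default) or behind a web server with `?name=alice` to see the normal path.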