Secure your PHP code

February 2017

  • Beyond hardening the operating system and the HTTP server, it is crucial to treat data coming from users (forms, URLs, etc.) as untrusted, because it is the main vector of web attacks.
  • There are three areas to cover to secure your PHP code:

Validating user data

When a site offers forms through which users enter and submit content, it is not enough to indicate the expected format of each field (e-mail address, telephone number, product quantity) on the page: the server side (PHP, for example) must also check that the data received matches what is expected. For a whole number, convert the value sent by the user:

<?php $number_of_articles = intval($_REQUEST['number_of_articles']); ?>

Validating data from URLs or forms

Almost all data received comes from URLs or forms that the webmaster has set up. Most URLs display their parameters, as in the example below:

Such a parameter is not meant to be modified, but nothing prevents a user from doing so, as below:
  • Whatever the type of data, it is crucial to check that the format received through the URL or form is the expected one.
  • The filter_input() function can be used for this.
  • For example, if you receive an e-mail address from a user through a POST form with a field named email, you can retrieve it with:

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    // $email holds the value only if it has a valid e-mail address format (false otherwise)


This function can filter many things: IP addresses, URLs, etc. It can also sanitize a value, for example encoding a string before it is sent in a URL, much as htmlentities() does for HTML output.
  • Several filter flags can be combined with "|".
  • To validate an IP address only in IPv4 format:

$ip = filter_input(INPUT_GET, 'ip', FILTER_VALIDATE_IP | FILTER_FLAG_IPV4);
The full list of available filters is in the PHP manual for filter_input().
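The three checks described above (a whole number, an e-mail address, an IPv4 address) put together in one server-side validation routine, as an added example that is not part of the original article. The field names number_of_articles, email and ip, the accepted quantity range and the extra IPv4 flags are assumptions for illustration:

```php
<?php
// Added example (not from the original article): validating several request
// parameters with filter_input() before any of them is used.
// Field names and the 1..100 range are assumptions for illustration.

function validate_order_form(): array
{
    $errors = [];

    // Whole number only, and within a sane range. filter_input() returns false
    // for a wrong format and null for a missing field; intval() would have
    // silently turned "12abc" into 12.
    $qty = filter_input(INPUT_POST, 'number_of_articles', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 100],
    ]);
    if ($qty === false || $qty === null) {
        $errors[] = 'number_of_articles must be an integer between 1 and 100';
    }

    // Must have the shape of an e-mail address
    $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    if ($email === false || $email === null) {
        $errors[] = 'email is not a valid address';
    }

    // IPv4 only; flags are combined with "|", here also rejecting
    // private and reserved ranges
    $ip = filter_input(
        INPUT_GET,
        'ip',
        FILTER_VALIDATE_IP,
        FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
    if ($ip === false || $ip === null) {
        $errors[] = 'ip is not a public IPv4 address';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'values' => ['qty' => $qty, 'email' => $email, 'ip' => $ip],
    ];
}

$result = validate_order_form();
if (!$result['ok']) {
    // Reject the request; the error text is HTML-encoded before being displayed
    http_response_code(400);
    foreach ($result['errors'] as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}
// From here on, $result['values'] holds typed values that passed validation.
```

Checking for both false and null matters: a missing field and a malformed field are different failures, and treating null as "no value, so fine" is how an attacker skips a check simply by leaving the parameter out.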

Escaping displayed content

When content entered by a user is displayed on screen, it may contain HTML or JavaScript code, which makes protection compulsory.
If the content is to be displayed in HTML, you must HTML-encode it so that every special character is converted to its equivalent HTML entity. The PHP function below automates this:
echo htmlentities($_REQUEST['content']);

If the content is to be placed in a URL, you must URL-encode it.

PHP has two functions for this encoding: urlencode() and rawurlencode(). The only difference between them is how a space is encoded: one produces "%20" and the other "+".

echo ''.urlencode($_REQUEST['value']);
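The same user-supplied value encoded for each of the two output contexts discussed above, as an added example that is not part of the original article. The parameter name content and the target page.php are assumptions:

```php
<?php
// Added example (not from the original article): encoding one user-supplied
// value correctly for HTML output and for a URL. $_REQUEST['content'] and
// page.php are assumptions for illustration.

$content = $_REQUEST['content'] ?? '';

// 1. Inside HTML text or an HTML attribute: turn <, >, &, " and ' into entities
//    so the browser shows the characters instead of interpreting them.
//    ENT_QUOTES also converts single quotes, which the default flags leave alone,
//    and naming the charset avoids surprises with multi-byte input.
$safeHtml = htmlentities($content, ENT_QUOTES, 'UTF-8');
echo '<p>You wrote: ' . $safeHtml . '</p>';
echo '<input type="text" value="' . $safeHtml . '">';

// 2. Inside a URL query string: percent-encode the value so that "&", "=", "?"
//    and "#" cannot add or change parameters.
//    urlencode() encodes a space as "+", rawurlencode() as "%20" (RFC 3986).
$link    = 'page.php?value=' . urlencode($content);
$rawLink = 'page.php?value=' . rawurlencode($content);

// 3. A URL written into an HTML attribute is in both contexts at once:
//    URL-encode the value first, then HTML-encode the whole attribute.
echo '<a href="' . htmlentities($link, ENT_QUOTES, 'UTF-8') . '">form-style link</a>';
echo '<a href="' . htmlentities($rawLink, ENT_QUOTES, 'UTF-8') . '">RFC 3986-style link</a>';
```

The order in step 3 is the point to remember: each layer is encoded for the context it sits in, innermost first, so a value that reaches the page through a link is still harmless once the browser decodes it.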

If the content is to be stored in a database, every character that has a special meaning for the database server in use must be escaped. For PHP and MySQL, the function mysql_escape_string() neutralises all potentially harmful characters in the string passed as a parameter.

$query = 'SELECT id FROM matable WHERE user="'.mysql_escape_string($_REQUEST['user']).'"';

Note that when the server is configured with the PHP option magic_quotes, data transmitted by users is automatically protected with backslashes. So before protecting it with mysql_escape_string(), you should "undo" this basic protection:

$query = 'SELECT id FROM mytable WHERE user="'.mysql_escape_string(stripslashes($_REQUEST['user'])).'"';
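The same lookup written so that user input can never alter the SQL text, as an added example that is not part of the original article. It uses a PDO prepared statement rather than string escaping (mysql_escape_string() and the mysql_* extension no longer exist in PHP 7 and later); the connection details, table and column names are assumptions:

```php
<?php
// Added example (not from the original article): passing user input to MySQL
// through a prepared statement instead of concatenating it into the query.
// Connection details, table name and column names are assumptions.

function find_user_id(PDO $db, string $user): ?int
{
    // The value is sent separately from the SQL text, so quotes, backslashes
    // or comment sequences inside $user cannot change the query's structure.
    $stmt = $db->prepare('SELECT id FROM mytable WHERE user = :user');
    $stmt->execute([':user' => $user]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

$user = $_REQUEST['user'] ?? '';

// On PHP older than 5.4 with magic_quotes_gpc enabled, the input already
// carries backslashes that must be removed first. get_magic_quotes_gpc() was
// removed in PHP 8, hence the function_exists() guard.
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $user = stripslashes($user);
}

$db = new PDO('mysql:host=localhost;dbname=mydb;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server bind the parameter
]);

$id = find_user_id($db, $user);
echo $id === null ? 'no such user' : 'user id: ' . htmlentities((string) $id, ENT_QUOTES, 'UTF-8');
```

Disabling emulated prepares makes the server itself separate query and parameters; with emulation on, PDO quotes the value client-side using the connection charset, which is why the charset is named in the DSN rather than set afterwards with a query.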


Published by deri58. Latest update on May 7, 2011 at 06:52 AM by deri58.
This document, titled "Secure your PHP code," is available under the Creative Commons license. Any copy, reuse, or modification of the content should be sufficiently credited to CCM (