Securing PHP – Approaches to Web Application security

The security of the web application bases on the security of the underlying layers, such as OS and application platform layers and the application itself. While the OS layer is beyond control of the PHP project, experience shows that the language is to assist developers in developing more secure code and running it in more secure manner. The majority of the problems in PHP applications is caused by the insecure application code [2], which may allow injecting untrusted data into the output (XSS[13]), database queries and other sensitive commands, running external code in the trusted context (remote include) or disclosing data that the user is not authorized to access. The challenge for the PHP language as a platform is both to provide tools for the developers to avoid such problems and for the site administrators to detect and prevent insecure code from doing harm. The following techniques were employed or researched in PHP, with varying success.