Example

XSS attacks are manifold: Don't trust $PHP_SELF Stripping XSS is difficult, there are many many attacks PHP input filter is a PHP script that attempts to address some XSS attacks.

It’s better to use built-in session management functions included in PHP for secure and standardized session management. Possible security problems might occur if the server is not configured well for storing session information. A common situation is when session contents are stored in files readable by all users that have an account on the web server (the classical /tmp directory). It’s best to store sessions in a database or in a part of the file system where only trusted users have access. Other security risk situations involve session IDs, and the fact that they can be discovered by sniffers. For this reason session-specific traffic should be sent over SSL connection. PHP doesn’t need special configuration but the web server does (Apache).

Keeping up to date the PHP server with the latest patches and security problems is recommended. Also automatic PHP source display handler (AddType application/x-httpd-php-source .phps) should be used carefully, since it lets users see the code of the scripts. From the two php.ini files that come with the distribution, the site configuration should be built based on php.ini-recommended, instead of php.ini-dist.

Cross-site scripting occurs when the scripts display unfiltered information to a browser. Command injection occurs when passing unfiltered, unescaped malicious commands to external applications or databases. So it’s advisable, in addition to input validations, to always escape user input before passing to other external processes or applications (databases). Other problems occur when passing user input to a shell (exec(), system() commands). There are many operations that don’t need something else that PHP can’t do. If it’s absolutely necessary to filter the inputs using escapeshellcmd() for program names and arguments with escapeshellarg() (escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands), and escapeshellcmd() (adds single quotes around a string and quotes/escapes any existing single quotes allowing you to pass a string directly to a shell function and having it be treated as a single safe argument).

with a full code sample

Using PHP With SQLite

PHP has different regular expression functions for different regular expression schemas: ereg for posix and preg for perl regex. preg requires the PCRE library. See more about Perl regular expressions. ereg doesn't require any libraries. See more details about PHP POSIX regex A useful resource for testing regular expressions is http://regexlib.com/RETester.aspx

A detailed manual on PHP security