PHP Security: Top 5 tips
Input data validation
1) Input data validation is an integral part of developing an application. If there is no validation in place for user input, your application is easy to hack. If you ever use eval() in your code, make sure you validate the data it executes; this is a must when user-generated content is executed by eval().
a) First, pass all variables through PHP's htmlspecialchars() function. Its output is safe to display on a page, because htmlspecialchars() converts special characters to HTML entities.
b) Remove backslashes (\) from the user input data with PHP's stripslashes() function.
c) PHP 5.2 and later has a great function called filter_var() for data validation; it both sanitizes and validates data. Read more about filter_var here.
Switch to PDO or MySQLi
The mysql extension is the original extension designed for interacting with a MySQL database from PHP applications. It provides a procedural interface and is easier to understand. Since the mysql extension is deprecated as of PHP 5.5.0, all future development should use either PDO or MySQLi. Although MySQLi also offers a procedural API, PDO is most recommended because of its advanced features and broader database driver support.
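The following added example (not code from the original post) ties tips 1 and 2 together: it validates a signup form with filter_var(), stores it through a PDO prepared statement so that quotes in the input cannot alter the SQL, and escapes with htmlspecialchars() only when the values are rendered. The users table, the validateSignup() function and the sample requests are constructed for this example; an in-memory SQLite database is used so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Validate one signup request; returns false values from filter_var() as errors.
function validateSignup(array $input): array
{
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $age   = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    $name  = trim((string) ($input['name'] ?? ''));

    $errors = [];
    if ($email === false)                    { $errors[] = 'invalid email'; }
    if ($age === false)                      { $errors[] = 'age must be 13-120'; }
    if ($name === '' || strlen($name) > 64)  { $errors[] = 'name required, max 64 chars'; }

    return ['ok'     => $errors === [],
            'errors' => $errors,
            'data'   => ['name' => $name, 'email' => $email, 'age' => $age]];
}

$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,  // with MySQL, lets the server bind parameters itself
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, age INTEGER)');

// Constructed sample requests: two valid (one with a quote and markup in the name), one invalid.
$requests = [
    ['name' => 'Alice',               'email' => 'alice@example.com', 'age' => '34'],
    ['name' => "O'Brien <b>bold</b>", 'email' => 'ob@example.com',    'age' => '40'],
    ['name' => 'Eve',                 'email' => 'not-an-email',      'age' => '7'],
];

$insert = $pdo->prepare('INSERT INTO users (name, email, age) VALUES (:name, :email, :age)');
foreach ($requests as $req) {
    $result = validateSignup($req);
    if (!$result['ok']) {
        echo 'rejected: ' . implode(', ', $result['errors']) . PHP_EOL;
        continue;
    }
    // Bound parameters are never interpolated into the SQL text, so the
    // single quote in "O'Brien" cannot change the statement.
    $insert->execute($result['data']);
}

// Escape once, at output time; ENT_QUOTES covers both single and double quotes.
foreach ($pdo->query('SELECT name, email FROM users') as $row) {
    echo '<li>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
       . ' (' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . ')</li>' . PHP_EOL;
}
```

The second request is stored with its quote and tags intact but is rendered as `O&#039;Brien &lt;b&gt;bold&lt;/b&gt;`, while the third is rejected before it ever reaches the database.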
Use session variables
Session variables store information to be used across multiple pages. Use session variables to secure the pages that should be accessible only to a logged-in user.
Always use .php as the extension.
If you use .inc, .conf, etc. as the file extension, the server will display the contents of the file instead of executing the code when the file is requested directly. This is dangerous if you keep application configuration such as database logins in such files.
Turn off error reporting in production
Turn off error reporting once you are ready to make your application live. Many errors displayed by the server contain enough information for hackers to attack your application.