PHP Website Security: Basic and Easy Solution

The simplest approach to PHP website security is to initialize every variable before use, filter all input and escape all output. Filter everything that arrives from the outside world and escape everything you send out. Input includes user-supplied data (for example form data), URL data from GET parameters, XML documents fetched from another source, JSON received from another host and even data read from the database: the database is an external source to your PHP application as well.

Likewise, escape all your output. Escaping output protects you from a range of attacks; XSS and MySQL injection are two examples.

To repeat: initialize all variables, filter all input coming from any outside environment and escape all output. If you initialize every variable and take data only from sources you know, then whether register_globals is on or off on your host generally cannot harm you.

Filter URL data before it is used in a database query, a file include, fopen() or similar. The parameters of a SELECT query are also output, sent to your table, so escape them before the query is run.

Filter any user-supplied data before use. If you expect a certain type of data, check the type or type cast the value. Suppose you implement pagination with p=pageNo in the URL. Simply casting it to an integer improves your security and also saves you from query errors caused by unexpected values.

<?php
// Either form turns the page parameter into an integer; a missing, empty or
// non-numeric value becomes 0, so it can never reach the query as a string.
$page = (int)($_GET['p'] ?? 0);
// or, converting it in place (settype() takes its argument by reference):
settype($_GET['p'], 'integer');
?>
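The three rules above (initialize, filter input, escape output) applied to one pagination and search request, as an added example that is not part of the original post. The request arrays, the SQLite in-memory table and its rows are constructed for the demo; swap the DSN for your real database. Note that the SELECT is parameterized rather than string-built, and that rows coming back from the database are escaped on the way out because they are external data too.

```php
<?php
declare(strict_types=1);

function e(string $s): string
{
    // Escape for HTML body/attribute context.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderPage(array $get, PDO $pdo): string
{
    // 1. Initialize and filter input: accept only a positive integer for p,
    //    falling back to page 1 instead of letting garbage reach the query.
    $page = filter_var($get['p'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['default' => 1, 'min_range' => 1, 'max_range' => 100000],
    ]);
    // q is a string by contract: cast, trim and bound its length.
    $q = mb_substr(trim((string)($get['q'] ?? '')), 0, 100);

    // 2. The SELECT is output to the table: parameterize it instead of
    //    concatenating. LIKE wildcards in user data are neutralized as well.
    $needle  = '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $q) . '%';
    $perPage = 5;
    $stmt = $pdo->prepare(
        'SELECT id, title FROM articles WHERE title LIKE :needle ESCAPE \'!\' '
        . 'ORDER BY id LIMIT :lim OFFSET :off'
    );
    $stmt->bindValue(':needle', $needle, PDO::PARAM_STR);
    $stmt->bindValue(':lim', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':off', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();

    // 3. Escape output: rows from the database are external data too.
    $html = '<p>Results for "' . e($q) . '", page ' . $page . '</p><ul>';
    foreach ($stmt as $row) {
        $html .= '<li><a href="/article.php?id=' . (int)$row['id'] . '">'
               . e($row['title']) . '</a></li>';
    }
    return $html . '</ul>';
}

// Constructed fixture: an in-memory table, one title deliberately contains markup.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$ins = $pdo->prepare('INSERT INTO articles (title) VALUES (?)');
foreach (['PHP security basics', 'Stored <b>bold</b> title', 'Escaping output'] as $t) {
    $ins->execute([$t]);
}

// Constructed requests standing in for ?p=abc&q=<script>alert('a')</script>
// and ?p=1&q=title. The first falls back to page 1 and renders the search
// term harmlessly; the second shows the stored markup escaped.
echo renderPage(['p' => 'abc', 'q' => "<script>alert('a')</script>"], $pdo), "\n";
echo renderPage(['p' => '1', 'q' => 'title'], $pdo), "\n";
```

The `(int)` cast on `$row['id']` and the `e()` call on `$row['title']` are the "escape all output" half of the rule: the value came from the database, so it is treated exactly like a GET parameter when it is written into the page.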

Now, about initializing variables:
If register_globals is on, the string variable $str can start out as anything at all. A user can supply any value in the URL (?str=<script>alert('a');</script>) and PHP will place that value in $str before your script runs.

<?php
// $str is deliberately left uninitialized here; that is the problem described above.
for ($i = 0; $i < 10; $i++) {
    $str .= $i;
}
echo $str;
?>

Here $str is built up inside the loop with $str .= $i;. If $str already held a value before the loop, that value is kept and the digits are appended to it.
$str will equal "<script>alert('a');</script>0123456789".
Even with register_globals on, initializing the variable to an empty string ($str = '') before the loop avoids this security issue, because the variable can then no longer pick up a value from outside without our knowledge.
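The loop from the post written twice, as an added example that is not part of the original post: once with $str left uninitialized and once initialized to '', so the difference register_globals makes is visible side by side. Since register_globals no longer exists in current PHP, the example reproduces its effect with extract() on a constructed request array; that call is there only to recreate the old behaviour and is not something to use in real code.

```php
<?php
declare(strict_types=1);

// Reproduces what register_globals did: every request key becomes a variable
// in the current scope. Used here only to demonstrate the failure.
function uninitializedLoop(array $request): string
{
    extract($request);
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;          // $str was never set by us, so it keeps the injected value
    }
    return $str;
}

function initializedLoop(array $request): string
{
    extract($request);
    $str = '';               // initialize: whatever came from outside is discarded
    for ($i = 0; $i < 10; $i++) {
        $str .= $i;
    }
    return $str;
}

// Constructed request standing in for ?str=<script>alert('a');</script>
$request = ['str' => "<script>alert('a');</script>"];

var_dump(uninitializedLoop($request) === "<script>alert('a');</script>0123456789"); // bool(true)
var_dump(initializedLoop($request) === '0123456789');                              // bool(true)

// Output is escaped for the HTML context so the demo page itself stays safe.
echo htmlspecialchars(uninitializedLoop($request), ENT_QUOTES, 'UTF-8'), "\n";
echo htmlspecialchars(initializedLoop($request), ENT_QUOTES, 'UTF-8'), "\n";
```

The single line `$str = '';` is the whole fix: it makes the loop's starting state something the script chose rather than something the request chose.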