On the Techie Talks blog today there's a post from Idrish Laxmidhar with a few simple reminders of things you can do to help with the basic security of your PHP applications, mostly surrounding filtering and escaping.
The list includes some of the basics like:
- Avoiding $_REQUEST when possible because of the ambiguity of where the information could come from
- Keep register_globals off (thankfully a default!)
- Checking values for specific data types before using them
- Filtering user input
- Disabling the error output (turning down the reporting levels) on a production environment