Home/ Questions/Q 7535133
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-30T06:14:19+00:00

Let’s say I have a website where PHP 5.3 is installed every output is

  • 0

Let’s say I have a website where

  • PHP 5.3 is installed
  • every output is htmlspecialchars()ed.
  • PDO and prepared statements are the only way to interact with the database
  • error_reporting() is off
  • every request is passed to index.php (front controller) and no direct file access is allowed except for index.php via .htaccess
  • every input is properly escaped (why should I? i use Prepared statements, how could an user input mess up with my code?)
  • there’s no use of evil()

Is it considered safe? What other things could be fixed to improve security? How could you attack it? Hack it? PHP/Server side is possible to improve security?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Check this page : PHP Security Guide. Most attacks are documented. If after implementing these security checks, you’re still hacked, there are high chances that the problem doesn’t come from your PHP application.

    By the way, as @Jacco stated, there is some wrong stuff on the article I linked to.

    1. Use prepared statements instead of mysql_real_escape_string(), but you already did that.
    2. About salting, follow this answer instead : https://stackoverflow.com/a/401684/851498
    3. Finally, checking [‘type’] (for file upload) is unsafe since a malicious user can change this value. Instead, see the suggested solution of this link : http://www.acunetix.com/websitesecurity/upload-forms-threat.htm
    • 0