Web security is crucial on an open web. Even though the importance attached to vulnerabilities is subjective and may not be a priority for many developers and web admins, a protected website is always desirable. The reason is simple: "You never know what is out there." PHP, being both powerful and popular, is a favourite target for attackers around the world who probe sites for fun or profit. PHP has its own ways of making itself safe and secure; the only step that remains is to actually apply them.
Reverse engineering has always been a free pathway for hacking. Hackers target "loopholes" in a program's structure and implementation. To start with, developers must know which aspects of their program's structure are vulnerable and might prove to be weak points.
In PHP, the most common attack is SQL injection. If the attacker knows the table names, a value in the URL can be used to inject a SQL fragment into a query. This is devastating, because once access is gained, files could be deleted, copied or uploaded. The best defence is to migrate from the old MySQL extension to PDO. PDO prepared statements keep the data separate from the instructions, so user input can never change the meaning of a query.
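The following added example, not from the original article, shows the concatenated query that enables injection next to the PDO prepared statement that prevents it. The DSN, credentials and the `users(id, name, email)` table are hypothetical placeholders.

```php
<?php
// Added example (not from the original article). Assumes a MySQL database
// reachable via the hypothetical DSN below and a table users(id, name, email).
declare(strict_types=1);

// Constructed input: what a URL parameter might carry instead of a number.
$untrustedId = $_GET['id'] ?? '1 OR 1=1';

// --- VULNERABLE (old mysql_* style string building) ---
// The URL value becomes part of the SQL text, so "1 OR 1=1" rewrites the
// query's logic (every row matches) instead of being treated as a number.
function vulnerableQuery(string $id): string
{
    return 'SELECT id, name, email FROM users WHERE id = ' . $id;
}
// vulnerableQuery($untrustedId) yields: SELECT ... WHERE id = 1 OR 1=1

// --- HARDENED (PDO prepared statement) ---
// The SQL text with a placeholder is sent to the server first; the value is
// bound afterwards, so it can only ever be data, never part of the statement.
function findUserById(PDO $pdo, string $id): ?array
{
    // Reject anything that is not an integer before it reaches the database.
    $clean = filter_var($id, FILTER_VALIDATE_INT);
    if ($clean === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $clean, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = new PDO(
    'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // hypothetical DSN
    'app_user',                                        // hypothetical user
    'app_password',                                    // hypothetical password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepares so SQL and data travel separately.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

var_dump(findUserById($pdo, $untrustedId)); // NULL: "1 OR 1=1" is not an integer
```

Placeholders can bind only values, not identifiers: a table or column name taken from user input still has to be checked against a fixed whitelist before it is spliced into the SQL text.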
These two forms of attack are among the most common. Therefore, never trust even an insider who can guess the table names of your database, and never trust data from users or any third party until it has been proven harmless.