What Are The First 3 Things I Should Do To Secure My PHP Based Website?

PHP is a very controversial language.

It is basically the language of the web.

Most of the web sites that you see on the web are built with PHP, but the controversy surrounding it comes from the many developers who feel that the language is not very good and that it has a lot of security holes in it.


When a web site is built with PHP without following the basic security practices that should be followed, then yes, it can have a lot of holes in it.

Still, there are many ways that you can make sure that your PHP code does not have holes in it.

There are some basic industry practices that will help you prevent this.

So if you are a PHP developer, or someone who just occasionally dabbles in it, there are some rules you can follow that will help make your code more secure.

Before we go any further, we should recognize that a lot of people reading this article might not know what PHP is.

What Is PHP?

I will not get too technical, but PHP is what is known as a server-side language.

While HTML is used to present the UI, or graphics, of the web page, PHP is used to give the web page functionality from the server.

So if you need to store data from a web program, you would use PHP to access the database.

Some people might confuse the programmability of JavaScript with PHP.

JavaScript is only used to run code in the browser; PHP is used to run code on the server.

So now that you know what PHP is, let’s get back into talking about how we can secure it.

Securing PHP

The first thing you want to do when writing PHP code is to make sure that no one can enter information into the site that they are not supposed to; people can do serious damage when they are allowed to do that.

So the first function that I want to introduce you to is htmlentities.

This function takes what was entered into a form and turns it into its HTML equivalent.

So if someone tries to enter code that would mess up the web page, it will not work.

For example, putting this code <? Hello ?> into a form that is processed with htmlentities turns it into this: &lt;? Hello ?&gt;.

This way it turns potentially dangerous code into plain HTML text.

Another function that will help you keep the code on your server safe is mysql_real_escape_string.

There are attacks on the server called SQL injection attacks, and this function is designed to stop them from happening.

Placing this in your code will help you prevent your SQL database from being corrupted.
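As an added example that is not from the original article, here is a small comment-form handler that combines the two functions just described: htmlentities for the output and a guard against SQL injection for the database write. It assumes PDO with an in-memory SQLite database so it runs offline; because mysql_real_escape_string needs a live MySQL connection (and the mysql extension it belongs to was removed in PHP 7.0), the equivalent protection shown is a prepared statement with bound parameters.

```php
<?php
// Added example, not from the original article. A minimal comment handler
// that stores one form field and renders it back, using an in-memory
// SQLite database via PDO (assumption) so it runs offline. The SQL
// injection defence is a prepared statement, the modern equivalent of
// mysql_real_escape_string, which went away with the mysql extension in PHP 7.0.
declare(strict_types=1);

// Constructed sample input: HTML plus a quote-based SQL injection attempt.
$untrusted = "<script>alert('xss')</script>' OR '1'='1";

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');

// Vulnerable form: the raw string is spliced into the SQL text, so quotes in
// the input alter the query. Shown only to contrast with the safe version.
function insertUnsafe(PDO $db, string $body): void
{
    $db->exec("INSERT INTO comments (body) VALUES ('" . $body . "')");
}

// Safe form: the value is bound separately from the SQL text, so the
// database never parses it as SQL, whatever it contains.
function insertSafe(PDO $db, string $body): void
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
}

// Output escaping with htmlentities. ENT_QUOTES also escapes single quotes
// (older PHP defaults left them alone) and the charset must match the page.
function renderComment(string $body): string
{
    return '<p>' . htmlentities($body, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

try {
    insertUnsafe($db, $untrusted);
} catch (PDOException $e) {
    // Here the stray quote simply breaks the query; with other input it
    // could instead change what the query does.
    echo "Unsafe insert failed: " . $e->getMessage() . "\n";
}

insertSafe($db, $untrusted);
foreach ($db->query('SELECT body FROM comments') as $row) {
    echo renderComment($row['body']), "\n";
}
```

Run it with the PHP CLI (php file.php) and compare the escaped output line with the raw value at the top of the script.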

The last function that I will discuss is called phpinfo.

Unlike the other functions I discussed, this one makes your site more secure when you remove it.

phpinfo shows every aspect of your site's setup to anyone who can load it, including an attacker, so make sure that you never keep a file that calls this function in the web root of your server.

If you do, an attacker can find it and use it against you.

These are the three functions that will help your site stay secure.

There are many more, but this is a good first step.

About Lee Munson

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

