Environment Variables
PHP exposes a lot of information about the server environment and the current request through what are called environment variables. These can be easily accessed from your code when you need to find out what the settings are. Environment Variables
Register Globals was deprecated and eventually removed from PHP because it allows ANY variable in your PHP script to be overridden by a value passed in by someone trying to break your script. While just copying any passed GET or POST values to the appropriate variables gets your code working once you turn Register Globals [...]
Static HTML pages are fine for a small site that only has a handful of pages, but as your site grows the ability to incorporate common elements into all the pages, in a way that can be amended for every page at once, becomes more important. This can be achieved using server side [...]
In this article we consider the security aspects of what might happen if someone is able to access and run any of our includes independently of the web pages they are normally included in. Prevent Includes Running Separately
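The usual guard against an include being requested on its own, as an added example and not the article's own code: the entry page defines a marker constant before pulling the include in, and the include refuses to run unless that marker exists. File names (index.php, includes/header.php) and the constant name IN_SITE are assumptions.

```php
<?php
// --- index.php (a real entry page) ---
// Define the marker first, then load the shared fragment.
define('IN_SITE', true);
require __DIR__ . '/includes/header.php';

// --- includes/header.php ---
// Very first statement of every include: a direct request for
// /includes/header.php never passes through index.php, so the marker
// is absent and the include stops before emitting anything.
if (!defined('IN_SITE')) {
    header('HTTP/1.1 403 Forbidden');
    exit('Direct access not permitted');
}
echo '<div id="header">Site header</div>';
```

The check only protects includes that contain it, so it belongs in every fragment, not just the ones that look sensitive. The stronger fix is to keep the includes directory outside the document root (or deny it in the web server configuration) so the files cannot be requested at all; the constant check is then a second layer for servers where that is not possible.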
Creating a calendar to put into your web page becomes a whole lot easier if you use a server side script to generate the table tags for you. Here’s one that you can either build into your page to generate calendars dynamically or which you can alternatively use just to generate the HTML that you [...]
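A month-table generator of the kind the article describes, as an added example rather than the article's own script. It takes the year and month from the query string (parameter names y and m are assumptions), validates them as integers within a sensible range before they reach any date function, and falls back to the current month otherwise.

```php
<?php
// Build the <table> markup for one month. 0 = Sunday in the first column.
function calendarTable(int $year, int $month): string
{
    $first       = mktime(0, 0, 0, $month, 1, $year);
    $daysInMonth = (int) date('t', $first);
    $startDow    = (int) date('w', $first);

    $html = "<table class=\"calendar\">\n<caption>" . date('F Y', $first) . "</caption>\n<tr>";
    foreach (['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'] as $d) {
        $html .= "<th>$d</th>";
    }
    $html .= "</tr>\n<tr>";

    // Empty cells before the 1st of the month.
    for ($i = 0; $i < $startDow; $i++) {
        $html .= '<td></td>';
    }
    $col = $startDow;
    for ($day = 1; $day <= $daysInMonth; $day++) {
        $html .= "<td>$day</td>";
        if (++$col === 7 && $day < $daysInMonth) {
            $html .= "</tr>\n<tr>";   // start a new week row
            $col = 0;
        }
    }
    // Pad the final row so every row has seven cells.
    while ($col > 0 && $col < 7) {
        $html .= '<td></td>';
        $col++;
    }
    return $html . "</tr>\n</table>\n";
}

// Query-string values are validated as bounded integers; anything else is ignored.
$year  = filter_input(INPUT_GET, 'y', FILTER_VALIDATE_INT,
             ['options' => ['min_range' => 1970, 'max_range' => 2100]]) ?: (int) date('Y');
$month = filter_input(INPUT_GET, 'm', FILTER_VALIDATE_INT,
             ['options' => ['min_range' => 1, 'max_range' => 12]]) ?: (int) date('n');

echo calendarTable($year, $month);
```

Because the only visitor-controlled values are integers that have already passed a range check, nothing from the request is ever interpolated into the HTML as text, which is what keeps a page like this from needing any output escaping.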
One possible cause of problems if you use relative addresses to link the pages of your web site together is “relative to what?” Depending on where the reference is and how you define it, you may or may not get what you expect. Figuring out how to get your relative links working correctly is [...]
You can avoid the whole issue of messages about data being reposted by using a browser that doesn’t produce them, and you can avoid problems if data is posted again by coding the receiving script to recognise the repeat and handle it appropriately, but that doesn’t resolve things for those visitors to your site who are [...]
One often requested feature that people want to add to their web pages is a form allowing their visitors to “tell a friend” about the page by sending them an email linking to that page. This short tutorial shows some HTML and PHP code that you can add [...]
Here we look at one specific instance of how to make your PHP more secure. In the first article about tainted data we looked at how to filter and sanitise data before we move it from global variables into local ones, so that we know that the local variables [...]
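The server-side answer to the repost problem for every visitor, whatever their browser, is the Post/Redirect/Get pattern combined with a single-use form token so that a genuine duplicate submission is recognised. The following is an added example, not code from the original article; the field name token, the session keys form_token and flash, and the comment field are assumptions.

```php
<?php
session_start();

// Issue a fresh random token and remember it in the session.
function newFormToken(): string
{
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// True exactly once for a given token; the stored token is discarded
// whether or not it matched, so a replayed POST can never succeed twice.
function consumeFormToken($token): bool
{
    if (!is_string($token) || empty($_SESSION['form_token'])) {
        return false;
    }
    $valid = hash_equals($_SESSION['form_token'], $token);
    unset($_SESSION['form_token']);
    return $valid;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (consumeFormToken($_POST['token'] ?? null)) {
        // ... process the submission here (e.g. save $_POST['comment']) ...
        $_SESSION['flash'] = 'Thanks, your comment was saved.';
    } else {
        $_SESSION['flash'] = 'That form was already submitted.';
    }
    // 303 makes the browser fetch the result page with GET, so Refresh or
    // Back never triggers the "resend form data?" prompt.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

// GET: show the outcome of the previous POST, then a form with a new token.
if (!empty($_SESSION['flash'])) {
    echo '<p>' . htmlspecialchars($_SESSION['flash'], ENT_QUOTES, 'UTF-8') . '</p>';
    unset($_SESSION['flash']);
}
$token = newFormToken();
echo '<form method="post">'
   . '<input type="hidden" name="token" value="' . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">'
   . '<textarea name="comment"></textarea>'
   . '<button type="submit">Send</button></form>';
```

The redirect removes the browser prompt; the token is what handles the case the prompt was warning about. It is compared with hash_equals rather than == so that a forged token cannot be found by timing, and it is consumed before the submission is processed so that two requests racing with the same token cannot both be accepted.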
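A tell-a-friend handler is a mail relay controlled by strangers, so the receiving script has to treat every field as hostile. The following is an added example and not the tutorial's own code; the form field names friend_email and your_name and the noreply@example.com sender address are assumptions.

```php
<?php
// Reject any value destined for a mail header that contains CR, LF or NUL:
// a newline inside a header value lets the sender append their own headers
// (Bcc:, extra To:) and turn the form into a spam relay.
function cleanHeaderField(string $value, int $maxLen = 80): ?string
{
    if (preg_match('/[\r\n\0]/', $value)) {
        return null;
    }
    $value = trim($value);
    return ($value === '' || strlen($value) > $maxLen) ? null : $value;
}

function tellAFriend(array $post, string $pageUrl): bool
{
    // filter_var returns false for anything that is not a single valid address,
    // including arrays and strings containing newlines.
    $to = filter_var($post['friend_email'] ?? '', FILTER_VALIDATE_EMAIL);

    $rawName = $post['your_name'] ?? '';
    $name    = is_string($rawName) ? cleanHeaderField($rawName) : null;

    if ($to === false || $name === null) {
        return false;   // refuse bad input; do not try to repair it
    }

    // Subject and From are fixed server-side; the visitor's name appears only
    // in the body, and the link is to this page, never a URL they supplied.
    $subject = 'A page you might like';
    $body    = "$name thought you might like this page:\n$pageUrl\n";
    $headers = "From: noreply@example.com\r\n"
             . "Content-Type: text/plain; charset=UTF-8\r\n";
    return mail($to, $subject, $body, $headers);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $pageUrl = 'https://' . $_SERVER['HTTP_HOST'] . strtok($_SERVER['REQUEST_URI'], '?');
    echo tellAFriend($_POST, $pageUrl)
        ? 'Sent.'
        : 'Sorry, that address or name was not accepted.';
}
```

Nothing the visitor types reaches a header other than the validated recipient address, and no free-text message body is accepted at all, because a free-text body is the other thing that makes these forms attractive to spammers. A per-IP or per-session rate limit is the remaining piece a production form would add.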
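The two ways of getting request data into local variables, side by side, as an added example that is not the article's own code: the register_globals-style copy that lets a visitor set any variable the script uses, and the explicit whitelist-and-validate copy the tainted-data articles recommend. The functions, the variable names and the constructed attack request are all assumptions.

```php
<?php
// --- Unsafe: emulating register_globals ---
function unsafeLogin(array $get): string
{
    $authorized = false;
    // extract() creates a local variable for every key in the request, so
    // ?authorized=1 silently overwrites the flag set on the line above.
    // This is exactly what register_globals did automatically.
    extract($get);
    return $authorized ? 'admin area' : 'login form';
}

// --- Safe: name every variable you accept and validate it on the way in ---
function safeLogin(array $get): string
{
    $authorized = false;   // nothing in $get can reach this variable

    // Only a short lower-case word is an acceptable page name; anything else
    // is rejected and replaced by the default, never "cleaned up".
    $page = filter_var($get['page'] ?? 'home', FILTER_VALIDATE_REGEXP,
        ['options' => ['regexp' => '/^[a-z]{1,20}$/']]);
    if ($page === false) {
        $page = 'home';
    }

    // Integers are validated as integers (arrays and "7abc" both fail).
    $id = filter_var($get['id'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    if ($id === false) {
        $id = 0;
    }

    // $page and $id are now known-clean locals; everything else in $get is ignored.
    return $authorized ? 'admin area' : "login form (page=$page, id=$id)";
}

// Constructed request, as an attacker would send it.
$attack = ['authorized' => '1', 'page' => '../etc/passwd', 'id' => '7'];
echo unsafeLogin($attack), "\n";   // admin area
echo safeLogin($attack), "\n";     // login form (page=home, id=7)
```

The important difference is not the validation functions but the direction of control: in the safe version the script decides which names exist and what shape their values may take, and the request can only fill in those slots.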
The fifth of my introductory articles on PHP security looks at usability and how you always need to trade off usability for security and vice versa. It is all a matter of choosing the relative importance of each. Security and Usability
Just because you validate data when it is input does not mean that the data in your database is valid when you process it later. Someone may have found a way to insert something into your database using a path you overlooked. By sanitising the data again when you retrieve it you can ensure that [...]
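Sanitising on the way out, as an added example that is not code from the article. An in-memory SQLite table stands in for the site database; the second row is constructed to represent a value that reached the table through a path the input filter never saw, and the rendering code escapes every field for the context it lands in regardless of how it got there.

```php
<?php
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

$ins = $db->prepare('INSERT INTO comments (author, body) VALUES (?, ?)');
$ins->execute(['alice', 'Nice article']);
// Constructed "bad" row: imagine it arrived via an import script or an old
// admin page that skipped the input validation the public form applies.
$ins->execute(['<script>alert(1)</script>', 'x" onmouseover="alert(2)']);

// HTML-escape at the point of use; ENT_QUOTES covers attribute contexts too.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderComments(PDO $db): string
{
    $out = '';
    foreach ($db->query('SELECT id, author, body FROM comments') as $row) {
        $id = (int) $row['id'];   // numeric columns: cast rather than trust
        $out .= '<div class="comment" data-id="' . $id . '">'
              . '<b>' . h((string) $row['author']) . '</b>: '
              . h((string) $row['body'])
              . "</div>\n";
    }
    return $out;
}

echo renderComments($db);
```

The stored values are left exactly as they were written; escaping belongs to the output context, not the data, so the same row can later be emitted as JSON or plain text with the escaping appropriate to that context instead of being double-encoded.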
If you don’t give any part of your PHP script any more access than it actually needs in order to do its job, you limit the damage someone can do to your system if they do get around your security. Least Privilege