
Security Best Practices

Security guidelines for developers


SQL Injection Prevention

Always use prepared statements:

// ✅ CORRECT
$stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
$stmt->bind_param("i", $userId);
$stmt->execute();

// ❌ WRONG
$query = "SELECT * FROM users WHERE id = " . $userId;
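A fuller version of the prepared-statement pattern, added here as an example and not taken from the original page: one lookup by a single id, and the IN (...) list case where people often fall back to string concatenation. The table, column names and connection details are constructed; get_result() and fetch_all() assume the mysqlnd driver.

```php
<?php
// Added example (not from the original page): mysqli prepared statements, including a
// dynamic IN (...) list. Table/column names and connection details are constructed.
declare(strict_types=1);

/** Fetch one user row by integer id, or null when no row matches. */
function findUserById(mysqli $db, int $userId): ?array
{
    // The SQL text is fixed; the value travels separately as a bound parameter,
    // so nothing in the value is ever parsed as SQL.
    $stmt = $db->prepare("SELECT id, email FROM users WHERE id = ?");
    $stmt->bind_param("i", $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

/** Fetch several users by id. The placeholder list is built from the count, never from the values. */
function findUsersByIds(mysqli $db, array $userIds): array
{
    // Reject anything that is not an integer instead of letting it reach the query.
    $ids = [];
    foreach ($userIds as $id) {
        $int = filter_var($id, FILTER_VALIDATE_INT);
        if ($int === false) {
            throw new InvalidArgumentException("non-integer id in list");
        }
        $ids[] = $int;
    }
    if ($ids === []) {
        return [];
    }
    // "?,?,?" generated from count($ids); the ids themselves are bound, one "i" per value.
    $placeholders = implode(",", array_fill(0, count($ids), "?"));
    $stmt = $db->prepare("SELECT id, email FROM users WHERE id IN ($placeholders)");
    $stmt->bind_param(str_repeat("i", count($ids)), ...$ids);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Constructed connection details; replace with the application's own configuration.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failures throw instead of returning false
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

var_dump(findUserById($db, (int) ($_GET['id'] ?? 0)));
var_dump(findUsersByIds($db, $_GET['ids'] ?? []));
```

The point of findUsersByIds is that the only thing interpolated into the SQL string is a run of question marks derived from the list length; the ids are still bound, so a list such as ["1", "2 OR 1=1"] is rejected by the integer check rather than reaching the database.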

XSS Prevention

Always escape output:

// ✅ CORRECT
echo e($userInput);

// ❌ WRONG
echo $userInput;
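An escaping helper of the kind the page's e() stands for, added here as an example rather than the page's own implementation, together with the different encoding needed when data is placed inside a script block. The sample input is constructed; PHP 8 is assumed for the mixed type.

```php
<?php
// Added example (not from the original page): an output-escaping helper in the spirit of
// the page's e(), plus the separate encoding needed inside <script>. PHP 8 assumed.
declare(strict_types=1);

/** Escape a string for an HTML text node or a quoted attribute value. */
function e(?string $value): string
{
    // ENT_QUOTES also encodes ' so the value is safe inside single-quoted attributes;
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode a PHP value for embedding inside <script>...</script>; HTML escaping is the wrong tool there. */
function jsValue(mixed $value): string
{
    // JSON_HEX_TAG turns < and > into \u003C and \u003E, so a "</script>" in the data
    // cannot close the script block; the other flags cover quotes and ampersands.
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed sample input standing in for untrusted user data.
$userInput = '<img src=x onerror=alert(1)>"; </script>';

echo '<p>' . e($userInput) . "</p>\n";                       // text node context
echo '<input value="' . e($userInput) . "\">\n";              // attribute context
echo '<script>var name = ' . jsValue($userInput) . ";</script>\n"; // script context
```

Escaping is context-specific: e() is right for text nodes and quoted attributes, jsValue() for script blocks, and a URL placed in an href or src additionally needs its scheme checked (http or https only), since no amount of HTML escaping makes a javascript: URL safe.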

Authentication

  • Always verify user authentication before processing requests
  • Check user permissions for sensitive operations
  • Use session-based authentication
  • Implement proper logout functionality
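The four bullets above as a single session-based flow, added as an example that is not part of the original page: login after password verification, a login check and a role check that every request handler calls first, and a logout that clears both server and client state. The user record and password are constructed.

```php
<?php
// Added example (not from the original page): session-based authentication with a
// permission check and a complete logout. The user record below is constructed.
declare(strict_types=1);

session_start();

/** Establish a session for a user whose password has just been verified. */
function loginUser(int $userId, array $roles): void
{
    // Issuing a fresh session id at login defeats session fixation: an id the client
    // held before authenticating is discarded rather than upgraded.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
    $_SESSION['roles'] = $roles;
}

/** Verify the submitted password against the stored hash and start the session on success. */
function handleLogin(array $userRecord, string $submittedPassword): bool
{
    if (!password_verify($submittedPassword, $userRecord['password_hash'])) {
        return false;
    }
    loginUser($userRecord['id'], $userRecord['roles']);
    return true;
}

/** Stop the request unless a user is logged in; returns the user id otherwise. */
function requireLogin(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        exit('Authentication required');
    }
    return (int) $_SESSION['user_id'];
}

/** Stop the request unless the logged-in user holds the given role. */
function requireRole(string $role): void
{
    requireLogin();
    if (!in_array($role, $_SESSION['roles'] ?? [], true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

/** Terminate the session server-side and expire the session cookie client-side. */
function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}

// Constructed user record; in a real application this comes from the database.
$user = [
    'id'            => 42,
    'roles'         => ['user', 'admin'],
    'password_hash' => password_hash('example-password', PASSWORD_DEFAULT),
];

if (handleLogin($user, $_POST['password'] ?? '')) {
    requireRole('admin');       // a sensitive handler would start with this line
    // ... perform the sensitive operation ...
    logoutUser();
}
```

Destroying the session alone is not a complete logout: the browser still holds the cookie, so logoutUser() also expires it with the same path, domain and flags it was set with.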

Input Validation

  • Validate all user input
  • Sanitize data before database operations
  • Use type checking and validation functions
  • Implement CSRF protection on forms
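An added example, not from the original page, that puts the input-validation bullets and the CSRF bullet together: a registration form validated field by field with filter_var and a regular expression, and protected by a per-session token compared in constant time. The field names and the sample submission are constructed.

```php
<?php
// Added example (not from the original page): allow-list validation of a form plus a
// per-session CSRF token. Field names and the sample submission are constructed.
declare(strict_types=1);

session_start();

/** Return the session's CSRF token, creating it on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrfTokenIsValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

/**
 * Validate a registration submission.
 * Returns ['ok' => bool, 'errors' => [field => message], 'data' => [field => typed value]].
 * Each field must match an expected shape; anything else is rejected rather than "cleaned".
 */
function validateRegistration(array $post): array
{
    $errors = [];
    $data = [];

    if (!csrfTokenIsValid($post['csrf_token'] ?? null)) {
        $errors['csrf_token'] = 'invalid or missing CSRF token';
    }

    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'not a valid e-mail address';
    } else {
        $data['email'] = $email;
    }

    // Type check and range check in one step; the result is an int, not the raw string.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be an integer between 13 and 120';
    } else {
        $data['age'] = $age;
    }

    // \A and \z anchor the whole string; $ alone would accept a trailing newline.
    $username = $post['username'] ?? '';
    if (!is_string($username) || preg_match('/\A[a-z0-9_]{3,32}\z/', $username) !== 1) {
        $errors['username'] = 'username must be 3-32 characters from a-z, 0-9 and _';
    } else {
        $data['username'] = $username;
    }

    return ['ok' => $errors === [], 'errors' => $errors, 'data' => $data];
}

// When rendering the form, the token travels in a hidden field.
echo '<input type="hidden" name="csrf_token" value="'
    . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . "\">\n";

// Constructed submission, shaped like $_POST from that form.
$submission = [
    'csrf_token' => csrfToken(),
    'email'      => 'alice@example.com',
    'age'        => '34',
    'username'   => 'alice_01',
];
$result = validateRegistration($submission);
var_dump($result['ok'], $result['data']);
```

Only the typed values in $result['data'] go on to the database, and they still travel as bound parameters; validation decides whether a request is acceptable, while prepared statements keep even acceptable values from being interpreted as SQL.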

File Upload Security

  • Validate file types and sizes
  • Generate safe filenames
  • Store uploads outside web root when possible
  • Scan uploaded files for malware
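The upload bullets as one handler, added as an example that is not from the original page. It assumes a form field named avatar and a storage directory outside the document root; both are placeholders to adjust for the deployment.

```php
<?php
// Added example (not from the original page): validating and storing an image upload.
// UPLOAD_DIR is an assumed path outside the document root; the field name "avatar" is constructed.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads'; // assumed; must not be under the web root
const MAX_BYTES  = 2 * 1024 * 1024;         // 2 MiB

// Allowed types keyed by the MIME type detected from file contents, not the client's claim.
const ALLOWED_TYPES = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Validate and store one entry from $_FILES. Returns the server-chosen filename.
 * Throws RuntimeException on any rejection so the caller can report it.
 */
function storeUpload(array $file): string
{
    // PHP fills 'error' for every upload slot; anything but UPLOAD_ERR_OK means no usable file.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . ($file['error'] ?? 'unknown'));
    }
    if (($file['size'] ?? 0) > MAX_BYTES) {
        throw new RuntimeException('file exceeds size limit');
    }
    // is_uploaded_file() rules out a path that did not arrive through the HTTP upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Sniff the real content type; $file['type'] is supplied by the client and untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // The stored name is random with a server-chosen extension. The client's filename is
    // used for nothing but logging, so path separators or double extensions in it are inert.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}

if (isset($_FILES['avatar'])) {
    try {
        $stored = storeUpload($_FILES['avatar']);
        error_log('stored upload ' . $stored
            . ' (client name: ' . basename($_FILES['avatar']['name']) . ')');
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
    }
}
```

Because the directory is outside the web root, a stored file is never executed or served directly; a download script reads it and sets its own Content-Type and Content-Disposition headers. A malware scan, where one is deployed, runs against $dest after storeUpload() returns and before the file is made available.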

HTTPS

Always use HTTPS in production. Never transmit sensitive data over HTTP.
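An in-application safety net for the HTTPS rule, added here as an example that is not from the original page: plain-HTTP requests are redirected before any session or form data is touched, HTTPS responses carry an HSTS header, and the session cookie is flagged so it is never sent over HTTP. The canonical hostname is a placeholder, and whether the X-Forwarded-Proto header may be trusted depends on the deployment.

```php
<?php
// Added example (not from the original page): enforcing HTTPS at the application layer.
// CANONICAL_HOST is a placeholder; the web server or load balancer should enforce this too.
declare(strict_types=1);

const CANONICAL_HOST = 'app.example.com'; // assumed; do not derive the redirect target from Host

/** True when the request arrived over TLS, optionally honouring a TLS-terminating proxy's header. */
function requestIsHttps(array $server, bool $trustProxyHeader): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Only honour X-Forwarded-Proto when the app is known to sit behind a proxy that sets it;
    // otherwise any client could claim HTTPS on a plain-HTTP connection.
    return $trustProxyHeader
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/** Redirect plain-HTTP requests to HTTPS; on HTTPS, tell browsers to stay there (HSTS). */
function enforceHttps(array $server, bool $trustProxyHeader): void
{
    if (requestIsHttps($server, $trustProxyHeader)) {
        header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
        return;
    }
    $uri = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $uri, true, 301);
    exit;
}

enforceHttps($_SERVER, false); // pass true only behind a proxy that overwrites X-Forwarded-Proto

// Must run before session_start(): Secure keeps the cookie off HTTP entirely,
// HttpOnly keeps it away from scripts, SameSite limits cross-site sending.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();
```

The redirect target is built from a configured hostname rather than the incoming Host header, so a client cannot steer the redirect elsewhere, and the cookie flags mean that even a stray http:// link to the site cannot leak the session id.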