Tip

[Tip#64] Do you know the difference between `e()`, `htmlspecialchars()`, & `htmlentities()`? Can we just use `e()` for everything?
[Tip#63] PHP includes a some really handy security-focused functions, but you need to know how to use them correctly, or you risk leaving a significant…
[Tip#62] Search engines like to snoop on all of your files, so be careful what you leave lying around.
[Tip#61] While it's tempting to throw everything into logs, keep in mind where your logs end up → plain text files, 3rd party collectors, passed around…
[Tip#60] Stack traces are essential for debugging complex (and even simple) issues, but there is a risk that something sensitive might be exposed within…
[Tip#59] It may seem obvious, you'd be surprised just how often I come across websites where debug mode is enabled!
6
[Tip#58] It's time to upgrade your bcrypt rounds to 12 (or higher)!
1
[Tip#57] You've heard about SQL Injection and Cross-Site Scripting but what about another big injection avenue: Command Injection? It's less common but…
[Tip#56] It may be tempting to compare keys/sensitive strings using `===`, or even `==`, but that opens you up to timing attacks! You should be using a…
3
[Tip#55] Let's look at my old buddy time(), who always has something for me during my audits. This time it's helping avoid filename collisions?
[Tip#54] Don't leave domains (or subdomains) pointing at servers or nameservers you don't control, or you might get a copy of the email I just received…
7
[Tip#53] Accepting File Uploads from your users is always a risky proposal, but have you considered just how easily uploaded files can be used to bypass…