
I would add the following:

General tips:

* Understand how HTTP works (sounds trivial for a PHP developer, but at least here in Brazil, a huge portion doesn't)

* ALWAYS keep php.ini with production settings and replicate the same into your development environment (Vagrant is a great option here)

* ALWAYS keep Apache or Nginx configs in sync among every environment

* NEVER trust $_SERVER['REMOTE_ADDR'] to get client IPs when you are behind a Load Balancer (most modern frameworks already treat this, but make sure you are parsing it correctly)

* ALWAYS use `realpath` when you are symlinking folders

* Be REALLY careful when using `setlocale` for something, especially with numbers

* 2 basic things about Cookies: use `HttpOnly` flag whenever possible AND `Secure` flag when behind SSL

* Make sure the Database library uses PDO in its core

* Every service runs in UTC timezone (PHP, DB, OS etc). Offset calculations just for presentation or input (when explicitly necessary)

* Don't use $_POST and $_GET globals directly

* Support other methods (DELETE, PATCH, etc) by parsing the Request body properly

Personal tips:

* Use Composer

* Use Twig

* Use a nice Request/Response handler (Symfony2's HttpFoundation, for instance)

I am sure I forgot many things here; one day I'll compile a list with everything I've been through.

Hope it helps!

:)
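Two of the tips above (client IPs behind a load balancer, and the cookie flags) are easy to get subtly wrong, so here is an added example of how a defender would implement them. This is not code from the thread or from any framework named in it; the trusted-proxy list, the constructed `$_SERVER` array, and the cookie name are assumptions, and the CIDR helper is IPv4-only. It needs PHP 8 for `str_contains` and PHP 7.3+ for the options-array form of `setcookie`.

```php
<?php
// Added example, not from the original thread: resolve the real client IP
// behind a load balancer, and build cookie options with HttpOnly/Secure set.
declare(strict_types=1);

// Assumption: these are the only load balancers allowed to set X-Forwarded-For.
// Constructed values; replace with the addresses of your own proxies.
const TRUSTED_PROXIES = ['10.0.0.0/8', '192.168.1.10'];

/** True if $ip lies inside $cidr (a bare address or an a.b.c.d/bits block). IPv4 only. */
function ipInCidr(string $ip, string $cidr): bool
{
    if (!str_contains($cidr, '/')) {
        return $ip === $cidr;
    }
    [$subnet, $bits] = explode('/', $cidr, 2);
    $ipLong = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false;
    }
    $mask = -1 << (32 - (int) $bits);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

function isTrustedProxy(string $ip): bool
{
    foreach (TRUSTED_PROXIES as $cidr) {
        if (ipInCidr($ip, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Walk X-Forwarded-For from the right. Every trailing hop that is one of our
 * proxies is stripped; the first address that is not ours is the client.
 * Anything further left was supplied by the client itself, so it is ignored.
 * If the TCP peer is not a trusted proxy, the header is ignored entirely.
 */
function clientIp(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!isTrustedProxy($remote)) {
        return $remote;
    }
    $hops = array_values(array_filter(
        array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR'] ?? '')),
        fn(string $h): bool => filter_var($h, FILTER_VALIDATE_IP) !== false
    ));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (!isTrustedProxy($hops[$i])) {
            return $hops[$i];
        }
    }
    return $remote; // every listed hop was ours; fall back to the socket peer
}

/** Cookie options implementing the two flags from the tip: HttpOnly always, Secure when on TLS. */
function sessionCookieOptions(bool $behindTls): array
{
    return [
        'expires'  => 0,
        'path'     => '/',
        'secure'   => $behindTls,  // browser only sends it over HTTPS
        'httponly' => true,        // not readable from document.cookie
        'samesite' => 'Lax',
    ];
}

// Constructed request: the client spoofed a leading address, our two proxies
// appended the real ones. Only the socket peer and the hops we own are trusted.
$constructedServer = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.7, 10.0.0.9',
];
echo 'client ip: ', clientIp($constructedServer), PHP_EOL;

// Assumed cookie name; in a real app the value comes from your session handler.
setcookie('sid', bin2hex(random_bytes(16)), sessionCookieOptions(true));
```

With the constructed input, the walk discards `10.0.0.9` (ours), stops at `203.0.113.7` (the client), and never looks at the attacker-supplied `1.2.3.4`. The important design point is that the header is consulted only when `REMOTE_ADDR` is one of your own proxies; otherwise anyone can put whatever they like in `X-Forwarded-For`.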



Another nice Request/Response handler is Guzzle[1], which is what Amazon's AWS-API library uses. Guzzle's easy support of parallel HTTP requests is really nice.

[1] http://guzzlephp.org/


Don't use $_POST and $_GET globals directly

May I ask why not?


If they aren't sanitized or validated they can generate exceptions or contain malicious data which leads to XSS or SQL injection after they've been reflected back to the user or added to a database. Since the values in these arrays come from the user, they should always be considered actively hostile and treated as such.


Ah, gotcha. So, treat them like they're "tainted", in Perl parlance.

I was thinking that remark was intended more along the lines of "never use $_GET and $_POST directly, only ever access them via something like Symfony's sfWebRequest::getGetParameter/getParameterHolder/etc", which struck me as a bit overzealous as such rules go.


Yeah, just make sure somewhere you're doing all the checking (type, length, character set, providing sane defaults, etc.) that other languages probably do for you.

Because users are evil and want to destroy you and PHP is only too happy to help them... :\
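The two replies above describe the checks (type, length, character set, sane defaults) and the consequences of skipping them (XSS, SQL injection). Here is an added example, not from the thread, of reading request values through small validators instead of touching `$_GET` directly, and then using the results with a PDO prepared statement and HTML escaping. The parameter names, the `posts` table and the in-memory SQLite database are assumptions made so the block runs stand-alone (it needs the `pdo_sqlite` extension).

```php
<?php
// Added example, not from the original thread: validate request parameters
// before use, bind them in a prepared statement, escape them on output.
declare(strict_types=1);

/** Integer parameter with a range check and a default; raw input never escapes this function. */
function intParam(array $source, string $key, int $default, int $min, int $max): int
{
    // filter_var returns false for null, arrays ("?page[]=1") and out-of-range values.
    $v = filter_var($source[$key] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? $default : $v;
}

/** String parameter restricted to an explicit character set and maximum length. */
function slugParam(array $source, string $key, ?string $default = null, int $maxLen = 64): ?string
{
    $v = $source[$key] ?? null;
    if (!is_string($v) || strlen($v) > $maxLen || preg_match('/\A[a-z0-9-]+\z/', $v) !== 1) {
        return $default;
    }
    return $v;
}

/** Look a post up by slug. The value is bound, never concatenated into the SQL text. */
function findPost(PDO $db, string $slug): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM posts WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape for an HTML text context at the output boundary (the template layer, in practice). */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed request: one value out of range, one SQL-shaped, one script-shaped.
$constructedGet = [
    'page' => '99999999999',
    'slug' => "hello' OR 1=1 --",
    'q'    => '<script>alert(1)</script>',
];

$page = intParam($constructedGet, 'page', 1, 1, 1000);     // falls back to the default
$slug = slugParam($constructedGet, 'slug', 'home');        // fails the character-set check

// Assumed schema, created in memory so the example needs no database server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT NOT NULL, title TEXT, body TEXT)');
$db->exec("INSERT INTO posts (slug, title, body) VALUES ('home', 'Home', 'Welcome')");

$post = findPost($db, $slug);

echo 'page=', $page, ' slug=', $slug, ' title=', h($post['title'] ?? '(none)'), PHP_EOL;
echo '<p>You searched for: ', h($constructedGet['q']), '</p>', PHP_EOL;
```

The split matters: validation decides what shape a value may have (and substitutes a default when it does not), the prepared statement keeps data out of the SQL grammar regardless of content, and `h()` keeps it out of the HTML grammar. None of the three steps replaces the others, which is why "check it somewhere" in the reply above really means checking at each boundary the value crosses.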


Yeah, I often feel like PHP is trying to destroy me.

/ used Haskell at uni, loved it

// first job in the real world is... web dev, on a sprawling legacy PHP codebase, with no documentation or tests

/// I miss my static guarantees :(



