Hi,

since certain security vulnerabilities are so common that you have to start almost every reply with the same warnings and explanations, I thought it makes sense to collect all the info in a kind of “FAQ”.

The links below point directly to the particular issues, so you can use them in your replies if you want to.

Feedback would be great! I’ll happily rectify my mistakes.


This is not a tutorial on web security, because it doesn’t cover things like file permissions or configuring the webserver. It’s only a list of common mistakes within PHP code. For more detailed and comprehensive info, check the OWASP.


1. Don’t insert raw values into query strings.

2. Don’t output raw values or insert them into the HTML page.

3. Don’t display internal error messages.

4. Don’t store passwords as plaintext or weak hashes (MD5, SHA-2 etc.).

5. Don’t allow actions solely based on the login status.

6. Don’t use weak random numbers for critical procedures.