- Vulnerable to SQL Injection (sql-vuln example 1, sql-vuln example 2). A request to a specially-crafted URL can cause arbitrary (and possibly destructive) changes to the database.
- Cross-site Scripting/XSS vulnerabilities (cross-site scripting example 1). Interpolating variables directly into HTML can create cross-site-scripting vulnerabilities, particularly if the values of those variables come from the database or user-generated content (malicious data could be inserted via an SQL Injection or by inserting unsanitized form input directly into database).
- Hard-coded Secrets/tokens for third-party services (hard-coded secret example 1, hard-coded secret example 2, hard-coded secret example 3). These are subject to change and should be in configuration.
- Poor / little error handling (error handling example 1). When errors occur they should be logged for later review. The application should handle the situation in an appropriate way to avoid disruption to the user, eg: retry task, display explanation.
- HTML generation mixed with unrelated application logic, this can result in unexpected issues that are very hard to debug.
The examples above are not an exhaustive list of issues. The entire codebase needs to be inspected for other occurences of these issues.
Examples of popular recommended PHP frameworks:
Application frameworks provide many benefits:
- Encourages/enforces secure-by-default idioms:
- Input sanitization & validation (protection from cross-site scripting (XSS))
- Secure database access (protection from SQL injections)
- Secure form submissions (protection from cross-site request forgeries (CSRF))
- Standard & secure methods of handling common web application tasks, eg:
- HTTP request/response handling
- Cookies & session management
- User authentication
- URL path routing
- Database queries and management
- Use HTML templating system
- Form creation & submission handling
- Interacting with filesystem, eg: user uploads
- Consistent & organized source code layout improves maintainability and easier for new people to pick up and contribute
See Create your own PHP Framework for more info (but still use a ready-made framework!).
Templating systems allow you to seperate your HTML generation from your application logic. Most will also provide escaping and sanitization to help prevent XSS vulnerabilities.
Twig is a popular templating system for PHP.
Follow recommendations outlined in "The Twelve-Factor App"
The Twelve-Factor App is a set of recommendations produced by developers at Heroku with the intent of formalizing the industry-standard best-practices for building modern web applications & software.