#2
Old 07-30-07, 18:35
taslayer taslayer is offline
BOD Member
 
Join Date: Jul 2007
Posts: 296

What To Look For

Identify pages which display text entered by untrusted users.
Possible Fixes or Improvements

* Before you save it or before you display it, escape HTML appropriately. You can use PHP's built-in functions htmlspecialchars or htmlentities for this purpose.

* If you want untrusted users to use HTML for formatting, you should perform validation to restrict the available HTML tags to a basic set of tags, like and .

Further Ideas

Part two will feature five more security checks for PHP.
In the meantime, here are three ideas to keep in mind as you design your application.

* Encrypt or use hashes of passwords when storing them (PHP's md5 function is useful for this).

* Do not store credit card numbers: it is generally better to use a third-party payment gateway instead.

* Enforce strong passwords. Password strength requirements vary from application to application, but consider, at a minimum, enforcing passwords that are at least six characters long and contain some non-alphanumeric characters.
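The two output-escaping fixes from the post above, as an added example that is not part of the original post: htmlspecialchars with ENT_QUOTES and an explicit charset for plain text, and a small allowed-tag list for formatted input. The helper names escape_html and allow_basic_tags and the sample strings are assumptions constructed for this example.

```php
<?php
// Added example (not from the original post): output encoding for
// untrusted text, plus a restricted-tag allow list for formatted input.

/**
 * Escape an untrusted string for insertion into HTML element content
 * or a double-quoted attribute value. ENT_QUOTES also encodes single
 * quotes; naming the charset avoids encoding-dependent surprises.
 */
function escape_html(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Allow only a small set of formatting tags, with no attributes.
 * Everything is escaped first; then only the exact escaped forms of
 * <tag> and </tag> are turned back into real tags. A tag carrying an
 * attribute (e.g. an event handler) does not match and stays escaped.
 * This avoids strip_tags(), which keeps attributes on allowed tags.
 */
function allow_basic_tags(string $untrusted, array $allowed = ['b', 'i', 'em', 'strong']): string
{
    $safe = escape_html($untrusted);
    foreach ($allowed as $tag) {
        $safe = str_replace(
            ['&lt;' . $tag . '&gt;', '&lt;/' . $tag . '&gt;'],
            ['<' . $tag . '>', '</' . $tag . '>'],
            $safe
        );
    }
    return $safe;
}

// Constructed sample inputs, as an untrusted user might submit them.
$comment  = 'Hello <script>...</script> "friends" & <b onmouseover="x">all</b>';
$nickname = "O'Brien";
$markup   = 'I <b>really</b> like <i>this</i> <b onclick="x">not this</b>';

// Element content: every special character becomes an entity.
echo '<p>' . escape_html($comment) . "</p>\n";
// Attribute value: ENT_QUOTES makes the single quote safe as well.
echo '<input type="text" value="' . escape_html($nickname) . "\">\n";
// Formatted input: bare <b>/<i> survive; the attribute-bearing <b> stays
// escaped and only its harmless closing tag is restored.
echo '<p>' . allow_basic_tags($markup) . "</p>\n";
```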