PHP Security Best Practices

Secure PHP applications — prevent SQL injection, XSS, CSRF, password hashing, input validation, and security headers.

45 min•By Priygop Team•Last updated: Feb 2026

PHP Security

SQL Injection Prevention: NEVER concatenate user input into SQL queries. Use prepared statements: $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id'); $stmt->execute(['id' => $input]). Eloquent/PDO do this automatically
XSS Prevention: Always escape output — htmlspecialchars($input, ENT_QUOTES, 'UTF-8'). Blade's {{ }} auto-escapes. Use {!! !!} only for trusted HTML. Content Security Policy headers block inline scripts
CSRF Protection: Include CSRF token in every form — Laravel's @csrf directive. Verify with VerifyCsrfToken middleware. Token stored in session, validated on POST/PUT/DELETE requests
Password Security: password_hash($password, PASSWORD_ARGON2ID) — never store plain text or MD5/SHA. password_verify($input, $hash) for login. Argon2id is the current best algorithm
Input Validation: Validate ALL user input — Laravel: $request->validate(['email' => 'required|email|unique:users', 'age' => 'integer|min:18']). Filter and sanitize before use
Security Headers: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Strict-Transport-Security: max-age=31536000 — prevent MIME sniffing, clickjacking, and force HTTPS

Try It Yourself: MVC Pattern Demo

Try It Yourself: MVC Pattern DemoHTML

HTML Editor

✓ ValidTab = 2 spaces

<!DOCTYPE html>
<html><head>
<style>
  body { font-family: Arial, sans-serif; padding: 20px; background: #fdf4ff; }
  h2 { color: #a21caf; }
  .card { background: white; padding: 20px; border-radius: 10px; box-shadow: 0 2px 6px rgba(0,0,0,0.1); max-width: 550px; margin: 12px 0; }
  .layer { padding: 12px; border-radius: 8px; margin: 8px 0; }
  .model { background: #fce7f3; border-left: 4px solid #ec4899; }
  .view { background: #e0e7ff; border-left: 4px solid #6366f1; }
  .controller { background: #dcfce7; border-left: 4px solid #22c55e; }
  code { background: #f1f5f9; padding: 2px 6px; border-radius: 4px; font-size: 13px; }
  input { width: 100%; padding: 8px; border: 2px solid #e5e7eb; border-radius: 6px; margin: 4px 0; box-sizing: border-box; }
  button { background: #a21caf; color: white; border: none; padding: 8px 16px; border-radius: 6px; cursor: pointer; margin: 4px; }
  #output { background: #fafaf9; padding: 12px; border-radius: 6px; font-family: monospace; font-size: 13px; margin-top: 8px; min-height: 60px; }
</style></head><body>
<div class="card">
  <h2>🏗️ MVC Pattern Demo</h2>
  <div class="layer model"><strong>📦 Model</strong> — Data & business logic</div>
  <div class="layer view"><strong>🖥️ View</strong> — What the user sees</div>
  <div class="layer controller"><strong>⚙️ Controller</strong> — Handles user input</div>
  <input id="item" placeholder="Add a task (e.g., Learn Laravel)" />
  <button onclick="controller.add()">Add Task</button>
  <button onclick="controller.clear()">Clear All</button>
  <div id="output"></div>
</div>
<script>
const model = { tasks: ['Learn PHP basics', 'Study MVC pattern'], add(t){ this.tasks.push(t); }, clear(){ this.tasks = []; } };
const view = { render(tasks){ document.getElementById('output').innerHTML = tasks.length ? tasks.map((t,i) => (i+1)+'. '+t).join('<br />') : '(empty)'; } };
const controller = { add(){ const v=document.getElementById('item').value; if(v){model.add(v);document.getElementById('item').value='';} view.render(model.tasks); }, clear(){ model.clear(); view.render(model.tasks); } };
view.render(model.tasks);
</script></body></html>

<!DOCTYPE html>
<html><head>
<style>
  body { font-family: Arial, sans-serif; padding: 20px; background: #fdf4ff; }
  h2 { color: #a21caf; }
  .card { background: white; padding: 20px; border-radius: 10px; box-shadow: 0 2px 6px rgba(0,0,0,0.1); max-width: 550px; margin: 12px 0; }
  .layer { padding: 12px; border-radius: 8px; margin: 8px 0; }
  .model { background: #fce7f3; border-left: 4px solid #ec4899; }
  .view { background: #e0e7ff; border-left: 4px solid #6366f1; }
  .controller { background: #dcfce7; border-left: 4px solid #22c55e; }
  code { background: #f1f5f9; padding: 2px 6px; border-radius: 4px; font-size: 13px; }
  input { width: 100%; padding: 8px; border: 2px solid #e5e7eb; border-radius: 6px; margin: 4px 0; box-sizing: border-box; }
  button { background: #a21caf; color: white; border: none; padding: 8px 16px; border-radius: 6px; cursor: pointer; margin: 4px; }
  #output { background: #fafaf9; padding: 12px; border-radius: 6px; font-family: monospace; font-size: 13px; margin-top: 8px; min-height: 60px; }
</style></head><body>
<div class="card">
  <h2>🏗️ MVC Pattern Demo</h2>
  <div class="layer model"><strong>📦 Model</strong> — Data & business logic</div>
  <div class="layer view"><strong>🖥️ View</strong> — What the user sees</div>
  <div class="layer controller"><strong>⚙️ Controller</strong> — Handles user input</div>
  <input id="item" placeholder="Add a task (e.g., Learn Laravel)" />
  <button onclick="controller.add()">Add Task</button>
  <button onclick="controller.clear()">Clear All</button>
  <div id="output"></div>
</div>
<script>
const model = { tasks: ['Learn PHP basics', 'Study MVC pattern'], add(t){ this.tasks.push(t); }, clear(){ this.tasks = []; } };
const view = { render(tasks){ document.getElementById('output').innerHTML = tasks.length ? tasks.map((t,i) => (i+1)+'. '+t).join('<br>') : '(empty)'; } };
const controller = { add(){ const v=document.getElementById('item').value; if(v){model.add(v);document.getElementById('item').value='';} view.render(model.tasks); }, clear(){ model.clear(); view.render(model.tasks); } };
view.render(model.tasks);
</script></body></html>

Result

Click ▶ Run to see the result

Edit the code on the left, then click Run

HTML|31 lines|2137 chars|✓ Valid syntax

UTF-8

Quick Quiz — PHP & Laravel

Next Module →