Writing secure code


Using PHP features that are known to be exploitable or insecure can lead to remote code execution or weak cryptography. As a developer, avoid features that introduce vulnerabilities into your code, and treat any data that crosses a trust boundary (request parameters, cookies, cache entries, queue messages) as attacker-controlled when you decide how it is parsed.

PHP functions to avoid

The following is a list of PHP functions that are known to be dangerous when they operate on untrusted input. Avoid using these functions in your code.

Standard PHP library classes to avoid

  • ArrayObject - Using the ArrayObject class is not recommended because it implements PHP's object (un)serialization hooks (the Serializable methods and, since PHP 7.4, __serialize/__unserialize). Whenever an ArrayObject appears in a serialized payload that is passed to unserialize(), its unserialize logic runs on attacker-controlled data, and the nested values it restores can instantiate arbitrary classes. This is a well-known building block for object-injection exploits.

    If you need to use the ArrayObject class, override the serialize/unserialize methods so that they use secure logic. Convert objects into plain arrays of scalars to serialize them, reject anything that is not a scalar or array on the way back in, and reconstruct the objects from those arrays during unserialization. Note that an override only protects your subclass: a payload that names ArrayObject itself still reaches the built-in logic, so never pass untrusted data to unserialize(), and where legacy code must call it, restrict the allowed_classes option to the classes you expect.

    You can use the json_encode/json_decode PHP functions for a secure way of serializing/unserializing data. JSON cannot represent PHP objects, so decoding it (with the assoc flag set so that it yields arrays) can never instantiate a class.
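The following is an added example, not code from the original page or from the project it describes, showing the approach above in working PHP 7.4+: an ArrayObject subclass that serializes only plain data, a JSON round trip as the preferred path, and a restricted unserialize() call for legacy callers. The class name SafeArrayObject and the sample order data are assumptions made for the example.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not from the original page). SafeArrayObject is an
 * ArrayObject whose serialized form is a plain array of scalars and nested
 * arrays, so a payload can never smuggle another object through it.
 */
final class SafeArrayObject extends ArrayObject
{
    /** Serialize only the array contents, refusing nested objects. */
    public function __serialize(): array
    {
        $data = $this->getArrayCopy();
        self::assertPlainData($data);
        return $data;
    }

    /** Rebuild from an array of scalars; anything else is rejected. */
    public function __unserialize(array $data): void
    {
        self::assertPlainData($data);
        $this->exchangeArray($data);
    }

    /** JSON is the preferred wire format: it cannot carry PHP objects at all. */
    public function toJson(): string
    {
        $data = $this->getArrayCopy();
        self::assertPlainData($data);
        return json_encode($data, JSON_THROW_ON_ERROR);
    }

    public static function fromJson(string $json): self
    {
        // assoc=true yields arrays, never stdClass instances.
        $data = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
        if (!is_array($data)) {
            throw new UnexpectedValueException('Expected a JSON array or object');
        }
        return new self($data);
    }

    /** Recursively reject anything that is not a scalar, null or array. */
    private static function assertPlainData(array $data): void
    {
        array_walk_recursive($data, static function ($value): void {
            if (is_object($value) || is_resource($value)) {
                throw new UnexpectedValueException(
                    'Only scalars and arrays may be (un)serialized'
                );
            }
        });
    }
}

// Constructed sample data. Round trip through JSON (preferred path).
$order = new SafeArrayObject(['id' => 42, 'items' => ['sku-1', 'sku-2']]);
$json = $order->toJson();                 // {"id":42,"items":["sku-1","sku-2"]}
$restored = SafeArrayObject::fromJson($json);
assert($restored['items'][1] === 'sku-2');

// Legacy path: if unserialize() must still be called, whitelist the class so
// any other class named in the payload becomes __PHP_Incomplete_Class instead
// of being instantiated.
$blob = serialize($order);
$copy = unserialize($blob, ['allowed_classes' => [SafeArrayObject::class]]);
assert($copy['id'] === 42);

// A hand-built hostile payload that nests an object inside the data. The
// whitelist stops stdClass (or a real gadget class) from being instantiated,
// and __unserialize() then refuses the leftover placeholder object.
$hostile = 'O:15:"SafeArrayObject":1:{s:1:"x";O:8:"stdClass":0:{}}';
try {
    unserialize($hostile, ['allowed_classes' => [SafeArrayObject::class]]);
    echo "unexpected: hostile payload accepted\n";
} catch (UnexpectedValueException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run it with `php example.php`; the hostile payload is rejected before exchangeArray() runs. The allowed_classes option is what prevents instantiation of unexpected classes; the assertPlainData() check is a second layer that also catches objects the whitelist let through (including the SafeArrayObject class itself nested inside its own data).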