Secure PHP: SQL Injection, Upload Security, and Session Hardening

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

PHP powers a massive portion of the web, and its security reputation reflects years of poorly written tutorials more than any inherent language flaw. Modern PHP with proper practices is defensible. The problem is that legacy patterns persist everywhere, and most PHP codebases mix old and new approaches.

SQL Injection Prevention

PDO with prepared statements eliminates SQL injection when used correctly:

```php
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => $userEmail]);
$user = $stmt->fetch();
```

The failure mode: using PDO but still concatenating strings for table names, column names, or ORDER BY clauses. Identifiers cannot be bound as parameters, so whitelist the valid values instead:

```php
$allowedColumns = ['name', 'email', 'created_at'];
$column = in_array($sortColumn, $allowedColumns) ? $sortColumn : 'created_at';
$stmt = $pdo->query("SELECT * FROM users ORDER BY {$column}");
```

If you use an ORM like Eloquent or Doctrine, raw queries and whereRaw() reintroduce injection risk. Audit every raw query call.
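The two ideas above combined in one lookup, as an added example that is not code from the original article: the user controls a filter value, the sort column, the sort direction and a page size, with values bound as parameters and identifiers whitelisted. Table and column names are constructed for the demo, which runs offline against an in-memory SQLite database.

```php
<?php
// Added example (not from the original article): a lookup where the user controls
// a filter value, the sort column, sort direction and page size. Values are bound;
// identifiers are whitelisted. Runs offline against an in-memory SQLite database.
declare(strict_types=1);

const SORTABLE_COLUMNS = ['name', 'email', 'created_at'];
const SORT_DIRECTIONS  = ['ASC', 'DESC'];

function findUsersByDomain(PDO $pdo, string $domain, string $sortColumn, string $direction, int $limit): array
{
    // Identifiers cannot be bound, so anything off the whitelist falls back to a safe default.
    $column = in_array($sortColumn, SORTABLE_COLUMNS, true) ? $sortColumn : 'created_at';
    $dir    = in_array(strtoupper($direction), SORT_DIRECTIONS, true) ? strtoupper($direction) : 'DESC';
    $limit  = max(1, min($limit, 100)); // clamp instead of trusting the caller

    // Escape LIKE metacharacters in the value so a user-supplied "%" or "_" matches literally.
    $pattern = '%@' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $domain);

    // Only the whitelisted identifiers are interpolated; every user value is a placeholder.
    $stmt = $pdo->prepare(
        "SELECT id, name, email, created_at FROM users WHERE email LIKE :pattern ESCAPE '!'
         ORDER BY {$column} {$dir} LIMIT :limit"
    );
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    // LIMIT must be bound as an integer; bound as a string it is quoted and MySQL rejects it.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data. With pdo_mysql also pass PDO::ATTR_EMULATE_PREPARES => false
// so placeholders are prepared server-side rather than interpolated by the client.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, created_at TEXT)');
$ins = $pdo->prepare('INSERT INTO users (name, email, created_at) VALUES (?, ?, ?)');
$ins->execute(['alice', 'alice@example.com', '2026-01-01']);
$ins->execute(['bob',   'bob@example.org',   '2026-01-02']);

// A hostile sort column and direction are discarded rather than interpolated.
print_r(findUsersByDomain($pdo, 'example.com', 'name; DROP TABLE users', ') --', 10));
```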

File Upload Security

File uploads are one of the highest-risk features in any PHP application. Attackers upload PHP shells disguised as images and achieve remote code execution.

Validate the file type by content, not by extension. Use finfo_file(), which reads the file's magic bytes, to check the MIME type:

```php
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mimeType = finfo_file($finfo, $_FILES['upload']['tmp_name']);
$allowed = ['image/jpeg', 'image/png', 'image/gif'];
if (!in_array($mimeType, $allowed)) {
    die('Invalid file type');
}
```

Store uploads outside the web root. If that is not possible, configure the upload directory to deny PHP execution:

```apache
# Goes in httpd.conf or the vhost config: php_admin_flag is not honoured in
# .htaccess, and it only affects mod_php (with PHP-FPM, unmap the handler instead).
# "/path/to/uploads" is a placeholder for the actual upload directory.
<Directory "/path/to/uploads">
    php_admin_flag engine off
</Directory>
```

Rename uploaded files to random strings. Never use the original filename — it can contain path traversal sequences like ../../. Set file permissions to 0644 so uploaded files are not executable.
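The upload checks in this section applied in order by a single handler, as an added example that is not code from the original article. It assumes an upload directory outside the web root (the path in the usage comment is a placeholder) and adds a second content check with getimagesize() on top of the finfo MIME check.

```php
<?php
// Added example (not from the original article): one handler applying the
// checks above in order. The upload directory is an assumed path outside the web root.
declare(strict_types=1);

// Accepted types, decided from file content, mapped to the extension we assign.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
const MAX_UPLOAD_BYTES    = 5 * 1024 * 1024;

/** Returns the stored filename, or throws on any validation failure. */
function storeImageUpload(array $file, string $uploadDir): string
{
    // 1. Confirm PHP received the file intact before looking at anything else.
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . (int) $err);
    }
    if (!is_uploaded_file($file['tmp_name']) || $file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('Rejected upload');
    }

    // 2. Type from magic bytes; the client-supplied name and Content-Type are never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException('Invalid file type');
    }
    // 3. Independent second check: the bytes must decode as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('File content is not a valid image');
    }

    // 4. Random name; the extension comes from the verified type, not the original filename.
    $name   = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$mime];
    $target = rtrim($uploadDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }
    // 5. Readable by the web server, never executable.
    chmod($target, 0644);
    return $name;
}

// From a request handler (placeholder directory outside the document root):
// $stored = storeImageUpload($_FILES['upload'], '/path/to/uploads');
```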

Session Hardening

Configure session settings in php.ini or at runtime:

```php
ini_set('session.cookie_httponly', 1);
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.use_strict_mode', 1);
ini_set('session.use_only_cookies', 1);
```

Regenerate session IDs after authentication to prevent session fixation:

```php
session_regenerate_id(true); // true deletes the old session
```

Set session.use_strict_mode to reject uninitialized session IDs. Without it, an attacker can set a session cookie in the victim's browser and wait for them to authenticate.
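The settings, the ID regeneration at login and strict mode combined into a small session bootstrap, as an added example that is not code from the original article. It passes the same options through session_start() instead of ini_set(), adds an application-side idle timeout, and assumes a hypothetical verifyCredentials() function supplied by the application.

```php
<?php
// Added example (not from the original article): hardened session bootstrap plus
// login/logout helpers. verifyCredentials() is an assumed application function.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 1800;

function startHardenedSession(): void
{
    // Same settings as the ini_set() block above, passed as session_start() options.
    session_start([
        'cookie_httponly'  => true,     // no JavaScript access to the session cookie
        'cookie_secure'    => true,     // only sent over HTTPS
        'cookie_samesite'  => 'Strict',
        'use_strict_mode'  => true,     // unknown IDs are rejected, never adopted (blocks fixation)
        'use_only_cookies' => true,     // never accept the ID from the URL
        'gc_maxlifetime'   => SESSION_IDLE_SECONDS,
    ]);
    // gc_maxlifetime is only a garbage-collection hint; enforce the idle timeout explicitly.
    if (isset($_SESSION['last_seen']) && time() - $_SESSION['last_seen'] > SESSION_IDLE_SECONDS) {
        $_SESSION = [];
        session_regenerate_id(true);    // drop the stale ID together with its data
    }
    $_SESSION['last_seen'] = time();
}

function loginUser(string $username, string $password): bool
{
    if (!verifyCredentials($username, $password)) { // assumed application function
        return false;
    }
    // Privilege level changed: a fresh ID makes any pre-authentication ID worthless.
    session_regenerate_id(true);
    $_SESSION['user']      = $username;
    $_SESSION['auth_time'] = time();
    return true;
}

function logoutUser(): void
{
    $_SESSION = [];
    // Expire the cookie in the browser as well as destroying the server-side data.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 3600, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```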

Framework-Specific Security

Laravel: Use the built-in CSRF protection (@csrf in forms). Eloquent is safe by default, but DB::raw() is not. Validate all input with Form Requests. Set APP_DEBUG=false in production: debug mode leaks environment variables, database credentials, and full stack traces.

Symfony: Use the Security component for authentication. Twig auto-escapes output, but the |raw filter bypasses it. Use the Validator component for input validation. Configure firewalls explicitly: the default dev firewall disables security entirely.

WordPress: Keep core, themes, and plugins updated. Use $wpdb->prepare() for all database queries. Never trust $_GET, $_POST, or $_REQUEST without sanitization using sanitize_text_field(), absint(), or wp_kses().

Related Career Paths

PHP security skills are directly relevant to the Application Security Expert career path. A large portion of web application assessments involve PHP codebases, especially WordPress and Laravel applications.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
