Following are the points to be considered for making a safe PHP application.
- Use PDO or mysqli.
- Never trust user inputs. Consider every variable, viz. $_POST, $_GET, $_COOKIE, $_SESSION, $_SERVER, as if it were tainted. Use appropriate filtering measures for these variables.
- To avoid XSS attacks, use PHP's built-in functions htmlentities, strip_tags, etc. while inserting the user input data into the database.
- Disable register_globals in php.ini.
- Disable allow_url_fopen in php.ini.
- Don't allow the user to input more data than required. Validate input to allow a maximum number of characters. Also validate each field for the relevant datatype.
- Disable error reporting after the development period. It might give information about the database that will be useful to hackers.
- Use a one-time token while posting a form. If the token exists and matches, the form post is valid; otherwise it is invalid.
- Use parameterized database queries.
- Use stored procedures.
You can google each point for more details. Hope this helps.
Resource: http://stackoverflow.com/questions/11839523/secure-against-sql-injection-pdo-mysqli
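The following is an added example, not code from the answer above or from the linked Stack Overflow thread. It puts several of the listed points into one small form handler: a one-time session token checked on every POST, length and type validation of each field, a PDO prepared statement with bound parameters, and database errors logged rather than shown. Everything about the schema is an assumption for the demo: an in-memory SQLite database with a `comments` table (`name`, `body`, `age`), the hypothetical helper names `csrf_token`, `csrf_valid`, `validate_comment`, `insert_comment` and `e`, and the mbstring extension for `mb_strlen`.

```php
<?php
// Added example (not from the original post). Assumes PHP 7+ with PDO,
// pdo_sqlite and mbstring; the table and column names are constructed.
declare(strict_types=1);

session_start();

// One-time token: generated once per session, checked on every POST.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time, so the comparison does not leak
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

// Treat every field as tainted: trim, length-limit and type-check each one.
function validate_comment(array $post): array {
    $errors = [];
    $name = trim((string)($post['name'] ?? ''));
    $body = trim((string)($post['body'] ?? ''));
    $age  = $post['age'] ?? '';

    if ($name === '' || mb_strlen($name) > 40) {
        $errors[] = 'name must be 1-40 characters';
    }
    if ($body === '' || mb_strlen($body) > 500) {
        $errors[] = 'body must be 1-500 characters';
    }
    // filter_var returns false for anything that is not an integer in range
    $age = filter_var($age, FILTER_VALIDATE_INT,
                      ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($age === false) {
        $errors[] = 'age must be an integer between 0 and 150';
    }
    return ['errors' => $errors, 'name' => $name, 'body' => $body, 'age' => $age];
}

// Parameterized query: the values are bound, never concatenated into SQL.
function insert_comment(PDO $db, string $name, string $body, int $age): void {
    $stmt = $db->prepare('INSERT INTO comments (name, body, age) VALUES (:name, :body, :age)');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':body', $body, PDO::PARAM_STR);
    $stmt->bindValue(':age', $age, PDO::PARAM_INT);
    $stmt->execute();
}

// HTML-escape a string before it is placed in the page.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed in-memory database; contents vanish when the request ends.
$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real prepared statements
]);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, name TEXT, body TEXT, age INTEGER)');

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('invalid form token');
    }
    $v = validate_comment($_POST);
    if ($v['errors']) {
        http_response_code(400);
        foreach ($v['errors'] as $err) { echo e($err), "<br>\n"; }
        exit;
    }
    try {
        insert_comment($db, $v['name'], $v['body'], $v['age']);
    } catch (PDOException $ex) {
        error_log($ex->getMessage());   // driver details go to the log,
        http_response_code(500);
        exit('could not save comment'); // not to the browser
    }
}

$token = e(csrf_token());
echo "<form method=\"post\">\n";
echo "  <input type=\"hidden\" name=\"csrf_token\" value=\"{$token}\">\n";
echo "  <input name=\"name\" maxlength=\"40\"> <input name=\"age\" type=\"number\" min=\"0\" max=\"150\">\n";
echo "  <textarea name=\"body\" maxlength=\"500\"></textarea>\n";
echo "  <button>Post</button>\n</form>\n";

foreach ($db->query('SELECT name, body, age FROM comments') as $row) {
    echo '<p>', e($row['name']), ' (', (int)$row['age'], '): ', e($row['body']), "</p>\n";
}
```

Run it with `php -S localhost:8080 demo.php` and submit the form. The `maxlength`, `min` and `max` attributes on the inputs are only a convenience for the browser; the server-side checks in `validate_comment` are the ones that count, since a request can be sent without the form. The stored values are kept as typed and escaped with `htmlspecialchars` at the point where they are rendered into HTML, so the same row can later be emitted safely in a different context (JSON, plain text) without having to undo an earlier encoding.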