What are some good tips/ways to help keep my PHP app secure? Basically just wanting to compile a solid list of "must do's" for PHP security.
1) Avoid SQL-Injection 2) Do not save passwords in cookies (unless encrypted) 3) Use session() if possible. It is much safer and easier to implement. (I can't think of any others right now...)
Here a few more suggestions: Check all user input data to make sure it is the type and length expected. Do not pass user submitted data to a command line. Debug your code on a test server with full error reporting turned on. Log and fix all errors, no matter how insignificant. Initialize all variables to safe, default values. Limit the use of global variables, pass local values to your functions and return the results. Do not allow support scripts to be directly called from the internet. Place all scripts and libraries which do not need to be in the website directory in a directory outside the website so that they cannot be accidentally called.
SQL injections most of the time can be prevented by using the addslashes(str) function. MD5/encrypt all your passwords stored in cookies. Some choose to additionally encrypt passwords in their SQL databases, however I don't feel this is necessary since it's password protected anyway. As long as your SQL password is strong, it isn't necessary. Stay away from register_globals. I used it alot in the beginning of my development stages, however it can turn out for the worse. I've hacked my own scripts before because of a mistake of not using $_POST, $_GET, and $_COOKIE varibles, just relying on regiser_globals - I'd recommend just turning it off in your php config if you have access.