Safeguard
Tag

php-security

Safeguard articles tagged "php-security" — guides, analysis, and best practices for software supply chain and application security.

19 articles

Container Security

Hardening PHP-FPM and Apache Container Images

PHP containers ship with defaults built for compatibility, not security. Opcache settings, disabled functions, and process ownership close the gaps.

Jul 11, 20266 min read
Application Security

Preventing open redirect vulnerabilities in Laravel

Laravel's own ->away() helper is documented as a bypass of its URL safety checks — feed it user input and you've built an open redirect, CWE-601, into the framework's happy path.

Jul 8, 20266 min read
Application Security

PHP code security fundamentals: injection, deserialization, and file inclusion

PHP still powers over 70% of server-side websites, and its three oldest vulnerability classes — injection, deserialization, and file inclusion — remain the most common findings in 2026.

Jul 8, 20267 min read
Application Security

PHP Laravel security best practices

One line, `protected $guarded = [];`, can turn a Laravel signup form into an admin-account minting machine — here's how to lock down five real Laravel risk areas.

Jul 7, 20266 min read
Security Guides

Laravel Security Best Practices: Mass Assignment, Blade, and Debug Mode

Laravel's defaults are solid, but $guarded misuse, {!! !!} in Blade, and APP_DEBUG=true in production have all led to real compromises. Here's the fix.

Jul 4, 20265 min read
Software Supply Chain Security

Laravel Lang supply chain advisory

A leaked PAT let attackers rewrite 700+ git tags across four Laravel-Lang packages, planting a credential stealer that ran on every PHP request.

Jul 1, 20267 min read
Application Security

PHP security best practices guide

A practical PHP security best practices guide covering SQL injection, deserialization RCE, upload hardening, dependency risk, and real exploited CVEs like CVE-2024-4577.

May 27, 20268 min read
Application Security

Securing Laravel PHP applications

CVE-2021-3129, leaked APP_KEYs, and Eloquent mass assignment still compromise Laravel apps in 2026 — here's how each attack works and how to close it.

May 20, 20267 min read
Industry Analysis

PHP Security Explained

PHP still runs ~74% of the web. From the 2024 PHP-CGI RCE to WordPress plugin flaws, here's what actually breaks PHP apps in production.

Feb 23, 20268 min read
Open Source Security

Composer Arbitrary Code Execution via Platform Config Han...

CVE-2021-41116 let malicious composer.json platform config values inject PHP code into Composer autoload files, causing code execution on install.

Nov 30, 20257 min read
Supply Chain Attacks

The Six-Month PEAR go-pear.phar Installer Compromise

How a single tampered PEAR go-pear.phar installer sat undetected on pear.php.net for months, what it could do, and what the PHP ecosystem learned about supply chain trust.

Nov 19, 20257 min read
Open Source Security

Packagist typosquatting report

A report on Packagist typosquatting campaigns targeting Composer/PHP packages, how attackers exploit install hooks, and how to detect them.

Nov 13, 20257 min read
php-security — Safeguard Blog