php-security
Safeguard articles tagged "php-security" — guides, analysis, and best practices for software supply chain and application security.
20 articles
Most vulnerable PHP frameworks report
A data-driven look at CVEs across Laravel, Symfony, CodeIgniter, Yii2 & ThinkPHP reveals which PHP frameworks carry the most real-world exploitation risk.
Laravel security vulnerability trends
A data-driven look at recurring Laravel vulnerability patterns — debug-mode RCE, APP_KEY leaks, and Composer supply chain risk — and how to defend against them.
Object Injection Vulnerabilities in PHP and Node.js
PHP's unserialize() and Node's insecure deserialization both let attackers forge objects and execute code. Here's how object injection works and how to stop it.
SQL Injection Prevention in PHP with Parameterized Queries
Parameterized queries stop SQL injection in PHP by separating code from data. Here's how PDO and MySQLi prepared statements work, and where they still fail.
Path Traversal Prevention in PHP: Avoiding include() with...
PHP's include() turns a path traversal bug into remote code execution. See how CVE-2015-2213 and CVE-2022-1329 happened, and how to prevent it with allowlists.
XXE Prevention in PHP with libxml_disable_entity_loader
libxml_disable_entity_loader() looked like the fix for XXE in PHP, but PHP 8.0 deprecated it. Here's what it did, why it broke, and what to use now.
Secure Random Number Generation in PHP with random_bytes
PHP's mt_rand() has a 32-bit seed space attackers can crack in seconds. Here's why random_bytes() and random_int() replaced it in PHP 7.0, and how weak randomness still causes breaches.
PHP 7.3 to 7.4 Version Vulnerabilities: A Security Changelog
PHP 7.4 vulnerabilities span years of unsupported point releases; here is what changed security-wise across the 7.3 and 7.4 lines and why staying on either branch today is a standing risk.