Defensive Programming in PHP for the Web


PHP (PHP: Hypertext Preprocessor) is a powerful and versatile programming language, frequently used in web applications. Building secure PHP apps requires both the platform configuration and secure coding practices. This course is a hands-on, lab-based course which presents risks and solutions and invites the student to edit some sample code to mitigate example risks. Students learn and practice both platform configuration (e.g., php. ini issues) and code-level techniques to find and fix security vulnerabilities in sample code.

This course covers platform features and specifics that can potentially introduce risks like unsafe PHP configuration, null-byte issues, dangerous APIs, cryptography, and dynamic file inclusion issues. After securing the platform, the course teaches standard PHP defensive programming techniques. Topics include safe file system access, session management, authentication, input validation/output encoding, cross-site request forgery, transport security, and injection attacks. For each of these concepts, the course covers common mistakes, subtle semantics that can surprise the unwary, and correct ways to invoke the right APIs. Students leave with a solid understanding of the fundamentals of building secure PHP applications.

Learning Objectives

After successfully completing this course, the student will be able to:

  • Comprehend the PHP platform
  • Describe the risks affecting PHP applications
  • Write secure web applications using PHP
  • Design and architect secure PHP applications
  • Describe steps to configure PHP applications securely


Delivery Format:  Live traditional or virtual classroom

Class Duration: 8 hours

Intended Audience: Developer


Get more course information