PHP/MySQL Security Checklist: The definitive practical guide

MnMnM

After seeing this awesome guide on Stack and needing a practical PHP/MySQL security checklist in-house, I have decided to pay homage to the original guide.

What I need is a practical security checklist for PHP and MySQL. The contents here can function as the checklist, while the answers should function as the guides.

By practical I mean that each answer should avoid superfluous security theoretics and focus on real results. Most of us don't need to know about RFC3174 when you're suggesting to secure passwords using a SHA-1 hash. We just want to make passwords secure.

I will go through the entries from time to time and tidy them up so they have a consistent look and feel and it's easy to scan the list. Feel free to follow a simple "header - brief explanation - list of instructions - gotchas and extra info" template. I'll also link to the entries from the bullet list below so it's easy to find them later.

Procedural note: PLEASE pick one and only one of the below topics and answer it clearly and concisely. Don't try to jam a bunch of information into one answer. Don't just link to other resources - cut and paste with attribution if copyright allows, otherwise learn it and explain it in your own words (that is, don't make people leave this page to learn a task). Please comment on, or edit, an already existing answer unless your explanation is very different and you think the community is better served with a different explanation.

PHP
    Validate user input
    Guard your file system
    Guard your sessions
    Guard against XSS vulnerabilities
    Guard against invalid POSTs
    Guard against CSRF
    Stop using $_REQUEST
    Stop using register_globals

MySQL
    Avoid SQL injection
        Use mysql_real_escape_string to protect against SQL injection

Keep in mind that the above list is only a starter, and that many of the above topics will likely become sub-headers and are too broad to write on. Try to distill something smaller like "Stop using register_globals" rather than, say, trying to write an answer on XSS as a whole. Over time I hope everyone can add many more things.
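The following is an added example, not code from the original post or from any of its answers. It shows how several checklist items above (validate user input, guard your sessions, guard against CSRF and invalid POSTs, stop using $_REQUEST, avoid SQL injection, guard against XSS) look together in one small PHP 8 request handler. It uses PDO prepared statements for the SQL injection item, which is the current PHP approach, rather than the mysql_real_escape_string call named in the list. The table name comments, its columns, the DSN and the credentials are assumptions made for the example.

```php
<?php
// Added example (not from the original post): a small PHP 8 handler that
// demonstrates several checklist items with current PHP APIs: input
// validation, a session-bound CSRF token, parameterized SQL via PDO instead
// of string escaping, and context-aware output escaping against XSS.
// The "comments" table, its columns, the DSN and credentials are assumptions.

declare(strict_types=1);

session_start();

// --- Guard your sessions: one unpredictable CSRF token per session --------
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// --- Guard against CSRF / invalid POSTs -----------------------------------
// hash_equals gives a constant-time comparison so the check does not leak
// information about the stored token through timing.
function csrfTokenIsValid(array $post): bool
{
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// --- Validate user input ---------------------------------------------------
// Accept only what the application expects; return null on any failure.
function validateComment(array $post): ?array
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $body  = trim((string) ($post['body'] ?? ''));
    if ($email === false || $body === '' || mb_strlen($body) > 2000) {
        return null;
    }
    return ['email' => $email, 'body' => $body];
}

// --- Avoid SQL injection: bind parameters, never interpolate --------------
function storeComment(PDO $db, array $comment): void
{
    $stmt = $db->prepare(
        'INSERT INTO comments (email, body, created_at) VALUES (:email, :body, NOW())'
    );
    $stmt->execute([':email' => $comment['email'], ':body' => $comment['body']]);
}

// --- Guard against XSS: escape at output time, for the HTML context --------
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Glue: read $_POST explicitly rather than the ambiguous $_REQUEST ------
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfTokenIsValid($_POST)) {
        http_response_code(403);
        exit('Invalid request');
    }
    $comment = validateComment($_POST);
    if ($comment === null) {
        http_response_code(422);
        exit('Invalid input');
    }
    // DSN and credentials below are placeholders for this example.
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
    storeComment($db, $comment);
    echo '<p>Thanks, ' . e($comment['email']) . '</p>';
} else {
    echo '<form method="post">'
       . '<input type="hidden" name="csrf_token" value="' . e(csrfToken()) . '">'
       . '<input name="email"> <textarea name="body"></textarea>'
       . '<button>Post</button></form>';
}
```

Two design points worth noting: escaping happens at output (the e() helper) rather than on the way into the database, so the stored data stays intact and each output context can be escaped correctly; and with ATTR_EMULATE_PREPARES disabled the MySQL server itself separates the query from the bound values, so the values never pass through string concatenation at all.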