OWASP Top 10 Orientation For PHP Applications

The OWASP Top 10 is an orientation tool for common web application risks. It is not a complete checklist, but it helps teams recognise recurring classes of weakness during implementation and review.

What Matters

  • Access-control failures include missing ownership checks and admin-only actions exposed to ordinary users.
  • Cryptographic failures include weak password storage, leaked secrets, and unsafe transport.
  • Injection includes SQL, shell, template, and other interpreter boundaries.
  • Security misconfiguration includes debug output, permissive storage, unsafe headers, and default credentials.
  • Vulnerable dependencies and poor logging are operational security risks as well as coding risks.

Practical Example

PHP example
<?php

declare(strict_types=1);

function owaspReviewPrompt(string $feature): array
{
    return [
        'feature' => $feature,
        'questions' => [
            'Is access checked server-side?',
            'Can untrusted data reach an interpreter?',
            'Could secrets or personal data leak?',
            'Are failures logged safely?',
        ],
    ];
}

print_r(owaspReviewPrompt('invoice download'));

// Prints:
// Array
// (
//     [feature] => invoice download
//     [questions] => Array
//         (
//             [0] => Is access checked server-side?
//             [1] => Can untrusted data reach an interpreter?
//             [2] => Could secrets or personal data leak?
//             [3] => Are failures logged safely?
//         )
//
// )

In Application Work

Use OWASP categories to broaden a review after checking the feature-specific controls. The categories prompt questions; they do not replace understanding the application.

Turn Categories Into Feature Questions

Review a real feature, not a list in isolation. For an invoice download route, ask:

  • Access control: can one customer request another customer's invoice ID?
  • Injection: can request data influence SQL, paths, or response headers?
  • Cryptography: is the request protected by HTTPS?
  • Misconfiguration: can an error expose storage paths or stack traces?
  • Logging: will denied downloads be visible without logging secrets?
  • Dependencies: which PDF or storage libraries process the file?
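The route those questions describe, written out as an added example (not code from the original lesson): each check in the handler answers one of the questions above. The storage directory, invoice records, session shape and logger are constructed assumptions; the handler returns a response array instead of sending headers so it can run offline.

```php
<?php

declare(strict_types=1);

// Hypothetical private storage directory; it is never exposed as a public URL.
const INVOICE_DIR = '/var/app/private/invoices';

// Constructed sample records, keyed by invoice ID.
const INVOICES = [
    '1001' => ['owner_id' => 7, 'file' => 'inv-1001.pdf'],
    '1002' => ['owner_id' => 9, 'file' => 'inv-1002.pdf'],
];

// Handles GET /invoices?id=... and returns a response array instead of
// sending headers, so the route can be exercised without a web server.
function invoiceDownload(array $session, array $query, bool $https, callable $log): array
{
    // Cryptography: private documents are only served over HTTPS.
    if (!$https) {
        return ['status' => 403, 'body' => 'HTTPS required'];
    }
    // Injection: only a canonical numeric ID may reach a query, a path, or a header.
    $id = $query['id'] ?? '';
    if (!is_string($id) || !preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        return ['status' => 400, 'body' => 'Invalid invoice ID'];
    }
    $invoice = INVOICES[$id] ?? null;
    $userId = $session['user_id'] ?? null;
    // Access control: ownership is decided from the stored record and the
    // authenticated session, never from a client-supplied owner field.
    if ($invoice === null || $invoice['owner_id'] !== $userId) {
        // Logging: record who was denied what; no session token, no storage path.
        $log(sprintf('invoice download denied user=%s invoice=%s', $userId ?? 'anon', $id));
        // Misconfiguration: one generic answer for "missing" and "not yours".
        return ['status' => 404, 'body' => 'Not found'];
    }
    // Path and header safety: the file name comes from the record, the path is
    // confined to INVOICE_DIR, and the download name is built from the validated ID.
    $path = INVOICE_DIR . '/' . basename($invoice['file']);
    return [
        'status'  => 200,
        'path'    => $path,
        'headers' => ['Content-Disposition' => 'attachment; filename="invoice-' . $id . '.pdf"'],
    ];
}

$log = static fn (string $line) => fwrite(STDERR, $line . PHP_EOL);
$session = ['user_id' => 7];
foreach (['1001', '1002', '../x'] as $requested) {
    echo $requested, ' => ', invoiceDownload($session, ['id' => $requested], true, $log)['status'], PHP_EOL;
}
```

The three sample requests exercise the owner's own invoice, another customer's invoice, and a malformed ID, so the same handler shows the allow, deny-and-log, and reject paths.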

The same categories produce different questions for a login endpoint, webhook receiver, upload form, or admin report.

OWASP Is A Starting Point

The Top 10 summarises common risk classes. It does not replace a threat model, framework guidance, dependency updates, tests, or incident response.

Use it during planning and review to catch blind spots. Then trace data and permissions through the actual application flow.

What To Check

Before moving on, make sure you can:

  • use OWASP categories as review prompts;
  • recognise access control, injection, configuration, and dependency risks;
  • connect broad categories to concrete PHP boundaries;
  • avoid treating the list as a complete security guarantee;
  • turn broad categories into questions about one real feature.

Practice

Practice: Create A Feature Review Prompt

Build a review helper for a document-download feature.

Requirements

  • Include access control, input, output, secrets, logging, and dependency questions.
  • Keep questions tied to a concrete feature.
  • Show the resulting review areas.

The output is a review prompt, not an automated proof of security.

PHP example
<?php

declare(strict_types=1);

function reviewAreas(string $feature): array
{
    return [
        'feature' => $feature,
        'areas' => [
            'authorise record ownership',
            'validate document ID',
            'avoid public storage URLs for private files',
            'log denied access without exposing secrets',
            'keep storage SDK dependencies current',
        ],
    ];
}

foreach (reviewAreas('document download')['areas'] as $area) {
    echo '- ' . $area . PHP_EOL;
}

// Prints:
// - authorise record ownership
// - validate document ID
// - avoid public storage URLs for private files
// - log denied access without exposing secrets
// - keep storage SDK dependencies current

A real review follows each question into the route, service, storage adapter, and deployment configuration.