Keamanan PHP tegese pertahanan marang vulnerabilitas web sing umum (OWASP Top 10) ing saben lapisan — penanganan input, akses database, output, autentikasi, lan konfigurasi. Amarga PHP ngisi akeh banget web, praktik-praktik iki kritis.
->( . []);
= ->();
->([[]]);
// ❌ echoing raw user input → XSS (injected scripts run in the browser)
echo $_GET['name'];
// ✅ escape output for HTML context
echo htmlspecialchars($_GET['name'], ENT_QUOTES, 'UTF-8');
Escape data sing dikontrol pengguna ing output (htmlspecialchars) supaya HTML/JS sing disuntik ora bisa dieksekusi. (Template engine kayata Twig/Blade auto-escape.)
// ✅ use password_hash (bcrypt/argon2) — never plaintext, never MD5/SHA
$hash = password_hash($password, PASSWORD_DEFAULT);
// verify:
if (password_verify($input, $hash)) { /* correct password */ }
Built-in PHP password_hash/password_verify nggunakake algoritma sing kuat, salted, lan lambat — cara sing bener kanggo nyimpen password.
// generate a token, store in the session, include in forms, verify on submit
$_SESSION['csrf'] = bin2hex(random_bytes(32));
// verify on POST: hash_equals($_SESSION['csrf'], $_POST['csrf'])
$email = filter_var($_POST['email'], FILTER_VALIDATE_EMAIL); // validate
$id = (int) $_GET['id']; // cast/whitelist
// never trust $_GET/$_POST/$_COOKIE — validate everything
✓ display_errors=Off in production (don't leak stack traces/internals to users — log instead)
✓ Keep secrets in env vars / config outside the web root, NOT in code/git
✓ Use HTTPS; set secure/httponly/samesite cookie flags
✓ Keep PHP and dependencies UPDATED (composer audit for vulnerable packages)
✓ Validate file uploads (type, size); store outside the web root
✓ Use a maintained framework (Laravel/Symfony) — they handle many protections by default
Keamanan kritis kanggo aplikasi PHP, lan ngerti praktik-praktik iki penting — amarga PHP ngisi porsi gedhe web, aplikasi PHP menjadi target serangan terus-terusan, lan kegagalan keamanan bisa bencana (pelanggaran data, kompromi akun, penghapusan konten).
PHP ngatasi vulnerabilitas web sing paling umum lan mbahayakan, nanging ora kaya framework-framework liyane, akeh banget tergantung saka developer sing ngikut praktik bener.
Kang ora bisa diganggu gugat: prepared statements cegah SQL injection (salah siji serangan paling umum lan ngrusak), output escaping (htmlspecialchars) cegah XSS, password_hash/password_verify pastikan penyimpanan password aman (ora pernah plaintext/hash lemah), CSRF tokens proteksi request sing ngubah state, lan validasi input ketat (ora pernah percaya $_GET/$_POST/$_COOKIE) minangka fondasi.
Sama pentinge konfigurasi aman: mateni tampilan error ing production (error bocor informasi sensitif marang penyerang), nyimpan rahasia adoh saka kode, nggunakake HTTPS lan cookie flags aman, validasi upload, lan ngupdate PHP lan dependensi (amarga paket sing rawan minangka vektor serangan utama).
Ngerti pendekatan berlapis, defense-in-depth iki — lan yen siji lapisan sing ketinggalan (injection, rahasia bocor, output ora diuscape, dependensi ora dipetik) bisa kompromi kabeh sistem — penting, pengetahuan taruhan tinggi kanggo saben developer PHP.
Lanché framework modern (Laravel, Symfony) nyediakake akeh proteksi kanthi default, ngerti ancaman lan praktik sing dasar minangka tanggung jawab penting kanggo mbangun aplikasi aman, nggawe topik iki kritis, relevan terus-terusan kanggo PHP production.