A presentation with an accompanying example app to help beginners start build basic web applications. The example does not need a web or database server but can be used to display a web page and save data. Basic tenants for for protecting a PHP web application from HTML injection, cross-site scripting, and SQL injection are covered in the slides and the example. The accompanying example application is highly commented to help with understanding why certain actions are taken.

1. Build better code

2. Who Am I?
Adam Englander
adamenglander@yahoo.com
@adam_englander
http://adamknowsstuff.com
https://github.com/derptest
• DirectEdge Brands Director
of Software Development
• Coupla CTO
• Founder/Organizer of Las
Vegas PHP Users Group
• Co-Organizer of Las Vegas
Developers Users Group
• #VegasTech Enthusiast
http://www.slideshare.net/AdamEnglander/basic-web-development-in-php

3. Overview
In this presentation you will learn how to
build a web page that does the following:
 Interacts with the user via HTML forms
 Stores data in a database
 Displays data stored in a database
 Handles errors properly
 Prevents injection attacks
 Runs without installing a web server

4. Interacting with users via forms
 Use the “post” action in your forms
 Post data is accessible via the $_POST
super global variable
 Validate submitted data
 Use htmlentities() when setting form
data to prevent HTML injection and
Cross-site scripting (XSS)

5. Storing Data in a Database
 Use PDO when possible
 Plenty of tutorials and examples
 Allows for prepared statements to prevent
SQL injection
 Saves memory with result cursors
 Allows use of multiple back-ends
 Use prepared statements to prevent
SQL injection attacks
 Use exception error mode for ease of
error handling

6. Displaying Data Stored in a
Database
 Use PDO – see last slide
 Loop with fetch instead of fetch all to
save on memory
 If you are filtering data, use prepared
statements and bind to prevent SQL
injection attacks

7. Handle Errors Properly
 Turn off error display to the user
 Use try/catch exception handling to
reduce complexity
 Show the user a generic error message
that can be tracked back to the error
logs
 Place as much data as possible in the
error logs without risking exposing
secret or private data

8. Prevents Injection Attacks
 Use prepared statements with binding to
prevent SQL injection
 Validate input data to prevent malicious
data being stored or shown to the user
 Use htmlentities() to encode HTML and
prevent HTML injection and cross-site
scripting (XSS)

9. Run a PHP Web App Without
Installing a Separate Web
Server
 As of PHP 5.4, PHP has a built in web
server
 Provides a simple way for building,
testing, and debugging a web
application without installing a bunch of
infrastructure.
 The built in web server SHOULD NOT
be used for a live application

10. Lets See an Example in Action
A sample application that provides a
registration book of sorts is available to
download/checkout on my Github account:
https://github.com/aenglander/starter-app
Download the zip or clone the repository to
see a highly commented example on how
to accomplish the items in these slides.