php-security
SKILL.md
PHP Security
Core Principle
Never trust user input. Validate everything from $_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, and $_REQUEST. Defense in depth — layer multiple protections.
SQL Injection Prevention
Use prepared statements with bound parameters for all queries. Never interpolate user input into SQL strings.
| Rule | Detail |
|---|---|
| Prepared statements only | WHERE, VALUES, SET — parameterize all data values |
| Table/column names | Validate against whitelist, never user input directly |
| Least-privilege DB accounts | Don't use root; separate read/write accounts |
| Use PDO with exceptions | `$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION)` |
| Disable emulated prepares | `$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false)` |
See resources/validation-patterns.md for prepared statement and dynamic column name code examples.
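As an added example (not the code from resources/validation-patterns.md), here is the PDO setup from the table above together with the two query patterns it calls for: a bound data value and a whitelisted dynamic column name. The `users` table, its columns, and the connection credentials passed to `connect()` are assumed.

```php
<?php
declare(strict_types=1);

// Assumed schema: users(id, email, created_at). Credentials come from the caller.
function connect(string $dsn, string $user, string $pass): PDO
{
    $pdo = new PDO($dsn, $user, $pass);
    // Every driver error throws instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Server-side prepares: the SQL text and the data values travel separately.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// The pattern the table forbids: a request value spliced into the SQL string.
function findUserUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT id, email FROM users WHERE email = '$email'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is a bound parameter and is never part of the SQL text.
function findUser(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers cannot be bound, so a user-chosen sort column is mapped through a
// fixed whitelist; only our own literals ever reach the query text.
function listUsers(PDO $pdo, string $sortBy, int $limit): array
{
    $allowed = ['id' => 'id', 'email' => 'email', 'created' => 'created_at'];
    if (!isset($allowed[$sortBy])) {
        throw new InvalidArgumentException('Unsupported sort column');
    }
    $stmt = $pdo->prepare(
        "SELECT id, email FROM users ORDER BY {$allowed[$sortBy]} LIMIT :limit"
    );
    // LIMIT must be an integer parameter; PDO::PARAM_INT keeps it from being quoted.
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

`findUserUnsafe()` is included only as the contrast the table describes; `findUser()` and `listUsers()` are the shapes to use.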