This short guide is applicable if you are:
1.) An online based business and hiring PHP developers to do the development job.
2.) An online entrepreneur hiring developers to create websites using PHP directly from scratch or highly customized templates (not using CMS like Word press for example).
3.) Already has a website and hire developers to further improve the website or add some modules or new features.
Based on experience I had with PHP development, I will illustrate the top 5 serious mistakes commonly made when developing PHP powered websites:
Mistake #1:Not thoroughly checking potential exploits or security related issues in the development stage (when the website is still not launched or uploaded to the production server).
What the developer mostly concern with is that he/she will just do what the website owner expects them to do and forgot the most important aspect which is – security.
So what will happen is that once the website has been launched to the production server (at the website hosting server), it exposes exploits to the entire potential hackers, and then once hacked it will result to a more serious problem now affecting the business.
Solution: Implement some sort of security audits before launching/re-launching the website to the website hosting server. You can implement Google Skip fish for this job: http://code.google.com/p/skipfish/
Mistake #2: Not using or checking the accuracy of relative URLs. As a result when the website is uploaded to the production server, when the relative URL is using wrong path it can result to 404 errors. If these are not checked, much worse it can affect the business seriously because potential customers will see the 404 not found page, instead of presenting the correct URL.
Solution: Before launching the website to the real hosting server, you can crawl the website links using Xenu to see if there are no broken links. You might as well do this also after the website has been uploaded; to make sure that the live website does not encounter any broken link problems.
Mistake #3: Not using SSH as the way to upload/ download files from the hosting server.
Eavesdropping is scary; you will never know that your FTP password and username might be snatched/stolen by unauthorized third parties (hackers for example) along the way to your hosting server, as a result once compromised they can log-in to your hosting server and do nasty things such as defacing your site, stealing information or even deleting your entire website files!
Solution: Make sure you will enable SSH in your hosting server and use that in uploading/downloading files. This will add a strong encryption to the data streams which hackers will not understand.
Mistake #4:Not double checking or updating php.ini contents.
Be careful, php.ini is the PHP configuration file for which you can disable functions not useful to your website. Read security tips pertaining to PHP as to what functions can be disabled to minimize security exploits. Examples of these functions are register globals and fopen.
Solution: Only enable those you will be using as well as disable those functions that might contribute to security exploits.
Mistake #5: Not double checking or sanitizing inputs before doing MySQL queries.
There are lots of problems especially if you hire a new developer to work on a customized website. If the developer is not using validation and special functions to sort out bad inputs, it can result a more serious problem of MySQL injection.
Solution: Always sanitize using special functions in PHP to do this job (example: mysql_real escape string)