Thanks for the answer, it makes things very clear. Can I also ask how one learns about the latest best practices? I have come across many of these just by reading websites on the web.
Do most people learn these by reading books, reading about other people's mistakes or security blogs?
Unfortunately there is no single source that has all the best practices right. This is especially true of PHP, where too many tutorials are written for absolute beginners and not enough for advanced users. You just have to read a lot of stuff from many sources and stay tuned to the latest developments. (Avoid any PHP tutorial that is more than 3 years old. PHP development has really picked up in the last few years.)
phpbestpractices.org is definitely above average, but it seems light on security-related stuff. It's also getting a little long in the tooth in some parts. Possible modifications:
- Replace phpass with password_hash(); it has an even simpler interface.
- Don't close the ?> tag if possible. (Follow the PSR-0, PSR-1 and PSR-2 coding standards.)
- Use htmlspecialchars() instead of htmlentities().
- Know when not to use the resource-intensive DateTime class.
- Know that PHP 5.5 introduces a new opcode cache that isn't APC.
- This is down to personal preference, but I think SwiftMailer is more "modern" than PHPMailer and integrates better with third-party mailing APIs.
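The first and third points above (password_hash() in place of phpass, htmlspecialchars() for output) in working code. This is an added example, not code from the answer or from phpbestpractices.org; the function names hashPassword(), verifyPassword() and e() are my own, and the sample password and input string are constructed.

```php
<?php
declare(strict_types=1);

// Added example: password_hash()/password_verify() replacing a phpass-style
// workflow, plus htmlspecialchars() for escaping untrusted output.

// Hash a password for storage. PASSWORD_DEFAULT currently selects bcrypt and
// may change in a future PHP release, so store the whole returned string (it
// carries the algorithm, cost and salt) and never compare hashes with ==.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Verify a login attempt. When the stored hash was produced with an older or
// weaker configuration, return a fresh hash so the caller can upgrade it
// transparently on successful login.
function verifyPassword(string $password, string $storedHash): array
{
    if (!password_verify($password, $storedHash)) {
        return ['ok' => false, 'rehash' => null];
    }
    $rehash = password_needs_rehash($storedHash, PASSWORD_DEFAULT)
        ? password_hash($password, PASSWORD_DEFAULT)
        : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Escape untrusted text for an HTML body or a quoted attribute value.
// ENT_QUOTES escapes both quote styles so the result is safe inside quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 with U+FFFD instead of
// silently returning an empty string; the charset is passed explicitly.
// htmlentities() would additionally convert every non-ASCII character, which
// is pointless on a UTF-8 page and makes the output harder to read.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Small check helper so the demonstration fails loudly even when assert()
// is compiled out by zend.assertions.
function check(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// --- demonstration with constructed sample data ---
$password = 'correct horse battery staple';           // constructed
$hash     = hashPassword($password);
check(strpos($hash, '$2y$') === 0, 'bcrypt prefix');
check(verifyPassword($password, $hash)['ok'] === true, 'correct password accepted');
check(verifyPassword('wrong', $hash)['ok'] === false, 'wrong password rejected');

// A hash made with a deliberately low cost factor: still verifies, but
// password_needs_rehash() flags it so it gets upgraded on login.
$oldHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 4]);
$result  = verifyPassword($password, $oldHash);
check($result['ok'] === true && $result['rehash'] !== null, 'weak hash upgraded');

$name = 'O\'Brien <script>alert(1)</script> "é"';      // constructed untrusted input
echo '<input value="' . e($name) . '">' . PHP_EOL;
```

The rehash branch is the part most people skip: without it, every account hashed under an old cost factor stays at that cost forever, even after the default moves up.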
Or just the obvious, https://phpbestpractices.org/?