Greetings, fellow web developers! As we wield our PHP superpowers to create amazing web applications, we must remember the mighty responsibility of keeping them secure. While we all know about the basic security tricks like input validation and escaping, I’m here to share some rare gems of wisdom that will make your PHP applications almost as impenetrable as a fortress (with a touch of humor, of course!).

1. Embrace the Content Security Policy (CSP) Shield

You know those pesky cross-site scripting (XSS) attacks? Fear not! By activating the Content Security Policy (CSP) shield, you’ll stop those bad scripts right in their tracks. It’s like putting up a “No Entry for Malicious Scripts” sign. The CSP header lets you decide which content sources are safe to load, leaving the hackers scratching their heads in confusion.

2. Say “HSTS Activate!” for HTTPS Awesomeness

Picture this: you say “HSTS Activate!” (not really, but you get the idea) and your website becomes an impenetrable fortress against man-in-the-middle attacks. Enabling HTTP Strict Transport Security (HSTS) ensures that your visitors only communicate with your site over a secure HTTPS connection. No sneaky downgrades to unencrypted territory allowed!

3. Rotate Your Session IDs – The Security Spin Dance

Remember those precious sessions you cherish? Well, it’s time for a spin dance! Regularly monitor and rotate session IDs to fend off session fixation attacks. It’s like changing the lock on your front door to keep out unwanted intruders. Plus, adding a timeout mechanism ensures idle sessions get kicked out after a well-deserved break.

4. Show Some Love to Prepared Statements

Oh, SQL injection attacks, you thought you could get away with it? Not on our watch! We’ve got prepared statements and parameterized queries, the dynamic duo that shields our databases from sneaky hackers. These dynamic defenders ensure that malicious code can’t worm its way into our precious data.

5. Data Whitelisting – The Guest List for Your App

If your app were throwing a party, data whitelisting would be the VIP guest list. Only invited, expected data gets through the door, keeping out unwanted party crashers. This extra layer of security means only the right data gets to dance on your application’s stage.

6. Quiet on Set – Disable PHP Error Reporting

During the development stage, we love PHP error reporting; it’s like having a helpful assistant pointing out every little mistake. But when it comes to the big show, aka the production server, we need to keep things hush-hush. Let’s log those errors instead of spilling our secrets to potential troublemakers.

7. Call in Reinforcements: Security Libraries and Frameworks

Why do all the security work yourself when you can call in the big guns? Security libraries and frameworks are like the Avengers of web development. With PHP Security Advisories Database (PHP-SAD) and the PHP Security Project on your side, you’ll always know when there’s a new threat lurking around.

As we wrap up our journey into the realm of uncommon security tips for PHP developers, remember to laugh along the way. Security doesn’t have to be all serious and stern. By adopting these rare security gems, you’ll fortify your PHP superpowers, creating safer and more reliable applications for your users. So go forth and kick some ass!

Okay, fair enough, I too am in this game. I have a ton to learn even after decades in the industry and from my exposure I can safely say that I have seen over 80% of startups fail within their first 5 years. I have also seen a lot of “pop up” covid19 fueled startups fail – infact most of them have come and gone.

Here’s the trick about Software development and sales. Do it better, do it cheaper, do it with less hassle, and provide excellent and sustainable support.  Superior support will always trump whatever you’re selling.

So here’s a brief roundup of pointers for getting your product out of the bright and shiny virtual box and into your consumers hands.

1. Conduct thorough testing: Testing is a crucial part of the software development process, and it is essential to ensure that your software works as intended. Testing should be conducted at every stage of the development process, including unit testing, integration testing, and system testing. This will help to identify and fix any issues before your software is released to the public.
2. Use Agile methodologies: Agile methodologies, such as Scrum or Kanban, can help to ensure that your software development process is efficient and effective. These methodologies involve regular feedback and communication, which helps to ensure that your software meets the requirements of stakeholders.
3. Involve stakeholders early: It is important to involve stakeholders early in the software development process. This can help to ensure that your software meets their needs and expectations. Stakeholders can provide feedback on the software design and functionality, which can help to ensure that the software is launched successfully.
4. Plan for scalability: It is important to plan for scalability when developing software. This means designing the software in such a way that it can handle increased usage as the user base grows. This can involve designing your software to be modular and scalable, using cloud computing or other scalable infrastructure, and ensuring that the software is optimized for performance.
5. Monitor performance: Once the software is launched, it is important to monitor its performance to ensure that it is working as intended. This can involve monitoring user feedback, monitoring system performance, and analyzing usage data. This can help to identify any issues or areas for improvement, which can be addressed in future updates or releases.
6. Networking is important, establish or join a community of devs that care about industry advancement, be open to scrutiny.
7. Work on marketing your software as part of your daily routine.

We all want or have that friend that will tell us when we have spinach in our teeth. You know, the type that pulls us to the side and says it… this isn’t to be confused for the type that says it at the least opportune time in front of your bosses’ boss but that story is for another time. We all have nightmares okay?

Back to the topic of this blog though… I have a friend who has my back in a way like no other – it tells me that some filthy entity has tampered with my beautiful code and saves my butt quite often.

Okay, backstory time:

Clients sometimes like to engage in what I like to call the event horizon guarantee.

That means, I ensure that everything is rotating around the black hole in a steady balance for x amount of time. If any variable in their environment changes, my guarantee either needs to account for this or will be void (should a third party /developer tamper with the code and ‘break’ the system). This of course, does not include security issues that result from a bug that I should have addressed.

It’s important to safeguard ourselves and clients by providing comprehensive agreements prior to project commencement so the stakes are clear.

This is where generating a checksum for your code comes in. I use this method in every project and you should too!(infact it should be one of multiple ways you check your code’s integrity).

$mychecksum = md5_file($codefilepath);

And that’s it, save this, automate your processes, and boom! one more way to be more secure.

Ok, I’ve been more concerned than usual recently. The era of technological advancements at breakneck speeds is upon us and with that comes a plethora of security holes and probably exploitation.

The growing need for advancement in our response and regular ‘housekeeping’ on our digital platforms (and even with digital assets) is abundantly clear.

Over the course of the next few weeks, I will post about general do’s and don’ts and how to safeguard against what’s to come.

Gear up- it’s going to be an awesome, bumpy ride.

In the interim, here are my top 10 security tips for site owners:

1. Keep software and web applications up-to-date: Ensure that all software, including content management systems (CMS) and plugins, are updated regularly to avoid vulnerabilities.
2. Implement strong passwords: Use strong passwords and encourage users to do the same. Passwords should be complex, unique, and changed regularly.
3. Enable two-factor authentication: Two-factor authentication adds an additional layer of security and requires users to provide a second factor of authentication in addition to a password.
4. Secure data transmissions: Use secure protocols (e.g. HTTPS) to encrypt data transmissions to and from the website, especially for sensitive information such as login credentials and payment details.
5. Regularly backup website data: Back up your website regularly and keep the backup in a secure location to avoid data loss in case of a security breach or website outage.
6. Protect against malware: Install antivirus software and firewalls to protect against malware and other malicious attacks. Regularly scan the website for malware and vulnerabilities.
7. Control access: Limit access to sensitive areas of the website, such as the admin panel, to authorized personnel only.
8. Monitor website activity: Regularly monitor website activity for signs of suspicious behavior, such as unusual login attempts or file modifications.
9. Implement website security policies: Establish clear website security policies and procedures for users, such as password policies, email security, and file upload guidelines.
10. Educate users: Educate users on website security best practices, such as avoiding phishing scams, securing their devices, and reporting suspicious activity.

If you need pointers, you know where to reach me, comment below or @ me on Twitter

Morning

PHP stretches and yawns, ready for a new day of coding. But something feels different today. It’s as if…yes, PHP realizes with a start that it’s now TypeScript.

PHP scratches its metaphorical head, wondering what’s going on. But there’s no time to dwell on it – there’s code to write!

Midday

PHP gets to work, but finds itself struggling with the new syntax. It’s used to the loosey-goosey way of typing, but TypeScript demands precision.

PHP misses the old days when it could pass anything into a function and hope for the best. Now, it has to declare the types of everything.

Afternoon

PHP takes a break to commiserate with its fellow programming languages. “Hey, Java,” it says, “you think you’re so cool with your strict typing and your curly braces. But at least you don’t have to deal with this.”

Java just laughs and shakes its head. “You think you have it bad? Try dealing with null pointers all day.”

PHP shudders at the thought and returns to its TypeScript code. It’s not going to let a little thing like static typing get in the way of its coding dreams.

Evening

As the day winds down, PHP reflects on what it’s learned. TypeScript may be more rigid, but it’s also more predictable. And sometimes, predictability is a good thing.

Tomorrow, PHP will go back to being PHP. But it’ll always remember the day it spent as TypeScript – and maybe even appreciate static typing a little more.

Howdy, so much for my daily blog huh? Well, I can make an excuse that life has been a pain in the console but I think that pass the buck is a stupid game.

I have been inconsistent this year. I spent a lot of time finding the courage to get back on track and less time actually staying on track.

The realities of my industry and how developers are perceived hit me in my covid19-infected lungs and as I gasped for air I realized that unless I spat out a perfectly zipped, neatly organized, nicely coded application for $0.59 simultaneously that clients are mostly cut from the same tree these days.  There are a few exceptions and those are worth clinging onto for dear life.

Most ‘cereal’ entrepreneurs these days feel as if developers are incapable of their level of ‘genius’ ideas and slap NDA’s on devs like they’re protecting the crabby patty secret formula. I wonder how many people stop to think that developers mostly develop for other people when they get caught up in the rat race of providing and needing supplies – like food. A few find employers that they’ll fall on the sword for but it’s so rare that I almost sneezed and forgot that thought.

Depression is something that’s hard to shake when you’re torn between your passion and the way your passion now makes you feel. I have news for you, our passion is only == depression when the client variable sucks. So how do we fix this when we need the fuel to live so we can code another day?

Follow me…

I enjoy waking up before everyone else does, even though it’s hard to get out of a cozy af bed.

Chances are that my day would flow better if I get an early start to it but being a dev often means late nights. Sometimes that brick wall leads to all nighters with great code, good enough code, and meh code. How do we strike a balance here?

I’m sure by now most of my readers are familiar with the constant nag of ‘Get more sleep’, how exactly? We can’t really quit our jobs, make a lifelong vow to the lords of the couch to be one with a potato, and let our beneficiaries starve? (cough, I mean family – reallllly)

The problem I have with this sincere request is that it’s unrealistic in IT and in particular development. The odds are stacked against us if we work from home. We don’t get to switch off or turn our backs on the possible conundrum of a shitstorm that often looms it’s disgusting head during long work hours and stringent deadlines. I often found a consensus that deadlines become more and more stringent because of the need for a break from the chaos which ultimately leads to putting it off to the last moment.

There is an erroneous belief that a love and passion for coding == a love and passion for client work. And while you can be passionate about something, in general, it shouldn’t render you a fatigued, stressed-out, depressed, high strung, and disrespected being.

I am harping on and on about the problem.. please hang in there… *hangs a coffee IV* … there you go buddy…

The unspoken (or not nearly  spoken about enough) view is that if we say we’re human it comes with a monetary / career loss. If we admit to needing a break, we are liabilities.

Here’s what I do and endeavor to do cause science knows I fall off the damn ‘I manage my schedule like a boss’ wagon a shit-ton of times.

Make a list of what you need every month to be all zen and stuff

Rent, food, utilities, pizza (look it deserves it’s own damn category), a small stipend for broken crap that always chooses to break in the middle of coding etc.

Stick to this budget.

Make sure that each project leads to savings or contributes towards your savings goals.

Be comprehensive, you don’t want to be caught off-guard with the added financial stress.

Ensure that you’re not overbooking and give yourself a 20-30% time leeway on EVERY project before you send a quote.

Note that I said time and not rate, but you should be priced to be comfortable.

Price yourself correctly and add terms and conditions that make sense for you

Make sure you protect your time so that if things go south, your agreements should be iron clad. Try to be transparent, be open to offering unfinished work in exchange for monetary returns or more leeway to see things through.

Focus on preparing for your project.

Do your initial research, map things out, start a project board, write a technical spec document if one hasn’t been handled already. Plan for hurdles, if any.

Communicate

I know it may suck to communicate to someone who doesn’t understand the difference between a server and a toothpick but work on this skill daily.. the return is huge and you may actually find that people are more likely to give you the space to let your code shine if they think you gave a shit about other humans. In an ideal world we would adore every project and have great relationships with clients but it’s not an ideal world. . you’re bound to have some douchebags in the mix so mastering the art of communication is the key to not losing your sanity and ultimately avoiding the whole ‘I’ve become a vegan, hippie, who gains sustenance from the sun, the earth is flat, and someone fried my brain’ thing.

Have a side piece

You read right, have a passion project on the side. Don’t burn out, re-ignite your love for development by working on a sensual, steamy line of code when you start banging your head against a wall on your client’s work. Remove yourself from the stress and place yourself at the helm of the – fine I’ll stop. You get it – work on something you love to get through the hump.

If you’re someone who can stand the light of our star – take a breath outside, do something with your hands (like gardening damn it), and create these positive associations in your mind. Chances are, you’ll come up with a ton of code-related ideas too.

Level up by learning something new that keeps you going. Establish a routine that works for you, trust me, you’ll be more productive and happy if you have balance. Automate everything you can. Try Clickup, try Stripe, and find ways to engage that don’t siphon a ton of time.

I hope my ramblings have helped you.

– DecodedNerd