Hey there,
First of all... any good "hacker" is not going to to just flat out tell you how to hack something. Believe it or not, hackers usually follow a set of rules or "hacker ethics," which strongly discourages this practice.
I can, however, give you some of the best tips for writing secure PHP scripts.
Here are some of the most important:
1) Always turn off error reporting on production (working) sites/scripts. While error reporting is your friend when you're developing, the information it shows can be incredibly useful for a hacker. At the top of each page put:
<?php
ini_set('error_reporting', 0)
?>
2) Never turn on "register_globals()." This function allows variables to be used that you haven't explicitly declared. While it speeds up development time, it's also incredibly dangerous. Most hosting companies will have it off by default, and it's not even be an option in PHP 6, but it's always good to double check by doing:
<?php
ini_set('register_globals', 'Off')
?>
3) NEVER TRUST YOUR USERS. Every single piece of data you allow users to submit/modify on your site poses a huge risk, especially if this data will be stored on a database. Validate and sanitize ALL input with extreme prejudice. The more paranoid you are, the better. Some useful functions are:
<?php
//Perform a "magic quotes" style escaping(\) of (' and ") characters
mysql_real_escape_string($variable)
//Check the variable or string against a regular expression - VERY userful
preg_match("/expression/", $variable)
//Make sure the variable or string is under a certain length
if (strlen($first_name) > 20) {
die("Nobody's first name is that long!");
}
//Strip HTML and PHP tags
strip_tags($variable)
?>
There's a ton more out there to learn, these are just some of the very basics. Here are a few really good links to learn more about writing secure PHP.
http://www.addedbytes.com/php/writing-secure-php/http://us2.php.net/manual/en/security.phphttp://www.ibm.com/developerworks/op...pps/index.html
