Track
PHP
Review strict types, request validation, output escaping, PDO queries, passwords, sessions, configuration, and template boundaries.
- 01 Strict types and return types
  Make PHP function contracts explicit with strict scalar types and return types so reviewers can catch coercion bugs at boundaries.
  Tags: types, strict-types, contracts
- 02 Input validation and filtering
  Validate request input at the boundary before it reaches query, domain, or template code.
  Tags: input, validation, request
- 03 Output escaping for XSS
  Escape untrusted values when rendering HTML so user content cannot become markup or script.
  Tags: xss, escaping, templates
- 04 PDO prepared statements
  Use prepared statements with bound values instead of interpolating request data into SQL strings.
  Tags: pdo, sql, prepared-statements
- 05 Password hashing and verification
  Store password hashes with PHP password APIs and verify them without inventing custom hashing rules.
  Tags: passwords, security, hashing
- 06 Session handling and cookies
  Configure session cookies deliberately and regenerate session IDs when authentication state changes.
  Tags: sessions, cookies, auth
- 07 Error handling and exceptions
  Handle exceptions at a clear boundary, log useful context, and return safe responses to users.
  Tags: errors, exceptions, logging
- 08 Autoloading and namespaces
  Use namespaces and autoloaded classes so file structure, ownership, and dependencies are explicit.
  Tags: autoloading, namespaces, structure
- 09 Configuration and secrets
  Load configuration from the environment and fail clearly when required secrets are missing.
  Tags: configuration, secrets, environment
- 10 Separating logic from templates
  Keep request handling and data access outside templates so rendering code stays small and easy to review.
  Tags: templates, separation, mvc