The first step to secure a PHP application is to enable PHP features that track application errors. Application errors often point directly to or provide clues about vulnerabilities.
For example, many of the register global-related uninitialized variable errors can be detected simply by raising the error reporting level within an application.
Here's some code to do just that:

error_reporting(E_ALL);   // in PHP 5.0 E_ALL | E_STRICT
ini_set("display_errors", 0);
ini_set("log_errors", 1);
ini_set("error_log", "/home/user/logs/app_xyz.php.log");

The first two lines of the code enable the tracking of all errors (E_ALL in PHP 4.0 or E_ALL | E_STRICT in PHP 5.0 and above), including warnings, fatal errors, and notices about uninitialized variables. The second line of code disables the display of errors, so that the code can be deployed in a production environment, while lines three and four specify that errors should be logged to a named file - an easy way to monitor error messages in any pager or editor utility, such as less or vim, respectively. To use this snippet, just place it at the top of any application, in a header for example.

I found this helpful while debugging arrays.

error_reporting(E_ALL);
ini_set('display_errors', true);
ini_set('html_errors', false);

// from http://digest.phpit.net/archives/23/html/. They didn't cite a source, so I'm not so sure about this.

Quick Tip: use sizeof() instead of count()

If you’re writing a PHP5 script, use the sizeof() function instead of count(). Although the manual says that sizeof() is a simple alias for count(), sizeof() is actually twice as fast, and can give a slight increase in performance, especially when used a lot.

In one of my scripts I saw performance increase by a whole second by using sizeof() instead of count(). I’m not sure why this is, especially since it’s officially an alias, but that’s just the way it is. Use it to your advantage!

Go to terminal:

sudo apt-get install apache2 mysql-server php5 php5-odbc libapache2-mod-php5 php5-xsl php5-gd php-pear libapache2-mod-auth-mysql php5-mysql libmyodbc

Now hand edit (or create, if it does not exist already) /etc/odbc.ini

Here's an example odbc.ini:

[ODBC Data Sources]
odbcname     = MyODBC 3.51 Driver DSN

[odbcname]
Driver       = /usr/lib/odbc/libmyodbc.so
Description  = MyODBC 3.51 Driver DSN
SERVER       = my.database.server.com
PORT         =
USER         = USER
Password     = XXXXXX
Database     = DBNAME
OPTION       = 3
SOCKET       =

[Default]
Driver       = /usr/local/lib/libmyodbc3.so
Description  = MyODBC 3.51 Driver DSN
SERVER       = localhost
PORT         =
USER         = root
Password     =
Database     = test
OPTION       = 3
SOCKET       =

Remember to start and stop mysql and apache:

sudo /etc/init.d/mysql start
sudo /etc/init.d/apache2 start

sudo /etc/init.d/mysql stop
sudo /etc/init.d/apache2 stop
sudo /etc/init.d/mysql restart
sudo /etc/init.d/apache2 restart

There is currently an issue resulting from the fact that Apache on Mac OS X 10.5 is built as a 64 bit application. On Macs that support 64 bits (all current Mac models), Apache will run in 64 bit mode. This is incompatible with most ODBC drivers, including those currently available from Actual Technologies.
Until we can make 64 bit versions of our drivers available, we recommend a workaround to force Apache to run in 32 bit mode. Using the Terminal prompt, enter the following commands (this is for ppc machines, for intel switch ppc7400 to i386):

sudo mv /usr/sbin/httpd /usr/sbin/httpd.ub

sudo lipo -thin ppc7400 /usr/sbin/httpd.ub -output /usr/sbin/httpd.ppc7400

sudo ln -s /usr/sbin/httpd.ppc7400 /usr/sbin/httpd 

Now restart Web Sharing in the System Preferences, and continue with the instructions for "Invoking ODBC Functions from ODBC" below.
NOTE: if you ever need to restore Apache to 64 bit mode, just enter the following command:

sudo mv /usr/sbin/httpd.ub /usr/sbin/httpd

ETS will parse anything between {} in order to escape the parse use the following.

{# {escaped code} #}

This regular expression matches on a hexadecimal color code (like #ffffff). These are often used in style sheets and HTML code

(regexp can ofcourse be used for other languages as well..)

preg_match('/^([0-9a-f]{1,2}){3}$/i', $color);

function get_remote_file_size($url, $readable = true){
   $parsed = parse_url($url);
   $host = $parsed["host"];
   $fp = @fsockopen($host, 80, $errno, $errstr, 20);
   if(!$fp) return false;
   else {
       @fputs($fp, "HEAD $url HTTP/1.1\r\n");
       @fputs($fp, "HOST: $host\r\n");
       @fputs($fp, "Connection: close\r\n\r\n");
       $headers = "";
       while(!@feof($fp))$headers .= @fgets ($fp, 128);
   }
   @fclose ($fp);
   $return = false;
   $arr_headers = explode("\n", $headers);
   foreach($arr_headers as $header) {
                        // follow redirect
                        $s = 'Location: ';
                        if(substr(strtolower ($header), 0, strlen($s)) == strtolower($s)) {
                                $url = trim(substr($header, strlen($s)));
                                return get_remote_file_size($url, $readable);
                        }
                        
                        // parse for content length
       $s = "Content-Length: ";
       if(substr(strtolower ($header), 0, strlen($s)) == strtolower($s)) {
           $return = trim(substr($header, strlen($s)));
           break;
       }
   }
   if($return && $readable) {
                        $size = round($return / 1024, 2);
                        $sz = "KB"; // Size In KB
                        if ($size > 1024) {
                                $size = round($size / 1024, 2);
                                $sz = "MB"; // Size in MB
                        }
                        $return = "$size $sz";
   }
   return $return;
}

<?PHP
/*******************************
*       Facebook Status Updater
*       Christian Flickinger
*       http://nexdot.net/blog
*    April 20, 2007
*******************************/

$status = 'YOUR_STATUS';
$first_name = 'YOUR_FIRST_NAME';
$login_email = 'YOUR_LOGIN_EMAIL';
$login_pass = 'YOUR_PASSWORD';

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, 'https://login.facebook.com/login.php?m&amp;next=http%3A%2F%2Fm.facebook.com%2Fhome.php');
curl_setopt($ch, CURLOPT_POSTFIELDS,'email='.urlencode($login_email).'&pass='.urlencode($login_pass).'&login=Login');
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_COOKIEJAR, "my_cookies.txt");
curl_setopt($ch, CURLOPT_COOKIEFILE, "my_cookies.txt");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3");
curl_exec($ch);

curl_setopt($ch, CURLOPT_POST, 0);
curl_setopt($ch, CURLOPT_URL, 'http://m.facebook.com/home.php');
$page = curl_exec($ch);

curl_setopt($ch, CURLOPT_POST, 1);
preg_match('/name="post_form_id" value="(.*)" \/>'.ucfirst($first_name).'/', $page, $form_id);
curl_setopt($ch, CURLOPT_POSTFIELDS,'post_form_id='.$form_id[1].'&status='.urlencode($status).'&update=Update');
curl_setopt($ch, CURLOPT_URL, 'http://m.facebook.com/home.php');
curl_exec($ch);
?>

// This outputs PHP variables for debugging. I didn't create it, here is the original source. Thanks to the creator for writing it: kailashbadu at hotmail dot com

// http://us.php.net/get_defined_vars

<?php
  /**
   * @desc   works out the variables in the current scope(from where function was called).
   *         Returns an array with variable name as key and vaiable value as value
   * @param  $varList: variables returned by get_defined_vars() in desired scope.
   *         $excludeList: variables to be excluded from the list.
   * @return array
   */
  function getDefinedVars($varList, $excludeList)
  {
      $temp1 = array_values(array_diff(array_keys($varList), $excludeList));
      $temp2 = array();
      while (list($key, $value) = each($temp1)) {
          global $$value;
          $temp2[$value] = $$value;
      }
      return $temp2;
  }
 
  /**
   * @desc   holds the variable that are to be excluded from the list.
   *         Add or drop new elements as per your preference.
   * @var    array
   */
  $excludeList = array('GLOBALS', '_FILES', '_COOKIE', '_POST', '_GET', 'excludeList');
 
  //some dummy variables; add your own or include a file.
  $firstName = 'kailash';
  $lastName = 'Badu';
  $test = array('Pratistha', 'sanu', 'fuchhi');
 
  //get all variables defined in current scope
  $varList = get_defined_vars();
 
  //Time to call the function
  print "
";
  print_r(getDefinedVars($varList, $excludeList));
  print "";
?>

Word count of current working dir.

        $url = getcwd();
        
        function listDeep($dir) {
                $out = array();
                $dbug = array();
                $ddir = scandir($dir);
                $nosho = array('..', '.', '.DS_Store', '', '.svn');
                foreach($ddir as $file) {
                        if(!in_array($file, $nosho)) {
                                if(@is_dir($dir . '/' .$file)) {
                                        $p = listDeep($dir . '/' . $file);
                                        foreach($p as $f) {
                                                $out[] = str_replace(' ', '\ ', $f);
                                        }
                                } else {
                                        $out[] = str_replace(' ', '\ ', $dir . '/' . $file);
                                }
                        }
                }
                return $out;
        }
        $g = implode(' ', listDeep($url));
        echo '
';
        echo 'Word count for: '. $url . "\n" .'   Lines   Words   Chars'. "\n";
        echo exec('wc '. $g) . '';

Simple array for HTML mockups.

function state_selection() {
        echo '';
                $states = array(
                        'Alabama', 'Alaska', 'Arizona', 'Arkansas', 'California', 'Colorado', 'Connecticut', 'Delaware', 'District of Columbia', 'Florida', 'Georgia', 'Hawaii', 'Idaho', 'Illinois', 'Indiana', 'Iowa', 'Kansas', 'Kentucky', 'Louisiana', 'Maine', 'Maryland', 'Massachusetts', 'Michigan', 'Minnesota', 'Mississippi', 'Missouri', 'Montana', 'Nebraska', 'Nevada', 'New Hampshire', 'New Jersey', 'New Mexico', 'New York', 'North Carolina', 'North Dakota', 'Ohio', 'Oklahoma', 'Oregon', 'Pennsylvania', 'Rhode Island', 'South Carolina', 'South Dakota', 'Tennessee', 'Texas', 'Utah', 'Vermont', 'Virginia', 'Washington', 'West Virginia', 'Wisconsin', 'Wyoming'
                );
                foreach ($states as $state_name) {
                        echo ''.$state_name.'">'.$state_name.'';
                }
        echo '';
}
state_selection();

Easy Template System template code to take an unformatted phone number and make it display as (xxx) xxx-xxxx

{if: {php}strlen({phoneNumber}){/php} >= 10}({php}substr({phoneNumber}, -10, 3){/php}) {/if}{php}substr({phoneNumber}, -7, 3){/php}-{php}substr({phoneNumber}, -4){/php}

// just replace the original one and call each arg as a var from the xml client
// if you dont need desc and parent_id (pid) you also dont need to send the slug
// because its slugged by wp_insert_category anyway... ;)
// it also returns the category id if it already exists without adding a new one

function wp_newCategory($args) {
global $wpdb;
$this->escape($args);

$blog_id = (int) $args[0];
$username = $args[1];
$password = $args[2];
$category_name = $args[3];
$category_slug = $args[4];
$category_pid = $args[5];
$category_desc = $args[6];

if(!$this->login_pass_ok($username, $password)) {
return($this->error);
}

// Set the user context and make sure they are
// allowed to add a category.
set_current_user(0, $username);
if(!current_user_can("manage_categories", $page_id)) {
return(new IXR_Error(401, __("Sorry, you do not have the right to add a category.")));
}

// We need this to make use of the wp_insert_category()
// funciton.
require_once(ABSPATH . "wp-admin/admin-db.php");

$cats = $wpdb->get_results("SELECT cat_ID,cat_name,category_parent FROM $wpdb->categories WHERE cat_name = '".mysql_escape_string( $category_name )."' LIMIT 1", ARRAY_A);
if( count( $cats ) == 1 ) return( $cats[0]['cat_ID'] );

// If no slug was provided make it empty so that
// WordPress will generate one.
if(empty($category_slug)) {
$category_slug = "";
}

// If no parent_id was provided make it empty
// so that it will be a top level page (no parent).
if ( !isset($category_pid) )
$category_pid = "";

// If no description was provided make it empty.
if(empty($category_desc)) {
$category_desc = "";
}

$new_category = array(
"cat_name" => $category_name,
"category_nicename" => $category_slug,
"category_parent" => $category_pid,
"category_description" => $category_desc
);

$cat_id = wp_insert_category($new_category);
if(!$cat_id) {
return(new IXR_Error(500, __("Sorry, the new category failed.")));
}

return($cat_id);
}

function myaddslashes($string ){
if (get_magic_quotes_gpc()){
return ( $string );
} else {
return (addslashes($string));
}

//usage
$mystring=myaddslashes($_POST['mystring']);

In your .htaccess file (maybe only in a specific folder) add this line to parse a .htm as a php file. This works on TxD accounts.

AddType application/x-httpd-php .htm .php

// A method for installing LightTPD, PHP, MySQL on FreeBSD
// All source is stored in /usr/local/src
// Source tarballs are in /usr/local/src/tarballs

// nginx web server install on FreeBSD 6.2
// Links:
// http://wiki.codemongers.com/Nginx
// http://blog.kovyrin.net/category/web-tech/nginx/
// http://blog.kovyrin.net/2006/05/30/nginx-php-fastcgi-howto/
// http://blog.kovyrin.net/files/nginx-conf/php-fcgi.nginx.conf
// http://sysoev.ru/nginx/download.html

su
cd /usr/local/src/tarballs
fetch http://sysoev.ru/nginx/nginx-0.5.20.tar.gz
cd ..
tar zxvf tarballs/nginx-0.5.20.tar.gz
cd tarballs/nginx-0.5.20
less README 
  The English documentation is available at http://nginx.net

# Some configuration options:
PREFIX: Let -prefix= default to /usr/local/nginx
--with-cc-opt="-I /usr/local/include"

# from http://wiki.codemongers.com/NginxInstall:
# --with-cc-opt=OPTIONS - Additional parameters which will be added to the variable CFLAGS.
# With the use of the system library PCRE in FreeBSD, it is necessary to indicate 
# --with-cc-opt="-I /usr/local/include". If we are using select() and it is necessary
# to increase the number of file descriptors, then this also can be assigned here:
# --with-cc-opt="-D FD_SETSIZE=2048".

# Look for configuration options:
./configure --help

# Make directory for log files (my preferences!)
mkdir /var/log/nginx
mkdir /var/log/nginx/drupal
chmod -R 777 /var/log/nginx

mkdir /usr/local/etc/nginx
chown www /usr/local/etc/nginx
chmod 775 /usr/local/etc/nginx

# I tell it where to put the nginx binary. Specifically not in the path. Scripts will start it.
# I like to put conf files in /usr/local/etc/
# I like to put pid files in /var/run
# I have PCRE in /usr/local/include (look for pcre.h)
./configure \
  --sbin-path=/usr/local/nginx/nginx \
  --conf-path=/usr/local/etc/nginx/nginx.conf \
  --pid-path=/var/run/nginx.pid 
  --with-cc-opt="-I /usr/local/include/pcre"

Configuration summary
  + threads are not used
  + using system PCRE library
  + OpenSSL library is not used
  + md5 library is not used
  + sha1 library is not used
  + using system zlib library

  nginx path prefix: "/usr/local/nginx"
  nginx binary file: "/usr/local/nginx/nginx"
  nginx configuration file: "/usr/local/etc/nginx/nginx.conf"
  nginx pid file: "/var/run/nginx.pid"
  nginx error log file: "/usr/local/nginx/logs/error.log"
  nginx http access log file: "/usr/local/nginx/logs/access.log"
  nginx http client request body temporary files: "/usr/local/nginx/client_body_temp"
  nginx http proxy temporary files: "/usr/local/nginx/proxy_temp"
  nginx http fastcgi temporary files: "/usr/local/nginx/fastcgi_temp"

make
make install

cd /usr/local/nginx
total 1492
drwxr-xr-x  2 root  wheel      512 May 16 15:56 html
drwxr-xr-x  2 root  wheel      512 May 16 15:56 logs
-rwxr-xr-x  1 root  wheel  1495320 May 16 15:56 nginx
v4# ls -l /usr/local/etc/nginx
total 28
-rw-r--r--  1 root  wheel  2837 May 16 15:56 koi-utf
-rw-r--r--  1 root  wheel  2223 May 16 15:56 koi-win
-rw-r--r--  1 root  wheel  2944 May 16 15:56 mime.types
-rw-r--r--  1 root  wheel  2944 May 16 15:56 mime.types.default
-rw-r--r--  1 root  wheel  2702 May 16 15:40 nginx.conf
-rw-r--r--  1 root  wheel  2702 May 16 15:56 nginx.conf.default
-rw-r--r--  1 root  wheel  3610 May 16 15:56 win-utf

# Here's my nginx.conf file
# Note that I serve Drupal (drupal.org) with it.
# I use PHP5 and fastcgi (with spawn-fcgi from the lighttpd installation)
##############################################
user  www;
worker_processes  1;

error_log   /var/log/nginx/error.log debug;

pid         /var/log/nginx/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /usr/local/etc/nginx/mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    keepalive_timeout  65;
    #gzip  on;
    
    server {
        # Test operations on port 81.
        #listen          81;
        # Normal operations on port 80.
        listen               80;
        server_name     domain.com alias1.domain.com alias2.domain.com;
        access_log      /var/log/nginx/drupal/access.log;

        location / {
            index index.php;
            root  /var/www/drupal;
        }

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            include /usr/local/etc/nginx/fastcgi.conf;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
        }
    }

}
##################################################

# Here's my fastcgi.conf file:
##################################################
#fastcgi.conf
fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx;

fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_FILENAME    /var/www/drupal$fastcgi_script_name;
fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;
##################################################

# Test nginx configuration
/usr/local/nginx/nginx -t -c /usr/local/etc/nginx/nginx.conf
2007/05/16 16:10:37 [info] 6369#0: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
2007/05/16 16:10:37 [info] 6369#0: the configuration file /usr/local/etc/nginx/nginx.conf was tested successfully

# Run it on port 81. Note that conf file was modified. Change it back for production use.
# First spawn an FCGI process to pass PHP scripts to.
# php was compiled like this:
# ./configure --enable-cgi --enable-fastcgi --enable-force-redirect (plus more flags)
# so PHP resides in /usr/local/bin/
# Note I specified port 9000 in the nginx.conf file. Must match here:
/usr/local/bin/spawn-fcgi -f /usr/local/bin/php -a 127.0.0.1 -p 9000 -u www

// output: spawn-fcgi.c.190: child spawned successfully: PID: 6414

# Then start the nginx.
/usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf

ps ax | grep nginx

// output:
// 6425  ??  Ss     0:00.00 nginx: master process /usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf (nginx)
// 6426  ??  S      0:00.00 nginx: worker process (nginx)

# Now we have to try it on port 80 to see if Drupal works
# Graceful shutdown of server
kill -15 6425

# Edit .conf file, restart:
/usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf

ps ax | grep nginx

// output:
// 6447  ??  Ss     0:00.00 nginx: master process /usr/local/nginx/nginx -c /usr/local/etc/nginx/nginx.conf (nginx)
// 6448  ??  S      0:00.00 nginx: worker process (nginx)

# restart the server gracefully if necessary. Just need pid.
kill -HUP 6447

php_flag display_errors on
php_value error_reporting 7

// This is a single file php mailer that I wrote for someone else. I have removed most of the parts that relate it to the client.

<?php
$valid_ref = "";
$send_name  = "";
$send_email = "";
$subject    = "";

//clean input in case of header injection attempts!
function clean_it($value, $check_all_patterns = true) {
  $patterns[0] = '/content-type:/';
  $patterns[1] = '/to:/';
  $patterns[2] = '/cc:/';
  $patterns[3] = '/bcc:/';
  
  if ($check_all_patterns) {
    $patterns[4] = '/\r/';
    $patterns[5] = '/\n/';
    $patterns[6] = '/%0a/';
    $patterns[7] = '/%0d/';
  }
  return preg_replace($patterns, "", $value);
}

$first_name = clean_it($_POST['first_name']);
$last_name  = clean_it($_POST['last_name']);
$address    = clean_it($_POST['address']);
$city       = clean_it($_POST['city']);
$state      = clean_it($_POST['state']);
$zip        = clean_it($_POST['zip']);
$email      = clean_it($_POST["email"]);
$extra      = clean_it($_POST["extra"]);

$error_msg  = 'Note: Message not sent. Please try again.';

$success_sent_msg = '
 
Your message has been successfully sent. Continue ⇥';

// email variable not set - load $valid_ref page
if (!isset($_POST['email']))
{
 echo "";
 exit;
}

$ref_page=$_SERVER["HTTP_REFERER"];
$valid_referrer=0;
if($ref_page==$valid_ref) $valid_referrer=1;
if(!$valid_referrer)
{
 echo "";
 exit;
}
$themessage = <<<EOT


$extra

Sincerely yours,

$first_name $last_name
$address
$city, $state $zip
$email

EOT;
mail("$send_name <$send_email>",
     "$subject",
     "$themessage",
     "From: $first_name $last_name <$email>\nReply-To: $first_name $last_name <$email>");
echo $success_sent_msg;
?>