Learning PHP Web App Security

I have come across securing/filtering AJAX calls... and I am making AJAX calls in my application - thoughts? http://stackoverflow.com/questions/7953714/php-help-secure-filter-ajax-calls Could I have a seasoned programmers opinion regarding the answer in that article?

In fact I've just read about sanatising which should obviously be my next step. I gather that sanatising is simply the checking of variable values to ensure they are what's expected by using functions such as settype() and isnumeric()? If so, then I haven't sanatised a single database input :L

I've always found ajax calls to be inherently open. Any javascript can be laid bare, regardless of coders' attempts to obfuscate and minify.
IMO, it's just like using a form - you see the destination/action file in the html view and from the form itself, you can see which parameters are passed, so you can usually create post requests quite easily without actually having to create a physical form.
So I don't try to worry too much about the client-side - just ensure that your server-side code is air-tight.

Cheers diafol, I gather thats done by sanatising?

Sanitising, validating data types and checking the session for permissions. Place your include files above the docroot too. You can also prevent direct access to files with htaccess. E.g. if a file is to be included in another but shouldn't be accessed directly via the browser.

Also have a blank index.html file in your directories to help prevent directory listing. May be overkill.

I have a series of index files in directories that contain a header redirection to the site index :P

And as for session permissions..?

It is all well and good to concentrate on "coding" type security preventions, but, what are you doing in terms of server-side? I.e. "Hackers" or people who want to generally cause a havoc to your website might not generally go down the route of XSS or trying to find vunerabilities inside your code.

What if, for example they managed to get onto your server? Since, all your files, and mysql databases are stored on your server - They don't even need to look for vunerabilities within your code.

What if, they managed to DDoS/DoS your site? Corrupt your database files etc.. I wouldn't just look at coding techniques in terms of security - Make sure your server is 100% secure.

:)

This topic has been already marked as solved but I would like to add useful information that deserves to be added, and this is OWASP top 10 list of vulnerabilities of web apps and guides on how to minimize them. It might be a slightly more complex reading but it is worth it if you do a serious web development.

Marking as solved was a miss click, sorry! As for server security that's not my concern. I would like to ask anyone to attempt a DDoS, they'll fail miserably - I've got a dedi in the London Docklands Datacentre as I've worked there before and I'm close friends with most of the team :) I'm in the rack right next to Her Majesties Revenue and Customs! haha As the topic is titled, my focus is application security, but thanks for the suggestion.

Broj1 - great post, quite an interesting list :)

Yep, OWASP - essential reading.