Alex Web Develop

Why do some PHP apps get hacked and others don’t?

Protect your apps from web attacks with the right defense techniques.

PHP security

Don’t you get frustrated when someone looks at your PHP code and says: “Hey, this code is vulnerable!”

You put a lot of effort into writing your app,

You spend your time to make it work the way you want,

And then, as if that weren’t enough, you also must think about your app’s security.


So, what do you do?

You try to figure out how to fix your code?

Or you just ignore the problem, hoping that nothing bad will happen?

In any case, you are left with your code vulnerable.

Vulnerable code


It’s an annoying situation.

Especially if you find web security confusing and you don’t know exactly what to do.

I* wish I could tell you that you can just forget about it.

That security is just a “hacker” thing that you can ignore.

But, truth is:

You CAN’T ignore security.


*This is me, Alex.


Web attacks are a real threat.

More than 30,000 websites are hacked every day. (source)

Security is crucial for any PHP application, and you simply cannot leave your code vulnerable.

For PHP developers like us, vulnerable code means bugged code: it must be fixed.

Now, question is:

How do you learn exactly how to write secure PHP code, so you can finally relax and stop worrying about it?

Stop worrying

The feeling when you know that your code is secure.


You could choose the hard way, and try to learn PHP security all by yourself.

But believe me… it’s not easy.

You start searching on Google…

PHP security search

… only to end up more confused than before.

You come across stuff like input validation, SQL injections, XSS

And when you try to put it all together, you are overwhelmed with doubts and questions:

  • Which attacks must you defend against?
  • Which defense techniques do you need to use?
  • How can you be sure to do everything right?


I know, because that’s exactly what happened to me when I was learning about PHP security.

You see, I had no other choice but to learn it the hard way.

I spent months (if not years) studying all the different web attacks, finding out which ones were relevant for PHP development.

And then I studied all the defense techniques, selecting the right ones to use.

Can you afford doing the same? Do you have that much time available?


Don’t worry.

You have a better, SMARTER choice.

You can skip the hard, time-consuming part, and just go straight to the result.

You know, just learn what you need in practice.

I already did the hard work. There is no need for you to waste your time on that.

Now you can just learn the exact, proven steps to write secure PHP code.

And finally stop worrying about it.

PHP Security Mastery
PHP Security Mastery

I created PHP Security Mastery to teach you all and only the important PHP security facts. The ones that you really need to know.

Organized and explained in time-efficient, easy-to-follow lessons.


What will you learn in the course?

This course has three primary goals:


1. Make web security CLEAR and straight.

If you ever wondered what things like “input validation” mean and what exactly you are supposed to do about those, here you will finally get your answers.

You will learn:

  • Exactly when (and why) validation is required.
  • The validation techniques to use (with PHP code examples).
  • When and how to use each technique.

2. Show you exactly what you need to do to protect your code.

There are hundreds of different web attacks.

It’s crucial to know which ones are important for you.

So that you can take care of those and stop worrying.

The course covers all (and only) the attacks that you, as a PHP developer, must care about.


3. Provide you with working, ready-to-use PHP examples for your own projects.

This is not a theory book. It’s a practical course.

The course explains exactly which defense techniques you must use against each attack and provides you with the working PHP implementation.

All you have to do is copy it into your projects.

Here is what students say about the course:

This type of information was very difficult to figure out on my own.

“Prior to enrolling I didn’t know how to secure a site using PHP, and trying to figure out how to do so on my own was a daunting task.

This type of information was very difficult to figure out on my own via research on the web. I’m very happy this course exists, and I wish I found it sooner than I did.

One thing I particularly like about this course is the fact that I’m learning from someone who has done this stuff before. It’s not just theory in a textbook or something I have to piece together on my own.

I’ve always been a proponent of learning from someone who is doing or has done what you want to do, and I feel confident in my PHP security skills now.

Ryan B.

I particularly liked the step by step explanation of the examples.

“I found the course very useful and I learnt a lot. I particularly liked the step by step explanation of the examples.

Thank you for this course, you have helped me a lot. Keep up the good work.”

Andrew Easton

Working, ready-to-use PHP code examples

Each lesson covers the theory (a validation principle, an attack…) and provides the PHP code implementation.

So you can copy&paste it into your own projects right away.

You don’t need to figure out how it works by yourself. It’s all already there.


Explanation of the attack/defense theory:



2. Working PHP code examples:


Unlimited consulting with me (Alex)

When you enroll, you will have direct access to me through the lessons’ comments.

For 6 months after your enrollment, you can leave any number of questions in the comments. I personally answer all questions, no exceptions.

Do you have a doubt? You are not sure about something? Just leave a comment and I’ll personally get back to you.


Just leave a comment and you will get my answer.


What students say about the course:

A clear understanding that saved my time.

“Alex, your course is a diamond of knowledge, the best one I’ve ever seen/read!

I like the full and clear explanation of the topics and the tips/tricks. The course gave me a clear understanding and even a bit of experience, which further saved my time.”

Serhii Franchuk

Easy to follow and well explained.

“I already knew some of the techniques, but I didn’t know exactly how to implement them. The course is easy to follow and well explained.

I would definitely recommend it to other PHP developers.”


What makes PHP Security Mastery different from other courses?

When you enroll in a course, most of the time you get access to the lessons… and that’s it.

But what if you have doubts or questions? What if something is not clear to you?

Even if you can leave comments… good luck getting a decent answer from the teacher (or any answer at all).

Inside PHP Security Mastery, you are guaranteed to get an answer from me.

For 6 months after your enrollment, you can ask an unlimited number of questions, directly through the lessons’ comments.

And you can be sure to have all your doubts cleared out. 


Other courses

Do you have a question? Good luck getting an answer…


PHP Security Mastery

All your questions will be answered.

Course details: what will you get?

The course is divided into 6 chapters (plus 3 bonus chapters in the Pro version):


Chapter 1

  • Input and variable validation explained.
  • How to check the type of variables.
  • How to validate floats and integers.
  • How to check the limits of numbers, strings, and other types.
  • How to validate JSON packets.
  • How to use filters and string functions.
  • How to implement custom validation functions.
  • How to use regular expressions as filters.
  • What are blacklists and whitelists? How and when to use them?
  • What to know about type casting as a validation method.

Chapter 2

  • You will learn about all the Sessions-related attacks.
  • How to protect from basic Fixation attacks.
  • How to protect from two-step Fixation attacks.
  • How to prevent Session Hijacking.
  • How to mitigate the damage from Session Hijacking.
  • How to protect Sessions with one-time tokens.
  • How to implement a Session access timeout.
  • How to implement Virtual Sessions.
  • A recap of the most important Session configuration directives.

Chapter 3

  • How do XSS attacks work?
  • The difference between reflected and stored XSS attacks.
  • How to prevent XSS attacks.
  • The importance of HTML sanitization.
  • How to sanitize URLs.
  • Sanitization in nested contexts.
  • Further steps.

Chapter 4

  • What CSRF is and what you need to know about it.
  • How CSRF attacks work.
  • How to protect your app with anti-CSRF tokens.
  • HTML and Cookie tokens: differences and uses.
  • How to permit Session-based logins with samesite strict enabled.
  • Custom headers tokens.
  • How to implement a token timeout.
  • Login CSRF attacks: what they are and how to prevent them.
  • Refer and Origin headers: can you use them?
  • Stateless double-check tokens.

Chapter 5

  • What you need to know about file uploads and security.
  • How to validate file names.
  • How to validate file extensions.
  • How to avoid file name collisions.
  • How to increase security with forced file names.
  • How to enforce file size limits (and how not to do it).
  • How to validate file contents.
  • What you need to know about upload locations and security.
  • About database storage.

Chapter 6

  • A list of security-related PHP configuration directives and their suggested values.
  • Execution control directives.
  • Information exposure directives.
  • Defense directives.
  • Sessions-related directives.

Exclusive bonus chapters included in the Pro version

The Pro version of the course includes 3 exclusive, high value bonus chapters:


Bonus Chapter 1

  • About SQL Injection attacks.
  • How to connect to your MySQL/MariaDB database.
  • An example of destructive SQL injection attack.
  • An example of data-breach SQL injection attack.
  • Escaping explained.
  • How to use escaping with the MySQLi extension.
  • How to use escaping with the PDO extension.
  • Prepared statements explained.
  • How to use prepared statements with the MySQLi extension.
  • How to use prepared statements with the PDO extension.
  • What are Blind SQL Injections?
  • What are Second Order SQL Injections?
  • About database user permissions.

Bonus Chapter 2

  • How to encrypt and store user passwords.
  • 2-Factor authentication tutorial.
  • How to control login sessions.
  • Password reset tutorial.
  • Limit login attempts with username-based limiting.
  • Limit login attempts with IP-based limiting.
  • User authentication tips.

Bonus Chapter 3

  • PHP exceptions and security.
  • Code injection: what you need to know.
  • Reverse tabnabbing: what is it?
  • GET vs POST: which one is more secure?
  • Type juggling and strict comparison.
  • System commands and security.
  • Email injections.
  • About code scanners.
  • Security principles to know.

What students say about the course…

“I was a bit intimidated by the subject thinking it was too complex.

But the individual lessons are short and easy to digest. The code snippets are concise and comprehensible.

I have learned several tools to use against specific types of attacks, and I have already applied them to one of my applications.”

Dave M.

“I enrolled in the course almost as soon as I found it.
Very clear, specific, and concrete.

I appreciate the clear recommendations on certain points (e.g. setting the cookie samesite option to ‘lax’) as opposed to merely saying what the options but leaving it vague which should be used.”


“I like the simplicity and the practical examples of the course. There are few materials that explain web security in such a simple way.

I have been able to apply the concepts to an existing php application in a short time.

I would definitely recommend it.”

Orkhan Fatullayev

Frequently Asked Questions

For how long will I have access to the course?

You will have lifetime access to all the course lessons and bonus material, including future course updates.

Isn't my framework already securing my code?

Unfortunately, no. This is a common misconception. Frameworks help you organize your code, but making the code secure it’s always up to you.

Where is the course hosted?

The course is hosted on Teachable, one of the world leading online course platforms.

What if the course doesn't work for me?

Don’t worry. You can try the course risk-free.

Your enrollment is protected by Teachable 30-day guarantee.

If the course doesn’t work for you (for any reason), you’ll get all your money back.

I have another question...

I’m here to answer all your questions.

Just send me an email at:

I’ll be happy to help.

30-day, no-questions-asked Teachable Guarantee.

Try the course RISK-FREE.

Your enrollment is protected by Teachable 30-day guarantee.

If for any reason the course doesn’t work for you, you have 30 days to get all your money back. No questions asked.

You don’t even need to contact me. Just click the refund button and you’re done.

How do I enroll?


Choose your plan and click the button to enroll.

You will be redirected to the secure Teachable payment page. Teachable automatically applies VAT if required.

One-time payment for lifetime access.



If you have any questions or concerns about the course, send me an email. I’ll be happy to help.

This website and its content are copyright of Alessandro Castellano. All rights reserved.

Privacy policyCookie policyTerms and Conditions