Make Your PHP Apps Secure From Attacks.

Don’t want to take risks with the security of your code?
Learn how to use the right defense techniques and stop worrying.

PHP Security Mastery

30,000 web apps are hacked every day.
How do you keep your apps secure?

Web attacks


You don’t want your apps to be hacked, right?

Just imagine the consequences. The pain of finding out what has been stolen or deleted, having to inform your client…
Not to mention the impact on your reputation as a developer.

And yet, many developers don’t know how to protect their code. They just “hope” that nothing bad will happen.

Put simply: they just rely on their luck.

But you can’t really feel safe just by relying on your luck, can you?

If you want to feel confident and stop worrying, you can’t just “hope” or “guess”. You must know exactly what to do to protect your code.

How do web apps get hacked?

Hacking a website is like breaking into a building.

Intruders search for vulnerabilities: an open window, a weak lock, a broken fence.
And when a weak point is found, they break in.

It’s the same with web applications.

Attackers study your app, searching for vulnerabilities.
(Yes, even from a remote location and without access to the source code).

When they find one, they use it to break in and hack your app.
The more vulnerabilities your code has, the easier it is for attackers to hack it. 

To prevent such attacks, you must close any open door that attackers can use.

You must make sure that attackers will not find (and use) any vulnerability in your code. Not in the request inputs, not in Sessions, not in your SQL queries.


And this is where many developers fail.

Because attackers know exactly which vulnerabilities to look for.

To stop them, you must know those vulnerabilities too.

And this is where doubts start to kick in:

  • “Did I check all possible vulnerabilities?”
  • “Did I use the right defense techniques?”
  • “Am I sure I didn’t forget anything?”

If you have these doubts, chances are your code is vulnerable.

It’s like leaving the building with the doors unlocked and the windows open.

So, the obvious question is: how do you know exactly what to do, so you can clear all your doubts?


The solution.

How do you learn the exact coding techniques to make your PHP code secure?

You could learn it all by yourself… But be prepared, because it’s a daunting task.
I know that well, because that’s what I did, since there was nobody to teach me.

But if there is someone guiding you, that’s a completely different story.
You can save a lot of time and energy. And in the end, you will be sure to know exactly what you need, and finally stop worrying.


PHP Security Mastery
PHP Security Mastery

PHP Security Mastery is designed to do the following:

The Attacks

The Defense

The Examples


  • Give you the complete list of attacks.

How do you know if your code is protected from every attack? How can you be sure you don’t forget anything?
With the complete and reliable list of possible attacks, you can finally solve these doubts and be sure not to miss anything.

  • Teach you the defense techniques.

The next big question is: how do you stop all the possible attacks?
You must implement the right defense techniques.
In the course, you are going to see which defense techniques work with each attack, and exactly how to implement them.

  • Show you the code examples.

You are a programmer. What you need is real code that you can copy & paste in your own apps.
This is why the course comes with plenty of working code examples.
The examples not only show you exactly how it’s done, but you can also copy and use them right away.

Ryan B.

“Prior to enrolling I didn’t know how to secure a site using PHP, and trying to figure out how to do so on my own was a daunting task.”

“This type of information was very difficult to figure out on my own via research on the web. I’m very happy this course exists, and I wish I found it sooner than I did.

One thing I particularly like about this course is the fact that I’m learning from someone who has done this stuff before. It’s not just theory in a textbook or something I have to piece together on my own.

I’ve always been a proponent of learning from someone who is doing or has done what you want to do, and I feel confident in my PHP security skills now.

Andrew Easton

“I particularly liked the step by step explanation of the examples.”

“I found the course very useful and I learnt a lot. I particularly liked the step by step explanation of the examples.
I will use the information as a reference for future projects.

I recommend this course as I think security is not a priority for a lot of amateurs.

Thank you for this course, you have helped me a lot. Keep up the good work.”

Real PHP code examples.

It’s no use to learn the theory, and then having no idea of how to implement it. Who needs the theory without the practice?

The course includes working PHP examples for every technique. So you can copy & paste the code into your own apps and use it right away.

Code examples

Comments and questions.

In other online courses, you get access to the course content and then you are on your own. But what if you have a doubt or a question?

In PHP Security Mastery, you can leave your questions and comments in every lesson. Me and other students will get back to you with a professional answer.

(Since this course has been published, and hundreds of students have enrolled, I have personally answered every single question.)


All Security In One Place

In this course you will find all security-related topics in one place. No more need to jump from one article or video to the next, always searching for the next topic.

Up To Date

The course material is up to date and fully-compatible with PHP 7 and 8.
I periodically review the lessons to make sure they are always up to date.


Small, Organized Lessons

Learning a complex topic like security can be daunting.
This course is organized in small, segmented pieces of information that you can easily assimilate, in a perfectly logical sequence. So you don’t risk getting overwhelmed.

Simple English

Not a native speaker? No worries!
The English used in the course is as simple as it can be. In fact, it is as simple as the English you are reading right now.

Yassine El ouaamari

I have been coding PHP for years now and at some point “free tutorials” can’t teach me nothing anymore.

But books are too abstract and it’s hard finding someone to teach me or answering my questions on specific topics and/or providing detailed examples.

User authentication and security are the only things that scare me when I want to publish any PHP project.
Because in my home country laws have become more strict lately and you can get in huge troubles when offering web services carelessly.

This course explains those things specifically. There just aren’t a lot of tutorials with this exact topic.
And the price is totally fine (not more or less than a good book).
Money well spent.

I fixed my security concerns when running a website.
This basically closed the biggest gap in my knowledge I had.
In fact, I reached a new level now.

I liked how the course is well structured and has easy to understand examples and I recomment it.
It does what it says. Teaching PHP Security at a very fair price.

I am now confident to run websites and offer user services without fear.
Of Course as a PHP Coder, Sessions, Cookies and Databases aren’t new to me.
But questions I had for a long time and questions I didn’t know I had … have been answered both!

Who is this course for?

This course is for PHP developers who want to write secure web applications.

If you want to feel confident about the security of your code, and if you want to build a solid reputation as a developer, then this course is for you.

This course is NOT for you if:

  • You never programmed in PHP before (you need at least the basics).
  • You just want a “magic tool” that makes your code secure with the click of a mouse. Sorry, such a tool does not exist. Only take this course if you are willing to learn.

What’s Unique About This Course?

You can find many web development courses online.

But this is the only course specifically focused on PHP Security.

In a generic course, your attention is scattered across too many topics. You learn a little bit of everything, without really mastering anything.

To master a complex topic like security, you must focus 100% on that topic.
This way you will reach your goal faster and, more importantly, you will get much better results.


Serhii Franchuk

“A clear understanding that saved my time.”

“I like the full and clear explanation of the topics and the tips/tricks. The course gave me a clear understanding and even a bit of experience, which further saved my time.

Alex, your course is a diamond of knowledge!”


I already knew some of the techniques, but I didn’t know exactly how to implement them. The course is easy to follow and well explained.

I would definitely recommend it to other PHP developers.”

A tiny insight into what you’ll learn:



  • The proper way to check the type of a variable (and why user input is a special case).
  • How to validate numbers, even when used as text strings.
  • Why JSON validation is different from normal input validation, and how attackers can exploit this.
  • How to make your validation stronger by using “limits”.
  • Why you should not use type casting for validation.
  • The secrets of PHP filters.
  • When you should implement your own validation functions.
  • A simple way to use regular expressions for validation.
  • Why blacklists and whitelists are similar… and why they are very different.


  • The 2 most important Sessions-related attacks (and how to prevent them).
  • Why protection against basic Fixation attacks does not work against 2-step Fixation attacks (and what to do instead).
  • How Session Hijacking works, and what to do about it.
  • Why one-time tokens are very effective, but also not always the best choice.
  • The false security of the Session timeout, and what to do to make it really secure.
  • How Virtual Sessions are the most powerful defense weapon you have.


  • How XSS attacks make fun of your HTML page to get access to private data.
  • The two types of XSS attacks, and how to prevent them.
  • Why HTML sanitization is the key to XSS prevention (and the most common mistakes to avoid).


  • How CSRF is the complementary of XSS.
  • How to implement anti-CSRF tokens and instantly make your app much more secure.
  • The difference between cookie, HTML and JavaScript tokens (and when to use which).
  • The simple trick to allow Session-based logins even with samesite strict enabled (and why you want to do that).
  • The little known uses of custom header tokens.
  • How login CSRF attacks can fool you… and how to prevent that.
  • Why Refer and Origin headers seem attractive, but they’re actually useless.


  • Why remote file uploads are a possible attack vector.
  • All you need to know about file name validation.
  • How you can easily avoid name collisions.
  • How to enforce file size limits (and how not to do it).
  • A few tricks to perform content validation: when it works, and when it doesn’t.
  • Where you should keep uploaded files, and when database storage is a viable option.

High value bonus chapters (with the Pro version)



  • Why SQL injections are the most dangerous type of web attacks.
  • Practical examples of destructive and data-breach attacks.
  • How to use escaping and prepared statements to protect your queries (and which one is the best choice).
  • MySQLi and PDO: which one to use?
  • Blind SQL injections: the attack you didn’t expect.
  • How setting the database permissions can dramatically increase your database security (few developers know this).


  • How you should encrypt your passwords (and how not to do it).
  • 2-Factor authentication tutorial.
  • Password reset tutorial.
  • How to get full control over login sessions, and why you want to do that.
  • Two different ways to limit login attempts and stop DOS attacks.


  • How PHP Exceptions can be helpful in making your apps secure.
  • What you need to know about code injection.
  • What’s reverse tabnabbing, and should you worry about it?
  • GET vs POST: which one is more secure?
  • The security principles that you must know.

Reasons Why You Should Not Delay


“I’m busy right now, later may be better…”
Most people think that they are busier than usual and that they will have more time in the future.
But think about it. Do you have more time today than a year or a week ago?
You are not going to have more time in the future. “Now” is the best moment to get things done.


“But I have other priorities….”
If you really had other priorities, then you should not even be here reading these words.
Don’t confuse “priorities” with things that you simply would like to do.
You are here because you know that PHP Security matters to you.


“Maybe the course is too difficult for me…”
Hollywood movies have convinced people that “hacking” and anything related to web security is obscure and incredibly difficult.
But web security is not magic.
There are absolutely no reasons why you shouldn’t be able to learn it.


“Can I find all the information online by myself?”
Let’s be honest: there is literally nothing that you can’t find on Google.
But to find, understand and select all the information from this course, you need months at best (more likely years). And even then, how do you know if you missed something?

Think carefully about how much your time is worth to you.


I was a bit intimidated by the subject thinking it was too complex, or that re-factoring my existing applications to enable security would be too difficult to accomplish without breaking my code .

But the individual lessons are short and easy to digest. The code snippets are concise and comprehensible. Things are spread out nicely which makes it easy to read.

I am self taught, and one of the liabilities of that is not knowing what all you need to teach yourself. This course has identified specific areas of concern that can be addressed and handled, which is easier to handle and work with than the nebulous concept of security.

It covers a number of security concerns and does so in a comprehensible manner with tools that I have already been able to apply to one of my applications.”

Dave M.

“I enrolled in the course almost as soon as I found it.
Very clear, specific, and concrete.

I appreciate the clear recommendations on certain points (e.g. setting the cookie samesite option to ‘lax’) as opposed to merely saying what the options but leaving it vague which should be used.”


I like the simplicity and the practical examples of the course. There are few materials that explain web security in such a simple way.

I have been able to apply the concepts to an existing php application in a short time.

I would definitely recommend it.”

Orkhan Fatullayev

Frequently Asked Questions

For how long will I have access to the course?

You will have lifetime access to all the course lessons and bonus material.

What if the course doesn't work for me?

You can try the course risk-free.
If the course doesn’t work for you (for any reason), just ask for a refund within 30 days and you’ll get all your money back.

Where is the course hosted?

The course is hosted on Teachable, one of the world leading courses platforms.

Do I have to pay a monthly fee?

The price is a one-time payment only (see the price table below).
You only pay once and you have lifetime access to the course.

I have another question...

I’m here to answer all your questions.

Just send me an email at:

I’ll be happy to help.

Alex Friendly 30-days Guarantee.

You can try the course risk-free.

Your enrollment is protected by my Friendly 30-days guarantee.

If for any reason you don’t like the course (and you don’t need to give me any reason at all), just contact me within 30 days and you will get a complete refund.

No questions asked and no catches. And we will still be friends 🙂

How do I Enroll in the Course?

Choose your plan and click “Enroll Now”.
You will be redirected to the secure Teachable payment page (Teachable automatically applies VAT if required).

After the payment process is complete, you will have immediate access to the course.

It’s a one-time payment only for lifetime access.



See you in the course,

If you have any questions just send me an email.