Stop Making These PHP REST API Mistakes

10 min readintermediateUpdated 2026-03-01

NexusBro EditorialDeveloper Tooling ResearchUpdated 2026-03-01

Key Takeaways

✓Always use prepared statements — SQL injection remains the top PHP vulnerability
✓Use === instead of == to avoid PHP's counterintuitive type juggling behavior
✓Hash passwords with password_hash(PASSWORD_ARGON2ID), never MD5 or SHA1
✓Keep controllers thin and move business logic into dedicated service classes

Not Using Prepared Statements

Concatenating user input directly into SQL queries is the most dangerous PHP mistake and remains the number one cause of data breaches in PHP applications. String escaping functions like mysqli_real_escape_string are error-prone and insufficient against all attack vectors. The only reliable protection is parameterized queries through PDO or MySQLi prepared statements. Pass user input as bound parameters, never as part of the query string. This applies to every database query that includes any external data — not just obvious cases like login forms, but also search queries, filtering parameters, and any value that could originate from a user, including cookies and HTTP headers.

php

<?php
// DANGEROUS: SQL injection vulnerability
$sql = "SELECT * FROM users WHERE email = '$email'";
$result = $pdo->query($sql);

// SAFE: Prepared statement with parameter binding
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);
$result = $stmt->fetch();

Using == Instead of ===

PHP's loose comparison operator == performs type juggling that produces counterintuitive results: 0 == "foo" is true, "" == null is true, and "0" == false is true. These comparisons silently pass when they should fail, creating security vulnerabilities in authentication logic and data validation. Always use strict comparison === which compares both value and type. Enable strict_types to get TypeError exceptions for type mismatches in function calls. If you need type conversion, do it explicitly with casting operators so the intent is clear. Loose comparison is the source of countless subtle bugs in PHP applications and is never worth the convenience.

Ignoring PHP Error Levels

Running PHP with error reporting suppressed or using the @ error suppression operator hides bugs that will eventually cause production incidents. Configure error_reporting to E_ALL during development and in CI. In production, log all errors but do not display them to users — set display_errors to off and log_errors to on. The @ operator should never appear in production code; it hides failures that need attention. Treat notices and warnings as bugs, not annoyances — they indicate real problems like undefined variables, incorrect array access, and deprecated function usage that will become errors in future PHP versions.

Think Your Code Is Clean? Let NexusBro QA It in 20 Seconds.

Paste your code. Click QA. Get an instant expert-level audit with fixes.

QA My Code Free

Not Hashing Passwords Properly

Storing passwords with MD5, SHA1, or even SHA256 is grossly insufficient. These are fast hashing algorithms designed for data integrity, not password storage. Attackers with modern GPUs can try billions of hashes per second. PHP provides password_hash and password_verify specifically for password storage. Use PASSWORD_ARGON2ID (preferred) or PASSWORD_BCRYPT. Never implement your own hashing scheme, add custom salts (password_hash handles salting), or store password hashes in client-accessible locations. Check password_needs_rehash on login to automatically upgrade hashing parameters as recommendations change. This is one area where doing it wrong has severe real-world consequences.

php

<?php
// WRONG: Never use these for passwords
$hash = md5($password);
$hash = sha256($password);
$hash = hash('sha256', $password . $salt);

// CORRECT: Use password_hash
$hash = password_hash($password, PASSWORD_ARGON2ID);

// Verify on login
if (password_verify($inputPassword, $storedHash)) {
    // Check if rehash needed
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2ID)) {
        $newHash = password_hash($inputPassword, PASSWORD_ARGON2ID);
        updateUserHash($userId, $newHash);
    }
}

Fat Controllers, Thin Models

Putting all application logic in controllers creates classes that are hundreds of lines long, impossible to test in isolation, and tightly coupled to the HTTP layer. Business logic in controllers cannot be reused by artisan commands, queue jobs, or API endpoints. The fix is moving business logic into dedicated service classes, using models for data access and relationships, and keeping controllers thin — they should only validate input, call a service, and return a response. This separation makes your code testable, reusable, and maintainable. If a controller method exceeds 20 lines, it probably needs refactoring into a service.

Ignoring Composer Autoloading

Manually requiring files with include or require statements is fragile and error-prone. Composer's PSR-4 autoloading maps namespaces to directories, automatically loading classes when they are first referenced. Configure autoload in composer.json and run composer dump-autoload. Use classmap autoloading for directories that do not follow PSR-4 conventions. In production, run composer dump-autoload --optimize to generate a class map for faster loading. Never use require_once in application code — it adds overhead and indicates a structural problem. Proper autoloading eliminates an entire category of "class not found" errors and makes your codebase self-organizing.

Unlock Unlimited QA Audits for $15.99/mo

Free: 5 audits/day. Pro $15.99/mo: 50/day + 250 pages. Pro Max $99/mo: unlimited audits, 10K pages, API access.

See Plans

Frequently Asked Questions

What is the most dangerous PHP REST API mistake?

SQL injection from concatenating user input into queries. Despite decades of awareness, it remains the most exploited vulnerability in PHP applications. Always use prepared statements with parameter binding. No exceptions, no shortcuts.

How can I catch PHP REST API mistakes before production?

Use a layered defense: strict_types catches type errors, PHPStan catches logic errors through static analysis, PHPUnit catches behavioral bugs through testing, and code review catches design issues. Each layer catches different types of mistakes. CI should run all of these on every pull request.

Are PHP REST API mistakes more common than in other languages?

PHP's permissive defaults (loose comparison, implicit type coercion, suppressed errors) create more opportunities for subtle mistakes. However, modern PHP with strict_types, type declarations, and static analysis is comparable to other languages in safety. The key is opting into strict mode consistently.

How do I fix PHP REST API mistakes in legacy code?

Prioritize security fixes first (SQL injection, XSS, password hashing). Then add strict_types to files you modify. Introduce PHPStan at baseline level and fix new violations. Add tests before refactoring to ensure behavior is preserved. Use rector for automated modernization. Fix incrementally, not all at once.

How do I prevent my team from making PHP REST API mistakes?

Automate detection: CI checks for common vulnerabilities, PHPStan for type errors, and PHP-CS-Fixer for style. Create project templates with secure defaults. Conduct security-focused code reviews. Share this common mistakes guide during onboarding. Make the right way the easy way.

Share this article

X LinkedIn Reddit WhatsApp

Laravel Routing Common Mistakes Php Authentication Common Mistakes Php Pdo Common Mistakes Php Error Handling Common Mistakes

Unlock Unlimited QA Audits for $15.99/mo

Free: 5 audits/day. Pro $15.99/mo: 50/day + 250 pages. Pro Max $99/mo: unlimited audits, 10K pages, API access.

See Plans

Noizz helps you discover and compare the best new products and tools. Try it free →

Is YOUR site's SEO this optimized?

Find out in 60 seconds with a free QA audit.

Free SEO Check

Is your site built to last?

Run a free QA audit and get your Site Health Score in seconds.

Check Your Site Free

No signup required

QA Score Checker·Compare Sites·Industry Benchmarks

Stop Making These PHP REST API Mistakes

10 min readintermediateUpdated 2026-03-01

NexusBro EditorialDeveloper Tooling ResearchUpdated 2026-03-01

Key Takeaways

✓Always use prepared statements — SQL injection remains the top PHP vulnerability
✓Use === instead of == to avoid PHP's counterintuitive type juggling behavior
✓Hash passwords with password_hash(PASSWORD_ARGON2ID), never MD5 or SHA1
✓Keep controllers thin and move business logic into dedicated service classes

Not Using Prepared Statements

php

<?php
// DANGEROUS: SQL injection vulnerability
$sql = "SELECT * FROM users WHERE email = '$email'";
$result = $pdo->query($sql);

// SAFE: Prepared statement with parameter binding
$stmt = $pdo->prepare('SELECT * FROM users WHERE email = :email');
$stmt->execute(['email' => $email]);
$result = $stmt->fetch();

Using == Instead of ===

Ignoring PHP Error Levels

Think Your Code Is Clean? Let NexusBro QA It in 20 Seconds.

Paste your code. Click QA. Get an instant expert-level audit with fixes.

QA My Code Free

Not Hashing Passwords Properly

php

<?php
// WRONG: Never use these for passwords
$hash = md5($password);
$hash = sha256($password);
$hash = hash('sha256', $password . $salt);

// CORRECT: Use password_hash
$hash = password_hash($password, PASSWORD_ARGON2ID);

// Verify on login
if (password_verify($inputPassword, $storedHash)) {
    // Check if rehash needed
    if (password_needs_rehash($storedHash, PASSWORD_ARGON2ID)) {
        $newHash = password_hash($inputPassword, PASSWORD_ARGON2ID);
        updateUserHash($userId, $newHash);
    }
}

Fat Controllers, Thin Models

Ignoring Composer Autoloading

Unlock Unlimited QA Audits for $15.99/mo

Free: 5 audits/day. Pro $15.99/mo: 50/day + 250 pages. Pro Max $99/mo: unlimited audits, 10K pages, API access.

See Plans

Frequently Asked Questions

What is the most dangerous PHP REST API mistake?

How can I catch PHP REST API mistakes before production?

Are PHP REST API mistakes more common than in other languages?

How do I fix PHP REST API mistakes in legacy code?

How do I prevent my team from making PHP REST API mistakes?

Share this article

X LinkedIn Reddit WhatsApp

Laravel Routing Common Mistakes Php Authentication Common Mistakes Php Pdo Common Mistakes Php Error Handling Common Mistakes

Unlock Unlimited QA Audits for $15.99/mo

Free: 5 audits/day. Pro $15.99/mo: 50/day + 250 pages. Pro Max $99/mo: unlimited audits, 10K pages, API access.

See Plans

Noizz helps you discover and compare the best new products and tools. Try it free →

Is YOUR site's SEO this optimized?

Find out in 60 seconds with a free QA audit.

Free SEO Check

Is your site built to last?

Run a free QA audit and get your Site Health Score in seconds.

Check Your Site Free

No signup required

QA Score Checker·Compare Sites·Industry Benchmarks

Key Takeaways

Not Using Prepared Statements

Using == Instead of ===

Ignoring PHP Error Levels

Think Your Code Is Clean? Let NexusBro QA It in 20 Seconds.

Not Hashing Passwords Properly

Fat Controllers, Thin Models

Ignoring Composer Autoloading

Unlock Unlimited QA Audits for $15.99/mo

Frequently Asked Questions

Share this article

Related Articles

Unlock Unlimited QA Audits for $15.99/mo

Is your site built to last?

How does your site compare?

Explore More Topics

The Definitive Guide to Merge Sort

The Complete Guide to Python Variables

The Complete Guide to TypeScript Strict Mode

The Complete Guide to Swift Optionals

The Complete Guide to SELECT Queries

The Definitive Git Basics Guide for Developers

Key Takeaways

Not Using Prepared Statements

Using == Instead of ===

Ignoring PHP Error Levels

Think Your Code Is Clean? Let NexusBro QA It in 20 Seconds.

Not Hashing Passwords Properly

Fat Controllers, Thin Models

Ignoring Composer Autoloading

Unlock Unlimited QA Audits for $15.99/mo

Frequently Asked Questions

Share this article

Related Articles

Unlock Unlimited QA Audits for $15.99/mo

Is your site built to last?

How does your site compare?

Explore More Topics

The Definitive Guide to Merge Sort

The Complete Guide to Python Variables

The Complete Guide to TypeScript Strict Mode

The Complete Guide to Swift Optionals

The Complete Guide to SELECT Queries

The Definitive Git Basics Guide for Developers