How to write a query for PHP and MySQL?

Wonder if there are anyone with experience to write/deal with specification/SOW for web projects (Php, MySQL, and MongoDB) when it comes to security but also benchmarking / performance and scale?

• We are in the process of invest and building a new platform for our "City Destinations" venture which is hybrid of news/magazine and social network with added services like places/business guide, real estate and much more. It will be both web and mobile, user generated content, there will be a “virtual currency” or “site dollars” that user can do micro transaction with on the site. We feel very comfortable with design, modules and functions and feel we have a pretty strong technical knowledge within the team. But our worry is when working with specification / SOW for this project that be developed by freelancers that we point/push hard on demands to secure the site from both password problems, system architecture but more in detail points / hint how to deal with different kind of challenges that is common in PHP, MySQL, MongoDB, WordPress .. and so on.   So I wonder if anyone here on http://Quora.com who have suggestions and experience to share how to solve or more correct to raise the bar to avoid future problem. Thinking if there are methodology to deal with things like below (Just list some of those who bubble up in my head). Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF)SQL InjectionShell Injection Remote code execution XMLRPC for PHP vulnerabilities Format String Vulnerabilities System architecture and configuration https://www.owasp.org/index.php/Top_10_2013-Top_10

• Answer:

  In the realm of PHP vulnerabilities I'd say you should definitely invest some time/research in PHpass to protect your user passwords, I'm assuming that if there are going to be micro-transactions and things of that sort, every user will have the option to create an account through registration. I am not very experienced in the realm of security, however I have been doing research and every developer who has worked with PHpass has good things to say only, its the sort of thing that is used in things like Wordpress. That is not to say that PHpass will make your site 100% secure, I don't think that is possible, but it will definitely do a better job than other hashing methods. I suppose the next best thing would be to devise a hashing method of your own. I'm not sure whether that is a possibility. ______ PHpass would take a password from a form and then hash it, you would insert this hash into a table in your Server (Mysql for example) and then call it from a login authentication form where PHpass will read the stored hash and validate or invalidate the login. PHpass is created by OpenWall, here is a resource on managing user passwords. http://www.openwall.com/articles/PHP-Users-Passwords Phpass has been integrated into many well-known CMS’s such as WordPress, Vanilla, phpBB, and Drupal. I am not entirely sure I am helping you with this info, I wish you luck on your project! Hopefully this info is useful!