Useful Tips for Creating Secure PHP Applications

PHP is one of the most popular programming language for developing web projects. But like other scripting languages, PHP also has few security holes that can make our application insecure. In this tutorial, we will take a look at useful tips to help you avoid some common PHP security problems.

php security hole

 

Tip 1: Use Proper Error Reporting

During development we often forget to make error reporting on which means weak levels of error reporting in development environments, which is unfortunate, because proper error reporting is not only one of the best debugging tools available to a developer, but also an excellent way to reveal significant security flaws in code before they become a threat in the real world.

There are many ways to enable error reporting. you can enable error reporting from inside the configuration file php.ini or you can set it at run-time.


Enabling Error Reporting
error_reporting(E_ALL);

Disabling Error Reporting
error_reporting(0);

Tip 2: Disable PHP’s weak Features

There are few PHP’s features that’s need to be set OFF. These features are exists in PHP4 applications and are only deprecated in PHP5 applications. But finally removed in the upcoming PHP6.

Register Globals (register_globals)

Actually when register_globals is set to ON. it registers Environment, GET, POST, COOKIE or Server variables as global variables. you don’t need to write $_POST[‘username’] to access the posted ‘username’ variable you can simply use ‘$username’ to access the $_POST[‘username’].


Now you will be thinking that making register_globals on is easy for us why not to use? Yes it is easy for you but it creates many security hole in your application and also creates the conflicts between variables.

Below is the common example you will see in PHP scripts:
if( !empty( $_POST[‘username’] ) && $_POST[‘username’] == ‘test123’ && !empty( $_POST[‘password’] ) && $_POST[‘password’] == “pass123” )
{
$access = true;
}

If the application is running with register_globals ON, a user could just place access=1 into a query string, and would then have access to whatever the script is running.

Register Globals Disabling with .htaccess
php_flag register_globals 0

Disabling with php.ini
register_globals = Off


Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase
Magic Quotes is a feature meant to save programmers the trouble of using addslashes() and other similar security features in their code. But It is recommended that you disable this
feature and use proper variable validation instead

Disabling with .htaccess
php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0

Disabling with php.ini
magic_quotes_gpc = Off
magic_quotes_runtime = Off
magic_quotes_sybase = Off

Tip 3: Validate User Input

You can also validate user input. you actually already

know what kind of data you are expecting on input. So the simplest way
to protect yourself against attacks is to make sure your users can only
enter the appropriate data.


Tip 4: Avoid Cross Site Scripting Attacks in User Input

In our web application we simply accepts input from users and displays it in some way. During accepting input, allowing HTML can be a dangerous thing, because that allows for JavaScript to be executed in unintended ways. If even one hole is left open, JavasScript can be executed and cookies could be hijacked. This cookie data could then be used to fake a real account and give an illegal user access to the website’s data. There are a few ways you can protect yourself from such attacks. first way is to disallow HTML because then there is no possible way to allow any JavaScript to execute.

Tip 5: Protect you database against SQL Injection

SQL injection is a well know security attacks on the web. Actually SQL injection attacks occur when data goes unchecked and the application does not escape characters used in SQL strings such as single quotes (‘) or double quotes (“).

But PHP offers few tool to help protect your database input. when you connect with database, you can use these functions. The mysqli_real_escape_string function is used when connected to the database.
$username = mysqli_real_escape_string( $GET[‘username’] );
mysql_query( “SELECT * FROM tbl_employee WHERE username = ‘”.$username.“‘”);

In this brief note, I have just explain few major security hole that we often ignore in PHP Application development. But it is totally up to the developer that they make themselves aware about web security and most common attacks. Hope it will be helpful for you. Please don’t forget to share your useful comments with us. Thanks!

 


Leave a Reply

Your email address will not be published. Required fields are marked *