Tips for Creating Secure PHP Applications
PHP is considered an open-source scripting language. Vizteck is giving you tips for creating secure PHP Applications through this guide!
Technology
January 28, 2014
Babar
To have a secure PHP application, one should use error reporting properly. When error reporting is enabled during development, it helps find misspelled variable names, incorrect function usage, and many other errors. Before the site goes live, error output should be turned off, because error messages reveal details such as the software installed, the installation folder, and other sensitive information to every visitor.
error_reporting(0);
Most applications allow users to submit their own input. Once submitted, it may be displayed on the web as comments, threads or blog posts in HTML form. Accepting HTML input is dangerous because it can carry JavaScript that executes in other users' browsers and wreaks havoc in the app. If even one hole is left open, cookies can be hijacked, giving the attacker access to a real account from which data can be copied and misused. To prevent such attacks, HTML input can be blocked entirely. Doing this removes formatting, which won't suit forums or blogs.
SQL injection is the most common security attack. It occurs when data goes unchecked and the app fails to escape characters that have meaning in SQL strings, such as single or double quotes. It is important to escape these characters (or, better, to bind values with prepared statements); otherwise users can craft input that makes a query always true and thereby trick the login system.
<?php
// Assumption: $pdo is an existing PDO connection; the query text below is a
// placeholder, since only the parameter names survived on the original page
$sql = "INSERT INTO users (name, age) VALUES (:uname, :uage)";
$stmt = $pdo->prepare($sql);
// Bound values travel separately from the SQL text, so quotes in $name or $age
// cannot change the structure of the query
$stmt->execute(array("uname" => $name, "uage" => $age));
?>
Session information is saved to a temporary directory on the server. On a shared hosting server, another customer can write a script that reads that session data. Sensitive information such as passwords or credit card numbers should therefore never be stored in a session. Encrypting what is stored in the session makes the data unreadable to a casual reader, but it does not solve the underlying problem.
Input validation is a great way to protect data. Most of the time, the expected range of the input is known in advance, and validating it means only data in that range is accepted. For example, in a birthday app the month should be accepted only as a number between 1 and 12, the day between 1 and 31, and the year in YYYY format.
// Month: one or two digits, restricted to 1-12 as described above
if ( ! preg_match( "/^(0?[1-9]|1[0-2])$/", $_GET['newmonth'] ?? '' ) ) {
    // handle error
}
// Day: one or two digits, restricted to 1-31 (checkdate() can further verify the day exists in that month)
if ( ! preg_match( "/^(0?[1-9]|[12][0-9]|3[01])$/", $_GET['newday'] ?? '' ) ) {
    // handle error
}
// Year: exactly four digits (YYYY)
if ( ! preg_match( "/^[0-9]{4}$/", $_GET['newyear'] ?? '' ) ) {
    // handle error
}
Output filtering is also important. Escaping characters that are special in HTML before they are output prevents the page from rendering incorrectly and blocks JavaScript injected by malicious users. The following functions are helpful for cleaning up text:
htmlspecialchars(): converts the special HTML characters into entities
htmlentities(): converts all characters that have an HTML entity equivalent into entities
strip_tags(): removes all HTML tags from a string
The two most common methods of sending data to a PHP application are ‘GET’ and ‘POST’. ‘GET’ appends variables to the end of a URL, as in http://www.myfirstexample.com/process.php?action=delete&id=12345. ‘POST’ sends variables in the body of the request, where they are not visible in the URL. ‘POST’ is the right choice for a potentially dangerous action such as deleting, because a ‘GET’ URL can be triggered simply by being loaded, for example from an image tag like the one below:
<img src="http://www.myfirstexample.com/process.php?action=delete&id=12345" alt="" />
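The following handler is an added example, not code from the original post. It shows how process.php can refuse a delete that arrives via GET (such as the image tag above) and, going one step beyond the post, also ties the POST form to the user's session with a random token so that a form hosted on another site cannot submit it either. session_start(), random_bytes(), hash_equals() and http_response_code() are standard PHP functions; delete_record() is a hypothetical application function.

```php
<?php
// process.php: state-changing "delete" action (added example, not from the original post)
// Assumption: delete_record() is a hypothetical application function
session_start();

function csrf_token(): string {
    // One random token per session, rendered into the form as a hidden field
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function is_valid_delete_request(array $server, array $post, string $expected): bool {
    // A GET triggered by <img src="...?action=delete&id=..."> stops here
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;
    }
    // The token proves the POST came from a form this session rendered,
    // not from a form hosted on another site; hash_equals avoids timing leaks
    if (!hash_equals($expected, (string) ($post['csrf_token'] ?? ''))) {
        return false;
    }
    // id must be a plain positive integer, in the spirit of the input-validation tip
    return preg_match('/^[1-9][0-9]{0,9}$/', (string) ($post['id'] ?? '')) === 1;
}

if (($_POST['action'] ?? '') === 'delete') {
    if (!is_valid_delete_request($_SERVER, $_POST, csrf_token())) {
        http_response_code(403);
        exit('Delete must be submitted with POST from the application form.');
    }
    delete_record((int) $_POST['id']); // hypothetical application function
    exit('Deleted.');
}

// Render the delete form: the token travels in a hidden field and every value is escaped on output
$id = 12345; // constructed sample record id
?>
<form method="post" action="/process.php">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="id" value="<?= htmlspecialchars((string) $id, ENT_QUOTES, 'UTF-8') ?>">
    <input type="hidden" name="csrf_token" value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
    <button type="submit">Delete record <?= (int) $id ?></button>
</form>
```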