PHP security tips


PHP is one of the most popular web programming languages today, because it is easy to learn and yet robust enough to power even the most complex applications.

This popularity has a downside. The PHP community is large and very open, and beginners often learn wrong things, or nothing at all, about PHP security. PHP is a very forgiving language, and many users never think about securing their applications. Securing a web site comes down to quality coding and using defensive techniques wisely.

A programmer must always be on the alert and know where an attack can come from.

NEVER trust user input

I will repeat: never trust your users. Here is an example of badly written login code, and a textbook example of a SQL injection attack (taken from the PHP manual):

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";

// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

When this gets executed, the query looks like this:

SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''

Because ''='' is always true, and AND binds tighter than OR so the OR applies to the whole condition, the WHERE clause matches every row: this user is logged in without knowing the password.

My tip is never to put raw user input into a query. The fix the PHP manual gives for the example above is to escape each value before it is interpolated:

$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='$username' AND password='$password'";

With escaping, the quote in the attacker's password becomes \' and the value stays inside the string literal, which stops this attack. Two caveats: mysql_real_escape_string() only protects values placed inside quoted string literals (a number used in LIMIT or ORDER BY, or a column name, gets no protection), and the mysql_* extension it belongs to was removed in PHP 7. The robust fix is a prepared statement (PDO or mysqli), where the query text is fixed and the values are sent separately, so they can never change the structure of the query.
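The following is an added example, not code from the original article: the article's login query run twice against an in-memory SQLite database, once built by string interpolation and once as a PDO prepared statement. It needs the pdo_sqlite extension; the table, the user row and the attacker's input are constructed here for the demonstration.

```php
<?php
// Added example (not from the original article): the article's login query
// run against an in-memory SQLite database, once built by string
// interpolation and once as a prepared statement. Requires pdo_sqlite.
// The table, the user row and the attacker's input are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user TEXT NOT NULL, password TEXT NOT NULL)');
// Demonstration only: a real application stores password_hash() output and
// compares with password_verify(); the injection concerns the query, not storage.
$db->exec("INSERT INTO users VALUES ('aidan', 'correct horse battery staple')");

// The attacker's form submission from the article.
$attack = ['username' => 'aidan', 'password' => "' OR ''='"];

// Vulnerable: the values become part of the SQL text, so a quote in the
// password closes the string literal and the rest is parsed as SQL.
function vulnerableLogin(PDO $db, array $post): bool
{
    $query = "SELECT * FROM users WHERE user='{$post['username']}' AND password='{$post['password']}'";
    return $db->query($query)->fetch() !== false;
}

// Fixed: the SQL is parsed first with placeholders; the values are sent
// separately and can only ever be compared as data.
function safeLogin(PDO $db, array $post): bool
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user = :user AND password = :password');
    $stmt->execute([':user' => $post['username'], ':password' => $post['password']]);
    return $stmt->fetch() !== false;
}

$legit = ['username' => 'aidan', 'password' => 'correct horse battery staple'];

printf("vulnerable, attack input: %s\n", vulnerableLogin($db, $attack) ? 'logged in' : 'rejected');
printf("prepared,   attack input: %s\n", safeLogin($db, $attack) ? 'logged in' : 'rejected');
printf("prepared,   real password: %s\n", safeLogin($db, $legit) ? 'logged in' : 'rejected');
```

The vulnerable function reports "logged in" for the attack input; the prepared statement rejects it and accepts only the real password. With mysqli the equivalent is prepare() with ? placeholders followed by bind_param(); the principle is the same, the query text never contains user data.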

XSS attacks

An XSS attack (cross-site scripting) is the injection of a malicious client-side script into a web site. In the reflected form, the attacker sends you a link to a site you use, with a malicious payload in the query string; you click it, the vulnerable site echoes the payload unescaped into its page, and the script runs in your browser, where it can, for example, read your session cookie and send it to the attacker.

The defence is similar to SQL injection: user (or attacker) input must be escaped for the context it is written into, here HTML output:

$variable = htmlentities($_GET['page'], ENT_QUOTES, 'UTF-8');
// strip_tags() removes tags but leaves quotes and attribute text untouched,
// so it is not a substitute for escaping
$variable = strip_tags($_GET['page']);

After htmlentities() with ENT_QUOTES, $variable can be placed into HTML text or a quoted attribute without being interpreted as markup. strip_tags() is not the "more secure" option it is often taken for: it removes tags but leaves quotes, so a value such as " onmouseover="... still breaks out of an attribute, and neither function makes a value safe inside a <script> block or a URL. Escape for the context you are writing into, and do it at output time.
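The following is an added example, not code from the original article. The two attacker inputs are constructed; the helpers render a value into an HTML attribute with strip_tags() and with htmlspecialchars() so the difference between the two is visible.

```php
<?php
// Added example (not from the original article). The attacker's inputs below
// are constructed; the two helpers show how strip_tags() and
// htmlspecialchars() behave when the value lands in an HTML attribute.

// "Filtering" with strip_tags(): tags are removed, nothing else changes.
function renderWithStripTags(string $page): string
{
    return '<input type="text" name="page" value="' . strip_tags($page) . '">';
}

// Escaping for the HTML attribute context: ENT_QUOTES encodes both ' and ",
// so the value can never terminate the attribute it is placed in.
function renderEscaped(string $page): string
{
    return '<input type="text" name="page" value="'
        . htmlspecialchars($page, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '">';
}

$payloads = [
    // The classic payload: strip_tags() does remove this one.
    'tag'       => '<script>alert(document.cookie)</script>',
    // No tag at all: it closes the value attribute and adds an event handler,
    // so strip_tags() passes it through unchanged and the script runs on focus.
    'attribute' => '" onfocus="alert(document.cookie)" autofocus="',
];

foreach ($payloads as $name => $payload) {
    echo "--- $name payload ---\n";
    echo "strip_tags:       " . renderWithStripTags($payload) . "\n";
    echo "htmlspecialchars: " . renderEscaped($payload) . "\n";
}
```

For the attribute payload, the strip_tags() rendering produces an input element with a live onfocus handler, while the escaped rendering keeps the whole value inside the quotes as inert text. The same rule applies in every other context: a value written into JavaScript, a URL or CSS needs that context's own encoding, not HTML escaping.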

Error reporting

A nice feature of PHP is error reporting. It is great for debugging and testing, but displaying errors should always be off in a production environment. If you show PHP errors to users, they learn about your environment: file paths, database hosts, library versions, fragments of queries. Attackers will try to provoke PHP errors precisely to collect this information.

The solution is to turn off error display in production and log errors to a file instead. I have a small piece of configuration I like to use for this; in production it saves errors to a file. Here it is:

if (DEVELOPMENT_ENVIRONMENT) {
	ini_set('display_errors', 'On');   // show errors while developing
} else {
	ini_set('display_errors', 'Off');  // never show errors to visitors
	ini_set('log_errors', 'On');
	ini_set('error_log', ROOT.DS.'tmp'.DS.'logs'.DS.'error.log');
}

Basically I set a DEVELOPMENT_ENVIRONMENT constant; when it is false, display_errors is set to Off and all errors are written to a file where I can read them. Note that ini_set() only takes effect once the script is running, so a parse error in the bootstrap file itself would still be displayed; for production, also set display_errors=Off in php.ini or the web server's PHP configuration.
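The following is an added example, not code from the original article. It keeps the article's DEVELOPMENT_ENVIRONMENT switch but writes the log under the system temp directory so it runs anywhere (substitute the article's ROOT.DS path), adds an exception handler so that uncaught exceptions do not reach the visitor either, and triggers a constructed warning to show that the detail goes to the log and nothing goes to the output.

```php
<?php
// Added example (not from the original article). It keeps the article's
// DEVELOPMENT_ENVIRONMENT switch but writes the log under the system temp
// directory so it runs anywhere; substitute the article's ROOT.DS... path.
// The warning triggered at the end is constructed to stand in for a real failure.

define('DEVELOPMENT_ENVIRONMENT', false);

function configureErrorHandling(bool $development, string $logFile): void
{
    error_reporting(E_ALL);                                // record everything...
    ini_set('display_errors', $development ? '1' : '0');  // ...show it only to developers
    ini_set('log_errors', '1');
    ini_set('error_log', $logFile);

    if (!$development) {
        // An uncaught exception would otherwise reach the visitor with its
        // message, file path and stack trace. Log the detail, show a generic page.
        set_exception_handler(function (Throwable $e): void {
            error_log(sprintf('Uncaught %s: %s in %s:%d',
                get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
            http_response_code(500);
            echo "Something went wrong. The problem has been logged.\n";
        });
    }
}

$logFile = sys_get_temp_dir() . '/php-demo-error.log';
configureErrorHandling(DEVELOPMENT_ENVIRONMENT, $logFile);

// The kind of failure an attacker tries to provoke: in production nothing is
// shown to the visitor, but the detail (including the internal host name here)
// lands in the log file.
trigger_error('Connection to db.internal:3306 refused', E_USER_WARNING);

echo "Visitor saw nothing; the log contains:\n";
echo file_get_contents($logFile);
```

Flip the constant to true and the same warning is printed to the output as well, which is what you want on a developer machine. The log file itself now holds the sensitive detail, so it belongs outside the web root with permissions that only the PHP process and administrators can read.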

By following these few tips you can build a more robust and secure PHP application. Use these techniques; they could save your site.

About the author

Zvonko Biškup

A passionate web developer with more than 13 years' experience in PHP and other web-related technology. My main interests are WordPress and new PHP frameworks.
Owner of Influendo Programming.
Enjoys exploring new stuff and possibilities, using new technologies and just having fun developing awesome stuff.


  • WebbanditTen

    Can’t you just use strip_tags()? I find it a lot easier and faster to use in logins and $_GET page loaders?

  • Raphael

    Hi! Your site is very nice! Great teaching; these techniques have helped me.

    It’s rare to see good tips like these. Most programmers don’t care about security, patterns, etc. Mainly here, in Brazil. – We have the most mediocre professionals here.

    Sorry for my poor English.

    Thank you!
    And congratulations!