PHP is one of the most popular web programming languages today. The reason is it is easy to learn, and yet robust enough to successfully power even the most complicated applications.
This has its downsides. PHP community is large and very open, and often beginners learn wrong things or nothing at all about PHP security. PHP is very “forgiving” language and many users do not think about securing their applications. Securing a web site is all about quality coding and using defense techniques wisely.
Programmer must always be on alert and know form where the attack can come.
Table of Contents
NEVER trust user input
I will repeat, never trust your users. This is an example of badly written code for logging in your users, and great example of SQL injection attack (taken from PHP manual):
[code lang=”php”]
[/code]
When this gets executed, the query looks like this:
[code lang=”sql”]
SELECT * FROM users WHERE user=’aidan’ AND password=” OR ”=”
[/code]
As the ”=” is always true, this guy is logged in even if he does not know the password.
My tip is to always escape user input before doing anything with it. The proper way to do above example is:
[code lang=”php”]
[/code]
This way, the input gets escaped and harmless, and this simple doing gets you secured from most of the SQL related attacks.
XSS attacks
XSS attack or Cross site scripting is basically injecting malicious client script into a website. Or in other words, hacker sends you a link to a site that you are visiting, but it contains some malicious parameters in the query string. You click it and the vulnerable site allows the malicious code to execute in your browser and, for example, send your session or cookie data to attacker.
Defending is similar to SQL injection, you must filter the user (or hacker) input:
[code lang=”php”]
$variable = htmlentities($_GET[‘page’], ENT_QUOTES, ‘UTF-8’);
// or even more secure
$variable = strip_tags($_GET[‘page’]);
[/code]
After this, $variable is filtered of any HTML tags and safe for showing it on the output.
Error reporting
Nice feature of PHP is Error reporting. It is great for debugging and testing, but should always be kept off in production environment. If you show your PHP errors to users, they will know information about your environment. Hackers will always exploit this and try to produce PHP errors to get as many info as they can.
The solution is to turn off error reporting in production. I have a small function which I like to use, and when in production, I save errors in a file. So here it is:
[code lang=”php”]
if (DEVELOPMENT_ENVIRONMENT == true) {
error_reporting(E_ALL);
ini_set(‘display_errors’,’On’);
} else {
error_reporting(E_ALL);
ini_set(‘display_errors’,’Off’);
ini_set(‘log_errors’, ‘On’);
ini_set(‘error_log’, ROOT.DS.’tmp’.DS.’logs’.DS.’error.log’);
}
[/code]
Basically I set a DEVELOPMENT_ENVIRONMENT constant and if it is set to false, all errors are written to file where I can see them and display_error id set to Off.
By following this few tips, you can build a robust and secure PHP application. Use this techniques as they could save your site.
Pingback: PHP basics – Forms
Can’t you just use strip_tags(); I find it a lot easier and faster to use in logins and $_get page loaders?
Hi! Your site is very nice! Great teaching, these techniques have helped me.
It’s rare see good tips like these. Most of programmers don’t care about security, patterns, etc. Mainly, here, in Brazil. – We have the most mediocres professionals, here.
Sorry my poor english.
Thank you!
And congratulations!
Comments are closed.