What do Baidu, Wikipedia, Twitter, and Facebook have in common? All of them use PHP technology. W3Techs did a survey and revealed that many web applications and websites prefer to use PHP as opposed to ASP.NET or Java. PHP is popular for many reasons. It is easy and cheap to host PHP applications. You can do PHP development using open source software, which means you do not incur additional costs in acquiring additional software. Also, PHP connects with many databases. Even though developers make many media websites, education portals, and e-commerce social networking sites using PHP technology, there are a number of security issues you need to consider. This article highlights the security tips you should follow in PHP usage.
1. Validation of input data
2. Escape query data
Do not stick with any information that takes you in an inquiry, and more importantly ignore SQL inquiries in the application. Make use of a certain type of deliberation such as active record. A slight SQL injection weakness can help a hacker to take over the entire framework. SQL map takes a few minutes to control a given framework. Therefore, if you have a single page with an SQL infusion, this can make the entire site defenseless. If there is a parameter that you have used in an SQL query and you do not escape it, you have a left a door open for hackers to interrupt your system. Therefore, beware of SQL queries. Ensure you escape every id parameter through using suitable functions such as mysqli_real_escape_string() before you put them in your query.
3. Guard against XSS attacks
4. SQL injection
This is a code injection technique that hackers use to attack applications that are data-driven. Hackers insert malicious SQL statements into the user entry fields. They use this information to get secret information from the database, and they can delete or modify any important information. For such kind of hacking to occur, attackers use any input from users and augment it with some parameters to come up with an SQL query that can harm the database. Though obtaining such information is not an easy venture, if your database is open source, hackers will have an easy time. You can prevent this by:
Use libraries such as MySQLi Extension (MySQL Improved) or PDO that help you with statements that have bound variables.
Delete all idle procedures from your site.
Ensure you perform data validation and confirm that every input from users has the anticipated data type.
Avoid usage of super user access to connect to your site. Always have customized users, and limit their privileges.
Ensure that you strongly type query APIs with parameters, and with some substitution markers.
5. Cross Site Request Forgery (CSRF) attacks
One-Click attack, session riding, or Cross Site Request Forgery (CSRF) is a type of a web app susceptibility where victims inadvertently run a script in their browser when they are using a certain site. Session riding attacks happen if there is data coming into a website through certain users’ requests. CSRF exploits the trust that a client has for a certain site. The hacker uses a browsing website and special techniques to get access to sensitive data from other users. Such vulnerability is as a result of wrong assumptions and poor coding. To avoid such vulnerability:
Use open libraries such as NoCSRF, CSRF Protection, anticsurf, and Clfsrpm.net to protect your website from CSRF susceptibility.
Use Unpredictable Synchronizer Token Pattern. This method helps a website to generate a random token which associates with the current session of a user as a hidden value. Once the site submits the form, your site can verify if the random token has come through a request, and if it is right.
Use Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA) verification in forms to avoid CSRF. CAPTCHA that comes from the side of the client is legitimate since no hacker can guess its pattern. However, this gives the user another burden, and it can destroy the overall web experience of the user.
The application must ascertain the referral header. The website should block any request that comes from another domain. You can do away with vulnerability if the site allows requests from a similar domain. If there are HTTPS connections, this method fails since it omits the referrer.
6. Protect session data
In shared hosting, you can get a script from someone that reads the session effectively. The session data has a temporary directory. In this way, ensure you do not expose sensitive data such as credit card numbers and passwords in a session. A perfect way to monitor information is to assess the data stored in the session. This is not fully secure since encoded information is not under protection. Keep your session information in a different database. Use session_set_save_handler() from PHP to hold information in your own manner.
7. User data
Any developer who uses PHP must ascertain that all user-centered data is valid in logic, size, and type. Sanitize the data before you use it in the system. PHP came up with filter_var that makes it easy to validate data. Filter_var performs data sanitization and data validation. In data validation, the function determines if the data is proper, and for data sanitization, it eliminates all illegal characters.
8. Proper handling of errors
You should know all the errors that occur as you develop your application. When end users can access the application, it is important to hide all errors. Any open error can make the site vulnerable to attacks. If you need to avoid this, configure your server differently. Turn off all display_start_up_errors, and display_errors. Ensure that log_errors and error-reporting are on, so you can identify them as you hide other errors from end users.
Understand that web application security is an endless process. All PHP developers should update themselves about all new forms of exploits, and new flaws. Ensure you do not trust user input, and guard your database and file system. Visit CGISecurity.Net, PHP Manual Security Section, OWASP, and The PHP Security Consortium for more guidance about PHP security.
Anything more to add? If you have suggestions about PHP security, share them in the comments section below!