Currently PHP is one of the most popular programming languages for the web. But like other scripting languages, PHP also has few security holes that can make our application insecure. In this tutorial, we will take a look at useful tips to help you avoid some common PHP security problems.
Tip 1: Use Proper Error Reporting
During development we often forget to make error reporting on which means weak levels of error reporting in development environments, which is unfortunate, because proper error reporting is not only one of the best debugging tools available to a developer, but also an excellent way to reveal significant security flaws in code before they become a threat in the real world.
There are many ways to enable error reporting. you can enable error reporting from inside the configuration file php.ini or you can set it at runtime.
Enabling Error Reporting
Disabling Error Reporting
Tip 2: Disable PHP’s weak Features
There are few PHP’s features that’s need to be set OFF. These features are exists in PHP4 applications and are only deprecated in PHP5 applications. But finally removed in the upcoming PHP6.
Register Globals (register_globals)
Actaully when register_globals is set to ON. it registers Environment, GET, POST, COOKIE or Server variables as global variables. you don’t need to write $_POST['username'] to access the posted ‘username’ variable you can simply use ‘$username’ to access the $_POST['username'].
Now you will be thinking that making register_globals on is easy for us why not to use? Yes it is easy for you but it creates many security hole in your application and also creates the conflicts between variables.
Below is the common example you will see in PHP scripts:
- if( !empty( $_POST['username'] ) && $_POST['username'] == ‘test123′ && !empty( $_POST['password'] ) && $_POST['password'] == “pass123″ )
- $access = true;
If the application is running with register_globals ON, a user could just place access=1 into a query string, and would then have access to whatever the script is running.
Register Globals Disabling with .htaccess
Disabling with php.ini
Disable Magic Quotes like magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase
Magic Quotes is a feature meant to save programmers the trouble of using addslashes() and other similar security features in their code. But It is recommended that you disable this
feature and use proper variable validation instead
Disabling with .htaccess
Disabling with php.ini
- magic_quotes_gpc = Off
- magic_quotes_runtime = Off
- magic_quotes_sybase = Off
Tip 3: Validate User Input
You can also validate user input. you actually already
know what kind of data you are expecting on input. So the simplest way
to protect yourself against attacks is to make sure your users can only
enter the appropriate data.
Tip 4: Avoid Cross Site Scripting Attacks in User Input
Tip 5: Protect you database against SQL Injection
SQL injection is a well know security attacks on the web. Actually SQL injection attacks occur when data goes unchecked and the application does not escape characters used in SQL strings such as single quotes (‘) or double quotes (“).
But PHP offers few tool to help protect your database input. when you connect with database, you can use these functions. The mysqli_real_escape_string function is used when connected to the database.
- $username = mysqli_real_escape_string( $GET['username'] );
- mysql_query( “SELECT * FROM tbl_employee WHERE username = ’”.$username.“‘”);
In this brief note, I have just explain few major security hole that we often ignore in PHP Application development. But it is totally up to the developer that they make themesleves aware about web security and most common attacks. Hope it will be helpful for you. Please don’t forget to share your useful comments with us. Thanks!