PHP Web Applications Security Steps
/ Thursday, August 6th, 2015 / Published in Blogs
PHP is one of the most popular programming languages for developing web applications and web services, but web development must ensure that the application cannot be hacked easily. So let's discuss some of the criteria that need to be taken care of when developing any application with PHP:
1. SQL Injection
MySQL is the most common database server used with PHP nowadays, so SQL injection must be guarded against whenever sensitive information is fetched from the database.
Let's use a common example. Many applications use the following common query when checking the login credentials a user entered into a form against the database:
The above does not look like it could harm the web app. But think about what happens when a user enters something like ' OR 1=1 # into the "username" input box of a login form and submits it.
Now the query that gets executed looks like this: SELECT username, password FROM users WHERE username = '' OR 1=1 #' and password = ''
In MySQL the # symbol starts a comment, so everything following it is ignored and never executed. As a result an attacker can log into the system without needing real credentials.
So, have a look at a solution:
which is a perfect solution for this type of attack.
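As an added example (not code from the original post), the login query pattern the text describes is shown below in its vulnerable string-concatenation form beside a prepared-statement fix. It assumes a PDO connection `$pdo` to a MySQL database and a `users` table with a `password_hash` column; those names are assumptions, not taken from the post.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection $pdo to a
// MySQL database with a `users` table holding `username` and `password_hash`.

// VULNERABLE: the user input is spliced straight into the SQL text. With the
// username "' OR 1=1 #" the statement becomes
//   SELECT username, password FROM users WHERE username = '' OR 1=1 #' and password = ''
// and the "#" comment marker discards the password check entirely.
function findUserUnsafe(PDO $pdo, string $username, string $password): ?array
{
    $sql = "SELECT username, password FROM users "
         . "WHERE username = '$username' and password = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// FIXED: a prepared statement. The input travels as a bound parameter and is never
// parsed as SQL, so "' OR 1=1 #" is looked up literally as a username. The password
// is checked with password_verify() against a stored hash instead of inside the query.
function findUserSafe(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT username, password_hash FROM users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;                       // unknown user or wrong password
    }
    unset($row['password_hash']);          // never hand the hash to callers
    return $row;
}

// Usage; the DSN and credentials are placeholders for your own settings.
// Disabling emulated prepares makes MySQL itself do the parameter binding.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'change-me',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$user = findUserSafe($pdo, "' OR 1=1 #", 'anything');   // null: no such user
```

The key point is that the safe version never builds SQL text from user input at all; escaping functions such as mysqli_real_escape_string() are a fallback, not a substitute, because they depend on the connection's character set being configured correctly.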
2. Cross Site Scripting (XSS) Attacks in User Input
However, if you do this then users cannot format their data, and formatting is a basic requirement in article and blog applications. So allowing a few selected HTML tags (without attributes) such as <strong> or <em> is the best way to deal with it.
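One way to implement exactly that allowlist, added here as an example and not part of the original post: escape everything with htmlspecialchars() first, then re-enable only the bare `<strong>` and `<em>` forms. Because only the attribute-free spelling of a tag is restored, a tag carrying an event-handler attribute stays escaped. The function name and the sample inputs are constructed for this example.

```php
<?php
// Added example, not from the original post. Escapes all user markup and then
// re-enables a small allowlist of attribute-free tags.

function renderUserHtml(string $input, array $allowedTags = ['strong', 'em']): string
{
    // Step 1: neutralise every tag and quote so nothing the user typed is parsed as HTML.
    $out = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: restore only the exact "<tag>" and "</tag>" spellings. A tag with
    // attributes, e.g. <strong onmouseover=...>, is not an exact match and so
    // remains escaped; the same goes for any tag outside the allowlist.
    foreach ($allowedTags as $tag) {
        $out = str_replace(
            ["&lt;{$tag}&gt;", "&lt;/{$tag}&gt;"],
            ["<{$tag}>", "</{$tag}>"],
            $out
        );
    }
    return $out;
}

// Constructed sample inputs: plain formatting, a script tag, and an allowed tag
// that smuggles an attribute. Only the first is rendered as real markup.
$samples = [
    'Hello <strong>world</strong> and <em>everyone</em>',
    '<script>document.title = "changed"</script>',
    '<em onmouseover="stealCookies()">hover me</em>',
];
foreach ($samples as $sample) {
    echo renderUserHtml($sample), "\n";
}
```

Run at output time, not at storage time: store what the user submitted and apply renderUserHtml() when building the page, so a later change to the allowlist does not require rewriting stored data. For richer formatting than two tags, a purpose-built HTML sanitizer library is the safer route than extending this string replacement.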
3. Global Variables
In PHP, "register_globals" is a php.ini option that automatically creates global variables from request input, so that once it is enabled the variables exist without being created explicitly.
Consider the following code:
However, if a server has the "register_globals" option set to On in its php.ini settings, then adding "?authorizedUserFlag=1" to the URL of the website can give anyone the access the application grants to a logged-in user for displaying information.
Fortunately, this can be prevented by setting "register_globals" to Off.
The second measure is to use only variables that are initialized at the beginning of the script, for example by adding "$authorizedUserFlag = 0;".
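The following page script, added here as an example and not taken from the original post, applies both measures: it refuses to run if the setting is on, and it initializes the flag before anything can read it. checkCredentials() is a hypothetical stand-in for the application's real login check, and the form field names are assumptions. Note that register_globals was removed from PHP in version 5.4, so on current interpreters only the initialize-first discipline still matters.

```php
<?php
// Added example, not from the original post. A top-level page script that
// initialises its authorisation flag before use. checkCredentials() is a
// hypothetical stand-in for the real login check.

// Defence in depth: refuse to run if the setting is somehow still on. On PHP 5.4
// and later the option no longer exists and ini_get() returns false.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    exit('Refusing to run with register_globals enabled');
}

function checkCredentials(string $user, string $pass): bool
{
    // Hypothetical fixture; real code would use a prepared statement and
    // password_verify() as in the SQL injection section.
    return $user === 'demo' && $pass === 'demo-password';
}

// 1. Initialise the flag unconditionally. This is the line the vulnerable pattern
//    lacks: there the variable only comes into existence after a successful login,
//    so with register_globals=On the request ?authorizedUserFlag=1 could create it.
$authorizedUserFlag = 0;

// 2. Read request input only through the superglobals, never via "magic" globals.
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (checkCredentials($user, $pass)) {
    $authorizedUserFlag = 1;
}

// 3. Compare strictly: a string "1" arriving from the query string would not
//    equal the integer 1, which adds a second layer on top of the initialisation.
if ($authorizedUserFlag === 1) {
    echo 'confidential report';
} else {
    echo 'access denied';
}
```

The same rule generalises beyond this one flag: every variable a script reads should have been assigned by the script itself before the first read, so that no request parameter can ever supply its initial value.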
4. Error Reporting
Error messages are useful for developers when fixing bugs in a web application, but for attackers they might reveal information about the application such as its folder structure and database server credentials.
The best way to prevent this is to always turn off error reporting in a production environment by setting "error_reporting" to "0" in the .htaccess or php.ini file. In a development environment, developers can turn it on in order to fix bugs.
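As an added example (not from the original post), here is a bootstrap file included at the top of every script that switches the error settings on the environment. In production it goes one step beyond the post's "error_reporting = 0": errors are hidden from the client by turning off display_errors, but are still written to a log so developers do not lose the diagnostics. The APP_ENV variable and the log path are assumptions.

```php
<?php
// Added example, not from the original post. Environment-dependent error settings.
// APP_ENV is assumed to be set by the deployment; the log path is a placeholder.

$env = getenv('APP_ENV') ?: 'production';   // unknown environment => safe default

if ($env === 'production') {
    // Nothing reaches the browser, but everything reaches the log.
    ini_set('display_errors', '0');
    ini_set('display_startup_errors', '0');
    ini_set('log_errors', '1');
    ini_set('error_log', '/var/log/php/app-errors.log');   // placeholder path
    error_reporting(E_ALL);
    // The post's stricter setting would be error_reporting(0); note that it also
    // silences the log, so nothing is recorded for later debugging.

    // Uncaught exceptions would otherwise print a stack trace: replace it with a
    // generic response and log the real detail.
    set_exception_handler(function (Throwable $e): void {
        error_log(sprintf('Unhandled %s: %s in %s:%d',
            get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
        http_response_code(500);
        echo 'An internal error occurred.';
    });
} else {
    // Development: show everything so bugs are easy to find.
    ini_set('display_errors', '1');
    ini_set('display_startup_errors', '1');
    error_reporting(E_ALL);
}
```

When PHP runs as an Apache module the same production values can be set in .htaccess with php_flag display_errors off and php_flag log_errors on; under PHP-FPM use the pool's php_admin_value directives or php.ini itself, since .htaccess PHP directives are ignored there.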
5. Validate everything that the application accepts on the server side
All input data received by an application is suspicious, even data received from a third-party API, so it is best practice to perform server-side validation of the input data received from the application's users.
Before any input data is written to a database, or returned for display on the website, programmers must implement server-side validation.
Also, when data is stored in the session or in cookies on the server or client side, the data must be validated again when it is accessed for use.
Also, the filter_var() and filter_input() functions should be used to validate variables and external variables (e.g. form input) respectively.
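The example below, added here and not part of the original post, validates a constructed registration form with filter_var(), shows the equivalent filter_input() call for a live request, and re-validates a value read back from the session as the text recommends. The field names, the allowed roles and the sample values are constructed for this example.

```php
<?php
// Added example, not from the original post. Server-side validation with the
// filter extension; field names and accepted values are assumptions.

function validateRegistration(array $input): array
{
    $errors = [];
    $clean  = [];

    // E-mail: the validator returns the value on success and false on failure.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    // Integer with a permitted range; "17abc", "" and "1e3" are all rejected.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // URL: FILTER_VALIDATE_URL accepts any scheme, so restrict it explicitly.
    $site = filter_var($input['website'] ?? '', FILTER_VALIDATE_URL);
    if ($site === false
        || !in_array(parse_url($site, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['website'] = 'website must be an http(s) URL';
    } else {
        $clean['website'] = $site;
    }

    // Free text: no built-in validator fits, so enforce length and reject control
    // characters here; escape it again at output time (see the XSS section).
    $name = trim((string) ($input['display_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 50 || preg_match('/[\x00-\x1F\x7F]/', $name)) {
        $errors['display_name'] = 'display name must be 1-50 printable characters';
    } else {
        $clean['display_name'] = $name;
    }

    return ['ok' => $errors === [], 'clean' => $clean, 'errors' => $errors];
}

// Session data is re-validated on every read: a role written earlier must still
// be one the application knows, otherwise fall back to the least privilege.
function currentRole(array $session): string
{
    $role = $session['role'] ?? 'guest';
    return in_array($role, ['guest', 'user', 'admin'], true) ? $role : 'guest';
}

// For a real request, filter_input() reads the raw superglobal directly:
//   $email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
// Constructed sample input for offline use: two fields valid, two invalid.
$result = validateRegistration([
    'email'        => 'alice@example.com',
    'age'          => '17',
    'website'      => 'ftp://files.example.com/',
    'display_name' => "Alice\x00",
]);
print_r($result);
echo currentRole(['role' => 'superuser']), "\n";
```

Validation returns a separate cleaned array rather than mutating the input, so later code only ever touches values that passed a check, and an accidental read of the raw request data is easy to spot in review.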
So finally we can say that if web applications are developed with care for the above security steps, and for some others such as preventing Cross Site Request Forgery (CSRF) attacks, protecting the file system, securing the PHP server settings and limiting script functionality, we can easily prevent attacks from hackers.