
PHP Web Applications Security Steps

by Attune World Wide
PHP is one of the most popular programming languages for developing web applications and web services, but web development must also ensure that the application cannot be compromised easily. So let's discuss some of the criteria that need to be taken care of when developing any application with PHP:
1. SQL Injection
MySQL is the most common database server used with PHP today, so SQL injection has to be considered whenever sensitive information is fetched from the database.
Let's use a common example. Many applications use a query like the following to check the login credentials a user has entered into a form against the database:
The above does not look as though it could harm the web app. But consider what happens when a user enters something like ' OR 1=1 # into the "username" input box of a login form and submits it.
Now the query that is executed looks like this: SELECT username, password FROM users WHERE username = '' OR 1=1 #' and password = ''
In MySQL the # symbol starts a comment, so everything following it is ignored rather than executed. The WHERE clause is therefore always true, and an attacker can log into the system without needing real credentials.
So, have a look at a solution:
which is a reliable fix for this type of attack.
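The login check rewritten with a PDO prepared statement, as an added example that is not code from the original post. The vulnerable function shows the concatenation pattern the post describes; the safe function binds the username as a parameter and compares the password with password_verify(). The users table is assumed to store a password_hash column rather than the post's plaintext password column, and the demo runs on an in-memory SQLite database so that it works without a MySQL server.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post). Assumes a "users" table
// with columns username and password_hash; the hash column is an assumption,
// the post's table stores username and password in the clear.

// VULNERABLE: the user-supplied strings become part of the SQL text, so the
// post's ' OR 1=1 # input rewrites the WHERE clause and comments out the rest.
function loginVulnerable(PDO $db, string $username, string $password): bool
{
    $sql = "SELECT username, password FROM users "
         . "WHERE username = '$username' AND password = '$password'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// SAFE: a prepared statement sends the SQL and the values separately, so the
// input is always treated as data, never as part of the query. The password
// is checked with password_verify() against a password_hash() value instead
// of being compared inside SQL.
function loginSafe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Demo on an in-memory SQLite database so it runs without a MySQL server.
// When connecting to MySQL, also pass PDO::ATTR_EMULATE_PREPARES => false so
// that the database server, not the client library, performs the binding.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)')
   ->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed login attempts: valid, wrong password, and the post's payload.
foreach ([['alice', 'correct horse'], ['alice', 'wrong'], ["' OR 1=1 #", '']] as [$u, $p]) {
    // The injection string is looked up as a literal username, matches no row
    // and is rejected; it never reaches the SQL parser as syntax.
    printf("%-15s -> %s\n", json_encode($u), loginSafe($db, $u, $p) ? 'logged in' : 'rejected');
}
```

Run it with `php login.php`; loginVulnerable() is included only for comparison and is not called.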
2. Cross Site Scripting (XSS) Attacks in User Input
A web application usually accepts input from users and displays it. Some web applications include modules such as comments, messages, articles, blog posts and forum threads that need an HTML-editable input field. Allowing HTML in an input field makes the application easy for attackers to abuse, because it allows JavaScript to be executed in unintended ways: the script runs in other users' browsers and their cookies can be hijacked.
A developer might think the solution is to disallow HTML altogether, since then there is no way to include any JavaScript code.
However, if you do this then users cannot format their content, and formatting is a basic requirement in article and blog applications. So allowing a few selected HTML tags (without attributes), such as <strong> or <em>, is the best way to deal with it.
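One way to implement the "selected tags without attributes" rule, as an added example that is not code from the original post: escape the whole input with htmlspecialchars() and then restore only the exact bare tokens `<tag>` and `</tag>` for an assumed allowlist. Because the restore step matches no attributes, an `onclick` or similar can never come back, and `<script>` stays escaped.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post). The allowlist below is
// an assumption; adjust it to the formatting the application actually needs.
const ALLOWED_TAGS = ['strong', 'em', 'p', 'br'];

function renderUserHtml(string $input): string
{
    // Step 1: neutralise everything. ENT_QUOTES also escapes ' and ", which
    // matters if the output ever lands inside an attribute value.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: restore allowlisted opening/closing tags only when they carry
    // no attributes. "&lt;strong onclick=..." does not match and stays inert.
    foreach (ALLOWED_TAGS as $tag) {
        $safe = preg_replace(
            '#&lt;(/?)' . preg_quote($tag, '#') . '\s*/?&gt;#i',
            '<${1}' . $tag . '>',
            $safe
        );
    }
    return $safe;
}

// Constructed sample inputs: legitimate formatting, a tag carrying an event
// attribute, and a script block.
$samples = [
    'I <strong>really</strong> like <em>this</em> post.',
    '<strong onclick="alert(document.cookie)">click me</strong>',
    '<script>alert(document.cookie)</script>',
];
foreach ($samples as $s) {
    echo renderUserHtml($s), "\n";
}
```

The second sample keeps its closing `</strong>` but its opening tag stays escaped, so the browser renders the attribute as plain text. Escaping first and re-enabling second is deliberate: strip_tags() with an allow list keeps attributes on the allowed tags, which is exactly what this rule is meant to prevent.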
3. Global Variables
In PHP, "register_globals" is an option, enabled from php.ini, that turns request parameters into global variables automatically: once it is on, those variables exist without being created explicitly in the script.
Consider the following code:
However, if a server has the "register_globals" option set to on in its php.ini settings, then adding "?authorizedUserFlag=1" to the URL of the website can give anyone the access the application grants to a particular logged-in user.
Fortunately, this can be prevented by setting "register_globals" to off (the option was deprecated in PHP 5.3 and removed in PHP 5.4, so it no longer exists in current versions).
The second measure is to make sure that only variables initialised at the beginning of the script are used, for example by adding $authorizedUserFlag = 0; before any code that tests the flag.
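The two patterns side by side, as an added example that is not code from the original post. Both functions take the session and request as plain arrays so the file can be run from the command line; in the application they would be $_SESSION and $_GET. The unsafe version uses extract() to reproduce what register_globals did, since modern PHP no longer has the option.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post). Session/request arrays
// are constructed here so the functions can be run without a web server.

// Pattern the post warns about: the flag is only ever set on success and is
// never initialised, so anything that turns request parameters into local
// variables (register_globals then, extract() or $$name now) lets the client
// supply it.
function authorizeRequestUnsafe(array $session, array $request): bool
{
    extract($request);                      // reproduces register_globals behaviour
    if (isset($session['user_id'])) {
        $authorizedUserFlag = 1;
    }
    return !empty($authorizedUserFlag);     // a request value can stand in for the flag
}

// Hardened version: initialise the flag, derive it only from server-side
// state, and never let request data become variables.
function authorizeRequest(array $session, array $request): bool
{
    $authorizedUserFlag = 0;                // always initialised

    if (isset($session['user_id']) && is_int($session['user_id'])) {
        $authorizedUserFlag = 1;
    }

    if (isset($request['authorizedUserFlag'])) {
        // Defensive logging only; the value itself is ignored.
        error_log('ignored client-supplied authorizedUserFlag');
    }
    return $authorizedUserFlag === 1;
}

// Constructed cases: the post's ?authorizedUserFlag=1 trick with no session,
// and a genuine logged-in session.
$anonymousWithTrick = ['authorizedUserFlag' => '1'];
$loggedIn = ['user_id' => 42];

var_dump(authorizeRequestUnsafe([], $anonymousWithTrick));   // flag comes from the request
var_dump(authorizeRequest([], $anonymousWithTrick));         // request value ignored
var_dump(authorizeRequest($loggedIn, []));                   // session decides
```

Treat extract($_GET), extract($_POST) and $$name assignments from request keys as the modern spelling of the same mistake; the initialisation rule in the post is what makes the code safe regardless of which mechanism is in play.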
4. Error Reporting
Error messages are useful for developers to solve bugs in a web application, but for attackers they may reveal information about an application such as its folder structure and database server credentials.
The best way to prevent this is to turn off error reporting in a production environment by setting "error_reporting" to "0" in the .htaccess or php.ini file. In a development environment, developers can turn it on in order to fix bugs.
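An environment-dependent bootstrap that applies this rule at runtime, as an added example that is not code from the original post. It assumes the deployment sets an APP_ENV environment variable and that the log path is writable by PHP and not served by the web server (both assumptions). It goes one step beyond the post: with display_errors off nothing reaches the browser, so reporting can stay on and be routed to a private log instead of being set to 0, which keeps the evidence needed to investigate an incident.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post). APP_ENV and the log
// path are assumptions about the deployment.

function configureErrorReporting(string $env): void
{
    if ($env === 'production') {
        // Nothing reaches the browser: no paths, SQL fragments or credentials.
        ini_set('display_errors', '0');
        ini_set('display_startup_errors', '0');

        // The post sets error_reporting to 0. Keeping reporting on but sending
        // it to a private log gives the same zero client-visible output while
        // preserving the detail an investigation needs.
        error_reporting(E_ALL);
        ini_set('log_errors', '1');
        ini_set('error_log', '/var/log/php/app-error.log');   // assumed path

        // Uncaught exceptions would otherwise render a stack trace; replace
        // that with a generic response and log the full detail.
        set_exception_handler(function (Throwable $e): void {
            error_log((string) $e);
            http_response_code(500);
            echo 'An internal error occurred.';
        });
    } else {
        // Development: show everything so bugs are easy to find.
        ini_set('display_errors', '1');
        ini_set('display_startup_errors', '1');
        error_reporting(E_ALL);
    }
}

// Default to the production settings when the variable is missing, so a
// misconfigured host fails closed rather than open.
configureErrorReporting(getenv('APP_ENV') ?: 'production');
```

The same production settings can be fixed in php.ini (`display_errors = Off`, `log_errors = On`) or, under mod_php, in .htaccess with `php_flag display_errors Off`; doing it in configuration means a script cannot forget to call the bootstrap.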
5. Validate everything that application accepts at server side
All input data received by an application is suspect, even data received from a third-party API, so server-side validation of the data received from application users is best practice.
Before any input data is written to a database, or returned for display on the website, server-side validation must be implemented by the programmer.
Likewise, when data is stored in a session on the server or in a cookie on the client, it must be validated again at the point where it is read and used.
The filter_var() and filter_input() functions should be used to validate variables and external variables (e.g. form input) respectively.
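Validation with the filter extension for the points above, as an added example that is not code from the original post. The registration form fields (email, age, website) are constructed for the demo; filter_var_array() runs the filter definition against any array so the code can be exercised from the command line, and in the real request handler the same definition is passed to filter_input_array(INPUT_POST, ...) so the values come straight from the external source. A second helper re-validates a session value when it is read.

```php
<?php
declare(strict_types=1);

// Added example (not code from the original post). The field names and
// ranges are assumptions for the demo.
const REGISTRATION_FILTERS = [
    'email'   => FILTER_VALIDATE_EMAIL,
    'age'     => ['filter'  => FILTER_VALIDATE_INT,
                  'options' => ['min_range' => 13, 'max_range' => 120]],
    'website' => FILTER_VALIDATE_URL,
];

/** Returns [cleanValues, namesOfInvalidFields]. */
function validateRegistration(array $source): array
{
    // In the request handler: filter_input_array(INPUT_POST, REGISTRATION_FILTERS)
    $result = filter_var_array($source, REGISTRATION_FILTERS);
    $clean  = [];
    $errors = [];
    foreach ($result as $field => $value) {
        // null: field missing from the input; false: present but invalid.
        if ($value === null || $value === false) {
            $errors[] = $field;
            continue;
        }
        $clean[$field] = $value;   // typed value, e.g. int for age
    }
    // FILTER_VALIDATE_URL accepts any scheme, so restrict it explicitly
    // before the value is ever echoed into a link.
    if (isset($clean['website'])
        && !in_array(parse_url($clean['website'], PHP_URL_SCHEME), ['http', 'https'], true)) {
        unset($clean['website']);
        $errors[] = 'website';
    }
    return [$clean, $errors];
}

/** Session data is validated again at the point of use, as the post recommends. */
function sessionUserId(array $session): ?int
{
    $id = filter_var($session['user_id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed inputs: one valid submission and one that fails every field.
[$clean, $errors] = validateRegistration([
    'email' => 'alice@example.com', 'age' => '30', 'website' => 'https://example.com',
]);
print_r(['clean' => $clean, 'errors' => $errors]);

[$clean, $errors] = validateRegistration([
    'email' => 'not an address', 'age' => '7', 'website' => 'ftp://example.com',
]);
print_r(['clean' => $clean, 'errors' => $errors]);

// Session values are strings after deserialisation; validate before trusting.
var_dump(sessionUserId(['user_id' => '42']), sessionUserId(['user_id' => 'abc']));
```

Validation decides whether a value is acceptable; it does not replace the output encoding from the XSS section or the parameter binding from the SQL injection section, which are applied at the point where the value is used.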
So finally we can say that if web applications are developed with the above security steps in mind, plus some others such as prevention against Cross Site Request Forgery (CSRF) attacks, protection of the file system, securing PHP server settings and limiting script functionality, we can prevent attacks from hackers much more easily.
