Menu
  • Set Below Code in PHP.ini file.
    Log_errors = On
    Display_errors = Off
  • Set Below Code in Configuration file.
    define('DEBUG',true);
    if(DEBUG ==true)
    {
    ini_set('display_errors','On');
    error_reporting(E_ALL);
    }
    else
    {
    ini_set('display_errors','Off');
    error_reporting(0);
    }

Tip 2: Validate Input

  • The inputs that are coming from the users needs to be validated from server side as well as client side. The inputs come in the form of POST or GET. Always use regular expressions in validation to avoid blank entries in the database.
  • Check the ‘type’ of the data
  • Check range of numbers
  • Check length of strings
  • Check emails , urls , dates to be valid
  • Ensure that data does not contain unallowed characters.

For Example,if Month value is not valid

if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['month'] ) )
{
echo “”; // handle error
}

Tip 3: Protecting Against Sql Injection

  • To perform your database queries, one should be using PHP Data Objects(PDO). With parameterized queries and prepared statements (Store Procedure), you can prevent SQL injection.
  • Take a look at the following example:

    <?php
    $sql = "SELECT * FROM users WHERE name=:name and age=:age";
    $stmt = $db->prepare($sql);
    $stmt->execute(array(":name" => $name, ":age" => $age));  ?>
    
  • The code given above has two parameters named :name and :age. Prepare() is the method which informs the database engine to pre-compile the query and attach the values to the named parameters later. When execute() is called, the query is executed with the actual values of the named parameters. By coding this way, the attacker on the SQL wont be able to inject a malicious query because the queries are already precompiled and the database will not accept it. Hence a secure database can be achieved.
  • mysql_real_escape_string :- The mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement

Tip 4: Disable PHP’s Bad Features

  • Global Variables (Register Globals)
  • Using the PHP feature ‘Register Globals’ can hamper the objective of maintaining programming safety. As soon as this feature is activated in the PHP configuration file, even an uninitialized variable can lead to a damaging security flaw and the height is almost anyone can seize administrative control. To deal with this situation, disable Register Globals, ensure that you initialize variables as well as use localized variables too within the program.
  • If the application is running with register_globals ON, a user could just place access=1 into a query string, and would then have access to whatever the script is running.
  • Unfortunately, we cannot disable register_globals from the script side (using ini_set, like we normally might), but we can use an .htaccess files to do this.
  • Set Below Code in .htaccessfile for disabling.
    php_flagregister_globals 0
  • Set Below Code in php.ini file (if you have access for the same) for disabling.
    register_globals = Off

Tip 5: Protect Against XSS Attacks

  • Cross Site Scripting has to be protected in order to protect a very simple attack on the website. PHP Application which allows the user inputs may come across a situation where the user placed a malicious script as per the example below into your application.
  • Here is an example of what an XSS attacker might submit to an application:
    <script>window.location.href='http://www.bad-location.com';</script>
  • What the script means is, it will hijack every user who visits that output page and send them to an unwanted page. This type of attack can be eliminated by using proper techniques to validate user input data and not allowing specific types of data.
  • Few functions to filter/validate data :
    htmlentities() ,strip_tags () , utf8_decode (), htmlspecialchars() , ctype_digit() , ctype_alnum(),
    stripslashes() , str_replace()

Tip 6: Avoid Short tags

  • <? and <?= are called short open tags, and are not always enabled.
  • PHP 5.3.0, they are disabled by default, however if they are enabled Set Below Code in PHP.ini file.
    short_open_tag = Off
  • Your Application will not work if they are not enabled.

Tip 7:Protect Against CSRF Attacks

  • CSRF stands for Cross Site Request Forgery. The attacker is the remote machine which is trying to access the cookies or some other means of a normal legitimate user. For example when the user is trying to comment on the website, the login information is primarily stored in the cookies and there is every possibility that the cookies can be accessed by remote server who is a malicious user. This is why it is imperative to use filters when requesting for random information.
  • Lets say a certain url in the application performs some database changes,
    update_info.php?id=123
    delete_record.php?id=123
  • A hacker can setup a webpage with the following piece of code
    <image(tag) source(tag)=”http://www.original-application.com/delete_record.php?id=123″ alt=”” />
  • Ask the user to open this webpage. Now since the user is logged into the application the url will be triggered and whatever action necessary would be taken by the script.So basically a hacker has made the request through the user. This is “request forgery”.
  • Solution is to, enable the server to identify each request with a key/random value.

Tip 8:Securing the session

  • Regenerate Session ID ( function:— session_regenerate_id(); )
  • Lock the user agent during a session
    //Function to check if user is logged in or not

    functioncheck_login_status()
    {
    if($_SESSION['logged'] == true and$_SESSION['old_user_agent'] == $_SERVER['HTTP_USER_AGENT'])
    {returntrue;}
    returnfalse;
    }
    if(!check_login_status()){ logout();}
  • Lock the IP of a session
    $user_agent= @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']);
  • Store sessions in database
  • By default sessions are stored in files. Many applications are hosted on shared hosting environments where the session files are saved to /tmp directory. This directory may be readable to other users as well. If unencrypted the session information will be plain text in the file :
    userName|s:5:”ngood”;accountNumber|s:9:”123456789″;
  • Store sessions in database. Sessions stored inside database are not visible like files. They are only available to the application using it.

Tip 9:Setup correct directory permissions

  • Directories should have proper permissions with regard to the need of being writable or not. Keep a separate directory for temp files, cache files and other resource files and mark them writable as needed. Also directories (like temp) which can contain resource files, or files with other information should be guarded well and be totally inaccessible to the outside web.
  • Use htaccess to block all access to such directories( deny from all )

Tip 10:Password Security

  • $salt = 'SUPER_SALTY';
    $hash = md5($password . $salt);

     

Nisarg Mehta Nisarg Mehta

Nisarg Mehta, CEO & Chairman of Techtic Solutions, is the vision of the company. Nisarg is active in operations in his daily routine as he is one of the key decision makers in terms of technological advancements of the company. He is a friendly leader with hardworking, motivating, visionary and passionate personality.

Join over 10,000 people who
love best articles, and tips.

Relevant Blog

Why Building Travel MVP Makes More Business Sense
Shreyansh Shah

Why Building Travel MVP Makes More Business Sense

Published on Jul 10, 2019 by Shreyansh Shah

Travel has always been one of the booming industries, thanks to the never-ending quench of travel enthusiasts, Leisure travel is also considered to be one […]

Read More
Start A Project

Let's Start With Discovery Session!

Please share your contact information, for us to connect with you and offer you a free discovery session about your digital product.