110 likes | 327 Views
Techtic Solutions is a Website Design and Development company in India. 10 Tips for Building a Secure PHP Application share by our PHP developers. Feel free to share your reviews or feedback about these tips.
E N D
Tip 1: Use Proper Error Reporting/Handling • Set Below Code in PHP.ini file • Log_errors = On • Display_errors = Off • Set Below Code in Configuration file • define('DEBUG',true); • if(DEBUG ==true) • { • ini_set('display_errors','On'); • error_reporting(E_ALL); • } • else • { • ini_set('display_errors','Off'); • error_reporting(0); • } • The development process of the application can become very cumbersome when the errors are not handled properly. In other words if there are no error reports enabled then identifying the minor mistakes like spell checks, incorrect functions usage and many more mistakes can become very difficult. It is a great practice to enable error reporting before even starting the development process. Once the website goes live, just hide error reporting from displaying.
Tip 2: Validate Input • For Example,if Month value is not valid • if ( ! preg match( "/^[0-9]{1,2}$/", $_GET['month'] ) ) • { • echo “”; // handle error • } • The inputs that are coming from the users needs to be validated from server side as well as client side. The inputs come in the form of POST or GET. Always use regular expressions in validation to avoid blank entries in the database. • Check the ‘type’ of the data • Check range of numbers • Check length of strings • Check emails , urls , dates to be valid • Ensure that data does not contain un allowed characters.
Tip 3: Protecting Against Sql Injection • To perform your database queries, one should be using PHP Data Objects(PDO). With parameterized queries and prepared statements (Store Procedure), you can prevent SQL injection. • Take a look at the following example: <?php $sql = "SELECT * FROM users WHERE name=:name and age=:age"; $stmt = $db->prepare($sql); $stmt->execute(array(":name" => $name, ":age" => $age)); ?> • The code given above has two parameters named :name and :age. Prepare() is the method which informs the database engine to pre-compile the query and attach the values to the named parameters later. When execute() is called, the query is executed with the actual values of the named parameters. By coding this way, the attacker on the SQL wont be able to inject a malicious query because the queries are already precompiled and the database will not accept it. Hence a secure database can be achieved. • Mysql real escape string :- The mysql real escape string() function escapes special characters in a string for use in an SQL statement
Tip 4: Disable PHP’s Bad Features • Global Variables (Register Globals) • Using the PHP feature ‘Register Globals’ can hamper the objective of maintaining programming safety. As soon as this feature is activated in the PHP configuration file, even an uninitialized variable can lead to a damaging security flaw and the height is almost anyone can seize administrative control. To deal with this situation, disable Register Globals, ensure that you initialize variables as well as use localized variables too within the program. • If the application is running with register globals ON, a user could just place access=1 into a query string, and would then have access to whatever the script is running. • Unfortunately, we cannot disable register globals from the script side (using ini set, like we normally might), but we can use an .htaccess files to do this. • Set Below Code in .htaccessfile for disabling php flagregister globals 0 • Set Below Code in php.ini file (if you have access for the same) for disabling register_globals = Off
Tip 5: Protect Against XSS Attacks • Cross Site Scripting has to be protected in order to protect a very simple attack on the website. PHP Application which allows the user inputs may come across a situation where the user placed a malicious script as per the example below into your application. • Here is an example of what an XSS attacker might submit to an application: <script>window.location.href='http://www.bad-location.com';</script> • What the script means is, it will hijack every user who visits that output page and send them to an unwanted page. This type of attack can be eliminated by using proper techniques to validate user input data and not allowing specific types of data. • Few functions to filter/validate data : htmlentities() ,strip_tags () , utf8_decode (), htmlspecialchars() , ctype_digit() , ctype_alnum(), stripslashes() , str_replace()
Tip 6: Avoid Short tags Tip 7: Protect Against CSRF Attacks • CSRF stands for Cross Site Request Forgery. The attacker is the remote machine which is trying to access the cookies or some other means of a normal legitimate user. For example when the user is trying to comment on the website, the login information is primarily stored in the cookies and there is every possibility that the cookies can be accessed by remote server who is a malicious user. This is why it is imperative to use filters when requesting for random information. • Lets say a certain url in the application performs some database changes, • update_info.php?id=123 • delete_record.php?id=123 • <? and <?= are called short open tags, and are not always enabled. • PHP 5.3.0, they are disabled by default, however if they are enabled Set Below Code in PHP.ini file short_open_tag = Off • Your Application will not work if they are not enabled.
Tip 8: Securing the session • Regenerate Session ID ( function:— session_regenerate_id(); ) • Lock the user agent during a session • //Function to check if user is logged in or not • functioncheck_login_status() • { • if($_SESSION['logged'] == true and$_SESSION['old_user_agent'] == $_SERVER['HTTP_USER_AGENT']) • A hacker can setup a webpage with the following piece of code • <image(tag) source(tag)=”http://www.original-application.com/delete_record.php?id=123″ alt=”” /> • Ask the user to open this webpage. Now since the user is logged into the application the url will be triggered and whatever action necessary would be taken by the script.So basically a hacker has made the request through the user. This is “request forgery”. • Solution is to, enable the server to identify each request with a key/random value.
{returntrue;} returnfalse; } if(!check_login_status()) { logout(); } • Lock the IP of a session $user_agent= @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']); • Store sessions in database • By default sessions are stored in files. Many applications are hosted on shared hosting environments where the session files are saved to /tmp directory. This directory may be readable to other users as well. If unencrypted the session information will be plain text in the file : userName|s:5:”ngood”;accountNumber|s:9:”123456789″; • Store sessions in database. Sessions stored inside database are not visible like files. They are only available to the application using it.
Tip 9: Setup correct directory permissions Tip 10: Password Security • $salt = 'SUPER_SALTY'; • $hash = md5($password . $salt); • Original Source URL : http://www.techtic.com/blog/10-tips-for-building-a-secure-php-application/ • Directories should have proper permissions with regard to the need of being writable or not. Keep a separate directory for temp files, cache files and other resource files and mark them writable as needed. Also directories (like temp) which can contain resource files, or files with other information should be guarded well and be totally inaccessible to the outside web. • Use htaccess to block all access to such directories( deny from all )
Thank You Techtic Solutions PHP Development Company India Mail. info@techtic.com USA: +1 201-793-8324 UK: +44 117 2308324 AUS: +61 280 909 320