• Vizteck Author

Tips for Creating Secure PHP Applications

Updated: May 13, 2020

To have a secure PHP application, one should use a proper error reporting application. When error reporting is used during app development, it helps find spelling mistakes in the variables, detect incorrect function usage, and many other errors. Before the site goes live, it is better to hide the error reporting application because it contains information like the software installed, the installed folder, and other sensitive information which is visible to the audience.


Cross Site Scripting (XSS) Attacks in User Input

Most applications allow users to submit their input. Once submitted, these can be displayed on the web as comments, threads or blog posts in HTML code form. Accepting HTML input is dangerous as it can execute JavaScript to create havoc in the app. If one hole is left open, cookies could also be hijacked. Hijacking the cookie will allow access to a real account, through which data can be copied and illegally used. To prevent from such attacks HTML can be blocked from addition. Doing this will affect formatting, which won’t suit forums or blogs.

Protecting against SQL Injection

SQL injection is the most common security attack. It occurs when data goes unchecked, and the app isn’t able to escape characters used in SQL strings such as single quotes or double quotes. It is important to protect them otherwise users will be able to exploit by making queries always true thereby tricking the login systems.

prepare($sql);$stmt->execute (array("uname" => $name, "uage" => $age));?>

Protecting Session Data

Session information gets saved to a temp directory. If you are using a shared hosting server, a hacker can write a script and read the session data. Sensitive information like passwords or credit card numbers should never be saved in a session. Encrypting the information stored in the session helps to safeguard it. This makes the data unreadable, but doesn’t solve the problem.

Validate Input

Input validation is a great way to protect data. Most of the time, it is known what the range of the input data will be. Validating the input will allow only certain data to be input. For example, if a birthday app is created, month should be accepted as a digit between 1-12, day between 1-31, and year in YYYY format.

if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['newmonth'] ) ){ // handle error}if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['newday'] ) ){ // handle error}if ( ! preg_match( "/^[0-9]{4}$/", $_GET['newyear'] ) ){ // handle error}

Output Filtering

Output filtering is also important. Avoiding the wrong output characters will help prevent page rendering breakage. This also blocks JavaScript attacks injected by malicious users. The following functions are helpful for cleaning up text:

htmlspecialchars(): It converts the special HTML characters into entitieshtmlentities(): It converts all the possible characters into HTML entitiesstrip_tags(): It removes all the HTML tags used in a string

Use POST for Dangerous Actions

The two most common methods to send data to a PHP application are ‘GET’ and ‘POST’. ‘GET’ adds variables at the end of URL’s like http://www.myfirstexample.com/process.php?action=delete&id=12345. ‘POST’ sends variables in the body of the request which aren’t visible to the user. ‘POST’ is perfect for use in a potentially dangerous action like deleting since ‘GET’ allows easy access to a URL.

img src="http://www.myfirstexample.com/process.php?action=delete&id=12345" alt="" />

#Programming #Safety

13 views0 comments