PHP is the most popular programming language for developing web applications but unfortunately it is hardly the most secure one. Some of the security issues stem from the language itself because PHP was designed to be easy and powerful rather than secure but many other issues stem from poor coding practices and neglect for basic security principles.
There are many ways in which you can (and should) make your PHP applications secure. Some of them are unique to the language, while others apply to almost any Web programming language. Here are some of the most important steps you can make in order to fix PHP vulnerabilities, so your site won’t get hacked easily.
Make SQL Injection Difficult
SQL Injection is a common PHP vulnerability and it is one of the most exploited programming mistakes. SQL injection attacks are possible when data is not checked and/or when characters used in SQL strings (i.e. single quotes (’) or double quotes (”)) are not escaped. This allows to execute SQL queries with malicious code from the user and the consequences can be really devastating.
Luckily, PHP offers some tools to make SQL injections more difficult. The first approach is to use mysql_real_escape_string and the second is to use Portable Data Objects (PDO). mysql_real_escape_string allows to prepend special characters, so that they are not sent directly to the MySQL database. You should use /mysql_real_escape_string on all input variables that are sent to the MySQL database.
The second approach – PDO – adds an abstraction layer and this way makes your code more secure. The role of PDO is to prepare a statement for execution and to return a statement object.
Check for Possible Cross-Site Scripting Vulnerabilities
Cross-Site Scripting (XSS) is another serious PHP vulnerability you can deal with relatively easily. XSS is possible when you have improperly escaped user input that is later output as HTML. In this case an attacker can insert arbitrary HTML code (including Javascript) and alter the normal behavior of the page. XSS is used for stealing data from users.
If in your code you use the htmlspecialchars() function to mark any output you do not want to be considered HTML output, it will be more difficult for an attacker to execute an XSS attack.
Don’t Forget File Inclusion
File inclusion attacks are the most dangerous type of PHP vulnerabilities because they allow an attacker to include a random file to be executed on your server. One of the reasons for this is that the register_globals directive is set to on and as a result unchecked input variables are used. If you are careful how you use include() functions in PHP, you can prevent this type of attacks. Some experts even recommend to trash include statements at once and use switch statements with hard coded strings instead.
Initialize Variables
If you are new to PHP but you are familiar with other programming languages, you might wonder why we give this recommendation. The reason is that unlike other languages, in PHP it is not mandatory to initialize variables before you use them. Yes, it might be easier to code in that manner but every uninitialized variable is a security risk. This is why you should always initialize your variables.
Make Sure That the register_globals Directive is OFF
We already mentioned that the register_globals directive is the main culprit for file inclusion attacks but it is not the evils this directive can do to you don’t end with file inclusion attacks. The directive itself is not a security risk but it is too easy to misuse and abuse and this is the reason why you should disable it.
If you are still using an old version of PHP, where the PHP directive register_globals is not set to OFF by default, you should immediately turn it off. This directive is removed from PHP 6, so you need to check for it only if you are using an earlier version.
Use Encryption
Encryption might not be related to PHP only but since your whole security collapses when confidential data is transferred in plain text over the Internet, this point belongs here. End-to-end encryption is best but if you have reasons not to do it, encrypt at least password exchanges and the transfer of sensitive data such as credit card numbers. When such sensitive data can be obtained by a hacker easily (because you left it unencrypted and every packet sniffer can capture it), this makes all your security obsolete. Why should somebody try to inject SQL or include files, when he or she could directly get the admin password you send in plain text over the Internet and do with your site whatever he or she wants?
Use Tools to Test Your PHP Code for Vulnerabilities
Following secure practices when coding is important but one more level of checks is never too much. While it is best to manually review your PHP code for errors, which could compromise the security of the site where the code is deployed, in practice this is virtually impossible to do.
Even if you had the time to manually test your PHP code, this is pointless to do because there are some great tools, which will help you find PHP vulnerabilities. Three of the best tools are PhpSecInfo, PHP Security Scanner, and Spike PHP Security Audit Tool. You can try them and see what they will report.
We wish we could say that if you follow the steps above, all PHP vulnerabilities will go away and your site will never be hacked. Unfortunately, this is not so. No matter what you do to fix vulnerabilities and protect your site, you can never be sure that there isn’t a single vulnerability through which your site will get hacked. However, if you don’t fix the known vulnerabilities, you are simply inviting hackers.
This is why, you should always keep an eye on possible vulnerabilities in PHP and outside it and fix them asap. If you want to learn more about PHP vulnerabilities and how to fix them, the PHP Security manual is a must read. Another good tutorial with lot of examples about common PHP vulnerabilities and how to fix them can be found here.
PHP hosting
Now a days web hosting companies are providing with PHP hosting packages, Its much similar to the usual hosting except with few additional features dedicated for PHP only. You can go through web hosting search where more info on PHP hosting has been provided.
Loading ...
