PHP is the most popular programming language for developing web applications but unfortunately it is hardly the most secure one. Some of the security issues stem from the language itself because PHP was designed to be easy and powerful rather than secure but many other issues stem from poor coding practices and neglect for basic security principles.

There are many ways in which you can (and should) make your PHP applications secure. Some of them are unique to the language, while others apply to almost any Web programming language. Here are some of the most important steps you can make in order to fix PHP vulnerabilities, so your site won’t get hacked easily.

Make SQL Injection Difficult

SQL Injection is a common PHP vulnerability and it is one of the most exploited programming mistakes. SQL injection attacks are possible when data is not checked and/or when characters used in SQL strings (i.e. single quotes (’) or double quotes (”)) are not escaped. This allows to execute SQL queries with malicious code from the user and the consequences can be really devastating.

Luckily, PHP offers some tools to make SQL injections more difficult. The first approach is to use mysql_real_escape_string and the second is to use Portable Data Objects (PDO). mysql_real_escape_string allows to prepend special characters, so that they are not sent directly to the MySQL database. You should use /mysql_real_escape_string on all input variables that are sent to the MySQL database.

The second approach – PDO – adds an abstraction layer and this way makes your code more secure. The role of PDO is to prepare a statement for execution and to return a statement object. Read more…

• No Related Post