PHP is one of the most popular programming languages for the web. It helps developers build polished applications and set new benchmarks in mobile and web development. However, the biggest concern when developing a PHP application is security, which makes building a secure PHP application a major challenge, especially for beginners. In this article, we provide 3 major tips that help you avoid some common PHP security pitfalls during development.
Tip 1: Appropriate error reporting is a must
Application error reporting is very helpful during the development process. Error reports do not just help you find spelling mistakes in variable names but also catch incorrect function usage.
However, once the website goes live, the same reporting that helped you during development can turn against the security of your application by telling users much more about your website than you want them to know (for example, information about the software being run, the folder structure, and so on). Before the website goes live, you should make sure that such errors are no longer displayed, so that this sensitive information stays under cover. This takes only a couple of lines of configuration in our application.
We still want to know about any errors that do occur after going live. So we need to ensure that all our errors are logged to a protected file, which can be done with the PHP function set_error_handler.
Tip 2: It is advisable to disable PHP’s features no longer in use
From the early days of PHP, its designers regularly included features that were intended to make development easier. Or at least they thought they would! Some of these supposedly helpful features turned out to have undesirable consequences. We call them “bad features” because they bypass data validation and create a pathway for bugs to find their way into scripts. This is why we suggest disabling some of these features as one of the first things you do when beginning development.
Note: Depending on your host, these features may or may not already be turned off for your website. If you are developing on your own computer or a similar local environment, they probably won’t be turned off. Some of these features have been eliminated in PHP6, but they are still present in PHP4 applications and are deprecated from PHP5 onwards.
Register Globals (register_globals)
‘register_globals’ was basically meant to help rapid application development involving a query string. With ‘register_globals’ on, the value can be accessed as $var instead of $_GET['var'] automatically. This might sound useful, but unfortunately every variable in the code now has this property, so it is easy to get into PHP applications that do not protect against this undesirable consequence. The code snippet below is just one common pattern seen in PHP scripts:
// $access is never initialised before this check, so with register_globals on
// the request itself can set it (e.g. ?access=1) and the check is bypassed.
if( !empty( $_POST['username'] ) && $_POST['username'] == 'test' && !empty( $_POST['password'] ) && $_POST['password'] == "test123" )
    $access = true;
If the application is running with register_globals ON, a user could just place access=1 into the query string and would then have access to whatever the script protects. While it is not possible to disable register_globals from the script side (using ini_set, as in the normal case), an .htaccess file can be used to do this. Apart from that, some hosts also allow us to have a php.ini file on the server to do this.
Disabling with .htaccess
php_flag register_globals 0
Disabling with php.ini
register_globals = Off
It should be noted that if we plan to use a custom php.ini file that does not apply to the entire server, we must include these declarations in every sub folder that contains PHP.
Tip 3: Keep an eye on the Cross Site Scripting (XSS) Attacks in User Input
To resolve this issue, you can have HTML mostly disabled while still allowing some simple formatting. This can be achieved by permitting just a select few HTML tags (without attributes), for example the “strong” tag or the “em” tag. Alternatively, support a few popular “BBCode” or “BB Tags” as commonly written on forums, in the form [b]test[/b]. BBCode can be implemented using pre-existing packages like HTML_BBCodeParser or by writing our own BBCode implementation with regular expressions and a series of ‘preg_replace’ statements.
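The following is an added example, not code from the original article, of the escape-first approach described above: every HTML construct the user typed is neutralised with htmlspecialchars, and formatting is re-enabled only by translating a fixed set of BBCode tags into attribute-free HTML. The tag set and the sample input are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original article): render untrusted user text by
// escaping all HTML first, then translating a small whitelist of BBCode tags
// into attribute-free HTML. The tag set and sample input are assumptions.

function render_user_text(string $input): string
{
    // 1. Neutralise every HTML construct the user typed: <script>, <img onerror>,
    //    quotes and ampersands all become inert entities.
    $safe = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // 2. Re-enable formatting only through fixed patterns. Each replacement emits
    //    a literal tag with no attributes, so user data never lands inside a tag.
    $patterns = [
        '/\[b\](.*?)\[\/b\]/is' => '<strong>$1</strong>',
        '/\[i\](.*?)\[\/i\]/is' => '<em>$1</em>',
        '/\[u\](.*?)\[\/u\]/is' => '<u>$1</u>',
    ];
    $html = preg_replace(array_keys($patterns), array_values($patterns), $safe);

    // preg_replace returns null on a regex error; fall back to the fully
    // escaped text rather than emitting nothing.
    return $html ?? $safe;
}

// Constructed sample input mixing legitimate markup with an injection attempt.
// An unclosed [b] is left as literal text instead of opening a dangling tag.
$input = "Hello [b]world[/b] <script>alert(1)</script> [i]x[/i] [b]unclosed";
echo render_user_text($input), PHP_EOL;
// Hello <strong>world</strong> &lt;script&gt;alert(1)&lt;/script&gt; <em>x</em> [b]unclosed
```

Because the replacements never copy user data into an attribute, tags such as [url=...] that carry a user-supplied value need their own validation before being added to this whitelist.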