10 Tips for Building a Secure PHP Application

Webbing Wednesdays Week #10


Tip 1: Use Proper Error Reporting/Error Handling

  • Development becomes very cumbersome when errors are not handled properly: with error reporting disabled, minor mistakes such as typos, misused functions and the like are hard to find. Enable full error reporting before development even starts. Once the website goes live, keep logging errors but stop displaying them, because displayed errors leak file paths, queries and stack traces to visitors.

  • Set the following in php.ini:
    log_errors = On
    display_errors = Off
  • Set the following in the application's configuration file:
    <?php
    define('DEBUG', true); // set to false once the site goes live

    if (DEBUG === true) {
        ini_set('display_errors', 'On');
        error_reporting(E_ALL);
    } else {
        // Keep reporting everything so errors still reach the log (log_errors = On);
        // error_reporting(0) here would silence the log as well as the screen.
        ini_set('display_errors', 'Off');
        error_reporting(E_ALL);
    }

Tip 2: Validate Input

  • Input coming from users must be validated on the server side as well as the client side; client-side checks only improve usability, since they can be bypassed. The inputs arrive as POST or GET. Use regular expressions in validation so blank or malformed entries never reach the database.
  • Check the type of the data
  • Check the range of numbers
  • Check the length of strings
  • Check that emails, URLs and dates are valid
  • Ensure that data does not contain disallowed characters.

For example, to reject a month value that is not valid:

if (!preg_match('/^[0-9]{1,2}$/D', $_GET['month'] ?? '')) {
    echo ''; // handle error; the D modifier stops "$" from matching before a trailing newline
}
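A fuller server-side validator applying all five checks above, as an added example that is not part of the original post (field names and limits are assumptions):

```php
<?php
// Added example (not from the original post): server-side validation of one
// form submission, covering the checks listed above: type, numeric range,
// string length, email/URL/date validity and a character whitelist.
// $input is a constructed sample standing in for $_POST; the field names are
// assumptions for this illustration.
function validate_profile(array $input): array
{
    $errors = [];

    // Type + range: age must be a whole number between 13 and 120.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    }

    // Length + allowed characters: 3..20 chars from [A-Za-z0-9_] only.
    // \A and \z anchor the whole string; a trailing "$" alone would let a
    // final newline through.
    if (!preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $input['username'] ?? '')) {
        $errors['username'] = 'username must be 3-20 letters, digits or underscores';
    }

    // Format checks via PHP's built-in validators.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'invalid email address';
    }
    $website = $input['website'] ?? '';
    if ($website !== '' && filter_var($website, FILTER_VALIDATE_URL) === false) {
        $errors['website'] = 'invalid URL';
    }

    // Date: must parse AND round-trip, so 2023-02-30 (which PHP would roll
    // over to March 2nd) is rejected rather than silently corrected.
    $birthday = $input['birthday'] ?? '';
    $d = DateTime::createFromFormat('Y-m-d', $birthday);
    if ($d === false || $d->format('Y-m-d') !== $birthday) {
        $errors['birthday'] = 'birthday must be a valid YYYY-MM-DD date';
    }

    return $errors; // an empty array means every check passed
}

// Constructed sample input: every field is valid except the birthday.
$sample = ['age' => '17', 'username' => 'n_good', 'email' => 'ngood@example.com',
           'website' => '', 'birthday' => '2023-02-30'];
print_r(validate_profile($sample));
```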

Tip 3: Protecting Against Sql Injection

  • To perform database queries, use PHP Data Objects (PDO). With parameterized queries and prepared statements (or stored procedures), you can prevent SQL injection.
  • Take a look at the following example:

    <?php
    $sql  = "SELECT * FROM users WHERE name = :name AND age = :age";
    $stmt = $db->prepare($sql);
    $stmt->execute(array(":name" => $name, ":age" => $age));
    ?>

  • The code above has two named parameters, :name and :age. prepare() sends the query to the database engine to be compiled with placeholders where the values will go; when execute() is called, the actual values are bound to those placeholders and the query runs. Because the SQL structure is fixed before any user value arrives, a value containing quotes or SQL keywords is treated purely as data and cannot change the query, which is what defeats injection.
  • mysql_real_escape_string(): escapes special characters in a string for use in an SQL statement. It belongs to the legacy mysql extension, which was removed in PHP 7.0, so treat it as a last resort for old code; prepared statements are the reliable fix.

Tip 4: Disable PHP’s Bad Features

  • Global variables (register_globals)
  • Using the PHP feature register_globals works against the goal of writing safe code. As soon as it is enabled in the PHP configuration, an uninitialized variable can turn into a damaging security flaw; in the worst case almost anyone can seize administrative control. To deal with this, disable register_globals, initialize your variables, and use local variables within the program.
  • If the application runs with register_globals on, a user can simply put access=1 in the query string, and $access is then set before the script ever checks it, giving the user whatever that variable guards.
  • Unfortunately, register_globals cannot be disabled from the script side (using ini_set(), as we normally might); it can only be changed per directory, which is what an .htaccess file is for. (The directive was removed entirely in PHP 5.4.0, so on any supported PHP version it is simply gone.)
  • Set the following in .htaccess to disable it:
    php_flag register_globals 0
  • Set the following in php.ini (if you have access to it) to disable it:
    register_globals = Off

Tip 5: Protect Against XSS Attacks

  • Cross-site scripting (XSS) has to be guarded against, because it is a very simple attack to mount on a website. Any PHP application that accepts user input may find that a user has placed a malicious script, like the one below, into the application.
  • Here is an example of what an XSS attacker might submit to an application:
    <script>window.location.href='http://www.bad-location.com';</script>
  • If that text is echoed back unescaped, it runs in the browser of every user who visits the output page and sends them to an unwanted site. This type of attack is eliminated by validating user input and by escaping data on output, so that it is rendered as text rather than as markup.
  • A few functions for filtering/validating data:
    htmlentities(), strip_tags(), utf8_decode(), htmlspecialchars(), ctype_digit(), ctype_alnum(),
    stripslashes(), str_replace()
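XSS is defeated at output time; this added example (not from the original post) escapes each untrusted value for the context it lands in, using the payload above as constructed input:

```php
<?php
// Added example (not from the original post): treat XSS as an output problem and
// escape every untrusted value for the context it lands in. The sample values
// are constructed; the body is the payload quoted above.
function e(string $s): string
{
    // ENT_QUOTES escapes ' as well as ", so the value is safe inside attributes
    // quoted either way; the charset must match the page's declared encoding.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function safe_href(string $url): string
{
    // Escaping alone does not stop a non-http scheme (e.g. javascript:) in href,
    // so allow only syntactically valid http(s) URLs and fall back to a harmless "#".
    $ok = filter_var($url, FILTER_VALIDATE_URL) !== false
        && preg_match('#\Ahttps?://#i', $url) === 1;
    return $ok ? e($url) : '#';
}

function render_comment(string $author, string $body, string $homepage): string
{
    // Escaping (rather than stripping) keeps the user's text intact and renders
    // it inert: <script> becomes &lt;script&gt; and never executes.
    return '<div class="comment">'
         . '<a href="' . safe_href($homepage) . '">' . e($author) . '</a>'
         . '<p>' . nl2br(e($body)) . '</p>'
         . '</div>';
}

// Constructed sample: the redirect payload from the post plus a non-http homepage.
echo render_comment(
    'mallory',
    "<script>window.location.href='http://www.bad-location.com';</script>",
    'javascript:void(0)'
);
```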

Tip 6: Avoid Short tags

  • <? and <?= are called short open tags, and they are not always enabled.
  • Since PHP 5.3.0 they are disabled by default; if they are enabled, set the following in php.ini:
    short_open_tag = Off
  • Your application will not work where they are not enabled. The <?php tag cannot be disabled, so it is the safest to use, even if it is longer to write.

Tip 7:Protect Against CSRF Attacks

  • CSRF stands for Cross-Site Request Forgery. The attacker is a remote site that gets a normal, legitimate user's browser to send requests on the attacker's behalf, riding on that user's cookies. For example, when a user comments on the website, the login state is held in the cookies, and the browser attaches those cookies to any request it makes to the site, including requests that a malicious page triggers. This is why it is imperative to filter requests rather than trust them blindly.
  • Let's say certain URLs in the application perform database changes:
    update_info.php?id=123
    delete_record.php?id=123
  • A hacker can set up a web page with the following piece of code:
    <img src="http://www.original-application.com/delete_record.php?id=123" alt="" />
  • and ask the user to open that page. Since the user is logged into the application, the URL will be requested and whatever action the script performs will be carried out. So the hacker has made the request through the user. This is "request forgery".
  • The solution is to have the server tie each state-changing request to a random secret value (a token) that the forging page cannot know.
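An added example (not from the original post) of that token mechanism; the records table and the in-memory SQLite connection are constructed for the demo:

```php
<?php
// Added example (not from the original post): an anti-CSRF token tied to the
// session. A forged request from another site (such as the <img> above) cannot
// carry the token, because the attacker never sees this user's page.
// $db is a constructed in-memory SQLite connection standing in for the real one.
session_set_cookie_params(['samesite' => 'Lax', 'httponly' => true]); // PHP 7.3+, defence in depth
session_start();
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE records (id INTEGER PRIMARY KEY)');

function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 bytes from the CSPRNG, hex-encoded to 64 characters.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $request): bool
{
    $sent = $request['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token leaks nothing via timing.
    return is_string($sent) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

// delete_record.php, hardened: the action runs only on POST with a valid token,
// so a GET to delete_record.php?id=123 fired by an <img> tag changes nothing.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('invalid CSRF token');
    }
    $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) { http_response_code(400); exit('bad id'); }
    $stmt = $db->prepare('DELETE FROM records WHERE id = :id'); // prepared, as in Tip 3
    $stmt->execute([':id' => $id]);
}

// The legitimate page embeds the token in the form that triggers the deletion.
echo '<form method="post" action="delete_record.php">'
   . '<input type="hidden" name="id" value="123">' . csrf_field()
   . '<button type="submit">Delete</button></form>';
```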

Tip 8:Securing the session

  • Regenerate the session ID (session_regenerate_id()), for example right after login, so a session ID the client held before authenticating is not reused.
  • Lock the user agent during a session:
    // Function to check whether the user is logged in from the same browser that logged in.
    // $_SESSION['old_user_agent'] is stored at login time.
    function check_login_status()
    {
        if (($_SESSION['logged'] ?? false) === true
            && ($_SESSION['old_user_agent'] ?? null) === ($_SERVER['HTTP_USER_AGENT'] ?? null)) {
            return true;
        }
        return false;
    }
    if (!check_login_status()) { logout(); }
  • Lock the IP of a session (fingerprint the client; store the value at login and compare it on later requests):
    $fingerprint = md5(
        ($_SERVER['HTTP_ACCEPT_CHARSET'] ?? '') . ($_SERVER['HTTP_ACCEPT_ENCODING'] ?? '') .
        ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '') . ($_SERVER['HTTP_USER_AGENT'] ?? '') .
        ($_SERVER['REMOTE_ADDR'] ?? '')
    );
  • Store sessions in the database
  • By default sessions are stored in files. Many applications run on shared hosting, where the session files are saved to the /tmp directory, which may be readable by other users as well. Unencrypted, the session data sits in plain text in the file:
    userName|s:5:"ngood";accountNumber|s:9:"123456789";
  • Sessions stored in a database are not exposed the way files are; they are available only to the application that owns them.

Tip 9:Setup correct directory permissions

  • Directories should have permissions that match whether they need to be writable. Keep separate directories for temp files, cache files and other resource files and mark them writable only as needed. Directories such as temp, which can contain resource files or files with other information, should be guarded well and be totally inaccessible from the web.
  • Use .htaccess to block all web access to such directories (Deny from all on Apache 2.2; Require all denied on Apache 2.4).

Tip 10:Password Security

  • $salt = 'SUPER_SALTY';
    $hash = md5($password . $salt);
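An added example (not from the original post) of doing this with PHP's built-in password API, which the first comment below recommends; it also shows how existing md5-with-static-salt hashes can be upgraded transparently at the next successful login:

```php
<?php
// Added example (not from the original post): the password API the commenter
// below points to (PHP 5.5+), in place of md5($password . $salt). Each hash gets
// its own random salt, stored inside the returned string, and a configurable
// work factor. The legacy branch lets existing md5 rows be upgraded on login.
const LEGACY_SALT  = 'SUPER_SALTY';  // the static salt from the snippet above
const HASH_OPTIONS = ['cost' => 12]; // bcrypt work factor; raise as hardware improves

function create_user_hash(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt today and may change in future PHP releases;
    // password_verify() still understands older hashes, so that is safe.
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Returns ['ok' => bool, 'rehash' => string|null]; when 'rehash' is set, store
// it in place of the old hash as part of the successful login.
function check_login(string $stored, string $password): array
{
    // A legacy md5 hash is 32 hex characters; a password_hash() string starts with "$".
    if (strlen($stored) === 32 && ctype_xdigit($stored)) {
        $ok = hash_equals($stored, md5($password . LEGACY_SALT)); // constant-time compare
        return ['ok' => $ok, 'rehash' => $ok ? create_user_hash($password) : null];
    }
    if (!password_verify($password, $stored)) {
        return ['ok' => false, 'rehash' => null];
    }
    // Upgrade hashes made with a lower cost or an older algorithm.
    $rehash = password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)
        ? create_user_hash($password) : null;
    return ['ok' => true, 'rehash' => $rehash];
}

// Constructed demo values.
$pw   = 'correct horse battery staple';
$hash = create_user_hash($pw);
var_dump($hash !== create_user_hash($pw));              // same password, different salt
var_dump(check_login($hash, $pw)['ok']);
var_dump(check_login($hash, 'wrong password')['ok']);
$legacy = md5($pw . LEGACY_SALT);                       // an existing row hashed the old way
var_dump(check_login($legacy, $pw)['rehash'] !== null); // upgraded on login
```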



4 thoughts on "10 Tips for Building a Secure PHP Application"

  1. https://www.techtic.com/blog/10-tips-for-building-a-secure-php-application/

    Tip 6: Avoid Short tags

    "Avoid short tags" is too global. => Avoid short tags in config files and classes

    Short tags are perfectly made for sites that don't want slow template engines, but want to modify HTML with PHP.

    In PHP 5.4 the tags are even enabled if you put short_open_tag to off.

    Tip 8:Securing the session

    Don't lock the IP to a session if you want to support mobiles.

    Many mobile Internet providers give many people one IP (NAT), so it isn't more secure than a session without IP.

    It's even worse, because the session is invalidated if the IP changes often on mobile Internet, when you change from GPRS to 3G for example.

    Tip 9:Setup correct directory permissions

    If possible put every php file outside of the htdocs dir except the index.php.

    Tip 10:Password Security

    Use a random salt instead of one salt for every password.

    Don't use md5, use bcrypt. ( http://dfhu.org/blog/hashing-passwords-in-php-using-md5-vs-sha256-vs-bcrypt-vs )

    Use the PHP password functions http://php.net/manual/en/ref.password.php ,

    https://github.com/ircmaxell/password_compat


    • Thanks for your response. I agree with many of your points, especially about the passwords and about not locking the IP address because of the mobile users.

      Thank you once again for your efforts and reading this article!
