How to Write Secure PHP Code


Nowadays hacking attempts are a routine fact of life for every site. Everyone wants to secure their code and web applications against attackers, but many developers don't know how to write PHP code securely. This article covers the basics.

Avoid SQL injections. SQL injections are possibly the most common way in which web software is compromised today.

For example:

$statement = "SELECT * FROM userinfo WHERE id = " . $user_id . ";";

This works fine if $user_id can be trusted. However, if it's a user-supplied variable, an attacker could supply this:

1;DROP TABLE users

Which would result in this query being executed:

SELECT * FROM userinfo WHERE id = 1;DROP TABLE users;

Which is obviously a terrible thing to have.

Solution:

The solution is to sanitize any user-supplied variables, religiously. PHP has the mysql_real_escape_string function for MySQL. Database libraries for other programming languages have the same thing. Use them, and you'll be much safer.
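The following is an added example, not code from the original article. It places the vulnerable concatenation from the text beside a hardened version that validates the id and binds it as a parameter of a prepared statement. Two things to note: the mysql extension (and with it mysql_real_escape_string) was removed in PHP 7.0, so the mysqli or PDO equivalents are what is available today, and escaping only protects values inside a quoted string literal, which a numeric WHERE clause like this one does not have. The example assumes the pdo_sqlite extension and uses an in-memory database with constructed sample rows so it runs offline.

```php
<?php
// Added example (not from the original article): the vulnerable
// concatenation from the text next to a hardened version that uses
// PDO prepared statements. Uses an in-memory SQLite database (assumes
// pdo_sqlite) so it runs offline; table and rows are constructed data.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userinfo (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO userinfo (id, name) VALUES (1, 'alice'), (2, 'bob')");

// The payload from the article, as it would arrive in a URL parameter.
$user_id = "1;DROP TABLE users";

// VULNERABLE: the input becomes part of the SQL text, so the ';' and the
// keywords inside it are parsed as SQL. Built as a string for comparison
// only; it is never executed in this example.
$vulnerable = "SELECT * FROM userinfo WHERE id = " . $user_id . ";";
echo "Vulnerable query text: $vulnerable\n";

// HARDENED: validate the type first, then bind the value as a parameter.
// The SQL text is fixed; the driver sends the value separately, so it can
// never change the structure of the statement.
function findUser(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT);
    if ($id === false) {
        // Reject rather than "clean up": anything that is not an integer
        // is not a valid id, so there is nothing to query.
        return null;
    }
    $stmt = $db->prepare('SELECT id, name FROM userinfo WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

var_dump(findUser($db, $user_id));   // payload rejected by validation
var_dump(findUser($db, "2"));        // ordinary lookup still works

// If a prepared statement is impossible, the escaping function the article
// names has been replaced by mysqli_real_escape_string($link, $value).
// Escaping only helps inside a quoted string literal; for a bare number
// like this WHERE clause, validation plus a bound parameter is the fix.
```

The same pattern applies to every query that carries user input: keep the SQL text constant and pass the data through bindValue or the execute() argument array, never through string concatenation.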

Sanitise any data that you write to a page. Your code might accept a parameter called "person" (e.g. index.php?person=Bob), and your code would contain something like this:

<h1>Hello, <?php echo $_GET["person"];?></h1>

This allows an attacker to write arbitrary JavaScript to the page, meaning that if they convinced somebody to simply follow a link to the site, they could get them to cause an action with a side-effect.

For example:

<?php
$user_input = "<script>alert('Your site sucks!');</script>";
echo "<h4>My Commenting System</h4>";
echo $user_input;
?>

The result is that the browser executes the injected script and shows the alert box.

Let's now secure our application from such attacks using the strip_tags function.

<?php
$user_input = "<script>alert('Your site sucks!');</script>";
echo strip_tags($user_input);
?>

The result will be:

alert('Your site sucks!');
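As an added example (not code from the original article), the script below runs the article's payload through the vulnerable echo, through strip_tags() as shown above, and through htmlspecialchars(), which is the standard output-encoding fix for text placed in an HTML body: every character that could start markup is encoded, so the browser displays the input literally instead of interpreting it. It also shows why strip_tags() is lossy on legitimate input. $_GET is simulated with constructed values so the script runs from the command line; the helper name h() is a choice made for this example.

```php
<?php
// Added example, not from the original article. Compares the vulnerable
// echo, the article's strip_tags() approach, and output encoding with
// htmlspecialchars(). $_GET is filled with constructed values so this
// runs from the CLI without a web server.
declare(strict_types=1);

$_GET['person'] = "<script>alert('Your site sucks!');</script>";

// Encode a value for an HTML body or a double-quoted attribute value.
// ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string; the charset must match the page.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$raw = $_GET['person'];

// VULNERABLE (the article's first snippet): markup in the input reaches
// the browser as markup and the script runs.
$vulnerable = "<h1>Hello, " . $raw . "</h1>";

// The article's strip_tags() version: the tags are removed, but the script
// body is still emitted as visible text.
$stripped = "<h1>Hello, " . strip_tags($raw) . "</h1>";

// Output encoding: '<', '>', '&' and quotes become entities, so the browser
// shows the payload as text and executes nothing.
$encoded = "<h1>Hello, " . h($raw) . "</h1>";

echo "vulnerable: $vulnerable\n";
echo "strip_tags: $stripped\n";
echo "encoded:    $encoded\n";

// Side effect of strip_tags() on harmless input: the angle-bracketed
// address is treated as a tag and silently removed, while encoding keeps it.
$name = "Bob <bob@example.com>";   // constructed value
echo "strip_tags on a real name: " . strip_tags($name) . "\n";
echo "encoded on a real name:    " . h($name) . "\n";
```

Use h() (or htmlspecialchars directly) at the point where a value is written into HTML; values written into a JavaScript block, a URL, or a CSS context need the encoding rules of that context instead.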

Don't store passwords as plain text.

This is a mitigating measure in case your site is compromised. Since many users re-use passwords, a leaked password list could mean that all their other online accounts get compromised as well. The standard counter-measure is to store a cryptographic hash (for example using the SHA-2 algorithm) of a few bytes of random data (a salt) concatenated with the password. This makes it possible to verify whether a supplied password is correct, without storing the password itself.

(For future-proofing, it might be a good idea to store the type of algorithm used as well, in case you need to migrate to a different hash algorithm, should severe weaknesses be found in current ones. This happened to MD5 and SHA-1, and may yet happen to today's most trusted hash algorithms.)
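The following added example (not code from the original article) implements the two points above with PHP's built-in password_hash() and password_verify(), available since PHP 5.5, rather than a hand-rolled SHA-2-plus-salt scheme. password_hash() generates the random salt itself, uses a deliberately slow algorithm (bcrypt by default), and writes the algorithm identifier and cost into the stored string, which is exactly the "store the algorithm used" advice; password_needs_rehash() then detects old hashes when the default changes. The $users array is a constructed stand-in for a database table.

```php
<?php
// Added example, not from the original article. Salted, slow password
// hashing with PHP's password_* API. The stored string carries the
// algorithm id, cost and salt, so migration to a newer algorithm is a
// matter of re-hashing at the next successful login. $users is a
// constructed stand-in for a database table.
declare(strict_types=1);

/** Hash a password for storage. The plain password is never stored. */
function storePassword(string $password): string
{
    // PASSWORD_DEFAULT is bcrypt today and may change in future PHP
    // versions; the resulting string records which algorithm was used.
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * Check a login attempt against a stored hash. Returns true on success.
 * $needsRehash is set when the stored hash was produced with an older
 * algorithm or cost and should be replaced now that the password is known.
 */
function checkPassword(string $password, string $storedHash, bool &$needsRehash): bool
{
    $needsRehash = false;
    // password_verify() reads the algorithm and salt from the hash string
    // and compares in constant time.
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    $needsRehash = password_needs_rehash($storedHash, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data: one account.
$users = ['alice' => storePassword('correct horse battery staple')];
echo "stored: {$users['alice']}\n";   // algorithm, cost, salt and hash in one string

$rehash = false;
$wrong = checkPassword('wrong password', $users['alice'], $rehash);
echo "wrong password accepted: " . var_export($wrong, true) . "\n";

$ok = checkPassword('correct horse battery staple', $users['alice'], $rehash);
echo "correct password accepted: " . var_export($ok, true) . "\n";

// Migration hook: after a successful login, upgrade hashes that no longer
// match the current default algorithm or cost.
if ($ok && $rehash) {
    $users['alice'] = storePassword('correct horse battery staple');
}
```

Because the hash string is self-describing, there is no separate "algorithm" column to maintain; raising the bcrypt cost or switching PASSWORD_DEFAULT only requires the re-hash-on-login step shown at the end.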


Don't depend on robots.txt to hide sensitive areas of your site. There's sometimes good reason to use it (for example, if your entire site is sensitive and you don't want it indexed by search engines). But remember that one of the first things an attacker hell-bent on compromising your site will do is to look at your robots.txt to see what you are hiding. A better way of doing this is to use a meta tag on the pages you don't want to be indexed (for example, your administrative back-end pages). For example:


<meta name="robots" content="noindex, nofollow" />
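As an added example (not code from the original article), here is an administrative page that carries the meta tag above and also sends the equivalent X-Robots-Tag response header, which covers responses that are not HTML. Neither mechanism is access control, so the page checks that the visitor is an authenticated administrator before rendering anything; the session layout ($_SESSION['role'] === 'admin') and the helper isAdmin() are assumptions made for this example.

```php
<?php
// Added example, not from the original article. An admin page that is
// kept out of search indexes with both the <meta> tag from the text and
// the X-Robots-Tag header, behind an authentication check. The
// $_SESSION['role'] layout is an assumption for this example.
declare(strict_types=1);

/** Assumed session layout: role is set to 'admin' at login. */
function isAdmin(array $session): bool
{
    return ($session['role'] ?? null) === 'admin';
}

session_start();

// 1. Access control comes first: visitors who are not administrators
//    never receive the page content, whatever a crawler does.
if (!isAdmin($_SESSION)) {
    http_response_code(403);
    header('X-Robots-Tag: noindex, nofollow');
    exit('Forbidden');
}

// 2. The indexing hint, for crawlers that are allowed through. The header
//    form also applies to non-HTML responses such as exports or PDFs.
header('X-Robots-Tag: noindex, nofollow');
?>
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <meta name="robots" content="noindex, nofollow" />
  <title>Administration</title>
</head>
<body>
  <h1>Administration</h1>
</body>
</html>
```

The robots hint keeps the URL out of search results; the session check is what actually keeps the content away from anyone who finds the URL another way.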
