Best practice to make your PHP site secure
PHP is one of the most popular programming languages for the web. Sometimes a feature-friendly language can help the programmer too much, and security holes can creep in, creating roadblocks in the development path. When it comes to security, in addition to securing your hardware and platform, you also need to write your code securely. A programmer should follow the best habits that can develop in order to protect his or her application from attack. It will help you to avoid some common PHP security pitfalls and development glitches. So, PHP should be used with caution.
This article will explain how to keep your PHP site secure and less vulnerable to hacking. But, before that, you should aware of the types of attack.
PHP based sites can face the different types of attacks. And most noticeable attacks are -
XSS - Cross-site scripting is a vulnerability in PHP web, which attackers may exploit to steal users’ information.
SQL injection – It is a vulnerability in the database layer of a PHP application. When user input is incorrectly filtered any SQL statements can be executed by the application.
File uploads – It allows your visitor to place files (upload files) on your server. This can result into various security problems such as delete your files, delete the database, get user details and much more.
Including local and remote files – An attacker can open files from a remote server and execute any PHP code. This allows them to upload the file, delete the file and install backdoors.
eval() – Evaluate a string as PHP code. This is often used by an attacker to hide their code and tools on the server itself. You can configure PHP to disable eval().
Sea-surf Attack (Cross-site request forgery – CSRF) – This attack forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. A successful CSRF exploit can compromise end user data and operation in case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.
Let's see the practices to prevent attacks -
Validate Input Data
You can disable file uploads using PHP or write secure code like validating user input and only allow image file types such as png or gif.
Use Proper Error Reporting
During the development process, web error reporting is your best friend. Error reports can help you find spelling mistakes in your variables, detect incorrect function usage and much more. However, once the site goes live the same reporting that was an ally during development can turn traitor and tell your users much more about your site than you may want them to know.
Minimize Loadable PHP Modules
PHP supports “Dynamic Extensions”. By default, RHEL loads all the extension modules found in /etc/php.d/ directory. To enable or disable a particular module, just find the configuration file in /etc/php.d/ directory and comment the module name. You can also rename or delete module configuration file. For best PHP performance and security, you should only enable the extensions your website requires.
Turn Off Remote Code Execution
If enabled, allow_url_fopen allows PHP’s file functions - such as file_get_contents() and the include and require statements - can retrieve data from remote locations, like an FTP or web site. The allow_url_fopen option allows PHP’s file functions – such as file_get_contents() and the include and requires statements – can retrieve data from remote locations using FTP or HTTP protocols. Programmers frequently forget this and don’t do proper input filtering when passing user-provided data to these functions, opening them up to code injection vulnerabilities. You can configure PHP to disable remote file execution.
Securing Database Queries
Use of prepared statements or parameterized queries is the secure option when it comes to interaction with the database. The input entered by the user is used to dynamically construct the query that is sent to the database. The user input can be maliciously crafted to change the logic of a query. This potentially allows the user to run any kind of query or bypass security measures.
You must update your PHP application on regular basis. If you are still using an older version of PHP then you will be having a lot of deprecations while upgrading PHP apps. You will also need to update your code and change some functional logics like password hashing etc.
Protecting against SQL Injection
SQL Injection is very famous, dangerous, and easily preventable. The idea is that the attacker can inject SQL code into your database when you are reading user input in your code. So the solution is to sanitize every time you are building an SQL query using user input. PHP offers many different ways for sanitizing input. You can configure Apache and write secure code (validating and escaping all user input) to avoid SQL injection attacks. A common practice in PHP is to escape parameters using the function called mysql_real_escape_string() before sending the SQL query.
Disclosure is dangerous
Your website may be vulnerable if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability. So, don't disclose your site related any sensitive data.
Securing your site would be simple if your implementation is simple. Can you avoid adding many fringe features, nice-to-haves, and assumed extensions?
Prevent XSS attacks
Monitor, alert sparingly and trace everything. A great enabler for Security is the ability of your system to monitor and track all interactions. This will help for a post-event analysis of any vulnerability exposures and you can build your defense.
Writing Secure Code
If you write enough code, you will accidentally write a vulnerability at some point in your career as a developer. So, it's better to write secure PHP code.
HTTPS is a protocol used to provide security over the Internet. HTTPS guarantees that users are talking to the server they expect and that nobody else can intercept or change the content they're seeing in transit. If you have anything that your users might want private, it's highly advisable to use the only HTTPS to deliver it.
By keeping the above points in mind it’s possible to secure PHP sites to a great extent. You can share your experiences with us in the comments below. Thank you!