Hackers are always a prevalent threat for web developers and programmers, and in the face of such obstacles some very simple techniques should be adopted to protect your code and prevent them from taking control.
- Use intelligent file inclusion.
PHP functions such as include(), require(), require_once() allow you to run external scripts or include content at your whim. These functions are generally critical to a good application design so you should always use them wisely. Don’t use $_GET or $_POST variables in the included file name (e.g. include($_GET['page'].”.php”);). If so, a hacker could pass any file name they wish to be run on your server. - Turn off PHP register globals.
If Register Globals is turned on, all variables must be wisely utlized and checked while writing your script. Similar to the first security tip, a user or hacker could pass a variable via $_GET and it be recognized and localized as a global variable and could maliciously harm your application and abuse your host. - Always validate user input.
When using HTML forms for processing user based data, ALWAYS validate this information with stringent PHP inspections. Some developers may foolishly rely upon Javascript to validate their data only, but Javascript is a client-side feature and can be turned off or manipulated. - Watch for SQL injection.
Most of the time, an application takes information from a user and then stores this information in a database. This means that the code uses SQL to store this data in the relational database, and in turn uses the data the user has submitted in the form directly in the SQL command. Some hackers will include an SQL command in the form which tries to end the normal SQL command and append a destructive command afterwards. Good PHP validation will take care of this, and always use a function like addslashes() to keep them from breaking out of the proper SQL command. - Regenerate Session ID’s.
Everytime a user logs into the application, use the PHP session_regenerate_id() function to update the user’s session. This prevents Session hijacking where a Hacker attempts to copy the Session ID from another user and access their application. - Error Handling.
Never let your user see a PHP compiler error… ever. This can be achieved by changing the php.ini setting for display_error to “0″. Then use the error log for viewing errors related to code. Don’t rely on this though, use proper error handling techniques to avoid compiler and SQL errors.
I implore you to recognize that this information is a basic tutorial for PHP security, and represents the most pertinent issues to be addressed when designing a professional PHP application. As a developer it is your responsibility to design programs with integrity, and ensure the security of the program to it’s fullest.
Advertisement
