Learn How to Improve PHP Security with these 6 Steps?
PHP security is the more concerned topic in web application security, In this article, you will learn some techniques that you can use in your applications to fix security issues and improve the overall security of PHP web applications.
1. Input Validation
All problems start here If you are not validating & sanitizing user submitted data through forms or URLs. If you strictly follow this step, then you can overcome a lot of problems with your applications that is regarding security.
First of all, Check whether the input submitted with the correct method? That is if the user input should be passed to URL and if you are using request superglobal, Then that is the problem. Because hacker can fake the request with other types of method. Request superglobal works with all type of inputs that is post & get.
The simple answer is don’t use request superglobal, only use get or post based on the request type.
If the input method is get and if you are expecting only number from the URL as user input. Use PHP functions to validate the user submitted input data, in this particular situation you can use is_int PHP function. To check whether the input is an integer.
For validation, you can use filter_var PHP function with this function you can validate the input and also sanitize the input. You have to use the correct filter based on your requirement. For available filters check the php.net website.
2. XSS Cross-Site Scripting
Here we will see how we can overcome XSS attacks by making simple changes to our applications with these two methods. That is filtering Input and Escaping Output
2.1 Filtering Input
While accepting data from website users we should filter. For example in comment system, we should accept only text input not HTML tags. If we are not filtering the input, the user can submit any kind of information even malicious code.
To filter unwanted code we can use these PHP functions, here I’m presenting you three PHP functions and their advantages.
strip_tags PHP function removes HTML tags from the user submitted input.
filter_var : And the more secure way of filtering input is filter_var with filter_sanitize_string removes HTML tags even HTML syntax entered by the user is incorrect.
regular expressions: If you have a specific requirement, you can build a regular expression to filter user input.
2.2 Escaping Output
Escaping Output is a technique used to prevent XSS. Suppose, let’s assume with above comment system you have some comments in the database without filtering input. That means these comments may have some HTML tags and even some comments may have malicious code. Without deleting this data from the database, we can fix this issue by escaping output with these PHP functions.
htmlspecialchars PHP function encodes special characters into HTML entities and even if you want to convert quote marks to HTML entities use it with ent_quotes.
htmlentities PHP function converts all HTML character entities into html entities.
You can convert the quote marks also with ent_quotes
The more secure way is to to use filter_var with filter filter_sanitize_full_special_chars to convert all HTML entities.
3. SQL Injection
SQL Injection is the most critical threat to any application which uses a database. You can follow these techniques to overcome SQL Injection.
Provide Minimum Information to the user, don’t display SQL queries and debug information to the user. As it may reveal table names and table structure to the attackers, thus it makes easy for an attacker to do SQL Injection.
Validate the Input, go through the step 1. By following this you can minimize the few issues.
Escape the output while inserting data into the database. Previously we have seen escaping output while displaying comments in the browser. In the same way, we can escape the output while inserting the records in the database with the mysqli_real_escape_sting PHP function.
Use Prepared statements with PHP PDO, it’s most secure method to overcome SQL Injection. You can learn more about PDO Prepared Statements from PHP CRUD Application with PDO.
Least Privileged Database User Account – Create a database user on your server with least privileges. Like if you are only displaying information in your application from database create a database user with only read privileges. Understand your application and create an account based on the privileges.
4. Password Hashing
While storing Passwords of users, don’t store it in plain text password. Because it’s exposing your user’s important information to the attacker, most of the users will use the same password on other websites. So that, your users are in great danger.
Use secure password hashing algorithm, a Most secure password hashing algorithm is password_hash. Use password_hash while generating password hash. To generate the hash with password_hash PHP function, use this below code.
5. CSRF Cross-Site Request Forgery
Cross-Site Request Forgery is another area where you need to implement CSRF tokens to improve the security of form submissions.
CSRF Tokens are used to secure forms in PHP, we will generate a random token and this will be stored in the session and this token will be passed through the form. After form submission, CSRF token from the form and the token stored in session will be compared. If both these values match then only form submission will succeed. Otherwise, form submission will be failed. The attacker won’t be able to succeed with his/her attempts.
I’ve already created a complete article on Securing PHP Forms with CSRF Tokens.
6. Error Handling
While in production mode don’t display all the errors to users, follow least information principle.
Always look out for the Security issues in your web applications. You will find out few things in your applications, use these steps as a checklist for the security of your applications.
Comment below and let me know techniques you are following in PHP applications for security.