Security matters throughout the development of any web application. There are some very simple steps you can take to protect your application from attackers. This post covers some of the basics of PHP security.
Every developer should know the tips below.
1. Filtering Input :-
Filtering all data from external sources is probably the most important security measure you can take. It can be as simple as running a few built-in functions on your variables.
Whenever a user submits data through a form, never use anything in $_GET or $_POST directly. Check each value to make sure it is what you expect, and assign the checked result to a local variable for use.
// input filter examples
// Make sure it is an integer
$int = intval($_POST['variable']);
// Make it safe to use in a URL
$string = urlencode($_POST['variable']);
Note that intval() coerces rather than validates ("12abc" becomes 12, "abc" becomes 0), and urlencode() only makes a value safe to embed in a URL, not in HTML or SQL. PHP as of version 5.2 provides a set of filtering functions designed just for the purpose of filtering user data. filter_input() gets a specific external variable by name and optionally filters it:
<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url  = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>
Output (for a request with ?search=Me%20%26%20son, i.e. the string "Me & son"):
You have searched for Me &#38; son.
<a href='?search=Me%20%26%20son'>Search again.</a>
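The examples above sanitize. For values that drive program logic it is usually better to validate and reject. The following is an added example, not code from the original post; it shows how filter_input() distinguishes a missing variable (NULL) from one that fails the filter (FALSE), and how an allow-list covers the case no filter constant handles. The parameter names id, email and sort are this example's own assumptions.

```php
<?php
// Added example (not from the original post): validate, don't just sanitize.
// filter_input() returns NULL when the variable is absent, FALSE when it is
// present but fails the filter, and the filtered value otherwise. Handle all
// three cases explicitly instead of letting NULL/FALSE flow into your code.

// Hypothetical request for illustration: ?id=<int>&email=<addr>&sort=<column>
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
]);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('Invalid or missing id');
}

$email = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
if ($email === null || $email === false) {
    http_response_code(400);
    exit('Invalid or missing email');
}

// Allow-list for values that select program behaviour (e.g. an ORDER BY column):
// no filter constant covers this, so compare against the known-good set. The
// is_string() check rejects ?sort[]=x, which PHP would deliver as an array.
$allowedSort = ['name', 'created_at', 'price'];
$sort = $_GET['sort'] ?? 'name';
if (!is_string($sort) || !in_array($sort, $allowedSort, true)) {
    http_response_code(400);
    exit('Invalid sort column');
}

// From here on only the validated local copies are used; $_GET is not touched again.
printf("id=%d email=%s sort=%s\n", $id, htmlspecialchars($email, ENT_QUOTES, 'UTF-8'), $sort);
```

Rejecting bad input with a 400 is simpler to reason about than sanitizing it into something "probably safe": there is no question of what the stripped value means downstream.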
2. Register_Globals:-
One of the most controversial changes in PHP was when the default value for the PHP directive register_globals went from ON to OFF in PHP 4.2.0. (The directive was deprecated in PHP 5.3.0 and removed entirely in PHP 5.4.0.)
This section shows how one can write insecure code with this directive enabled, but keep in mind that the directive itself isn't insecure; the problem is its misuse.
<?php
// define $authorized = true only if user is authenticated
// (authenticated_user() stands for your own login check)
if (authenticated_user()) {
    $authorized = true;
}

// Because we didn't first initialize $authorized as false, this might be
// defined through register_globals, like from GET auth.php?authorized=1
// So, anyone can be seen as authenticated!
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>
Example use of sessions with register_globals on or off. Initialize every variable before use, and read request and session data only through the superglobals, so it is always clear where a value came from:
<?php
// We wouldn't know where $username came from but do know $_SESSION is
// for session data
// (a username that originally came from user input should still go through
// htmlspecialchars() before being echoed; see section 6)
if (isset($_SESSION['username'])) {
    echo "Hello <b>{$_SESSION['username']}</b>";
} else {
    echo "Hello <b>Guest</b><br />";
    echo "Would you like to login?";
}
?>
3. Error Reporting:-
The error_reporting() function sets the error_reporting directive at runtime. PHP has many levels of errors; calling this function sets the level for the remainder of the script's execution. If the optional level argument is omitted, error_reporting() just returns the current error reporting level.
It's never a good idea to show the world your errors. It makes you look bad, and it may also give malicious users another clue (file paths, table names, query text, library versions) to help them break your site. You should always have display_errors disabled in a production environment, but continue logging errors with log_errors for your own information.
Recommended settings:

Directive         Production   Development
display_errors    0            1
log_errors        1            0
error_reporting   E_ALL        E_ALL
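As an added example (not from the original post), this is what the Production column looks like applied from a bootstrap file that every entry point includes first. The log path is an assumption; use whatever your deployment provides.

```php
<?php
// Added example (not from the original post): production error settings.
// Applies the "Production" column above and makes sure an uncaught exception
// is logged rather than displayed. The log path is an assumed value.

error_reporting(E_ALL);                 // report everything ...
ini_set('display_errors', '0');         // ... but never echo it to the client
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log'); // assumed path

// With display_errors on, an uncaught exception prints a stack trace with file
// paths and argument values. Log the details and return a generic response.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        '[%s] %s in %s:%d',
        get_class($e),
        $e->getMessage(),
        $e->getFile(),
        $e->getLine()
    ));
    http_response_code(500);
    echo 'Sorry, something went wrong.';
});

// Everything below this point in the real application is protected by the handler.
throw new RuntimeException('constructed sample failure: connection to db-internal.example refused');
```

Runtime ini_set() calls cannot affect errors raised before the script starts, so display_startup_errors and display_errors should also be set to 0 in php.ini; the bootstrap is a safety net, not a replacement for the server configuration.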
4. Use POST for Dangerous Actions
There are two common methods used to send data to a PHP application, GET and POST. GET works by adding variables to the end of the URL (e.g. http://www.example.com/process.php?action=delete&id=123). POST works by sending variables in the body of the request (normal users will not see them). It is important to carefully consider which method to use for a given task.
You should generally stick to POST when you are performing a potentially dangerous action (like deleting something). The reason is that it is much easier to trick a user into accessing a URL with GET parameters than it is to trick them into sending a POST request. Take this example:
<img src="http://www.example.com/process.php?action=delete&id=123" />
If a user with an active session on your site visits another web page containing the above image tag, the user's browser will quietly send a request to your site, with the user's session cookie attached, telling it to delete record 123.
Keep in mind that other precautions should also be taken to ensure requests are legitimate under a secure session. It is also easily possible to create a form that does the same as above using a POST request (a hidden form submitted automatically by script), so don't assume that method is "safe" either. See sections 2 and 4 of the PHP Security Guide for more information on form and session security.
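The "other precautions" the text mentions are usually a secret token tied to the session, which a page on another site cannot know. The following is an added example, not code from the original post: a process.php that accepts the delete action only over POST and only with a valid token. The function names, the form field names and delete_record() are this example's own; delete_record() stands for your own data-access code.

```php
<?php
// Added example (not from the original post): require POST plus a per-session
// token for the delete action, so a forged <img> or auto-submitted <form> on
// another site cannot trigger it. Names in this file are this example's own.

session_start();

function csrf_token(): string
{
    // Generate once per session: 32 random bytes, hex-encoded (64 chars).
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(): bool
{
    $sent = $_POST['csrf_token'] ?? '';
    // hash_equals() compares in constant time; the is_string() guard stops an
    // attacker from sending csrf_token[]=... as an array.
    return is_string($sent)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['action'] ?? '') === 'delete') {
    if (!csrf_check()) {
        http_response_code(403);
        exit('Invalid request token');
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === null || $id === false) {
        http_response_code(400);
        exit('Bad id');
    }
    delete_record($id); // hypothetical: your own code, using a prepared statement (see section 5)
    exit('Deleted');
}

// Rendering the form: the token travels in a hidden field, never in the URL,
// so it does not end up in browser history, logs or Referer headers.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="process.php">
  <input type="hidden" name="action" value="delete">
  <input type="hidden" name="id" value="123">
  <input type="hidden" name="csrf_token" value="{$token}">
  <button type="submit">Delete record 123</button>
</form>
HTML;
```

A GET request to process.php?action=delete&id=123 now does nothing, and a POST forged from another origin fails the token check because that origin never saw the value stored in the victim's session.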
5. Database Queries Filtering:-
Example #1 Simple mysql_real_escape_string() example
The first half of the example shows what happens when the values are not escaped at all. (The mysql_* extension used here was removed in PHP 7.0; current code uses mysqli or PDO, where the same problem and the same fix apply.)
<?php
// We didn't check $_POST['password'], it could be anything the user wanted! For example:
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";

// Query database to check if there are any matching users
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);

// This means the query sent to MySQL would be:
echo $query;
// SELECT * FROM users WHERE user='aidan' AND password='' OR ''=''
?>
The WHERE clause now ends in OR ''='', which is always true, so the attacker is logged in as aidan without knowing the password. mysql_real_escape_string() prevents this by escaping the quote characters in the input before it is placed in the query; a prepared statement prevents it by never mixing the input into the query text at all.

6. Output Filtering
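The following is an added example, not code from the original post, showing the same login query built safely in two ways: escaping, as the section's title suggests, and a prepared statement. It uses mysqli because the mysql_* extension no longer exists; the connection details, table and column names are placeholders for illustration.

```php
<?php
// Added example (not from the original post): the same login query built safely.
// mysqli replaces the removed mysql_* extension. Connection details, table and
// column names are placeholders.

$db = new mysqli('localhost', 'app_user', 'app_password', 'appdb'); // assumed credentials
if ($db->connect_errno) {
    error_log('DB connection failed: ' . $db->connect_error);
    exit('Service unavailable');
}
// Escaping is charset-aware: set the connection charset before escaping anything.
$db->set_charset('utf8mb4');

// Constructed sample input: the same injection attempt as in the page's example.
$_POST['username'] = 'aidan';
$_POST['password'] = "' OR ''='";
$username = is_string($_POST['username'] ?? null) ? $_POST['username'] : '';
$password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';

// Option 1: the page's approach, escaping. Each quote in the input is
// backslash-escaped, so the payload becomes a literal (wrong) password instead
// of an OR clause. Every interpolated value must be escaped, and the quotes
// around it in the SQL are mandatory; an unquoted numeric column is not
// protected by escaping.
$u = $db->real_escape_string($username);
$p = $db->real_escape_string($password);
$escaped_query = "SELECT id FROM users WHERE user='$u' AND password='$p'";
echo $escaped_query, "\n";

// Option 2 (preferred): a prepared statement sends the SQL text and the values
// separately, so a value can never change the structure of the statement and
// there is nothing to escape by hand.
$stmt = $db->prepare('SELECT id, password_hash FROM users WHERE user = ?');
if ($stmt === false) {
    error_log('prepare failed: ' . $db->error);
    exit('Service unavailable');
}
$stmt->bind_param('s', $username);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Plaintext passwords should not be compared inside SQL at all: store a
// password_hash() value and check it in PHP with password_verify().
if ($row && password_verify($password, $row['password_hash'])) {
    echo "Login ok\n";
} else {
    echo "Login failed\n";
}
```

With option 1 the echoed query contains password='\' OR \'\'=\'', a string MySQL compares against the column as data. Option 2 is preferred because it cannot be undone by forgetting a single escape call elsewhere in the code base.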
It is also important to filter what comes out of your application, and to use the function that matches where the output goes.
htmlspecialchars() // Convert special characters to HTML entities
htmlentities()     // Convert all applicable characters to HTML entities
strip_tags()       // Strip HTML and PHP tags from a string

htmlspecialchars():
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
?>

htmlentities():
<?php
$str = "A 'quote' is <b>bold</b>";
// Outputs: A 'quote' is &lt;b&gt;bold&lt;/b&gt;
// (with the default flags of PHP < 8.1; since PHP 8.1 the default includes
// ENT_QUOTES, so the single quotes are encoded as &#039; as well)
echo htmlentities($str);
?>

strip_tags():
<?php
$text = '<p>Test paragraph.</p><!-- Comment --> <a href="#fragment">Other text</a>';
echo strip_tags($text);
echo "\n";
// Allow <p> and <a>
echo strip_tags($text, '<p><a>');
?>
Output:
Test paragraph. Other text
<p>Test paragraph.</p> <a href="#fragment">Other text</a>
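The right escaping depends on the context the value lands in: HTML text, an HTML attribute, a JavaScript literal or a URL parameter each need a different encoding. The following is an added example, not code from the original post; the helper names e_html(), e_js() and e_url_param() and the sample input are this example's own. It also demonstrates why strip_tags() is not an output-escaping function.

```php
<?php
// Added example (not from the original post): one escaping helper per output
// context, exercised on a constructed malicious value. Helper names are this
// example's own.

// Constructed sample: breaks out of a double-quoted attribute and adds a script.
$input = "\" onmouseover=\"alert(1)\" x=\"<script>alert('xss')</script>";

// HTML text and quoted attributes: ENT_QUOTES encodes both quote kinds,
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string
// (which would silently drop the whole value).
function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Data handed to JavaScript: emit a JSON literal and hex-escape < > & ' " so a
// "</script>" inside the value cannot terminate the script block.
function e_js(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// URL query component: percent-encode first, then HTML-escape because the
// result sits inside an href attribute.
function e_url_param(string $s): string
{
    return e_html(rawurlencode($s));
}

echo '<p>', e_html($input), "</p>\n";
echo '<input value="', e_html($input), "\">\n";
echo '<script>var q = ', e_js($input), ";</script>\n";
echo '<a href="?q=', e_url_param($input), "\">search</a>\n";

// Caveat: strip_tags() with an allow-list keeps the allowed tag together with
// ALL of its attributes, so an event handler or javascript: URL survives.
$rich = '<a href="javascript:alert(1)" onclick="alert(2)">click</a><script>alert(3)</script>';
echo strip_tags($rich, '<a>'), "\n";
```

In the last line the <script> element is removed, but the <a> is kept with its javascript: href and onclick handler intact, which is exactly what an attacker needs. strip_tags() is a convenience for trimming markup, not a defence; escape with htmlspecialchars() at the point of output, or use a real HTML sanitizer if you must allow a subset of markup.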