5 Helpful Tips for Creating Secure PHP Applications
PHP is one of the most popular programming languages for the web. Sometimes a feature-friendly language can help the programmer too much, and security holes can creep in, creating roadblocks in the development path. In this tutorial, we will take a look at 5 tips to help you avoid some common PHP security pitfalls and development glitches.
Tip 1: Use Proper Error Reporting
During the development process, application error reporting is your best friend. However, once the site goes live error reporting can tell your users much more about your site than you may want them to know (the software you run, your folder structure, etc).
Tip 2: Disable PHP’s “Bad Features”
From its earliest days, PHP’s designers have always included some features to make development easier. Or so they thought! Some of these helpful features can have unintended consequences. One of the first things you should do when the development process begins is disable some of these features.
Tip 3: Validate Input
In addition to escaping characters, another great to way to protect input is to validate it. With many applications, you actually already know what kind of data you are expecting on input. So the simplest way to protect yourself against attacks is to make sure your users can only enter the appropriate data.
Tip 4: Watch for Cross Site Scripting (XSS) Attacks in User Input
A web application usually accepts input from users and displays it in some way. When accepting input, allowing HTML can be a dangerous thing, because that allows for JavaScript to be executed in unintended ways. If even one hole is left open, JavaScript can be executed and cookies could be hijacked. This cookie data could then be used to fake a real account and give an illegal user access to the website’s data.
There are a few ways you can protect yourself from such attacks. One way is to disallow HTML altogether, because then there is no possible way to allow any JavaScript to execute.
Tip 5: Protecting against SQL Injection
Last, but not least, is one of the most well-known security attacks on the web: SQL injection. SQL injection attacks occur when data goes unchecked, and the application doesn’t escape characters used in SQL strings such as single quotes (‘) or double quotes (“).
If these characters are not filtered out users can exploit the system by making queries always true and thus allowing them to trick login systems.
Interesting article – but the link to 5 Helpful Tips for Creating Secure PHP Applications is broken.