This is a list of top 10 PHP secuirty tips that you can follow when developing your PHP based web applications.
Restrict access to administrative page
Most of the web based software have administrative page that is used to configure and to manage the software. When you install PHP based software, remember to change the script’s default directory name and also remove the installation script. Some software offer the option to installation script removal after completion of the installation process.
Another approach to secure administrative directory or script is to create an .htaccess file and upload it to the administrative directory. For example, if you have an administrative script that resides on my/admin-page, then you need to upload the .htaccess file in that directory.
Include/require files
As you know that some PHP programmers love to reuse codes, using includes or require file command in the script. When using include files in your script, you need to keep in mind that codes of that file may be exposed to the outside world if you do not save it with .php extension. If you do not use .php extension, PHP will not process your file and may return the contents of the file when a user types the path of that file. Therefore, make sure that the include and require files are always ending with .php extension. In addition, you can put include/require files in a non-root directory. A non-root directory is not publicly accessible via Internet. Also, you may think about password protecting the directory that contains includes/require files.
Secure your password in database.
You may have to store users’ password in database for various reasons. Whenever you store users’ passwords, make sure that you store it in encrypted format. Even if anyone gains access to your database, they will not be able to read your encrypted password. Do not hesitate to use stronger encryption function. The higher the length of your encryption key, the harder it becomes for the attacker to break your password.
Secure session data
Users computer generate session data each time they log in to your PHP based web application. This session data contains sensitive information that is used to keep the users logged in for a specific period of time. If anyone snoop your network, and intercept your session id or cookies, he can use it to gain access to your account. This process of using someone’s session id to gain illegitimate access to users account is known as session hijacking.
One possible solution to session hijacking is to use super global variables that uses user computer’s IP and browser type to generate complex session id. A session starts when a user’s browser requests for a webpage and a new session id is stored in his computer. When the user returns to the page, the server will compute a new session id using the user IP address and browser type and match that value with the stored value in the user’s machine. If the user IP or browser is different than that of the stored value, then server will assume that session id has been hijacked and ask the user to authenticate. Another useful line of defence against PHP session hijacking is to add a random token in the URL , and save it in a session variable. Randomness in the URL makes it much harder for the session hijacker to gain access to someone’s account.
How to trust user data?
Some web based PHP applications allow user to type data in the database. As you know that inputting data to a database is always risky unless your trusted database admin or security admin do such jobs. When you allow users to input data to your system, the important thing you need to remember is that you have to find a way to make sure the data are valid and follow the data types rules set by you. If you want users to input only a particular type of data such as integer then you need to find a way to prevent users to input any other format of data except integer. You must find a way to prevent that kind of violation. Make sure the users input are being passed through mysql_real_escape_string before sending to your database.
Session path configuration
If you are using shared hosting solution, you might be using the same session path with all other users. In that case your session data may be stored in a temporary directory that every other user can access. To make your session data more secure, you can configure session.path_save with init-set function, which will change the default session path. Make sure that new session path stays below the root directory and create a directory for session data with proper write permission for the PHP interpreter.
Change standard PHP error code
When PHP fails to connect to the database, it shows a connection error message. The default connection error code reveals too much information about the server including its IP and file path. To prevent revealing too much information to the hacker, you can change the standard error message in PHP by simply adding the @ sign before your database function call such as @mysql_connect or @mysql_select_db.
Create separate database user
If multiple PHP application use the same database server, make sure you create separate user for each application. If one of your apps gets compromised, the application will not be affected and the extent of security breach and damage will be limited.
Prevent cross site scripting in PHP
To protect your PHP application against Cross site scripting attack, you can follow the golden rule that any user generated data or input must be validated and sanitized. When you output your data use output escaping.
Global variables
User generated data can be tainted. There are no ways to tell if your users are generating untainted data. The method you can follow to fix the security hole created by PHP global variables are:
- Initialize your global variables
- Disable register_global from php.ini file.
- Set variables_order
