
PHP Best Practices in Security – Part 1

Date: 26 Jan 2010

Here is the first post of the PHP Best Practices series. We'll begin with what is (in my opinion) the most important aspect of web development: security.

1. Always Initialize Your Variables

Let’s look at the following example:

<?php
if (check_user($_POST['username'], $_POST['password'])) {
    $login = true;
}

if ($login) {
    forward_to_secure_page();
}
?>

If the username and password aren't correct, $login is never assigned, so the second if statement tests an uninitialized variable that may already hold true (with register_globals enabled, a request parameter named login sets it) :)

This is better:

<?php
$login = false;
if (check_user($_POST['username'], $_POST['password'])) {
    $login = true;
}

if ($login) {
    forward_to_secure_page();
}
?>

2. Don’t trust user input

Example:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>">

</form>

If someone makes a request such as http://www.yoursite.com/yourpage.php/%22%3E%3Cscript%3Ealert('alert message')%3C/script%3E%3C, the extra path segment ends up in $_SERVER['PHP_SELF'], the script tag is reflected into the form's action attribute, and a JavaScript dialog opens.

So always be careful with variables that contain user input: $_POST, $_GET, $_SERVER, $_COOKIE and $_REQUEST.

3. Always use escape functions to prevent SQL Injections

<?php
$sql = 'select pass from user where username = ' . $_GET['login'];
?>

What about the following request:

http://yoursite.com/yourpage.php?login=username+OR+1

That's why you should always use escape functions, e.g. mysqli_real_escape_string. Note that escaping only helps when the value is also enclosed in quotes in the query; otherwise "username OR 1" still changes the statement:

<?php
// $mysqli is an open mysqli connection; the escaped value must also be quoted
$sql = "select pass from user where username = '" .
    mysqli_real_escape_string($mysqli, $_GET['login']) . "'";
?>

4. Validate the Input
A good practice is to validate all input; functions that may help you are:
- filter_var (it filters a value with the specified filter and returns false when validation fails), e.g.:

filter_var('some@email.com', FILTER_VALIDATE_EMAIL);   // returns 'some@email.com'

// returns false: no scheme. FILTER_FLAG_SCHEME_REQUIRED is implied by
// FILTER_VALIDATE_URL and has been deprecated since PHP 7.3.
filter_var('someurl.com', FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED);

- ctype_alnum (it checks that every character is alphanumeric, so spaces and punctuation make it fail), e.g.:

ctype_alnum('ThisIsAGoodString');          // true
ctype_alnum('this is a bad string - @#');  // false

5. Use escape functions on output
<?php
$str = '<b>Dev</b>theWeb.NET';
echo $str;
?>

The output will be: DevtheWeb.NET, with "Dev" rendered in bold, because the browser interprets the <b> tag.

A value like $str could have been entered by a user, so we should use escape functions on output:

<?php
$str = '<b>Dev</b>theWeb.NET';
echo htmlentities($str);
?>

The output will be the literal text: <b>Dev</b>theWeb.NET
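As an added example (my own code, not from the original post) tying sections 2, 4 and 5 together: a helper that escapes the PHP_SELF-derived form action with htmlspecialchars (used here instead of htmlentities, with ENT_QUOTES so the result is also safe inside attributes), a whitelist username check built on ctype_alnum, and the payload quoted in section 2 as constructed input. Function names and sample values are my own.

```php
<?php
// Added example: output escaping for the section 2 form and
// whitelist validation from section 4. Function names are hypothetical.

// Escape a string before placing it in HTML text or an attribute value.
// ENT_QUOTES also encodes the single quote, so the result is safe inside
// single- or double-quoted attributes; the charset is stated explicitly.
function esc_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Build the <form> start tag. $path stands in for $_SERVER['PHP_SELF'],
// which the client controls through the extra path segment of the URL.
function form_open(string $path): string
{
    return '<form action="' . esc_html($path) . '" method="post">';
}

// Whitelist validation for a username: letters and digits only, 3 to 32
// characters. The length check also rejects the empty string.
function valid_username(string $name): bool
{
    $len = strlen($name);
    return $len >= 3 && $len <= 32 && ctype_alnum($name);
}

// Constructed sample value: the decoded path from the section 2 request.
$pathFromRequest = '/yourpage.php/"><script>alert(\'alert message\')</script><';

echo "Unescaped (vulnerable):\n";
echo '<form action="' . $pathFromRequest . '" method="post">', "\n\n";

echo "Escaped (the browser sees text, not a new tag):\n";
echo form_open($pathFromRequest), "\n\n";

// Constructed usernames: only the first one passes the whitelist.
foreach (['devtheweb', 'dev the web', "admin' OR 1", ''] as $name) {
    printf("%-14s -> %s\n", var_export($name, true),
        valid_username($name) ? 'ok' : 'rejected');
}
```

Run it with the PHP CLI; the escaped form tag shows the payload as `&quot;&gt;&lt;script&gt;...`, which the browser renders as harmless attribute text.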

Here are 3 additional pieces of advice on how to hide security-relevant information about your site:

6. display_errors should be turned off in your production environment; use log_errors instead, so errors go to a log file rather than to the visitor's browser.

7. Don't keep phpinfo() in your webroot, because it exposes information about the configuration, paths, extensions, etc.

8. Disabling expose_php (which removes the PHP version from the response headers) and changing the default file extensions for PHP scripts may also help.

I hope you’ve found something useful in the post. Soon I’ll publish part 2 of PHP Best Practices in Security where you can read more about Permissions, Configuration, Cookies and Sessions.

Do you find Best Practices in PHP useful for your work?