Thursday, December 25, 2008

Three Important Tips to Write PHP Code Defensively

The phenomenal growth of PHP applications has also led to a mushrooming of increased quantum of malicious activity. It thus becomes imperative that you write secure PHP code to protect your website. Here are some tips for the same.

The three most vulnerable aspects of PHP that can become easily accessible to anyone are XSS (Cross Site Scripting), Global Variables and SQL code.


The growth of XSS has followed a steady growth in the use of AJAX. Cross Site Scripting, for instance is used when you create a Comment section in your website. If the commentator has to log in to comment, his login information gets stored in a cookie. As the JavaScript code is generally run whenever a person writes the comment, there is a pretty good chance of the contents of the cookie being accessible to a remote server handled by a malicious user.

To counter this, make a habit of including filters whenever you request for random information. Use the die() function to exit from the task whenever the filters detect an unqualified input. The details that are typed are first filtered and then sent to the website’s database. Again the information is filtered before it is output.
//A good filter program that validates data, prevents XSS attack and
//preempts white lists would look like this
echo 'this is what you input';
echo htmlentities($_POST['myInfo']);

Global Variables

The PHP feature “Register Globals” leads to a palpable lacuna in programming safety. Once this feature is activated in PHP configuration file, even a single variable that is to uninitialized, can lead to a great security flaw. For instance
if (is_admin()) ( $authorized=true; )
if ($authorized) ( include "/very/sensitive/data.php"; )

When you run the file, because of non-initialization the user may not be verified, resulting in anyone accessing the administrative control! To counter this, you should disable Register Globals, initialize variables use localized variables and as far as possible within the programs.

SQL Code

The SQL code is vulnerable to malicious users just like XSS feature. To write a secure SQL code you need to remember a couple of things. First avoid using dynamic code and second, if dynamic code in inevitable then do not have direct input into the tables.

For instance, a code like this will take care of the sql security
if ($_POST['submit'] == 'Save') {
if (isset($_POST['acct_num']) &&
isValidAccountNumber($_POST['acc_num'])) {
$link = mysql_connect ('hostname', 'user', 'password')
or die('Could not connect to DB');

Preferably have a database to select user name so that any other entry (like “bingo” or ‘blah blah’) can be swiftly detected. A simple way of preventing SQL security lapse is by typecasting the data so that input is effectively monitored. You can also make use of the versatile “mysql_real_escape_string”. This function can successfully filter symbols and contain SQL security flaws.

These three are the most significant to create a secure PHP code. Apart from this, you should also ensure that
- The system is well protected
- Files and database are protected.
- Posts are verified
- Input is always validated

Input validation is the key to secure programming. Make a habit of allowing only the right input into your system. A systematic approach to PHP, keeping in mind the pitfalls, can guard the program against most flaws and malicious attacks.

Read More..

No comments: