10 Tips for Building a Secure PHP Application
Tip 1: Use Proper Error Reporting/Handling
- The development process can become very cumbersome when errors are not handled properly. If error reporting is not enabled, identifying minor mistakes such as typos, incorrect function usage and many others becomes very difficult. It is good practice to enable error reporting before even starting development. Once the website goes live, hide errors from being displayed (but keep logging them).
- Set the following in the php.ini file (directive names are lower-case):

    log_errors = On
    display_errors = Off

- Set the following in the application's configuration file:

    define('DEBUG', true);   // set to false in production
    if (DEBUG === true) {
        ini_set('display_errors', 'On');
        error_reporting(E_ALL);
    } else {
        ini_set('display_errors', 'Off');
        ini_set('log_errors', 'On');   // errors still reach the log, never the browser
        error_reporting(E_ALL);        // error_reporting(0) would silence the log as well
    }
Tip 2: Validate Input
- Input coming from users needs to be validated on the server side as well as the client side. Input arrives as POST or GET. Always use regular expressions in validation to avoid blank entries in the database.
- Check the 'type' of the data
- Check the range of numbers
- Check the length of strings
- Check that emails, URLs and dates are valid
- Ensure that the data does not contain disallowed characters.
For example, if the month value is not valid:

    // the D modifier stops "$" from matching before a trailing newline
    if (!preg_match('/^[0-9]{1,2}$/D', $_GET['month'] ?? '')) {
        echo ''; // handle error
    }
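As an added example (not code from the original slides), here is a server-side validator that applies each of the checks listed above to a constructed form submission; the field names and limits are assumptions for illustration.

```php
<?php
// Added example: server-side validation covering type, range, length,
// allowed characters, and email/URL/date well-formedness.
// Field names and limits are assumptions, not from the original slides.

function validate_profile(array $input): array
{
    $errors = [];

    // Type + range: month must be an integer between 1 and 12.
    $month = filter_var($input['month'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 12]]);
    if ($month === false) {
        $errors['month'] = 'month must be an integer from 1 to 12';
    }

    // Length + allowed characters: 3-20 chars, letters/digits/underscore only.
    // The D modifier stops "$" from matching before a trailing newline.
    $username = (string) ($input['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/D', $username)) {
        $errors['username'] = 'username must be 3-20 letters, digits or underscores';
    }

    // Well-formedness: email and URL via PHP's built-in filters; the URL is
    // additionally restricted to http(s) so it is safe to echo into a link.
    if (filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'email address is not valid';
    }
    $url = (string) ($input['website'] ?? '');
    if ($url !== '' && (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true))) {
        $errors['website'] = 'website must be an http(s) URL';
    }

    // Date: must parse as YYYY-MM-DD and round-trip unchanged, which rejects
    // overflowing values such as a 30th of February.
    $dob = (string) ($input['dob'] ?? '');
    $d = DateTime::createFromFormat('!Y-m-d', $dob);
    if ($d === false || $d->format('Y-m-d') !== $dob) {
        $errors['dob'] = 'date of birth must be a real date in YYYY-MM-DD form';
    }

    return $errors;
}

// Constructed sample input, shaped like $_POST from a profile form.
$sample = [
    'month'    => '13',                  // out of range
    'username' => 'n.good',              // disallowed character
    'email'    => 'ngood@example.com',   // well-formed
    'website'  => 'javascript:alert(1)', // not an http(s) URL
    'dob'      => '2024-02-30',          // not a real date
];
print_r(validate_profile($sample));
```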
Tip 3: Protecting Against SQL Injection
- To perform database queries, use PHP Data Objects (PDO). With parameterized queries and prepared statements (or stored procedures), you can prevent SQL injection.
- Take a look at the following example:

    <?php
    $sql = "SELECT * FROM users WHERE name = :name AND age = :age";
    $stmt = $db->prepare($sql);
    $stmt->execute([':name' => $name, ':age' => $age]);
    ?>

- The code above has two named parameters, :name and :age. prepare() instructs the database engine to pre-compile the query and attach values to the named parameters later. When execute() is called, the query runs with the actual values of the named parameters. Because the query structure is compiled before the values are supplied, an attacker cannot inject a malicious query through those values: they are treated as data, not as SQL. Hence a secure database can be achieved.
- mysql_real_escape_string(): the mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement. Note that the mysql_* extension is deprecated since PHP 5.5 and removed in PHP 7.0, so prefer prepared statements.
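As an added example (not from the original slides), the same lookup written with string concatenation and with a PDO prepared statement, run against an in-memory SQLite database so it works offline; the table and rows are constructed.

```php
<?php
// Added example: vulnerable concatenation beside the prepared-statement form.
// Uses SQLite in memory so it runs without a database server; the users table
// and its rows are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, age INTEGER)');
$db->exec("INSERT INTO users VALUES ('alice', 30), ('bob', 41)");

// Vulnerable: the user-supplied value becomes part of the SQL text itself.
function find_user_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, age FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL is compiled first; the value is bound afterwards as data.
function find_user_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name, age FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: the quote closes the string literal in the concatenated
// query, so the rest of the input is parsed as SQL and widens the WHERE clause.
$input = "x' OR '1'='1";

// In the unsafe version the WHERE clause no longer restricts the result set;
// in the safe version the whole input is compared as one name, quotes included.
var_dump(count(find_user_unsafe($db, $input)));
var_dump(count(find_user_safe($db, $input)));
```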
Tip 4: Disable PHP's Bad Features
- Global Variables (Register Globals)
- Using the PHP feature 'Register Globals' works against the objective of writing safe code. As soon as this feature is activated in the PHP configuration file, even an uninitialized variable can lead to a damaging security flaw; at worst, almost anyone can seize administrative control. To deal with this, disable Register Globals, make sure you initialize variables, and use local variables within the program.
- If the application is running with register_globals on, a user could just place access=1 into the query string and would then have access to whatever the script controls.
- Unfortunately, register_globals cannot be disabled from the script side (using ini_set(), as we normally might), but an .htaccess file can be used to do this.
- Set the following in the .htaccess file to disable it:

    php_flag register_globals 0

- Set the following in php.ini (if you have access to it) to disable it:

    register_globals = Off

- register_globals was deprecated in PHP 5.3.0 and removed in PHP 5.4.0, so this only concerns older installations; initializing variables before use remains good practice on any version.
Tip 5: Protect Against XSS Attacks
- Cross Site Scripting (XSS) must be guarded against; it is a very simple attack on a website. A PHP application which accepts user input may come across a situation where a user places a malicious script, like the example below, into your application.
- Here is an example of what an XSS attacker might submit to an application:

    <script>window.location.href='http://www.bad-location.com';</script>

- If that script is echoed back unescaped, it hijacks every user who visits the output page and sends them to an unwanted site. This type of attack can be eliminated by properly validating user input and by not allowing specific types of data.
- A few functions to filter/validate data: htmlentities(), strip_tags(), utf8_decode(), htmlspecialchars(), ctype_digit(), ctype_alnum(), stripslashes(), str_replace()
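The most dependable of the functions listed above for HTML output is htmlspecialchars(), applied at the point where untrusted data is written into the page. As an added example (not from the original slides), a small escaping helper and a comment renderer that neutralize the payload shown above; the helper name e() and the comment data are assumptions.

```php
<?php
// Added example: escape untrusted data where it enters HTML so the slide's
// payload is displayed as text rather than executed. e() and the sample
// comment are assumptions, not code from the original slides.

function e(string $untrusted): string
{
    // htmlspecialchars() turns < > & " ' into entities. ENT_QUOTES also covers
    // single quotes, which matters inside attribute values; ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(string $author, string $body, string $homepage): string
{
    // Attribute values get the same escaping as element text. A link target is
    // additionally restricted to http(s): escaping alone does not stop a
    // javascript: URL from running when the link is clicked.
    $scheme = strtolower((string) parse_url($homepage, PHP_URL_SCHEME));
    $href = in_array($scheme, ['http', 'https'], true) ? $homepage : '#';

    return '<div class="comment">'
         . '<a href="' . e($href) . '">' . e($author) . '</a>: '
         . '<p>' . e($body) . '</p>'
         . '</div>';
}

// Constructed input: the payload from the slide as the comment body, an author
// string that tries to break out of the attribute, and a javascript: homepage.
$payload = "<script>window.location.href='http://www.bad-location.com';</script>";
echo render_comment('ngood" onmouseover="x', $payload, 'javascript:void(0)'), "\n";
```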
Tip 6: Avoid Short Tags
- <? and <?= are called short open tags, and they are not always enabled.
- Since PHP 5.3.0 they are disabled by default in the shipped php.ini files; if they are enabled on your server, set the following in php.ini:

    short_open_tag = Off

- Code that relies on short tags will not work on a server where they are disabled, so always write the full <?php tag. (From PHP 5.4.0 on, the <?= echo tag is always available regardless of this setting.)
Tip 7: Protect Against CSRF Attacks
- CSRF stands for Cross Site Request Forgery. The attacker is a remote site that makes use of the cookies, or some other credential, of a normal, legitimate user. For example, when a user comments on the website, the login information is primarily held in cookies, and the browser attaches those cookies to every request it sends to the application, including requests that a malicious site causes it to send. This is why it is imperative to filter the requests that perform actions rather than trusting any request that arrives.
- Let's say certain URLs in the application perform database changes:

    update_info.php?id=123
    delete_record.php?id=123

- An attacker can set up a web page with the following piece of code:

    <img src="http://www.original-application.com/delete_record.php?id=123" alt="" />

- and get the user to open that page. Since the user is logged into the application, the URL is requested with the user's cookies and the script takes whatever action it normally would. So the attacker has made the request through the user. This is "request forgery".
- The solution is to have the server identify each request with a key/random value (a CSRF token) that a third-party site cannot know.
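As an added example (not from the original slides), a per-session CSRF token that is embedded in forms and checked before any state-changing request is handled; the function names, the form fields and the delete_record() call are assumptions.

```php
<?php
// Added example: per-session CSRF token for delete_record.php. Function
// names, the form fields and delete_record() are assumptions, not from the
// original slides.

function csrf_token(): string
{
    // One unpredictable token per session: 32 random bytes, hex-encoded.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input to include in every form that changes state.
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $request): bool
{
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte through timing differences.
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $request['csrf_token'] ?? '';
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// State changes go through POST only: a forged <img src=...> from another
// site is a GET and, even as a POST, would carry no valid token.
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    $id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        exit('Bad record id.');
    }
    // delete_record($id);   // hypothetical application function
    exit('Record deleted.');
}

// GET: only render the confirmation form, carrying the token.
echo '<form method="post" action="delete_record.php">'
   . csrf_field()
   . '<input type="hidden" name="id" value="123">'
   . '<button type="submit">Delete record 123</button>'
   . '</form>';
```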
Tip 8: Securing the Session
- Regenerate the session ID (function: session_regenerate_id();), for example immediately after a successful login.
- Lock the user agent during a session:

    // Function to check whether the user is logged in
    function check_login_status()
    {
        if (!empty($_SESSION['logged'])
            && isset($_SESSION['old_user_agent'], $_SERVER['HTTP_USER_AGENT'])
            && $_SESSION['old_user_agent'] === $_SERVER['HTTP_USER_AGENT']) {
            return true;
        }
        return false;
    }

    if (!check_login_status()) {
        logout();
    }

- Lock the IP of a session (fingerprint the client at login and compare on every request):

    $fingerprint = md5(
        ($_SERVER['HTTP_ACCEPT_CHARSET'] ?? '') .
        ($_SERVER['HTTP_ACCEPT_ENCODING'] ?? '') .
        ($_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '') .
        ($_SERVER['HTTP_USER_AGENT'] ?? '') .
        ($_SERVER['REMOTE_ADDR'] ?? '')
    );

- Store sessions in the database
- By default sessions are stored in files. Many applications are hosted on shared hosting environments where the session files are saved to the /tmp directory. This directory may be readable to other users as well. If unencrypted, the session information is plain text in the file:

    userName|s:5:"ngood";accountNumber|s:9:"123456789";

- Store sessions in the database instead. Sessions stored inside a database are not visible the way files are; they are only available to the application using them.
Tip 9: Set Up Correct Directory Permissions
- Directories should have permissions appropriate to whether they need to be writable or not. Keep a separate directory for temp files, cache files and other resource files, and mark only those writable as needed. Directories (like temp) which can contain resource files, or files with other information, should be guarded well and be totally inaccessible from the outside web.
- Use .htaccess to block all access to such directories (deny from all; on Apache 2.4 the equivalent is Require all denied).
Tip 10: Password Security

    $salt = 'SUPER_SALTY';
    $hash = md5($password . $salt);
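The snippet above hashes with a fast algorithm and one fixed, application-wide salt, so identical passwords produce identical hashes and offline guessing is cheap. As an added example (not from the original slides), the same task with PHP's password_hash()/password_verify() API (available since PHP 5.5), plus a migration path for records still stored in the md5 form; the function names and the sample values are assumptions.

```php
<?php
// Added example: password storage with PHP's password hashing API instead of
// md5($password . $salt). Function names and sample values are assumptions.

function store_password(string $password): string
{
    // password_hash() generates a fresh random salt per call and embeds it in
    // the returned string. PASSWORD_DEFAULT is currently bcrypt; cost is the
    // base-2 logarithm of the number of rounds, so 12 is 16x slower than 8.
    return password_hash($password, PASSWORD_DEFAULT, ['cost' => 12]);
}

function check_password(string $password, string $storedHash): bool
{
    // Salt and algorithm are read back out of the stored string; the
    // comparison inside password_verify() is constant-time.
    return password_verify($password, $storedHash);
}

function upgraded_hash_if_needed(string $password, string $storedHash): ?string
{
    // Call after a successful login: returns a replacement hash when the stored
    // one uses an older algorithm or a lower cost than the current policy.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, ['cost' => 12])) {
        return store_password($password);
    }
    return null;
}

function migrate_legacy(string $password, string $legacyMd5, string $salt): ?string
{
    // Migration from the md5($password . $salt) scheme on the slide: verify the
    // legacy hash once at login, then replace it with a password_hash() value.
    if (!hash_equals($legacyMd5, md5($password . $salt))) {
        return null;            // wrong password; leave the old record untouched
    }
    return store_password($password);
}

// Constructed demonstration values. Two store_password() calls on the same
// input yield different strings because the salt is random; both verify.
$stored = store_password('correct horse battery staple');
var_dump(check_password('correct horse battery staple', $stored));
var_dump(check_password('Tr0ub4dor&3', $stored));

$legacy = md5('correct horse battery staple' . 'SUPER_SALTY');
var_dump(migrate_legacy('correct horse battery staple', $legacy, 'SUPER_SALTY') !== null);
```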
Original Source URL: http://www.techtic.com/blog/10-tips-for-building-a-secure-php-application/
Thank You 
Techtic Solutions 
PHP Development Company India 
Mail. info@techtic.com 
USA: +1 201-793-8324 
UK: +44 117 2308324 
AUS: +61 280 909 320
