What's happening in our world

Blog Post
Important Practices for Securing Your PHP Apps
For high-profile, mission-critical PHP applications, security is a paramount concern. Bad security solutions can compromise important servers and lead to the kind of privacy breaches that make news headlines. But for those of us writing more every-day PHP apps, security is still an important concern - especially for anyone who's new to the language. We'll take you through some basic considerations for securing your PHP applications, letting you rest a little bit easier once you finally put your app out into the wild.
One of the most important concerns for any app that accepts user input is validating said input, to ensure that it doesn't throw your app a curveball it can't handle - or worse. Frustratingly, the basic assumption should be that user input can't be trusted, as anything more lenient can leave gaping holes in your security. Many coders use Javascript to validate user input, but this is inherently flawed as users have the ability to disable Javascript, so ensure you validate in PHP.
When your code runs on a page that accepts and then displays user input, such as a comment thread system, bulletin board or similar, it's important to make sure that your application has screened out any possible malicious Javascript code or HTML tags present in the user input. Fortunately, PHP has two built-in functions that make this simple: strip_tags() and htmlentities(). These two can save you a great deal of hassle, so get in the habit of using them!
Everything, naturally, comes back to the user, but sometimes vulnerabilities can be unintentionally exposed by a user and shared with a malicious one - which makes proper error handling critical for the integrity of your security. Many developers hate dealing with this particular aspect of development when trying to get their code out the door in a hurry, but it's far better to invest the time now than to try explaining why you cut corners.
Finally, another important concern is the way your include files are handled. PHP code routinely references other PHP files, often for database access or regularly repeated code segments, which can be inadvertently displayed to the user as plaintext if not properly named. Any extension other than .php may not be parsed properly by a browser, leaving your code vulnerable, so always use the correct extension. To be doubly-safe, store your includes in a folder that doesn't have user access permissions.
This is only the tip of the iceberg when it comes to PHP security, but you can save yourself from a good many problems by following these simple practices.
Sign up to receive updates from SourceGuardian
Try our free php source code demo
Account Login:

login Forgotten Password?
Connect with us
facebook linkedin twitter rss
© Copyright 2002 - 2024 SourceGuardian Limited
Privacy Policy l Terms & Conditions l Company Info l Contact us l Sitemap l PHP Weekly News