5 things that enhance security in application development

Security of a PHP application always remains a concern for application developers. The PHP development security tips below are a continuation of the developing secure web applications series. It is a common perception that PHP is an insecure language whose code any novice hacker can exploit. Every language has vulnerabilities that can be exploited, be it PHP, .NET or Java, so moving from one language to another just because you think it isn't secure is not a good idea.

Often, PHP applications lack security because of the language's ease of use. Anybody can learn PHP very easily, so PHP programmers who are new to web development are frequently unaware of the potential security risks their web applications contain. Here are a few of the more common security problems found in web developers' code and how to avoid them.

1: Validate User Input

You should never trust your users. Most web applications use JavaScript to validate user input. Validating user input only with JavaScript is risky because users can turn JavaScript off, manipulate the scripts, or even inject their own JavaScript to perform malicious actions. Validating with JavaScript is fine for usability, but to be safe, validate all inputs again on the server using PHP. Below are some general tips that cover most kinds of input validation:

  • Use white-listed values
  • Always re-validate selections
  • Use built-in escape functions
  • Validate for correct data types, like numbers
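The four tips above, applied to one form on the server side. This is an added example, not code from the original post; the field names, the list of allowed countries and the sample submission are assumptions, and the submission is constructed to look like what a browser with JavaScript disabled could send.

```php
<?php
// Added example (not from the original post): server-side re-validation of a
// signup form. Field names and the allowed-country list are assumptions.
declare(strict_types=1);

const ALLOWED_COUNTRIES = ['IN', 'US', 'GB'];   // white-listed <select> values

/**
 * Validate the raw form array and return [cleanValues, errors].
 * Nothing from $_POST is used until it has passed a check here.
 */
function validateSignup(array $post): array
{
    $clean  = [];
    $errors = [];

    // Correct data type: age must be an integer in a sane range
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age === false) {
        $errors[] = 'age must be a whole number between 13 and 120';
    } else {
        $clean['age'] = $age;
    }

    // Built-in validator for e-mail syntax
    $email = filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'email is not valid';
    } else {
        $clean['email'] = $email;
    }

    // White-list: a <select> is trivially changed in the browser, so re-validate
    // the submitted value against the server's list, not the HTML's.
    $country = $post['country'] ?? '';
    if (!in_array($country, ALLOWED_COUNTRIES, true)) {
        $errors[] = 'country is not one of the allowed values';
    } else {
        $clean['country'] = $country;
    }

    // Free text: restrict character set and length instead of trying to
    // strip "bad" characters after the fact
    $name = trim($post['name'] ?? '');
    if (!preg_match('/^[\p{L} .\'-]{1,64}$/u', $name)) {
        $errors[] = 'name may only contain letters, spaces, dots, apostrophes and hyphens';
    } else {
        $clean['name'] = $name;
    }

    return [$clean, $errors];
}

// Built-in escape function, applied on output: the HTML context decides the encoding
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission (assumption), bypassing any client-side checks
$sample = ['age' => '12abc', 'email' => 'bob@example.com',
           'country' => 'XX', 'name' => "O'Brien <script>"];
[$clean, $errors] = validateSignup($sample);

foreach ($errors as $e) {
    echo 'rejected: ' . h($e) . "\n";
}
if (!$errors) {
    echo 'welcome ' . h($clean['name']) . "\n";
}
```

With the constructed input, three of the four fields are rejected (age, country and name); only the e-mail passes. Note that validation decides whether a value is acceptable, while escaping (`h()`) is applied when the value is rendered, so the two are kept as separate steps.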

2: Global Variables

register_globals should always be set to off. It can be enabled and disabled in php.ini. Why is this important? Consider the following code:

[sourcecode language="php"]
// $validated is never initialised, so with register_globals on a request
// parameter of the same name sets it before this code runs
if ($password == "my_password"){ $validated = 1; }
if ($validated == 1){ echo "Present protected contents"; }
[/sourcecode]

This code is used in many applications across the web. It is fine as long as register_globals is off, but if a server has register_globals set to On, then simply adding "?validated=1" to the URL gives anyone free access to the protected content. This is one of the most common PHP security problems. Correct it by setting register_globals to off and by always initializing a variable before you use it.
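The same gate written so that it does not depend on the register_globals setting at all. This is an added example rather than the post's own code; the literal password and the use of `$_POST` for the submitted value are assumptions.

```php
<?php
// Added example (not from the original post): the protected-content check
// rewritten so a request variable cannot pre-set $validated.
declare(strict_types=1);

// Initialise before use: even with register_globals on, "?validated=1" in the
// URL no longer matters because this assignment always runs first
$validated = false;

// Read input from the explicit superglobal, never from a bare variable name
$submitted = (string) ($_POST['password'] ?? '');

// hash_equals() compares in constant time; in a real application compare
// against a password_hash() value with password_verify() instead of a literal
if (hash_equals('my_password', $submitted)) {
    $validated = true;
}

if ($validated === true) {
    echo "Present protected contents\n";
} else {
    http_response_code(403);
    echo "Access denied\n";
}
```

Two things change: the flag is assigned unconditionally before it is tested, and the input is read from `$_POST` by name, so the code's behaviour is the same whether or not the server still honours register_globals.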

3: PHP Error Reporting

PHP has an inbuilt feature that displays error messages on the page to help the developer resolve problems. A developer often needs those errors to identify and fix bugs, but an attacker can use them to learn crucial information such as the directory structure of the server or even database login details. That being said, error reporting should always be disabled on the live server. There is a simple way to do this: disable the PHP error display feature in either php.ini or the .htaccess file.
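What "disabling error reporting" should actually mean on a live server is turning off the display of errors while still logging them, so the developer keeps the detail and the visitor gets a generic page. The following is an added example, not code from the original post; the log path is an assumption and should point outside the web root.

```php
<?php
// Added example (not from the original post): production error handling
// configured from code. The log path is an assumption.
declare(strict_types=1);

// Keep reporting everything, but route it to the log instead of the page.
// These ini_set() calls mirror display_errors = Off / log_errors = On in php.ini.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log');

// Uncaught exceptions become a generic response plus a logged detail, so stack
// traces, file paths and connection strings never reach the client
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "Something went wrong. Please try again later.\n";
});

// Plain warnings and notices get the same treatment by promoting them to exceptions
set_error_handler(function (int $no, string $str, string $file, int $line): bool {
    throw new ErrorException($str, 0, $no, $file, $line);
});

// Demonstration: with display_errors on, this message (and the file path) would
// be printed straight into the HTML; here only the generic line is shown
throw new RuntimeException('connection to database host db.internal failed');
```

The equivalent settings can also be made without code: `display_errors = Off` and `log_errors = On` in php.ini, or `php_flag display_errors off` in .htaccess on servers running PHP as an Apache module. Putting them in php.ini is preferable because the code-level calls only take effect once the script starts, so errors that occur before that point are still governed by the ini file.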

4: SQL Injection

SQL injection is another security hazard wherever database communication is concerned. For example, consider a typical SQL query:

[sourcecode language="php"]
$check = mysql_query("SELECT username, password FROM users WHERE username = '".$_POST['username']."' and password = '".$_POST['password']."'");
[/sourcecode]

If a user enters the username ' OR 1=1 # and leaves the password blank, the query in the backend is modified like this:

[sourcecode language="sql"]
SELECT username, password FROM users WHERE username = '' OR 1=1 #' and password = ''
[/sourcecode]

Now this is a problem. MySQL treats everything after the # symbol as a comment and ignores it, so it executes the query only up to the point where # appears. Since 1 always equals 1, the query returns every username and password in the database. With a little more creativity, additional tasks can be executed. A simple mitigation is to check for apostrophes in the values we put into the database and remove or neutralize them; that way we can prevent anyone from running their own SQL code on our database. The function below is an example of a very basic step you can take to prevent SQL injection. Also remember never to use POST and GET variables directly in SQL queries:

[sourcecode language="php"]
// Escape quotes and other special characters so the value is treated as data.
// mysql_real_escape_string() needs an open mysql_connect() link; note that the
// mysql extension was removed in PHP 7, where mysqli_real_escape_string() or
// prepared statements are the equivalents.
function sanitize($variable){
    $variable = mysql_real_escape_string(trim($variable));
    return $variable;
}

$username = sanitize($_POST['username']);
$password = sanitize($_POST['password']);
$check = mysql_query("SELECT username, password FROM users WHERE username = '".$username."' and password = '".$password."'");
[/sourcecode]

Now, if a user enters the malicious data above, the function sanitizes the input before it is used in the database query.
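Escaping works, but it has to be applied to every value, every time, with the right connection charset. The more robust approach, added here as an example that goes beyond the post's escaping function and is not the post's own code, is a prepared statement: the SQL text and the data travel to the server separately, so a quote in the username can never change the query. The connection details, the table layout and the assumption that passwords are stored with password_hash() are mine.

```php
<?php
// Added example (not from the original post): the login query with a mysqli
// prepared statement. Connection details and table layout are assumptions.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app', 'app-password', 'appdb');
$db->set_charset('utf8mb4');   // binding and escaping both depend on the connection charset

function login(mysqli $db, string $username, string $password): bool
{
    // The ? placeholder is compiled on the server before the data arrives, so
    // a username of ' OR 1=1 # is looked up literally and matches nothing
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($hash);
    $found = $stmt->fetch();
    $stmt->close();

    // Compare against a stored hash instead of selecting on the plaintext password
    return $found === true && password_verify($password, $hash);
}

// Constructed inputs (assumption) mirroring the post's example, if nothing was posted
$user = (string) ($_POST['username'] ?? "' OR 1=1 #");
$pass = (string) ($_POST['password'] ?? '');

echo login($db, $user, $pass) ? "logged in\n" : "invalid credentials\n";
```

With the post's attack input the `SELECT` simply returns no row and `login()` returns false. The same pattern is available through PDO; whichever API is used, the query text stays a constant and the user data is always passed as a bound parameter.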

5: Member Activity Validation

It has also been seen that developers often take care of visitors' input but forget the rules as soon as the visitor is verified and logs in to the members' area. Keep in mind that all actions of visitors and members have to be validated and verified before they are passed to functions. File inclusions and function calls should never be driven by URLs. System PHP commands should be used only when needed. The admin folder should be hidden when possible. Use a second authentication step for the admin area. It is also very important to hide the config file and rename it so that it becomes hard to guess. These steps will help you implement basic security in your applications.
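One concrete way to keep file inclusion and member actions off the URL, added here as an example and not code from the original post: the request names a key, the server maps that key to a file it chose in advance, and the session (set at login, never by the request) decides whether the member may use it. The page names, file paths and roles are assumptions.

```php
<?php
// Added example (not from the original post): a fixed map instead of including
// whatever the URL names, plus a role check on every member action.
// File names and roles are assumptions.
declare(strict_types=1);

session_start();

// Only these keys can ever reach include(); the user never supplies a path
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'profile' => __DIR__ . '/pages/profile.php',
    'export'  => __DIR__ . '/pages/export.php',
];

// Pages that require a logged-in member, and the exact role they need
const PAGE_ROLES = ['profile' => 'member', 'export' => 'admin'];

function currentRole(): ?string
{
    return $_SESSION['role'] ?? null;   // written at login, never read from the request
}

function resolvePage(string $requested): string
{
    // Anything that is not a key in the map (a path, a URL, a typo) falls back to home
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        return PAGES['home'];
    }

    // Re-check authorisation on every request, not only at login
    $needed = PAGE_ROLES[$requested] ?? null;
    if ($needed !== null && currentRole() !== $needed) {
        http_response_code(403);
        return PAGES['home'];
    }

    return PAGES[$requested];
}

$page = (string) ($_GET['page'] ?? 'home');
include resolvePage($page);
```

Because `include` only ever receives a value from the `PAGES` array, the request parameter cannot steer it toward another file, and because the role comes from the session rather than the request, a member cannot promote themselves by editing a parameter. The same map-based pattern applies to function dispatch: look the requested action up in a fixed array of allowed callables instead of calling a function whose name came from the URL.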

Ashish
Ashish is working as CTO at Ajoft Technologies, Involved in conceptualizing and creating new technology oriented software.
