Strengthen Your Website with Vital PHP Security

Advertisement

Proper tactics for effective security is extremely important for web developers. Sites can be hacked in, turned inside out, and ridiculed by individuals who have the capacity to bypass standard security measures. Developers are encouraged to always take necessary steps when constructing their applications in order to provide powerful security.

Because PHP is the most popular web programming language in use, it’s categorized as a highly flexible syntax that’s incredibly effective when working side by side with HTML. Open source tools are a plus with PHP; i.e. MySQL databases and Apache. Overall, PHP allows you to retract errors and vulnerabilities found in your sites security on a continuous basis. Keep reading and find out how you can utilize this powerful programming tool to bring your site to higher security standards.

Common Form of Attack & Vulnerabilities

attack

Particularly speaking any website that sends, receives & processes information is vulnerable to an attack. The most important type of attack (when it comes to the web) is automated.

These sort of attacks are particularly alarming because of their ability to use automated scripts to destroy the structure your website through several venues. These attacks can easily access restricted areas on your site, slow down load time for pages, interrupt the source code, or deface the site. Most of the attacks you’ll come across derive from viruses, worms, and Trojan horses. Each of these attacks are different in their own way, however they reap the same results.

Seasoned developers have common knowledge of where to spot a vulnerability in their PHP code, this is why it’s important to make this a primary task at hand.

Evaluating XSS

What is XSS? It’s Cross Server Scripting, readily used for hacking into a website. It’s important to be aware of the different XSS attacks that can stress your server. XSS is code that’s injected onto your website, and executes just like a program would on your desktop. This can easily be used for a variety things, such as launching Javascript through an “infected” Twitter web interface (Stalk Daily and Mikeyy Twitter Worms). Check out this list of common XSS exploits

The best possible way to defend against XSS attacks would be to disable JavaScript and images while surfing the web, however seeing as though this is nearly an impossible task, you’ll need to be proactive against these vulnerabilites and use every tool at hand. Another useful tip for protecting against XSS is a simple PHP function called htmlentities(). This PHP function works by converting every character in HTML to their corresponding entities, such as “<” would convert to “<”.

Cryptography: The Practice of Hiding Information

hiding_data

Cryptography is vital when dealing with PHP security. Even if you’re a beginner when it comes to website security, we’ve all come across some sort of cryptogrpahic presence being used (for example Mail Clients such as Yahoo! & more). As growing developers we need to feed ourselves with the awareness of practical uses for cryptography. PHP allows us to use various basic functions in order to encrypt data.

The following are two guides that will touch further on the cryptographic subject: Cryptography Techniques for Secure Communications , A Guide to Cryptography in PHP

Sanitizing Your Site

According to the PHP manual: “Sanitization will sanitize the data, so it may alter it by removing undesired characters. For example, passing in FILTER_SANITIZE_EMAIL will remove characters that are inappropriate for an email address to contain. That said, it does not validate the data.”

A majority of XSS attacks come from manipulating the input of a website. Here are a few things you should do to make sure the input you receive is safe:

PHP addslashes Function

All you have to do is run all of your input through the addslashes method in PHP. The slashes help avoid characters that could dangerous and manipulative to the site.

Using strip_tags

strip_tags() is a useful PHP function that helps sanitize input. With this function you have the option of allowing specific set of tags, thus if you have a page where users can be allowed to use some HTML (for example, an email form) you can still allow them to use a few tags.

Removing JavaScript & Flash From Input

code

Using regular expressions allows us to make sure that JavaScript doesn’t get through and execute. Within this section you’ll learn to use strip tags to remove tags that can take care of a JavaScript attack. Flash can also be enclosed via XSS and utilized for the wrong purpose. Below you’ll find two simple functions that will remove JavaScript & Flash from the input it is given, by utilizing regular expressions:

JavaScript

function removeJavaScript($input){ return preg_replace('#]*>.*?#is','',$input); }

Flash

function removeFlash($input){ return preg_replace("/<object[0-9 a-z_?*=":-/.#,\n\r\t]+/smi", "", $input); }

Securing Your Passwords

password

Usually, the first attempts to hacking a site comes from people trying to bypass passwords on your site to gain access to restricted areas (such as your admin panel for WordPress). A vital procautinary step would be to make sure that your password has a good mix of numbers, letters, and symbols. This isn’t limited to passwords that are words used on a daily basis, but are spelled in ‘leet speak’, for example “myst1c.

If you have a registration form on your website, it would be important to use a random password generator as well. Generating random passwords can be very useful for user registrations, and when a registered user makes a request due to a forgotten password. Here is an example we found for random password generation:

< ?php //A simple function which will output a random password function randompassword($count){ $pass = str_shuffle('abcefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890@#%$*'); return substr($pass,3,$count);//returns the password } ? >
Advertisement
Use your ← → (arrow) keys to browse

Login

Signup

Forgot Password

Enter the e-mail you used to signup. A password reset link will be sent to you by email.