PHP Security Fundamentals
PHP is relatively a simple language to learn and many new web programmers are very easily able to learn and start using PHP for their respective applications. This is both an advantage and a disadvantage of PHP. The advantage is that the learning curve for PHP is pretty straightforward and a person new to programming can quickly grasp the syntax and start using PHP. The drawback here, however, is that there are some security issues that also need to be taken care of while writing PHP code, which are most of the times not considered by these new developers. One of the critical aspects of web development that many beginner PHP developers fail to realize is security. Most of the users are normal users, who just use the websites as they are supposed to use. However, there are also malicious users, who are constantly looking for security loop holes on different websites, to explore them for there on interest. Many a times, the beginner developers are not even aware of these issues in their code and eventually end up becoming a prey to such attacks. Hence, it is very essential for new developers to be fully aware of at least the basic security principles in web programming.
#1 Filter User Input
Many times, PHP websites or applications are required to take input data from users and perform certain processing or actions with this data. Here, attackers can submit html or JavaScript code as input data, which may redirect the users to some other page or perform certain actions that are not desirable. These types of attacks are called Cross Site Scripting (XSS) attacks. Consider this simple example. Suppose there is a web page with a login form that prompts for a user name and a password from the users. Now, a malicious user can write some script, which takes the users to a custom login form. Hence, now if the user types in his user name and password and submits the form, then these credentials will be visible to the malicious user, who can then use them to hack the user’s account. This is certainly not desirable.
To prevent these types of attacks, one should always filter the input data received from users to check for any malicious scripts. PHP provides few in-built functions that help in doing this. One of the important one among them is filter “input()”. Here, one can specify the type of filter desired. There are many different types of filters. Validate filters check if the input is a valid email, float, integer, URL, etc. based on the type of validate filter used. Sanitize filters are used to remove any unwanted characters from the input data, based on the type of sanitize filter applied. For instance, the FILTER_SANITIZE_NUMBER_INT will remove all the characters from the input data except digits, plus and minus sign. Also, one can use additional flags with these filters for more security. Another function which can be used is “htmlspecialchars()”. This function converts the special characters present in input data to HTML entities. This also prevents the malicious script from executing.
#2 Escaping Output
Another critical attack that can cause undesirable changes in the system is SQL injection attack. Here, attackers try to insert or inject their own malicious SQL script either in an existing SQL query or from user input. For example, consider the query “select username from users where id=5”. Now, an attacker can easily modify this query, so that it will always execute. Something like this, “select username from users where id=5 or 8=8”. Also, attackers can send malicious scripts directly from the user input.
These attacks can cause some severe damage to our systems. Fortunately, PHP provides some functions that are capable to handle them. The important one among them is “mysqli_real_escape_string()”. This function removes any special characters from the input data and makes it ready to be used in SQL statements. Also, one can use “mysqli_stmt_execute()” function to execute a prepared SQL query.
#3 Cross-site Request Forgery
In this type of attack, the users are tricked in making a request, which they are not aware about. For instance, consider there is a button on your web page that says “Check Status”. On clicking it, you get the status of your submitted application. However, a malicious user can change this button such that if you now click it, it goes ahead and deletes your submitted application. This is just a very trivial example, but in real world, there can be much worse attacks than this particular one.
Attacks of this nature can be tackled by paying careful attention to all the minute details in our application and verifying that there are no such loopholes for attackers to exploit. Also, some PHP frameworks like Laravel provide in-built constructs to handle Cross-site Request Forgery protection.
#4 Session Hijacking
Session hijacking refers to attacks in which the session id or session token of an authorized user gets compromised. Malicious users who are able to access this sensitive information can perform many actions that can do a good amount of damage to user data. They also gain access to any sensitive data stored in the session. For example, if you have users’ passwords stored in the session, then it can completely compromise the corresponding user’s account. Some of the most common ways in which this attack occurs are session sniffing, man-in-the-middle attack, predictable session tokens, etc.
There are a few steps that you need to take in order to reduce the risk of these kinds of attacks. Firstly, always use HTTPS. It provides good security mechanisms. Use secure cookies in addition to regular session cookies. This gives an additional layer of security and in this way, only the authorized users will have the secure cookie. Also, never use incremental integers for session IDs. Another good practice is to delete cookies after particular interval of time.
#5 Remote File Inclusion
This attack allows a malicious user to run code on your system and it can lead to several further types of hacking. Remote file inclusion is caused by a site vulnerability that allows hackers to deploy a malicious file onto the web server. This can be caused by improper use of “require()” and “include()” functions when the “register_globals” directive, a setting which controls the availability of super global variables, is ON (allowing the user to initialize variables remotely). If this directive is ON, an uninitialized variable can be used to include malicious files from remote locations, and if the “allow_url_fopen” is enabled in the php.ini file, then remote files can be uploaded to the site’s server via FTP or HTTP from a remote location.
These attacks can also cause some serious damage to our application. However, we can take some preventive measures to mitigate them. Make sure that the “register_globals” directive is turned off in your application. It is turned off by default in the later versions of PHP. By default, the “allow_url_fopen”, which checks if remote files should be includable, is set to on. We should set it to off. Also, authorized users should always be granted only a minimum set of privileges that are required by them to preform their necessary tasks. They should not be granted any additional privileges.
#6 Directory Traversal
This refers to the attacks in which malicious users gain access to restricted directories and execute commands outside of the web server’s root directory. Once inside the server’s system folders and files, they have access to all sorts of information and sensitive data including application source code and critical system files. The attacker may even delete or add files and can also modify the server’s setup.
The most important step to be taken in order to prevent these attacks is to do efficient user input validation and filtering. Additionally, we should never store any sensitive files inside the web server’s root. Also, a very careful approach needs to be taken while programming on the server side, like using security software and vulnerability scanners. The server software should be regularly updated with the current patches.
These are some of the major security concerns that all beginner PHP developers should be aware about. Apart from these, it is always a good practice to stay updated with all the latest security control mechanisms prevalent in the industry. Also, using a framework, corresponding to the type of PHP application architecture that is suitable for your application, is another good practice to follow. Next step: Go ahead and implement all these security mechanisms in your PHP application!