Security Practices

When new developers first start learning PHP, they don’t learn as much about security as they do about PHP’s language structure. Security is just as important to learn as the language’s structure itself. Without secure code you may create larger issues: a user could take over a web server through a security hole in your code. This is something you don’t want to be explaining to your boss or hosting company the next day.

Prevent MySQL Injections

One very common security issue is not sanitizing users’ input. Most new programmers will write code without making sure the user’s input is safe before using it. This security flaw mostly comes from variables passed between pages with POST or GET and then used as is. So what types of risk come with this type of attack? There are a lot. Depending on how the passed variables are used, it could cause your database to be compromised, or even worse, it could lead to losing your entire website. So how do you sanitize your code? That really depends on the code itself. If you are expecting a numeric value, use PHP’s is_numeric. If you are passing variables to a MySQL query, make sure you use mysql_real_escape_string before or during the query. If you don’t, all a person would need to do is add "' '1'='1';" to a variable in order to get access to your site’s database.
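
The checks described above, as an added example that is not code from the original article: the same request value goes through plain concatenation, escaping, a bound parameter and an is_numeric check. Assumptions: an in-memory SQLite database through PDO stands in for MySQL so the script runs offline, PDO::quote() stands in for mysql_real_escape_string (which was removed in PHP 7.0), bound parameters go beyond the article's own advice, and the table and function names are hypothetical.

```php
<?php
// Added example. Assumptions: in-memory SQLite through PDO stands in for MySQL,
// and the table, column and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Vulnerable: the value is pasted into the SQL text, so a quote in the input
// ends the string literal and the rest is parsed as SQL.
function findUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Escaped: PDO::quote() plays the role mysql_real_escape_string has in the text.
function findEscaped(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = " . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Bound parameter: the value is sent separately and never becomes SQL text.
function findBound(PDO $db, string $name): array {
    $stmt = $db->prepare("SELECT name FROM users WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Numeric input: reject anything is_numeric() does not accept, then cast.
function findById(PDO $db, $id): array {
    if (!is_numeric($id)) {
        return [];
    }
    $stmt = $db->prepare("SELECT name FROM users WHERE id = ?");
    $stmt->execute([(int) $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$input = "x' OR '1'='1";  // constructed sample of a hostile POST/GET value
print_r(findUnsafe($db, $input));
print_r(findEscaped($db, $input));
print_r(findBound($db, $input));
print_r(findById($db, "1 OR 1=1"));  // constructed non-numeric id
print_r(findById($db, "2"));
```

Run it with the PHP CLI and the pdo_sqlite extension enabled. For the constructed string input, only findUnsafe returns rows.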

Protect your files

This isn’t directly a PHP security flaw, but it is good practice to put an index.php or index.html in each of your website’s sub-directories. This is because your source code can be viewed by any user, and any user can find out which directory holds your scripts. Then any of your scripts can be downloaded, and the user has access to your code. This may not sound like a big issue, but if you have a configuration file that has your database user and password, the user now has access to that information. Depending on how that database user’s rights are set up, the person can now access your database and retrieve any information they want.

Encrypt all passwords

If you are storing passwords, make sure you are not storing them as plain text. Instead, you should store passwords as hashes. A hash uses a math function to “change” the password to something harder to read. There are two popular hashes used in PHP, md5 (considered less secure/insecure) and sha-1, but each is better than plain text. With a hashed password, if someone obtains a password for any user on your site, it will take them longer to break the security and to hack that account.

Protect Sessions

Sessions are very useful to programmers. They allow you to store variables and retrieve them at any time. The issue with sessions is that they can be hijacked: if a user knows the session ID, they can spoof who they are. This hijacking works across browsers, and even across computers. If you do have to process sensitive data, either encrypt it before storing it in a session or store the information in a secure method, say in a database, and verify that the user has access to that information before using it.

Security is a subject that not a lot of people like to think about. Most people have the mentality that it isn’t going to happen to them, but as a programmer you should ensure that it doesn’t by taking the extra steps to secure your code. If you ever have a site that has been compromised, then you will understand that taking the time to deal with security first is better than having to clean up after the aftermath.
