PHP Security Best Practices – 1

by Shubham Posted on
Shubham
Latest posts by Shubham (see all)

Title: PHP Security
Scope of article
In the open source world, PHP programming is always given first choice due to its availability and flexibility. It is a powerful server side scripting language, and provides a robust framework to create versatile web applications. However few most recent virus attacks on php based websites have shown that, this power can be diminished if the programmer doesn’t take into account few important security measures. This article talks about few important challenges in PHP programming from security point of view and provides solutions to avoid or mitigate those risks.
How PHP works
Before we get to it, let’s quickly see how PHP works. Typically PHP runs on Apache web server; however it can also run of commercial web platforms such as Microsoft IIS. PHP is a set of libraries installed on the web server side, which forms a framework to process web requests. It also has necessary bells and whistles to perform backend database connectivity and calling web services. Important part of its engine is to generate dynamic html based on the program being executed and communicate it back to the browser over http connection. PHP does not process HTML, CSS templates or JavaScript, this is because those are the client side scripts and hence are rendered and processed on browser side.
Let’s talk about website security in general first. No security can be possible without a complete solution around a web server. For example, a properly configured firewall, hardened operating system, locked down web server and backend database are essential for an end to end website security. As for PHP from the security perspective, please note that it is a versatile programming language; however it doesn’t provide any inherent, built-in automatic means to secure your code. It is up to the programmer to understand security problems and ensure that their code handles those situations properly. When we talk about security in a web application it boils down to two categories, the remote and the local. Local exploitation is caused due to incorrect or imperfect setup of web servers and the configuration of operating system on which it runs. Whereas, the remote exploitation takes place by an ill-behaved user who knows how to exploit the code level vulnerabilities and thus can make their way to the intricate details of the web deployment system. There are ways to mitigate risks in both of these categories, and before we talk about it, please see table below which show typical security problems with their examples.
Problem Area Possible Exploit
Forms Processing Form Submit Spoofing
Sessions Session Hi-jacking
Databases SQL Injection
Shared Hosts File system Exposure

PHP Security
Referring to the table above, please note that there are many problem areas with possible exploits, however this article limits to only those which are found frequently. Forms processing is a vital area of many websites. Pages such as contact us and brochure download can contain simple text boxes and a forms submit button. When user fills the information in, and submits the form, the information entered makes its way to the server. If this information is not being parsed for errors and not being validated for malicious attacks, it can lead to trouble. For example, a non-validating form can accept JavaScript which can get executed on the server. The same applies to XML and HTML content.
Please remember that the form is always on the browser side and hence very easy to re-construct to launch an attack. To elaborate further, let’s say that a form submit is accepting an email address, to which an email bulletin will be sent everyday and hence the email address will be stored in a database. If the malicious user enters a space character or leaves it blank, that would make its way to the database if not validated. There are two problems here, firstly the database will have bogus blank entries, and secondly when email server does it daily job, it will have to deal with sending emails to blank addresses, which can possibly create problems on the email server itself. In PHP the form submitted values can be intercepted on the receiving page by using $_POST function. These values can then be parsed and user can be sent to an error page upon incorrect form entries. Let’s take another example. Suppose a form is being submitted which accepts date range. The program is then supposed to use that info to construct SQL query to pull up data records in that date range. In this case if the validation for date range is not performed to restrict specific dates, malicious attempt could be made to provide a very wide range resulting into SQL query that will return millions of results, thus taking down the database server and website. Non validation of forms can also result into cross site scripting attacks, as well as HTTP request spoofing attacks.
Speaking of database related security problems, please note that the PHP engine works with web server’s operating system to connect to the database and perform SQL operations. There can be security challenges in the way the SQL server is accessed. For example, the SQL connection must be opened on the PHP server side scripting which is enclosed in the tags. It is a common mistake to perform sql connectivity via the JavaScript, which exposed the database user name and password on the client side, thus compromising the security. Secondly, if the SQL query is being constructed based on the user’s input through forms, it is important to validate the entries as explained above. If not done, it can lead to SQL injection attack. Let’s take an example of a form accepting user name in the form which is then being inserted into a database table by using PHP code below.

If we carefully see the code, it shows that the username being accessed through the submitted form is being inserted without any validation. Now consider what would happen if a hacker writes DROP TABLE or any other intrusive SQL command instead of the user name. Since there is no validation, it will get executed causing data loss. This is the simplest form of SQL injection and unfortunately even today most of the websites are found to be vulnerable due to this attack.
When a browser connects to web server running PHP, it establishes a session which is used by the server to deliver page and its contents which are requested. Sessions are important because it helps PHP engine a way to preserve data across subsequent actions. This further helps programmers to build more sophisticated and user friendly applications. Each session contains its own identifier and there are multiple functions available in PHP to deal with the session and its variables. The security problem with a session is that it can be either guessed, or predicted or destroyed. As an example, if a PHP based website stores the logged in user’s username in the session, it is absolutely important that on each page request the user name is checked. PHP provides $_Session function to retrieve session variables and should be used properly for this purpose. If this sort of parsing is not done, then an advanced hacker can steal the session and impersonate as the user, causing data theft.
Summary
As explained earlier, PHP security is not a built-in feature which can simply be turned on. It is a consolidated effort from web server to the operating system. Besides that, the secure programming practices demands developers to understand implications of their coding and mitigating risks by taking correct security measure. PHP provides many functions which should be studied and implemented. This is especially true for shopping cart websites which are hosted on apache-php engines.
About the author
Supriya Awati
Supriya is a PHP developer, loves web programming and has a passion for server and client side scripting. She is fascinated with the idea of combining facebook and open source tools for making programmers’ life easy. She works at Valency Networks (www.valencynetworks.com) as a cyber security product designer and can be reached at supriya@valencynetworks.com.