PHP Security Best Practices – 1
Title: PHP Security
Scope of article
In the open source world, PHP programming is always given first choice due to its availability and flexibility. It is a powerful server side scripting language, and provides a robust framework to create versatile web applications. However few most recent virus attacks on php based websites have shown that, this power can be diminished if the programmer doesn’t take into account few important security measures. This article talks about few important challenges in PHP programming from security point of view and provides solutions to avoid or mitigate those risks.
How PHP works
Let’s talk about website security in general first. No security can be possible without a complete solution around a web server. For example, a properly configured firewall, hardened operating system, locked down web server and backend database are essential for an end to end website security. As for PHP from the security perspective, please note that it is a versatile programming language; however it doesn’t provide any inherent, built-in automatic means to secure your code. It is up to the programmer to understand security problems and ensure that their code handles those situations properly. When we talk about security in a web application it boils down to two categories, the remote and the local. Local exploitation is caused due to incorrect or imperfect setup of web servers and the configuration of operating system on which it runs. Whereas, the remote exploitation takes place by an ill-behaved user who knows how to exploit the code level vulnerabilities and thus can make their way to the intricate details of the web deployment system. There are ways to mitigate risks in both of these categories, and before we talk about it, please see table below which show typical security problems with their examples.
Problem Area Possible Exploit
Forms Processing Form Submit Spoofing
Sessions Session Hi-jacking
Databases SQL Injection
Shared Hosts File system Exposure
Please remember that the form is always on the browser side and hence very easy to re-construct to launch an attack. To elaborate further, let’s say that a form submit is accepting an email address, to which an email bulletin will be sent everyday and hence the email address will be stored in a database. If the malicious user enters a space character or leaves it blank, that would make its way to the database if not validated. There are two problems here, firstly the database will have bogus blank entries, and secondly when email server does it daily job, it will have to deal with sending emails to blank addresses, which can possibly create problems on the email server itself. In PHP the form submitted values can be intercepted on the receiving page by using $_POST function. These values can then be parsed and user can be sent to an error page upon incorrect form entries. Let’s take another example. Suppose a form is being submitted which accepts date range. The program is then supposed to use that info to construct SQL query to pull up data records in that date range. In this case if the validation for date range is not performed to restrict specific dates, malicious attempt could be made to provide a very wide range resulting into SQL query that will return millions of results, thus taking down the database server and website. Non validation of forms can also result into cross site scripting attacks, as well as HTTP request spoofing attacks.
If we carefully see the code, it shows that the username being accessed through the submitted form is being inserted without any validation. Now consider what would happen if a hacker writes DROP TABLE or any other intrusive SQL command instead of the user name. Since there is no validation, it will get executed causing data loss. This is the simplest form of SQL injection and unfortunately even today most of the websites are found to be vulnerable due to this attack.
When a browser connects to web server running PHP, it establishes a session which is used by the server to deliver page and its contents which are requested. Sessions are important because it helps PHP engine a way to preserve data across subsequent actions. This further helps programmers to build more sophisticated and user friendly applications. Each session contains its own identifier and there are multiple functions available in PHP to deal with the session and its variables. The security problem with a session is that it can be either guessed, or predicted or destroyed. As an example, if a PHP based website stores the logged in user’s username in the session, it is absolutely important that on each page request the user name is checked. PHP provides $_Session function to retrieve session variables and should be used properly for this purpose. If this sort of parsing is not done, then an advanced hacker can steal the session and impersonate as the user, causing data theft.
As explained earlier, PHP security is not a built-in feature which can simply be turned on. It is a consolidated effort from web server to the operating system. Besides that, the secure programming practices demands developers to understand implications of their coding and mitigating risks by taking correct security measure. PHP provides many functions which should be studied and implemented. This is especially true for shopping cart websites which are hosted on apache-php engines.
About the author
Supriya is a PHP developer, loves web programming and has a passion for server and client side scripting. She is fascinated with the idea of combining facebook and open source tools for making programmers’ life easy. She works at Valency Networks (www.valencynetworks.com) as a cyber security product designer and can be reached at email@example.com.