Tips to Create Secure PHP Applications

by Janeth Kent Date: 29-06-2019 php xss tips sql security injection

PHP is one of the most popular programming languages for the web. Such languages are very helpful for the programmer but the security holes in it can create a problem. They can create problems in the development path.Below are few tips to help you avoid some common PHP security pitfalls and development bug.

1. Use of Proper Error Reporting

Error reporting can be your best friend during the development process. Error reports helps you to find spelling mistakes in your variables and also detect incorrect function usage. Always make sure that you hide all the error reporting once you decide to make the site live.

This can be done by invoking the simple function “error_reporting(0)” at the top of your application file(s).

You should always make sure to log your errors to a protected file. Which help to detect the problem when something go wrong. Therefore, This can be done with the PHP function “set_error_handler”.

2. Disable PHP’s harmful Features

PHP’s creators have always included some features to make PHP development easier. Some of these helpful features can have unintended consequences.
We can call these as “bad features” because they have allowed data validation and created a path for bugs to finding their way into scripts. One of
the first things you should do when the development process begins is
disable certain of these features. Depending on the host which you are using, these may or may not be turned off for you. If you are developing on your own computer or any local environment, they probably won’t be turned off. Some of these features have also been removed in the upcoming PHP6, but are ubiquitous in PHP4 applications and are only deprecated in PHP5 applications.

3. Validate Input

With addition to escaping characters, another good way to protect input is to validate it. Normally you actually know what kind of data you are expecting on input.  So the simplest way to protect yourself against attacks is to make sure your users can only enter the appropriate data.

4. Watch for Cross Site Scripting (XSS) Attacks in User Input

A web application usually accepts input from users and displays it
in some way. They can be in a wide variety of forms. When accepting input, allowing HTML can be a dangerous thing,because that allows for JavaScript to be executed in unintended ways. If even one hole is left open, JavasScript can be executed and cookies could be hijacked. This cookie data could then be used to fake a real account and give an illegal user access to the website’s data. There are a some ways you can protect your site from such attacks. One way is to disallow HTML altogether, because then there is no possible way to allow any JavaScript to execute.

5. Protecting against SQL Injection

SQL injection attacks occur when data is not checked, and the application doesn’t escape characters used in SQL strings such as single quotes (‘) or double quotes (“). If these characters are not filtered out users can disturb the system by making queries always true and which allow them to trick  login systems.

MySQLi help protect your database input. We can do it in 2 ways.

Either with the mysqli_real_escape_string function when connected to a server or with prepared statements.

Prepared statements are a method of separating SQL logic from the data being passed to it. The functions used within the MySQLi library filter the input for us when we bind variables to the prepared statement.



by Janeth Kent Date: 29-06-2019 php xss tips sql security injection hits : 6509  
Janeth Kent

Janeth Kent

Licenciada en Bellas Artes y programadora por pasión. Cuando tengo un rato retoco fotos, edito vídeos y diseño cosas. El resto del tiempo escribo en MA-NO WEB DESIGN AND DEVELOPMENT.


Related Posts

Examine the 10 key PHP functions I use frequently

PHP never ceases to surprise me with its built-in capabilities. These are a few of the functions I find most fascinating.   1. Levenshtein This function uses the Levenshtein algorithm to calculate the…

How to Track Flight Status in real-time using the Flight Tracker API

The Flight Tracker API provides developers with the ability to access real-time flight status, which is extremely useful for integrating historical tracking or live queries of air traffic into your…

What is a JWT token and how does it work?

JWT tokens are a standard used to create application access tokens, enabling user authentication in web applications. Specifically, it follows the RFC 7519 standard. What is a JWT token A JWT token…

How to fix excessive MySQL CPU usage

What happens if we realise that a series of databases that we thought were optimised through the use of indexes, have begun to consume CPU usage time of a server…

PHP - The Singleton Pattern

The Singleton Pattern is one of the GoF (Gang of Four) Patterns. This particular pattern provides a method for limiting the number of instances of an object to just one.…

How to connect to MySQL with Node.js

Let's see how you can connect to a MySQL database using Node.js, the popular JavaScript runtime environment. Before we start, it is important to note that you must have Node.js installed…

The ultimate cybersecurity checklist for programmers

In today's digital age, cybersecurity has become an essential concern for programmers. With cyber threats on the rise, it is crucial for programmers to adopt robust security practices to protect…

How to Send Email from an HTML Contact Form

In today’s article we will write about how to make a working form that upon hitting that submit button will be functional and send the email (to you as a…

Network attacks and how to avoid them

Nowadays it is impossible to list all the different types of attacks that can be carried out on a network, as in the world of security this varies continuously. We…

6 Best Alternative Privacy Focused Browsers in 2021

In today's article we take a look at free private browsers which are relevant in 2021. We will compare their advantages and disadvantages, specs, etc. Let's get into it. What are alternative…

htaccess Rules to Help Protect from SQL Injections and XSS

This list of rules by no means is a sure bet to secure your web services, but it will help in preventing script-kiddings from doing some basic browsing around. MySQL injection…

Interesting and Helpful Google Search Features You’ll Want to Start Using

Google – THE search engine for many internet users. It has been with us since its launch back in 1998 and thanks to its simplicity of use and genius algorithms,…