May 05

PHP Security – Guidelines

  • Do not store sensitive information in cookies
  • Instead of cookies, store sensitive information in sessions
  • Sessions can also be hijacked, though they are safer than cookies
  • The PHP session id is fairly random, so in general this is not a problem.
  • Reducing the session security problem: determine whether the current user is the one who originally initiated the session; if not, deny access
  • Regenerate session ids after login and on initialization
  • Change the session variable name and the path where sessions are saved [session_save_path(), session_name("xyz")]
  • Reduce the session lifetime [session.gc_maxlifetime]
  • Use SSL [force users to use SSL]
  • Do not use .inc files and do not keep PHP code inside them
  • Do not use dynamic file paths for require and include
  • Do not use relative file paths [use absolute file paths]
  • Do not trust user input; this prevents XSS
  • Use htmlspecialchars(), strip_tags() or htmlentities() on user input
  • To prevent cross-site request forgery (CSRF), check $_SERVER['HTTP_REFERER']
  • You may want to use a token in your session to prevent CSRF. Re-authenticate for sensitive operations
  • When you use third-party tools, do not install them in their default location
  • When an error situation occurs in your code, just stop
  • Use authorization to grant a user only the minimal rights he/she needs
  • Double-check where you are using eval()
  • Use mysql_real_escape_string() on user-provided data that is used in database queries
  • Use prepared statements or stored procedures
  • Double-check the data types: do not accept a string where the data has to be an integer [use ctype_digit() or filter_var(); do not use is_int() or is_numeric()]
  • Keep log files and check them from time to time
  • Do not display detailed error messages on your live site, but you can log the errors for your own checking
  • Do not use standard login names such as administrator or root
  • Do not put your administration module under a folder named admin
  • You can even use a file extension other than .php [but not .inc]
  • Stop spam sent through your contact form: validate the email address using filter_var()
  • Encrypt sensitive information
  • Initialize variables when first declared
  • Disable register_globals in php.ini
  • Do not use $_REQUEST; use $_GET and $_POST instead
  • When developing, use E_ALL to see all possible errors, but turn off E_ALL on the live site
  • Type cast and verify data; only allow the appropriate data type
  • Use ctype_alnum(), ctype_alpha(), ctype_xdigit()
  • Prefer htmlspecialchars() and htmlentities() over strip_tags()
  • SQL escaping (to prevent SQL injection): mysql_escape_string(), mysql_real_escape_string(), pg_escape_string(), pg_escape_bytea(), sqlite_escape_string()
  • To avoid double escaping, check get_magic_quotes_gpc() first
  • Session security technique: compare with the browser signature headers; if there is no match, destroy the session.
  • For shared hosting, configure the following two php.ini directives properly: open_basedir, safe_mode
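The session-related guidelines above (hardened cookie settings, a non-default session name, a reduced lifetime, id regeneration at login, a browser-signature check and a CSRF token) put together in one PHP bootstrap file. This is an added example, not code from the original post; the function names and the 1800-second lifetime are my own choices.

```php
<?php
// Added example: session hardening per the guidelines above (not from the original post).
declare(strict_types=1);

function start_secure_session(): void {
    // Only accept session ids from cookies, never from the URL (guideline: use sessions, not URLs/cookies for secrets)
    ini_set('session.use_only_cookies', '1');
    ini_set('session.cookie_httponly', '1');   // not readable from JavaScript
    ini_set('session.cookie_secure', '1');     // guideline: force SSL
    ini_set('session.gc_maxlifetime', '1800'); // guideline: reduce session lifetime (assumed value)
    session_name('xyz');                       // guideline: change the default session name
    session_start();
    if (!isset($_SESSION['csrf'])) {           // guideline: keep an anti-CSRF token in the session
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
}

// Guideline: compare the browser signature headers on every request.
function browser_signature(): string {
    $ua   = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $lang = $_SERVER['HTTP_ACCEPT_LANGUAGE'] ?? '';
    return hash('sha256', $ua . '|' . $lang);
}

function enforce_signature(): void {
    if (!isset($_SESSION['sig'])) {
        $_SESSION['sig'] = browser_signature();    // first request: record the signature
    } elseif (!hash_equals($_SESSION['sig'], browser_signature())) {
        session_unset();                           // mismatch: destroy the session and deny access
        session_destroy();
        http_response_code(403);
        exit('Session invalid');
    }
}

// Call only after the credentials have been verified: new id, new token.
function on_login(int $userId): void {
    session_regenerate_id(true);               // guideline: regenerate the id after login
    $_SESSION['user_id'] = $userId;
    $_SESSION['csrf'] = bin2hex(random_bytes(32));
}

// Constant-time check of the token posted with a state-changing form.
function csrf_ok(): bool {
    $sent = $_POST['csrf'] ?? '';
    return is_string($sent) && isset($_SESSION['csrf']) && hash_equals($_SESSION['csrf'], $sent);
}

start_secure_session();
enforce_signature();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST' && !csrf_ok()) {
    http_response_code(403);
    exit('CSRF check failed');
}
```

Forms must echo `$_SESSION['csrf']` into a hidden field named `csrf` (through htmlspecialchars()) for csrf_ok() to pass.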