PHP is the most used language on the web. It is used to develop webpages and help a webpage to respond to its users properly. Websites like Facebook, Yahoo, Wikipedia also uses PHP. The Language itself is easy to understand however if you make an error in your coding than you may give your audience more information than you intend to. Information like your folder structure and other things can be leaked because of poor programming. This is the reason why I’m here today. Here is a few tips that can help you to code PHP securely.
1. Use error_reporting(0);
When you are running PHP locally i.e on your computer using XAMPP or WAMP then you need to see the errors because these help you to solve the issues.
When your website goes live then you do not need to show these errors. Because these errors can compromise your Privacy. Instead of using nothing or error_reporting(E_ALL); on local server, you need to use error_reporting(0); when you make your website live. This Would Help You a lot by not showing any error to your viewers.
2. Using POST Method Instead Of GET Method
If you have been programming for a long time then you might be aware of POST and GET methods. Right!!. If not tell me in comment section below, i will make a new post on that also. When you use GET methods like the image shows below then you tell your viewers what variables you are using and then any clever viewer can just modify your variable’s value and could get into your server.
So be aware and ensure to use the POST method instead of GET method.
3. Validate Input
In addition to escaping character, another great way to protect input is to Validate it.
For example :- You have a Sign up form where you have an email section, password section and date of birth section. Here you need to Validate the Email And D.O.B Section. You need to Make sure that Email Section Contains a @ and The D.O.B section Must contain only numbers.
This way you secure your website From some kind of SQL injections.
You can use the preg_match(); to do so.
4. Check For XSS Attack In User Input
You yourself need to check your website against XSS attack. Because these attacks can be dangerous. You can check this in the section where your users can comment or post something. Just go to comment section and try putting <script>alert(‘OMG. There is a possibility.’);</script> . If this code result in nothing then your website is safe. And If you get a message then you need to secure your website from XSS attacks.
You can try to disable the use of things like < or > in the comment section. Or Try to Usepreg_replace(); .
5. Protection against SQL Injection
SQL Injection is a very dangerous and critical problem faced by us. Information about our users may be vulnerable to hackers. This problem arises when we do not replace ‘ or ‘’ in our input system.
Luckily this may be fixed. Just add mysqli_real_escape_string to your PHP code. For Example:- You can use it like this. mysqli_real_escape_string($_POST[‘email’]);
This one line of code can make a big change to your website and protect your website.
These were just a few tips that can help you to write your PHP code securely. Just remember to always follow these tips while writing code.
Original Post: http://codingsec.net/2015/03/few-tips-to-code-php-securely/