Is PHP as safe as HTML
This makes PHP more secure
The PHP scripting language is an essential requirement for dynamic web content. However, PHP is not considered to be particularly secure. A few essential measures, though, significantly increase the security of PHP scripts.
Programs like WordPress or TYPO3 are largely based on PHP. Since it was first published in 1995, the Hypertext Preprocessor has become one of the most important tools for developing dynamic websites. A great deal is possible with PHP programs, but functions that read and modify database content are a recurring source of problems. Attackers quickly exploit security gaps that have just been discovered. Often, however, it is gross carelessness on the part of the administrator that opens the door to a successful attack.
Secure the PHP installation
Whether you operate a local web server that is only reachable from the public internet for a few hours or a dedicated server at a hosting provider: gaps in PHP are routinely used by bots and automated scripts as a stepping stone to penetrate deeper into other systems. A secure PHP environment starts with configuring the interpreter and its libraries. If you want to see the current PHP configuration, create a file with any name and the extension ".php" in an editor of your choice. In the file you write:
You then upload the file to the directory "/var/www/" or "/var/www/html/" and retrieve it from your server with a browser. PHP then displays all settings in a readable form and also lists the installed modules.
The "php.ini" file, which on Linux systems is usually located under "/etc/", serves as the settings center for PHP. On Ubuntu, for example, you will find the file under "/etc/php5/apache2", provided the Apache server is used. In this "php.ini" look for the entry "register_globals" and change it to "register_globals = Off". If the line does not exist yet, add it. This prevents an attacker from supplying parameters directly in a URL in order to use them for their own purposes. If an attacker suspects that a script exists, or knows that it exists (for example in the case of standard software), he can pass his own variables to it without those variables having been defined first. Also turn off the display of error messages: error messages shown in the browser give attackers valuable information that can be exploited creatively. On a production system that is reachable from the web, "display_errors = Off" should therefore be set in "php.ini".
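As an added example (not a listing from the article), a small script you can upload like the configuration file described above; it reports the two settings discussed in this section as the running interpreter actually sees them, which is the value that matters, not the one in whichever php.ini you edited. Remove the file again after checking.

```php
<?php
// Added example: reports the php.ini settings from the article as seen by
// the PHP build that serves the site. register_globals was removed in
// PHP 5.4, so on newer versions ini_get() returns false for it and the
// script reports it as "not present", which is the safe state.
function check_setting(string $name, string $expected): array
{
    $value = ini_get($name);
    if ($value === false) {
        return ['name' => $name, 'value' => null, 'ok' => true,
                'note' => 'not present in this PHP version'];
    }
    // ini values arrive as strings: "", "0" and "Off" all mean disabled
    $normalized = strtolower(trim((string) $value));
    $disabled = in_array($normalized, ['', '0', 'off', 'false', 'no'], true);
    $ok = ($expected === 'Off') ? $disabled : !$disabled;
    return ['name' => $name, 'value' => $value, 'ok' => $ok,
            'note' => $ok ? '' : "should be $expected"];
}

// Both settings from the article must be Off on a publicly reachable server.
$checks = [
    check_setting('register_globals', 'Off'),
    check_setting('display_errors', 'Off'),
];

header('Content-Type: text/plain; charset=UTF-8');
echo 'Loaded php.ini: ' . (php_ini_loaded_file() ?: 'none') . "\n";
foreach ($checks as $c) {
    printf("%-18s %-8s %s %s\n", $c['name'],
        var_export($c['value'], true), $c['ok'] ? 'OK  ' : 'FAIL', $c['note']);
}
```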
Reject curious glances
Many security problems arise from an inadequately secured installation of the web server or from placing too much trust in the user. When developing a script, make sure that all external information and components are stored outside the directory tree for web documents. For the server to deliver pages and scripts, these must be located in the "/var/www" folder. This does not apply, however, to files that are only included or referenced by the scripts; address those with absolute paths.
Also prevent users from browsing through directories. Put it to the test: wherever you find a document on the web with an address such as "www.name.tld/directory/name.htm", simply omit the file name as an experiment. You will be surprised how many servers then show you their entire directory structure. To prohibit such browsing, protect the server directories by creating an ".htaccess" file containing this instruction:
This prohibits the display of directory contents.
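As an added example (not the article's own listing), an ".htaccess" file that switches off directory listings and, in the same place, reinforces the "display_errors" setting from the previous section for this directory tree. It assumes Apache with PHP running as an Apache module and "AllowOverride Options" (or "All") granted for "/var/www"; without that, Apache ignores the file or refuses the request.

```apache
# Added example, not the article's listing. Requires AllowOverride Options
# (or All) in the Apache configuration for this directory tree.

# Do not generate an automatic index when a directory has no index file.
Options -Indexes

# Only honoured when PHP runs as an Apache module (mod_php); it overrides
# the php.ini value for this directory and its subdirectories.
php_flag display_errors Off
```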
Prevent SQL injections
SQL injection smuggles additional values into the queries that are sent to the database. If the script is not protected, an attacker can, in the worst case, read data he is not entitled to. You can reduce this risk by using the PHP module MySQLi. To read a user name from a "members" table, for example, the call looks like this:
MySQLi checks the validity of the supplied parameters and prevents SQL injection.
MySQLi uses prepared statements: the query contains placeholders at the points where variables are read or passed in. This can also be achieved manually with the appropriate code and basically looks like this:
This example queries the "id" field in the database. The variable "$id" is then used within the statement.
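As an added example covering both listings above (the MySQLi lookup and the placeholder query; this is not the article's own code), the vulnerable string-building variant next to the prepared-statement version. It assumes a "members" table with an integer "id" and a string "username" column; the connection credentials are constructed placeholders.

```php
<?php
// Added example, not the article's listing. Assumes table "members"
// with columns "id" (int) and "username" (string).
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors

// The pattern the article warns about: the raw request value is glued
// into the query text, so a value like "1 OR 1=1" becomes part of the SQL.
function find_username_unsafe(mysqli $db, string $id): ?string
{
    $result = $db->query("SELECT username FROM members WHERE id = $id");
    $row = $result->fetch_assoc();
    return $row['username'] ?? null;
}

// Prepared statement: the query text is fixed and "?" marks where the value
// goes. The value is sent separately from the SQL, so it cannot alter it.
function find_username(mysqli $db, int $id): ?string
{
    $stmt = $db->prepare('SELECT username FROM members WHERE id = ?');
    $stmt->bind_param('i', $id);          // 'i' = bind as integer
    $stmt->execute();
    $stmt->bind_result($username);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $username : null;
}

// Check the input before it reaches the database at all (see next section).
$rawId = $_GET['id'] ?? '';
if (!ctype_digit($rawId)) {
    http_response_code(400);
    exit('invalid id');
}

$db = new mysqli('localhost', 'app_user', 'PLACEHOLDER_PASSWORD', 'appdb');
$db->set_charset('utf8mb4');
$name = find_username($db, (int) $rawId) ?? 'no such member';
echo htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); // escape for HTML output
```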
Do not trust user input
Robots and attackers will always try to inject code into URLs, function calls or form fields to find out how the PHP application reacts. The most important rule is distrust of user input. Only accept entries that you have checked. That makes more work in development, but increases security.
An example: a form in which the user enters his or her date of birth accepts the day and the month as two digits and the year as four digits. Anything else is not allowed, so this input must be checked. Regular expressions are used for this. They are not easy for beginners: besides learning the syntax, you first have to work out the condition the input must satisfy and then express it as a pattern. For every value the user submits via "POST" or "GET", therefore, check both the permitted characters and the length of the entry. A validation for the example mentioned looks like this:
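As an added example (not the article's listing), a validation for the birth-date form described above; the form field names "day", "month" and "year" are assumed. It goes one step beyond the pattern check and also rejects dates that match the pattern but do not exist on the calendar.

```php
<?php
// Added example, not the article's listing. Field names are assumed.
declare(strict_types=1);

/**
 * Returns [day, month, year] as integers, or null unless the input is
 * exactly two, two and four ASCII digits that form a real calendar date.
 */
function validate_birth_date(array $input): ?array
{
    // \z instead of $: in PCRE, $ also matches before a trailing newline,
    // so "12\n" would otherwise pass the length check.
    $rules = [
        'day'   => '/^\d{2}\z/',
        'month' => '/^\d{2}\z/',
        'year'  => '/^\d{4}\z/',
    ];
    $parts = [];
    foreach ($rules as $field => $pattern) {
        $value = $input[$field] ?? null;
        // Missing fields, arrays (day[]=1), spaces and signs are all rejected;
        // only strings of the permitted characters and exact length pass.
        if (!is_string($value) || preg_match($pattern, $value) !== 1) {
            return null;
        }
        $parts[$field] = (int) $value;
    }
    // The pattern cannot know that 31.02. does not exist; checkdate can.
    if (!checkdate($parts['month'], $parts['day'], $parts['year'])) {
        return null;
    }
    return [$parts['day'], $parts['month'], $parts['year']];
}

$dob = validate_birth_date($_POST);
if ($dob === null) {
    http_response_code(400);
    exit('Please enter the date as DD MM YYYY.');
}
[$day, $month, $year] = $dob; // safe to use from here on
```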
If you take these measures into account when developing your own scripts and configuring the server, you will have successfully closed prominent gateways for hackers and data thieves.