Is PHP as safe as HTML

This makes PHP more secure

Stephan Lamprecht

The PHP script language is an essential requirement for dynamic web content. However, PHP is not considered to be particularly secure. There are some mandatory measures that significantly increase the security of PHP scripts.

Programs like Wordpress or Typo 3 are largely based on PHP. Since it was first published in 1995, the Hypertext Preprocessor has become one of the most important tools for developing dynamic websites. A lot is possible with PHP programs, but functions that can be used to read and edit content from databases cause problems again and again. Attackers often use security gaps that have just been discovered. Often, however, criminal carelessness on the part of the administrator opens the door to successful attacks.

Secure the PHP installation

Whether you operate a local web server that is only accessible to the public for a few hours or work with a dedicated server at a provider: Gaps in PHP are always used by bots and automated scripts as a stepping stone to penetrate deeper into other systems. A secure PHP environment starts with configuring the libraries. If you want to see the current PHP configuration, create a file with any name and the ending ".php" with an editor of your choice. In the file you write:

You then upload the file to the directory “/ var / www /” or “/ var / www / html /”. Then use a browser to retrieve the file from your server. PHP now delivers all settings clearly and also shows information about installed modules.

EnlargePHP info file on the server: Three lines of PHP code are sufficient to view the current configuration of PHP on the server.

The “php.ini” file, which is usually located in the “/ etc /” directory on Linux systems, serves as the settings center for PHP. On Ubuntu, for example, you will find the file under “etc / php5 / apache2”, provided the Apache server is used. In this "php.ini" look for the entry "register_globals" and change the value to "register_globals = Off". If the line does not yet exist, create a new one. This prevents an attacker from being able to access the parameters directly from a URL in order to use them for their own purposes. If an attacker suspects the existence of a script or if its existence is known (for example in the case of standard software), he can transfer his own variables to him without these having to be defined first. Also turn off the display of error messages. Because the error messages in the browser provide hackers and attackers with important information that can possibly be creatively exploited. On a productive system that can be reached on the web, the instruction “display_errors =” should therefore be set to “Off” in “php.ini”.

EnlargeHTML output from phpinfo (): The server delivers all settings and components of the PHP installation on a clearly laid out page.

Reject curious glances

Many security problems arise from an inadequately secured installation of the web server or from disproportionate trust in the user. When developing a script, care should be taken to ensure that all external information and elements are stored outside the hierarchy of the folder for web documents. So that the server can deliver pages and scripts, these must be in the “/ var / www” folder. However, this does not apply to image references or other files. Access it with absolute path information.

Also prohibit the user from scrolling through directories. Put it to the test once. Wherever you can find a document with the address " / directory / name.htm" on the web, simply omit the name of the file as a trial. You will be surprised at how many servers you can then see the entire directory structure on. To prohibit such browsing, protect the server directories by creating the ".htaccess" file. In this one you use this instruction:

This prohibits the display of directory contents.

Prevent SQL injections

SQL injections inject additional values ​​into queries that are transferred to the database. If the script is not protected, an attacker can, in the worst case, read data. You can reduce this risk by using the PHP module Mysqli. To read a user name from a "members" table, for example, the call looks like this:

Mysqli checks the validity of entered parameters and prevents SQL injections.

Mysqli uses prepared statements: The query receives placeholders at the points where variables are to be read or transferred. This can also be achieved manually with the appropriate code and basically looks like this:

This example queries the "id" field in the database. The variable "$ id" is then used within the statement.

Do not trust user input

Robots and attackers will always try to inject code into URLs, function calls or form fields to find out how the PHP application reacts. The most important rule is distrust of user input. Only accept entries that you have checked. That makes more work in development, but increases security.

EnlargeControl of user rights: In addition to the important security of PHP, you should not forget to control the rights in the folder with the HTML documents.

An example: A form in which the user should enter his / her date of birth allows the day and month with two digits and a four-digit year. Anything else is not allowed. This information must now be checked. To do this, you use regular expressions. Dealing with this is not easy for beginners, because not only do they want to learn the syntax, but first the appropriate condition has to be found, which is then to be displayed. For all entries made by the user in the form of “POST” or “GET”, therefore, check the permitted characters and the length of the entry. A validation for the example mentioned looks like this:

If you take these measures into account when developing your own scripts and configuring the server, you will have successfully closed prominent gateways for hackers and data thieves.