PHP is one of the most popular programming language used today.
PHP application development has seen immense growth in the past decade.
Being open source is one of the main reasons for it is popularity
amongst developers - the other top reason is its rich features.
Programmer friendliness is definitely appeasing, but with all web
applications, there comes one very important consideration - security.
What good is an application if it can be easily hacked into and broken. A
robust code that includes tight security can help you build a great
application.
Here's outlining for you the top five security considerations for PHP Application Development:
Be aware of cross site scripting:
This generally occurs when your website or application allows users to post messages - like forums. Some malicious users whose intent is hijacking of course, can easily enter a <script> tag and reload your web page to a site that they control. How difficult is it then to collect another user's cookie and session information? Well, here's how you can avoid this. Whenever there is a user submitted data to your website, ensure that you do not allow display of HTML syntax - only allow plain text. Well, some might say that it is mandatory for the forum to allow HTML content to be submitted by user, then the only option is to exclude potentially mis - usable tags like <script>. Of course, this slightly loosens security.
Unvalidated Inputs:
Whenever your application has a user input, it is but natural that there are going to be errors - either a mistake or a deliberate attempt to break the code. Ensure that you validate user input data by including a code that will reject anything otherwise. For example if you are expecting a numeric input, all alphabetic or alpha - numeric inputs should be rejected by your code. Even a null input must be considered for action - either accept or reject.
Session ID:
In PHP Application Development, session ID hacking is a very important consideration. If anyone tracks your session ID, he can see all your information. So, always use authentication or re-validation of the user while resetting passwords or entering sensitive information like credit card numbers etc. Another alternative is to use SSL (Secure Socket Layer) connections which show greater protection against sniffing of session Ids.
Error Reports:
This is just a pointer. If your display_errors php.ini file is not set to 0, all your database connection errors will be displayed to the end-user. Any user with a malicious intent can then easily get information about the internal working of your PHP application. This is just a check point - just to be aware of.
Unencrypted HTTP Transmissions:
Ensure that all data handling for sensitive user input data like credit card numbers or bank transactions are done over a secure connection like HTTPS. Here's where you use SSL again. Same goes for FTP - use SFTP instead to transmit sensitive files.
Well, all said and done, PHP Application Development with the more recent versions of PHP comes with better default settings. Yet, ensure that your code does not leave loopholes for the malicious minds!
Here's outlining for you the top five security considerations for PHP Application Development:
Be aware of cross site scripting:
This generally occurs when your website or application allows users to post messages - like forums. Some malicious users whose intent is hijacking of course, can easily enter a <script> tag and reload your web page to a site that they control. How difficult is it then to collect another user's cookie and session information? Well, here's how you can avoid this. Whenever there is a user submitted data to your website, ensure that you do not allow display of HTML syntax - only allow plain text. Well, some might say that it is mandatory for the forum to allow HTML content to be submitted by user, then the only option is to exclude potentially mis - usable tags like <script>. Of course, this slightly loosens security.
Unvalidated Inputs:
Whenever your application has a user input, it is but natural that there are going to be errors - either a mistake or a deliberate attempt to break the code. Ensure that you validate user input data by including a code that will reject anything otherwise. For example if you are expecting a numeric input, all alphabetic or alpha - numeric inputs should be rejected by your code. Even a null input must be considered for action - either accept or reject.
Session ID:
In PHP Application Development, session ID hacking is a very important consideration. If anyone tracks your session ID, he can see all your information. So, always use authentication or re-validation of the user while resetting passwords or entering sensitive information like credit card numbers etc. Another alternative is to use SSL (Secure Socket Layer) connections which show greater protection against sniffing of session Ids.
Error Reports:
This is just a pointer. If your display_errors php.ini file is not set to 0, all your database connection errors will be displayed to the end-user. Any user with a malicious intent can then easily get information about the internal working of your PHP application. This is just a check point - just to be aware of.
Unencrypted HTTP Transmissions:
Ensure that all data handling for sensitive user input data like credit card numbers or bank transactions are done over a secure connection like HTTPS. Here's where you use SSL again. Same goes for FTP - use SFTP instead to transmit sensitive files.
Well, all said and done, PHP Application Development with the more recent versions of PHP comes with better default settings. Yet, ensure that your code does not leave loopholes for the malicious minds!
No comments:
Post a Comment