PHP Security issues

Hi, what are the security loopholes that one must be careful about while writing PHP code that interacts with databases and user accounts? I will be grateful for any help that is given regarding this.

Answer Wiki

There are a number of things you can do to protect your PHP-based website. I'm not going to go into great detail on these as it would take too long, but I will give you the basics for you to do some research on:

Firstly, ensure that display_errors is OFF on your production website as having this ON can give away details you don’t want people to know. ON for development, OFF for production.

Secondly, protect yourself against nasty SQL injections using the PHP mysql_real_escape_string() function. It is very simple to use and stops people from adding bits to your query, like putting their name as "Dave; drop clients;", which could potentially drop the clients table if it exists.

Thirdly, do a bit of research on XSS (cross-site scripting) to make sure you are secure from it.

Fourth, ensure that important site details, like config files, database connection strings and even text-based database files, are outside of the main site structure, which stops them being viewed via a browser. You can include them using the full file path.

Fifthly, investigate the allow_url_fopen and allow_url_include directives for the php.ini file and set them accordingly. This can stop external scripts from overwriting or inserting into your web files.

Sixthly, protect your session ID by changing it often, reducing the risk of an intercepted session ID still being valid. This is done using the PHP session_regenerate_id() function. If it's PHP 5.2+ then you can tell the browser that JavaScript should not be given access to the cookie using the "httponly" flag. You can also store your sessions in a database rather than at file level, and if you have to store them at file level, store them in a private directory only available to you. You can use the directive called session.save_path to set another path for storing them. You can also store them in a database, but then you will have to write your own handler using the function called

There are several other things, but that should protect you from most intrusions.
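The points in the answer above, put together in one small PHP script as an added example (this is not code from the original answer). It uses PDO prepared statements as the parameterised alternative to escaping the input by hand; the table name, the paths under /etc and /var, and the config file layout are assumptions for illustration.

```php
<?php
// Added example, not part of the original answer. Paths, table and config
// layout are assumed; adjust them to your own deployment.

// 1. Production: never show errors to visitors, keep them in the server log.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// 6. Session hardening: cookie not readable from JavaScript, session files
//    kept outside the document root, and the ID rotated so a captured value dies.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
ini_set('session.save_path', '/var/lib/php/private-sessions'); // assumed private directory
session_start();
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);   // true = delete the old session file as well
    $_SESSION['initiated'] = true;
}

// 4. Database credentials live outside the web root, included by absolute path.
//    Assumed file that returns ['dsn' => ..., 'user' => ..., 'pass' => ...].
$config = require '/etc/myapp/db-config.php';

// 2. SQL injection: bind the user-supplied value instead of splicing it into
//    the SQL text, so "Dave; drop clients;" stays a plain string value.
$pdo = new PDO($config['dsn'], $config['user'], $config['pass'], array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
));
$name = isset($_GET['name']) ? (string) $_GET['name'] : '';
$stmt = $pdo->prepare('SELECT id, name FROM clients WHERE name = :name');
$stmt->execute(array(':name' => $name));
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3. XSS: escape on output, so a name like <script>...</script> is shown as text.
header('Content-Type: text/html; charset=UTF-8');
if ($row === false) {
    echo '<p>No client named ', htmlspecialchars($name, ENT_QUOTES, 'UTF-8'), '</p>';
} else {
    echo '<p>Client #', (int) $row['id'], ': ',
         htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), '</p>';
}
```

The allow_url_fopen and allow_url_include settings from the fifth point cannot be changed from a running script; set them in php.ini (allow_url_include off, and allow_url_fopen off unless the site genuinely fetches remote URLs).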

Discuss This Question: 1  Reply

  • Koohiisan
    I seem to recall a general PHP security danger to do with 'register_globals'. You might want to make sure this doesn't harm you. It's been a while since I used this, so I don't know how big of an issue that is nowadays. But, I think it may have been on as a default on some versions of PHP.
