PHP Web Application Security

It is important to secure web applications; otherwise attackers can damage users' data such as emails, passwords, personal identity data, credit card details, business secrets, family and friend contacts, and transaction history. Damage to users causes damage to the company: users lose trust in the company, the company loses its good reputation, and the business suffers. In this article we cover the most common security threats in PHP scripts.


SQL injection

SQL injection is an attack in which a malicious user enters SQL in form fields in a way that alters the execution of the application's SQL statements. Using SQL injection, an attacker can access the website's database and read all of the details stored in it.

<?php
// Vulnerable: the raw POST value is concatenated straight into the SQL text.
$username = $_POST['username'];
$query = "select * from user where username = '" . $username . "'";
?>

In the above code there is no input validation or filtering of user data, so the user can enter an SQL fragment instead of a username, such as “'myusername' OR 'x'='x'”. The condition 'x'='x' is true regardless of the first part, so the attacker bypasses the login without knowing a valid username and password.

How to prevent SQL injection:

  1. Don't trust user input. Always do the required filtering and validation of user input.
  2. JavaScript validation is not sufficient; always do server-side validation.

  3. Filter data using the “mysql_real_escape_string” function.

  4. Use prepared statements and bind variables.
    Example:

    <?php
    // $db is an already-opened PDO connection; the value is bound as data,
    // never interpolated into the SQL text.
    $username = $_POST['username'];
    $query = "select * from user WHERE username = :username";
    $stmt = $db->prepare($query);
    $stmt->execute(array(":username" => $username));
    ?>
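The prepared-statement approach above, carried through to a complete login check, as an added example that is not code from the original article. It uses an in-memory SQLite database (created at run time, with a constructed test account) in place of the article's "user" table so it runs stand-alone; the table columns, the function name authenticate() and the use of password_hash()/password_verify() are assumptions of this example. Note that mysql_real_escape_string from item 3 belongs to the old mysql extension, which was removed in PHP 7.0; with PDO, binding parameters as shown here is the escaping.

```php
<?php
declare(strict_types=1);

// Added example: constructed in-memory database standing in for the real one.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$seed = $db->prepare('INSERT INTO user (username, password_hash) VALUES (:u, :h)');
// Constructed test account; only the password hash is stored, never the password.
$seed->execute([':u' => 'alice', ':h' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

/**
 * Returns the user row on success or null when the credentials do not match.
 * The bound parameter travels separately from the query text, so quotes or
 * SQL keywords inside $username cannot change the statement's structure.
 */
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, username, password_hash FROM user WHERE username = :username');
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored hash; password_verify runs in constant time.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// A normal login matches the seeded account.
var_dump(authenticate($db, 'alice', 'correct horse battery staple'));

// The injection string from the article is now just an unusual username
// that matches no row, so the login is refused.
var_dump(authenticate($db, "' OR 'x'='x", 'anything'));
```

The first call returns the row for alice and the second returns null. When the same code talks to MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the driver uses real server-side prepared statements rather than client-side string substitution.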


XSS

A cross-site scripting attack (XSS attack) is an attack in which a user can add code to a web page. A user can add JavaScript code to the page, and if that data is displayed without filtering, the JavaScript is executed in other visitors' browsers. It can cause unwanted popups, redirects, stolen cookies, and corrupted pages.

How to prevent XSS:

  1. Apply “strip_tags()” to input data.
  2. Apply the “htmlentities()” function to data when outputting it on a web page.
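Both steps in working form, as an added example that is not code from the original article. The helper names e() and plainText() and the sample comment are assumptions of this example; it uses htmlspecialchars(), which covers the characters that matter for HTML and is the usual choice in place of htmlentities(), with the ENT_QUOTES flag so the same helper is safe inside quoted attributes.

```php
<?php
declare(strict_types=1);

/**
 * Escape a value for HTML text or a double-quoted attribute.
 * ENT_QUOTES also converts single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string.
 */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Input-side filtering for a field that should never contain markup, such
 * as a display name. This complements output escaping; it does not replace it.
 */
function plainText(string $value): string
{
    return trim(strip_tags($value));
}

/** Renders one stored comment; escaping happens here, at output time. */
function renderComment(string $author, string $body): string
{
    return '<p class="comment"><strong>' . e($author) . '</strong>: ' . e($body) . "</p>\n";
}

// Constructed untrusted input resembling what a visitor could submit.
$author  = plainText('Bob <b>the</b> Builder');      // becomes "Bob the Builder"
$comment = '<script>alert("xss")</script> Nice post!';

// Store $comment unchanged in the database; never store it pre-escaped.
echo renderComment($author, $comment);

// The same escaper inside an attribute value.
echo '<input type="text" name="author" value="' . e($author) . "\">\n";
```

The script tag in $comment is emitted as &lt;script&gt;..., so the browser displays it as text rather than running it. Values placed inside JavaScript code or URLs need escaping appropriate to those contexts; HTML escaping alone is not enough there.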

Session hijacking

It involves stealing the session ID if it is stored in a cookie. Attackers can steal cookies using XSS and JavaScript.

How to prevent Session hijacking:

  1. Regenerate session IDs.
  2. Always use SSL when using sessions.
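A session setup that applies both points, as an added example that is not code from the original article. The function names loginUser(), rotateSessionIfStale() and logoutUser() and the 15-minute rotation interval are assumptions of this example; session_set_cookie_params() with an options array and the samesite key requires PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Cookie flags must be set before session_start(). secure: only sent over
// HTTPS; httponly: not readable from JavaScript, which blunts cookie theft
// through XSS; samesite: not attached to cross-site requests.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Refuse session IDs the server never issued (defeats session fixation).
ini_set('session.use_strict_mode', '1');
// Keep the ID in the cookie only, never in URLs or referrers.
ini_set('session.use_only_cookies', '1');
session_start();

/** Call right after credentials are verified. */
function loginUser(int $userId): void
{
    // A fresh ID at login means any ID captured beforehand is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']      = $userId;
    $_SESSION['last_rotated'] = time();
}

/** Periodic rotation limits how long a stolen ID stays useful. */
function rotateSessionIfStale(int $maxAgeSeconds = 900): void
{
    if (!isset($_SESSION['last_rotated']) || time() - $_SESSION['last_rotated'] > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['last_rotated'] = time();
    }
}

/** Clears server-side state and expires the cookie on the client. */
function logoutUser(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Passing true to session_regenerate_id() deletes the old session file, so the old ID cannot be replayed after the rotation.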

Cross Site Request Forgeries (CSRF)

In a cross-site request forgery (CSRF) attack, the attacker uses tricks to make a logged-in user's browser send requests that steal sensitive information or make a transaction on the user's behalf.

How to prevent CSRF:

  1. Do any processing of data that makes changes in the database only in POST requests.
  2. Do not use $_REQUEST; instead use $_GET to retrieve GET parameters and $_POST to retrieve POST parameters.

  3. Generate a random CSRF token, store it in the session, and verify it on each POST request.
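The three points combined into a working token flow, as an added example that is not code from the original article. The function names csrfToken(), csrfField() and csrfTokenIsValid(), the field name csrf_token and the /transfer form are assumptions of this example.

```php
<?php
declare(strict_types=1);

session_start();

/** Returns the per-session token, creating it from the CSPRNG on first use. */
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Hidden field to include in every form that changes state. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

/** True only when the submitted token equals the one stored in the session. */
function csrfTokenIsValid(array $post, array $session): bool
{
    $expected  = $session['csrf_token'] ?? '';
    $submitted = $post['csrf_token'] ?? '';
    if (!is_string($submitted) || $expected === '') {
        return false;
    }
    // Constant-time comparison so the check leaks nothing through timing.
    return hash_equals($expected, $submitted);
}

// State changes happen only for POST, read from $_POST (not $_REQUEST), and
// only after the token has been verified.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfTokenIsValid($_POST, $_SESSION)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the database change (e.g. the transfer) here ...
}
?>
<form method="post" action="/transfer">
  <?= csrfField() ?>
  <label>Amount <input name="amount" type="number"></label>
  <button type="submit">Transfer</button>
</form>
```

A request forged from another site cannot include the token because the attacker's page cannot read this session's value, so the check fails before any change is made.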

Protecting the File System

Suppose a PHP script serves a file for download depending on a user parameter:

<?php
// Vulnerable: whatever path the client supplies, including "../" sequences, is read and echoed.
$file = $_GET['file'];
echo file_get_contents($file);
?>

This is very dangerous because such a script will serve any file the web server process can read, from any directory, including system directories.

How to protect the file system:

  1. The script should only serve files that are allowed to be downloaded.
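One way to enforce that rule, as an added example that is not code from the original article: the client may name only a file, the name is reduced to its base name, the resolved path must lie inside one download directory, and the extension must be on an allowlist. The function names resolveDownload() and sendDownload(), the temporary download directory and the sample file are assumptions of this example, created at run time so it runs stand-alone.

```php
<?php
declare(strict_types=1);

// Constructed download directory with one sample file.
$downloadDir = sys_get_temp_dir() . '/downloads_demo';
if (!is_dir($downloadDir)) {
    mkdir($downloadDir, 0700);
}
file_put_contents($downloadDir . '/report.pdf', '%PDF-1.4 constructed sample');

/**
 * Returns the absolute path of an allowed file, or null when the request
 * must be refused.
 */
function resolveDownload(string $requested, string $baseDir, array $allowedExt = ['pdf', 'zip', 'txt']): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Discard any directory component the client supplied.
    $name = basename($requested);
    if ($name === '' || $name[0] === '.') {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowedExt, true)) {
        return null;
    }
    // realpath() is false for missing files and follows symlinks, so a link
    // pointing outside the directory fails the prefix test that follows.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

/** Streams an already-validated file to the client. */
function sendDownload(string $path): void
{
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
}

// Constructed requests: only the first resolves to a path; the others yield null.
var_dump(resolveDownload('report.pdf', $downloadDir));
var_dump(resolveDownload('../../secret.txt', $downloadDir));
var_dump(resolveDownload('index.php', $downloadDir));
```

In the real handler, $_GET['file'] is passed to resolveDownload() and sendDownload() is called only on a non-null result; a null result should produce a 404 without revealing which check failed.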

Proper Error Handling

While developing an application, errors are useful for finding problems in a script, but once the application is accessible to end users, showing errors in the application can make it vulnerable.

How to do proper error handling:

  1. On the live application turn off “display_errors” and “display_startup_errors”.
  2. “error_reporting” and “log_errors” should be on so we can find out if any error occurs on the live application.

  3. Use “set_error_handler” so we can show a proper custom error message to the user.
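The three settings together with a custom handler, as an added example that is not code from the original article. The log file location, the function name renderErrorPage() and the short error reference shown to the user are assumptions of this example.

```php
<?php
declare(strict_types=1);

// Production values. display_startup_errors only takes effect from php.ini
// because startup errors happen before this script runs; it is set here too
// so the intended value is visible in one place.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', sys_get_temp_dir() . '/app-error.log'); // assumed log location
error_reporting(E_ALL);

/** What the end user sees: a generic message plus a reference for support. */
function renderErrorPage(string $reference): void
{
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo "Something went wrong. Reference: {$reference}\n";
}

// Turn warnings and notices into exceptions so a single path handles them.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false; // honour the @ operator and the error_reporting() level
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Full detail goes to the log only; the browser gets renderErrorPage().
set_exception_handler(function (Throwable $e): void {
    $reference = bin2hex(random_bytes(4));
    error_log(sprintf(
        '[%s] %s: %s in %s:%d%s%s',
        $reference, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    renderErrorPage($reference);
});

// Demonstration: an undefined-variable warning becomes a logged exception and
// the user sees only the generic page.
$total = $undefinedVariable + 1;
```

The file path, line number and stack trace stay in the log; the reference printed to the user lets support locate that log entry without exposing any of it.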


Copyright © 2019 Lelesys Informatik GmbH, Deutschland. All Rights Reserved.