Tuesday, June 30, 2009

PHP: Taking care of security

Today highly confidential data such as credit card number, social security number etc are stored and handle through web. So it must be your primary goal to make your web application secure enough, so that users/visitor feels confident enough while using your application.

Here in this article I am going to give you some tips that are worthy to be remembered and taken care of in application development process.

1. You may have heard about register_globals. They make PHP variables usage easy. However they have certain disadvantages such as users can easily sneak into your application by easily passing data through $_POST, $_GET or $_COOKIE etc. So you shouldn’t rely on register_global. Disable them would be nice decision.
2. Most of the time we use variable directly, without first initializing them. For example

if (condition) {

$flag = TRUE;


If you don’t initialize $flag to false, user can easily set it to true using, $_POST, $_GET or $_COOKIE.

1. Verify all incoming data before processing. Verification highly depends on the type of data. If you need to insert integer data in the database, make sure that proper data is submitted through form.
2. Be very much careful when using function that run commands on the server. These function include exec(), passthru() and backticks (“) etc.
3. You must change the directory where session data is stored by default. Another good approach would be to use database to store session information.
4. When uploading file to the server, it would be good practice to rename the file(s) before storing them. Name must be safe and not guessable.
5. Don’t reveal error on live site. Errors reveal very important information, so they must be taken care of.
6. Take care of SQL injection. If user provides malicious information, your SQL query shouldn’t break.

No comments:

Post a Comment