PHP Security Basics

Posted by Leon Tong on 19 Jan, 2010



Security matters for any application, not just web applications. It should be addressed at every stage of the systems development life cycle, and a combination of different precautions (defence in depth) is the best way to protect your web application.

Apart from deliberate attacks, ordinary users can also break your application through the data they submit, so every input must be validated before it is used. Security protects your PHP web application against attackers who want to obtain sensitive data or to get their own code or markup interpreted by your application (injection attacks). There are several types of injection attacks that you should be aware of, including:

  • Command injection attacks – user input is passed into a shell command, so the attacker can run extra commands on the server
  • XSS (cross-site scripting) attacks – an injection of HTML, CSS or script into pages shown to other users
  • XST (cross-site tracing) attacks – abuse of the HTTP TRACE method to read cookies and other request headers from the echoed request; usually grouped with XSS, and mitigated by disabling TRACE on the web server
  • Remote code injections – allow an attacker to run their own code on the server, for example by getting a file of their choosing included or evaluated by the application
  • Session attacks – session fixation or hijacking, where an attacker plants or steals a valid session identifier

The following are a few precautions to take when developing web applications:

  • Set register_globals to Off (it is deprecated in PHP 5.3 and removed from PHP 5.4 onwards, so code should never depend on it)
  • Initialize all variables before use
  • Grant users (and the database account the application uses) only the permissions they actually need
  • Filter/validate input against what is expected, and reject anything else rather than trying to clean it
  • Escape output for the context it goes into (HTML, shell, SQL, etc.)
  • Enforce restrictions on data from users, such as length, type and range
  • Encrypt transmitted data, i.e. serve the application over HTTPS
  • Store sensitive data in a database that can only be accessed from the web server’s IP
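The script below is an added example, not code from the original post, and it illustrates both the injection attacks listed above and the precautions in this list: the same untrusted request is handled once the vulnerable way (raw input concatenated into a shell command and into HTML) and once the hardened way (allow-list validation with filter_var, escapeshellarg for the shell context, htmlspecialchars for the HTML context, and an explicitly initialised, range-checked integer). The function names and the contents of $_GET are my own constructed test input; the shell commands are only built as strings and never executed, so the script can be run safely from the CLI with php.

```php
<?php
// Added example for this post: the same untrusted request handled the
// vulnerable way and the hardened way. Not code from the original article.
// $_GET is filled in by hand with constructed attacker input so the script
// runs from the CLI (php example.php) without a web server.
declare(strict_types=1);

$_GET = [
    'host' => '127.0.0.1; id',             // command injection payload
    'name' => '<script>alert(1)</script>', // XSS payload
    'page' => '7abc',                      // not a valid integer
];

// ---- Vulnerable patterns ---------------------------------------------------

// Command injection: the host goes straight into a shell command line.
// With the payload above the shell would run `id` after `ping`.
function vulnerablePingCommand(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// XSS: user data is written into HTML without escaping.
function vulnerableGreeting(string $name): string
{
    return '<p>Hello, ' . $name . '</p>';
}

// ---- Hardened patterns -----------------------------------------------------

// Validate against an allow-list (an IP address or a hostname) and reject
// anything else rather than trying to "clean" it. Even valid input is then
// escaped for the shell context as a second layer.
function hardenedPingCommand(string $host): ?string
{
    $isIp   = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $isName = filter_var($host, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) !== false;
    if (!$isIp && !$isName) {
        return null;
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Escape at output time for the HTML context. Quotes are encoded too, so the
// value is also safe inside an attribute.
function hardenedGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Initialise the variable yourself and validate type and range instead of
// relying on whatever register_globals or a raw $_GET value would have given you.
function pageNumber(array $query): int
{
    $page = filter_var(
        $query['page'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]
    );
    return $page === false ? 1 : $page; // fall back to the first page
}

// ---- Run both versions against the constructed input -----------------------
$host = (string) $_GET['host'];
$name = (string) $_GET['name'];

echo 'Vulnerable command : ', vulnerablePingCommand($host), PHP_EOL;
echo 'Hardened command   : ', hardenedPingCommand($host) ?? '(rejected)', PHP_EOL;
echo 'Hardened (valid)   : ', hardenedPingCommand('127.0.0.1') ?? '(rejected)', PHP_EOL;
echo 'Vulnerable HTML    : ', vulnerableGreeting($name), PHP_EOL;
echo 'Hardened HTML      : ', hardenedGreeting($name), PHP_EOL;
echo 'Page number        : ', pageNumber($_GET), PHP_EOL;
```

Running it shows the payload "127.0.0.1; id" being rejected outright by the validator, a legitimate address coming out single-quoted by escapeshellarg, the script tag rendered harmless as &lt;script&gt;, and the malformed page number replaced by a safe default. The important design choice is that validation happens on input and escaping happens on output, chosen per context: a value that is safe for HTML is not necessarily safe for a shell or a SQL query.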

Tags: PHP