1) Always validate data on the server side before processing it, even if you are already validating on the client side using jQuery/JavaScript.
2) Never trust user input. Always filter or sanitize user input before passing it to a MySQL query, i.e. before storing it in the database.
Example: Suppose we have a login form with two input fields – username and password. We can capture the user inputs in PHP as given below:
// Login form data
$username = $_POST['username'];
$password = $_POST['password'];
Here we are not filtering or sanitizing the inputs, so they could be anything the user wants. Say the user has entered the following data:
$_POST['username'] = 'admin';
$_POST['password'] = "' OR ''='";
// Query the database to check whether there is a matching user
$query = "SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'";
mysql_query($query);
echo $query;
The output would be:
SELECT * FROM users WHERE user='admin' AND password='' OR ''='';
This would allow anyone to log in without a valid password. This is called SQL injection and is one of the most severe web security threats.
To prevent this, escape the inputs with the mysql_real_escape_string() function before placing them in the query (it needs an open MySQL connection to do its work).
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);
This time the SQL injection attempt will fail, because the quotes in the input are escaped.
Also, a user may try to attack your application by injecting malicious code (generally JavaScript) into an input box. If this is not prevented, the code will be stored in the database, and when the data is displayed in an HTML page the script will execute and create havoc; it may, for example, redirect users to a phishing site. This is called an XSS (cross-site scripting) attack.
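The login check above rewritten with a PDO prepared statement, so the input is bound as a value rather than pasted into the SQL text, plus htmlspecialchars() for the XSS point; this is an added example, not code from the original article. It assumes an in-memory SQLite database (swap the DSN for MySQL in practice) and a users table with a password_hash column checked via password_verify(), which replaces the article's plain-text password comparison.

```php
<?php
// Added example, not from the original article. PDO prepared statements
// send the SQL text and the bound values separately, so user input can
// never change the structure of the query. SQLite in memory keeps this
// stand-alone; in practice the DSN would point at MySQL. Assumed schema:
// users(id, user, password_hash) with a bcrypt hash instead of plain text.

function findUser(PDO $db, string $username, string $password): ?array
{
    // Named placeholder instead of string interpolation.
    $stmt = $db->prepare('SELECT id, user, password_hash FROM users WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against the stored hash; a password such as ' OR ''=' is
    // simply a wrong password here, never part of the query.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return $row;
}

// Encode user-controlled data at output time so stored markup or script is
// rendered as text rather than executed by the browser (the XSS point).
function safeHtml(string $userData): string
{
    return htmlspecialchars($userData, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample data for demonstration only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, password_hash TEXT)');
$db->prepare('INSERT INTO users (user, password_hash) VALUES (?, ?)')
   ->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Same inputs as the article's example: the real password is accepted, the
// injection string used as a password is rejected.
$ok       = findUser($db, 'admin', 'correct horse battery staple') !== null;
$injected = findUser($db, 'admin', "' OR ''='") !== null;
echo 'valid password accepted: ', var_export($ok, true), "\n";
echo 'injection string accepted: ', var_export($injected, true), "\n";

// Stored input is encoded on the way out instead of being trusted.
echo safeHtml('<script>alert(document.cookie)</script>'), "\n";
```

The mysql_* functions used in the article were removed in PHP 7, so PDO (or mysqli) with prepared statements is the form new code has to take anyway.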
3) Never trigger business logic directly using GET data. As it is visible to the end user, the user can manipulate the data. This is called a Cross-Site Request Forgery (CSRF) attack.
Example:
Consider the following URL:
www.example.com/delete_product.php?id=10
This URL will be visible in the browser and will invoke the business logic that deletes the product with id=10.
Since the id is visible, the user may alter it to another id; the system will not be aware of this and will delete the product with the given id (if it exists):
www.example.com/delete_product.php?id=1
www.example.com/delete_product.php?id=2
and so on.
To prevent this, we can encrypt the query string data before passing it to the server and decrypt it before invoking the business logic.
4) Protect session data by encrypting it. On a shared server, other users can easily read session data stored on the server.
5) Disable directory listing using a .htaccess file. Putting the following line in the .htaccess file disables directory listing:
Options -Indexes
6) Include PHP files with the .php extension only. Some developers use .inc or a similar extension for included files, e.g. db_config.inc. If such a file is opened in the browser, its contents will be displayed right away.
7) Disable error reporting or debug mode in production. This can be configured in the php.ini file, or disabled at run time with the following code in the PHP file:
error_reporting(0);
ini_set('display_errors', '0');