{"id":60,"date":"2016-04-18T07:46:50","date_gmt":"2016-04-18T07:46:50","guid":{"rendered":"https:\/\/datatype.co.in\/blog\/?p=60"},"modified":"2020-09-06T14:34:40","modified_gmt":"2020-09-06T14:34:40","slug":"securing-php-web-applications","status":"publish","type":"post","link":"https:\/\/datatype.co.in\/blog\/securing-php-web-applications\/","title":{"rendered":"Securing PHP Web Applications"},"content":{"rendered":"\n<figure class=\"wp-block-image\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"576\" src=\"https:\/\/datatype.co.in\/blog\/wp-content\/uploads\/2020\/09\/securing-php-web-applications-1024x576.jpg\" alt=\"Securing PHP Web Applications\" class=\"wp-image-858\" srcset=\"https:\/\/datatype.co.in\/blog\/wp-content\/uploads\/2020\/09\/securing-php-web-applications-1024x576.jpg 1024w, https:\/\/datatype.co.in\/blog\/wp-content\/uploads\/2020\/09\/securing-php-web-applications-300x169.jpg 300w, https:\/\/datatype.co.in\/blog\/wp-content\/uploads\/2020\/09\/securing-php-web-applications-768x432.jpg 768w, https:\/\/datatype.co.in\/blog\/wp-content\/uploads\/2020\/09\/securing-php-web-applications-710x399.jpg 710w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>1) <strong>Always validate data on the server side<\/strong> before processing it, even if you already validate it on the client side with jQuery\/JavaScript. Client-side validation only improves usability; an attacker can bypass it by sending the request directly with any tool that speaks HTTP.<\/p>\n\n\n\n<p>2) <strong>Never trust user input<\/strong>. Treat every value from $_GET, $_POST, cookies and request headers as hostile: validate it against what the field is supposed to contain (type, length, allowed characters), and never paste it into a SQL string; pass it to the query as a bound parameter instead.<\/p>\n\n\n\n<p>Example: Suppose we have a login form with two input fields &#8211; username and password. We can read the user inputs in PHP as given below:<\/p>\n\n\n\n<pre class=\"wp-block-code prettyprint\"><code>\/\/ Login form data\n$username = $_POST['username'];\n$password = $_POST['password'];<\/code><\/pre>\n\n\n\n<p>Here we are not validating or escaping the user inputs. 
The inputs could be anything the user wants. Say the user submits the following data (the password is a single quote followed by <code>OR ''='<\/code>):<\/p>\n\n\n\n<pre class=\"wp-block-code prettyprint\"><code>$_POST['username'] = 'admin';\n$_POST['password'] = \"' OR ''='\";<\/code><\/pre>\n\n\n\n<p>The application then queries the database to check whether there is a matching user. (The mysql_* functions used here were deprecated in PHP 5.5 and removed in PHP 7.0, but the flaw is the same with mysqli or PDO whenever input is concatenated into the query text.)<\/p>\n\n\n\n<pre class=\"wp-block-code prettyprint\"><code>\/\/ VULNERABLE: user input is concatenated straight into the SQL string\n$query = \"SELECT * FROM users WHERE user='{$_POST['username']}' AND password='{$_POST['password']}'\";\nmysql_query($query);\necho $query;<\/code><\/pre>\n\n\n\n<p>The echoed query is:<\/p>\n\n\n\n<pre class=\"wp-block-code prettyprint\"><code>SELECT * FROM users WHERE user='admin' AND password='' OR ''=''<\/code><\/pre>\n\n\n\n<p>Because AND binds tighter than OR, the condition reads <code>(user='admin' AND password='') OR (''='')<\/code>, which is true for every row, so the query returns users and the login succeeds without a valid password. This is <strong>SQL Injection<\/strong>, one of the most severe web application vulnerabilities.<\/p>\n\n\n\n<p>The traditional fix was to escape the inputs with mysql_real_escape_string() before building the query:<\/p>\n\n\n\n<pre class=\"wp-block-code prettyprint\"><code>\/\/ escapes quotes, backslashes and other special characters so the value stays inside the string literal\n$username = mysql_real_escape_string($_POST['username']);\n$password = mysql_real_escape_string($_POST['password']);\n<\/code><\/pre>\n\n\n\n<p>This blocks the payload above, because the quote in the password is escaped and the whole value stays inside the string literal. It is not the right tool today: the extension no longer exists in PHP 7 and later, escaping is only correct if the connection character set is configured properly, and it has to be remembered for every single parameter. Use prepared statements with bound parameters (PDO or mysqli), which send the query text and the data to the server separately, so user input can never change the structure of the query. Also, never store or compare plaintext passwords in SQL: select the stored hash by username only, store it with password_hash() and check it in PHP with password_verify().<\/p>\n\n\n\n<p>Also, a user may try to attack your application by entering malicious code (generally JavaScript) in an input box. If it is not prevented, the code is stored in the database, and when that data is later displayed in an HTML page the script runs in the browser of whoever views the page. It may steal the session cookie or redirect the user to a <strong>Phishing<\/strong> site. This is called an <strong>XSS Attack<\/strong> (cross-site scripting). The defence is output encoding rather than input filtering: pass every value through htmlspecialchars() with ENT_QUOTES and the page charset at the point where it is written into HTML, and mark the session cookie HttpOnly so a script cannot read it.<\/p>\n\n\n\n<p>3) <strong>Never trigger business logic directly from GET data<\/strong>. The URL is visible to the end user, so the user can manipulate the data in it. 
This has two consequences. Changing the id to reach records that belong to someone else works whenever the server does not check authorization (an insecure direct object reference), and because a GET request carries no proof that the user meant to send it, an attacker can make a logged-in victim's browser issue it from another site; that is <strong>Cross-Site Request Forgery (CSRF)<\/strong>.<br>Example:<\/p>\n\n\n\n<p>Consider the following URL:<\/p>\n\n\n\n<p><code>www.example.com\/delete_product.php?id=10<\/code><\/p>\n\n\n\n<p>This URL is visible in the browser and invokes the business logic that deletes the product with id=10.<\/p>\n\n\n\n<p>Since the id is visible, the user may change it to another id; the system will not notice and will delete the product with the given id (if it exists):<\/p>\n\n\n\n<p><code><br>\nwww.example.com\/delete_product.php?id=1<br>\nwww.example.com\/delete_product.php?id=2<br>\n<\/code><br>and so on. The same URL placed in an image tag or link on a page the victim visits makes the victim's browser request it with the victim's session cookie attached, so the deletion happens under the victim's account without any action on the real site.<\/p>\n\n\n\n<p>Encrypting or obfuscating the query string does not fix either problem: the server still deletes whatever id it decrypts, and an encrypted URL can be replayed as easily as a plain one. Prevent it by checking on the server that the logged-in user is allowed to delete that particular product, by performing state-changing actions only in response to POST, and by putting a random per-session token in the form and rejecting any request whose token does not match the one stored in the session (compare the two with hash_equals()). Sending the session cookie with the SameSite attribute adds a second layer against cross-site requests.<\/p>\n\n\n\n<p>4) <strong>Protect session data<\/strong>. On a shared server the default session.save_path (often a world-readable \/tmp) lets other accounts on the same machine read the session files, and with them everything stored in $_SESSION, which is enough for session hijacking. Point session.save_path at a directory only your account can read, or store sessions in your database; encrypting the session contents only helps if the key is not readable from the same place. Also send the session cookie with the HttpOnly and Secure flags, and call session_regenerate_id(true) after a successful login so a session id planted by an attacker before login is not kept.<\/p>\n\n\n\n<p>5) <strong>Disable directory listing<\/strong>. On Apache, putting the following in a .htaccess file (or in the virtual host configuration) turns off the automatic index that would otherwise list every file in a directory that has no index page. It takes effect only if the server allows Options to be overridden in .htaccess; on nginx the equivalent directive is autoindex, which is off by default.<\/p>\n\n\n\n<p> <strong><code>Options -Indexes <\/code><\/strong><\/p>\n\n\n\n<p>6) <strong>Give included PHP files a .php extension<\/strong>. Some developers use .inc or a similar extension for includable files, e.g. db_config.inc. If such a file is requested directly in the browser, the web server serves it as plain text and its contents, database credentials included, are displayed right away. A file named db_config.php is executed instead, which normally yields an empty page. Better still, keep configuration and library files outside the web root, where no URL maps to them.<\/p>\n\n\n\n<p>7) <strong>Do not display errors or run in debug mode<\/strong> in production. Error messages reveal file paths, query text and sometimes credentials. Configure this in php.ini (display_errors=Off, log_errors=On) or at run time at the top of the script. Note that error_reporting(0) would also stop errors from reaching the log, so keep reporting on and turn only the display off:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ report everything, but write it to the error log instead of the page\nerror_reporting(E_ALL);\nini_set('display_errors', '0');\nini_set('log_errors', '1');<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>1) Always validate data on the server side before processing it, even if you already validate it on the client side using jQuery\/JavaScript. 2) Never trust user input. 
We should always&nbsp;[ &hellip; ]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[42,41],"tags":[47,49,45,51,44,48,43,50,46],"class_list":["post-60","post","type-post","status-publish","format-standard","hentry","category-php","category-web-security","tag-csrf-attack","tag-phishing","tag-prevent-sql-injection","tag-securing-php-web-applicarion","tag-securing-web-application","tag-session-hijacking","tag-web-security","tag-web-security-threats","tag-xss-attack","list-style-post"],"_links":{"self":[{"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/posts\/60","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/comments?post=60"}],"version-history":[{"count":15,"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/posts\/60\/revisions"}],"predecessor-version":[{"id":860,"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/posts\/60\/revisions\/860"}],"wp:attachment":[{"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/media?parent=60"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/categories?post=60"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/datatype.co.in\/blog\/wp-json\/wp\/v2\/tags?post=60"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
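The login check from point 2 and the delete action from point 3 of the post above, written the way the post recommends, as an added example that is not part of the original post. The function names login, deleteProduct and e, the table layout, the stored user, the two products and the request arrays are all constructed here for the demonstration; an in-memory SQLite database stands in for MySQL so the script runs offline with plain php-cli.

```php
<?php
// Added example, not from the original post. Demonstrates the fixes for the
// post's point 2 (SQL injection, plaintext passwords) and point 3 (acting on a
// bare GET: missing authorization check plus CSRF). An in-memory SQLite
// database stands in for MySQL so the script runs offline; all data is constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT UNIQUE, password TEXT)');
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)');

// Constructed fixture: one user whose password is stored as a password_hash()
// digest, never as plaintext, and two products owned by different users.
$db->prepare('INSERT INTO users (id, user, password) VALUES (1, ?, ?)')
   ->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
$db->prepare('INSERT INTO products (id, owner_id, name) VALUES (?, ?, ?)')->execute([10, 1, 'widget']);
$db->prepare('INSERT INTO products (id, owner_id, name) VALUES (?, ?, ?)')->execute([11, 2, 'gadget']);

// Point 2: the username is a bound parameter, so its content cannot change the
// query structure, and the password is verified in PHP against the stored hash
// instead of being compared inside the WHERE clause.
function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM users WHERE user = :user');
    $stmt->execute([':user' => $username]);
    $hash = $stmt->fetchColumn();
    return $hash !== false && password_verify($password, $hash);
}

// Point 3: a state-changing action requires POST, a per-session CSRF token
// compared in constant time, an integer id, and an ownership check inside the
// DELETE itself. $session and $post stand in for $_SESSION and $_POST.
function deleteProduct(PDO $db, string $method, array $session, array $post, int $currentUserId): bool
{
    if ($method !== 'POST') {
        return false;                       // GET must never trigger a deletion
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = (string) ($post['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $given)) {
        return false;                       // token missing or forged
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        return false;                       // not an integer id
    }
    // The owner check is part of the query, so a guessed id that belongs to
    // another user simply matches no row.
    $stmt = $db->prepare('DELETE FROM products WHERE id = :id AND owner_id = :owner');
    $stmt->execute([':id' => $id, ':owner' => $currentUserId]);
    return $stmt->rowCount() === 1;
}

// Output encoding for the XSS point: call this where a value is written into HTML.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Self-checks using the post's own payloads. The token is issued once per session
// and would normally be embedded in the form as a hidden field.
$session = ['csrf_token' => bin2hex(random_bytes(32))];
$token   = $session['csrf_token'];
$checks = [
    'injection payload is just a wrong password' => login($db, 'admin', "' OR ''='") === false,
    'real password still works'                  => login($db, 'admin', 'correct horse battery staple') === true,
    'GET delete is refused'                      => deleteProduct($db, 'GET', $session, ['id' => '10', 'csrf_token' => $token], 1) === false,
    'POST with forged token is refused'          => deleteProduct($db, 'POST', $session, ['id' => '10', 'csrf_token' => 'guess'], 1) === false,
    'POST on another user\'s product is refused' => deleteProduct($db, 'POST', $session, ['id' => '11', 'csrf_token' => $token], 1) === false,
    'POST on own product succeeds'               => deleteProduct($db, 'POST', $session, ['id' => '10', 'csrf_token' => $token], 1) === true,
    'script tag is encoded on output'            => e('<script>alert(1)</script>') === '&lt;script&gt;alert(1)&lt;/script&gt;',
];
foreach ($checks as $name => $ok) {
    if (!$ok) {
        throw new RuntimeException("check failed: $name");
    }
}
echo "all checks passed\n";
```

Against a real MySQL server the only changes are the DSN (mysql:host=...;dbname=...;charset=utf8mb4) and adding PDO::ATTR_EMULATE_PREPARES => false to the options so the driver uses server-side prepared statements rather than client-side escaping. The injection string from the post is handled as an ordinary, wrong password: it never reaches the SQL parser as SQL, and even a correct password is only confirmed by password_verify() in PHP, so there is no WHERE clause on the password that an attacker could satisfy.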