
Security Focus: 5 Points to Ensure Your PHP Site Isn’t Vulnerable to Outside Attacks

by admin
January 27, 2006
in YNOT University

When people consider the primary strengths of PHP in internet-enabled applications, the first item on the list is usually how easy and flexible PHP is, by default. While this is very true, PHP, if used improperly, can open up numerous security issues that should always be considered during the design phase of any development efforts. This paper focuses on these potential pitfalls and addresses several ways to “harden” your codebase to be as secure as possible.

1. ALWAYS CONSIDER (AND ASSUME) THE WORST ABOUT YOUR DATA

When you think of creating a Web application (or any application, for that matter), you should always think, in the most paranoid manner possible, of how people will want to interact with it. Every time something is sent to your application, such as URLs, form data, JavaScript data, etc., you should always consider the data within each type of variable to be a potential attack on your application. This type of mentality, if properly used, can save you countless hours of headache from the very beginning. Even what could be considered “protected” objects, such as cookies, should always be considered something that could potentially be used to circumvent your security measures and enable the attacker to gain access to restricted information, or even take ownership of your application’s functionality to serve their own purposes. That being said, always assume the worst possible outcome when you’re designing your security measures; doing so can help keep your application clean from hacking attempts.

2. ONLY ALLOW USE OF AN EXACT AMOUNT AND TYPE OF INFORMATION FOR INPUT

When you want to receive input from a user, the very first thing you should do with that data is scrub it for invalid information, data length, and type constraints. With PHP, this is slightly trickier than with strictly typed languages, such as C/C++, Java, and the .NET languages. In light of this fact, however, there is an excellent way to ensure that your data is exactly how you expect it to be: use regular expressions (regex) to handle any data validation. Some people believe that using regex on all data that comes to the application slows the site down, but when that’s said, I simply reply with this simple analogy: it’s better to have a slightly slower and secure site than to have a faster site that dies often due to successful hacking attempts. So in short, if you don’t know how to use regular expressions to validate your input (and that means all of it, such as $_GET[], $_POST[], $_COOKIE[], or any of the other server variables that can be altered by a user), the first thing I would recommend you do is to learn how to use them, and then begin setting up your security procedures around regex to keep your data completely clean.
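
A sketch of the kind of check described above, added here as an illustration and not part of the original article: each field gets an anchored allow-list pattern that fixes its character set, length and type. The field names and rules are hypothetical, and the code assumes PHP 7.1 or later.

```php
<?php
// Added example: allow-list validation of request data with anchored regex.
// Field names and patterns are hypothetical; adapt them to your own forms.

const RULES = [
    // \A and \z anchor the whole string. A plain "$" also matches just
    // before a trailing newline, so "alice\n" would slip through with it.
    'username' => ['pattern' => '/\A[a-z0-9_]{3,20}\z/',  'type' => 'string'],
    'page'     => ['pattern' => '/\A[1-9][0-9]{0,3}\z/',  'type' => 'int'],
    'zip'      => ['pattern' => '/\A[0-9]{5}\z/',         'type' => 'string'],
];

/**
 * Returns [clean values, names of rejected fields].
 * Only fields named in $rules are ever copied out of $source.
 */
function validate_input(array $source, array $rules): array
{
    $clean  = [];
    $errors = [];
    foreach ($rules as $field => $rule) {
        $value = $source[$field] ?? null;
        // "?page[]=1" arrives as an array, and a missing field is null:
        // anything that is not a string is rejected before the regex runs.
        if (!is_string($value)) {
            $errors[] = $field;
            continue;
        }
        // preg_match() returns 1 on match, 0 on no match, false on error.
        if (preg_match($rule['pattern'], $value) !== 1) {
            $errors[] = $field;
            continue;
        }
        $clean[$field] = $rule['type'] === 'int' ? (int) $value : $value;
    }
    return [$clean, $errors];
}

// Constructed sample standing in for $_GET / $_POST / $_COOKIE.
$request = [
    'username' => "alice\n",     // trailing newline: rejected by \z
    'page'     => ['1'],         // array instead of scalar: rejected
    'zip'      => '90210',       // valid
    'debug'    => '1',           // not in RULES: never reaches $clean
];

[$clean, $errors] = validate_input($request, RULES);
var_dump($clean);   // only 'zip' survives
var_dump($errors);  // 'username' and 'page'
```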

3. WHEN USING OBJECT-ORIENTED PROGRAMMING, KEEP YOUR CODING STANDARDS AS TIGHT AS POSSIBLE

A lot of developers these days write OO code in such obscure ways that at the end of the day they can’t effectively support it without having to re-learn it each time they cover a different component. This type of coding can turn from a good idea quickly into not only a security nightmare, but a support barrage as well. For instance, say we develop a class called Person() and another class called Tool(). If the Person() object was written using accessors and mutators and the Tool() object was written with nothing but straight object properties, it’s quite likely that the people on your development team will not know how exactly to get to your variables (unless of course you document it at design time in your UML diagram, which is far more unrealistic than just adding accessors and mutators to the class). PHP 5+ was designed to be used like this exclusively, now that more granular property scope exists, e.g., “public/private $Name;” vs. “var $Name;”.
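
The Person() and Tool() contrast above, written out as an added example that is not from the original article: the class bodies and the name pattern are hypothetical. It shows the security side of the convention, since a private property with a mutator gives one enforcement point for validation, while a public property has none.

```php
<?php
// Added example: class names come from the article, bodies are hypothetical.

class Tool
{
    public $Name;   // straight property: any caller can assign any value
}

class Person
{
    private $Name = '';   // reachable only through the methods below

    public function getName(): string
    {
        return $this->Name;
    }

    public function setName(string $name): void
    {
        // Single place where the rule for a valid name is enforced.
        if (preg_match('/\A[A-Za-z][A-Za-z \'-]{0,49}\z/', $name) !== 1) {
            throw new InvalidArgumentException('invalid name');
        }
        $this->Name = $name;
    }
}

$tainted = '<script>alert(1)</script>';   // constructed sample input

$tool = new Tool();
$tool->Name = $tainted;                   // accepted without any check

$person = new Person();
try {
    $person->setName($tainted);
} catch (InvalidArgumentException $e) {
    echo "Person rejected the value\n";
}

var_dump($tool->Name === $tainted);       // tainted value is stored
var_dump($person->getName() === '');      // Person is unchanged
// $person->Name = $tainted;  // fatal error: cannot access private property
```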

4. ALWAYS KEEP EXCEPTION INFORMATION FROM THE HACKER

On production systems, you should always be aware of what information you are allowing your user base to view. In the event of an error, you should never show that information to the user, as it is debugging output that should only be available to you and your development team. Instead (especially with PHP 5+, as it introduces try/catch statements), handle your exceptions and direct the user to the appropriate page indicating that an error was encountered. This goes hand in hand with data validation, as you should always handle your exceptions appropriately; this is one of the toughest coding practices to teach PHP programmers, as they are mostly used to developing with PHP 3/4 design methods. However, in the event that you do have an unhandled exception, you certainly don’t want to send the debug output to the user, so always set display_errors = Off and display_startup_errors = Off in your php.ini file before you even put your code on that server. This will keep debug information private, and keep your site from being compromised due to excess information being sent to the hacker.
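
One way to put this into practice, added as an illustration and not taken from the original article: the detail of a failure goes to the server log under a random reference, and the visitor sees only a generic message. The function names, messages and the simulated failure are hypothetical, and the code assumes PHP 7 or later.

```php
<?php
// Added example: keep exception detail in the log, not in the response.

// Runtime equivalents of the php.ini settings named above. Parse and
// startup errors happen before this line runs, so php.ini must still
// carry display_errors = Off and display_startup_errors = Off.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/** Logs the full detail server-side, returns the text safe to show. */
function fail_safely(Throwable $e): string
{
    $ref = bin2hex(random_bytes(4));   // lets support find the log entry
    error_log(sprintf(
        '[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()
    ));
    if (!headers_sent()) {
        http_response_code(500);
    }
    return "An error was encountered. Reference: $ref\n";
}

// Last resort: anything no try/catch handled still ends up here
// instead of being printed as a stack trace.
set_exception_handler(function (Throwable $e): void {
    echo fail_safely($e);
});

/** Hypothetical data-access function that fails like a real backend. */
function load_profile(string $id): string
{
    if (preg_match('/\A[0-9]{1,9}\z/', $id) !== 1) {
        throw new InvalidArgumentException('profile id failed validation');
    }
    // Simulated failure whose message would leak internals if displayed.
    throw new RuntimeException('connect failed for db_user@10.0.0.5');
}

try {
    echo load_profile('42');
} catch (RuntimeException $e) {
    echo fail_safely($e);   // visitor sees the reference, not the message
}
```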

5. DON’T BE A LAZY CODER WHEN IT COMES TO SECURITY

A lot of PHP developers these days are also relying on quick and easy fixes to code that relies on PHP settings, such as register_globals and magic_quotes. These settings often confuse developers into thinking that the data they are working with is valid and clean, while in fact it can be far from it! Always consider the data you are working with to be 100% tainted, and validate it each time it comes from a source that you do not directly control. Doing so can keep your data safe and your site clean from attacks. Also be aware that a lot of Web hosting companies today activate these settings to bring convenience to their patrons. Never trust the settings that are set up by the sysadmins in this case; always consider those settings to be in their worst state, and use functions like ini_set() to define your own environment.

SUMMARY

As much fun and easy as PHP is to develop with, it certainly isn’t without its own set of pitfalls. Using the standards outlined above can keep your site as protected as possible within the limits of the language and the Web service platform it runs on. If you consider these points as golden as your site’s business opportunities, you will be one step closer to ensuring that success, without question.
