PHP Web Application Security

Here are some tips to help you think more about security when developing a web app. 

  1. Buy a good book on the subject, such as Securing PHP Web Applications, and implement what you learn in your code.
  2. Read through the Web Application Security section of the SANS Institute 2007 top 20 security risks. There are some useful tips on securing PHP in particular.
    • Check PHP configuration settings:
      • Turn register_globals off and use superglobals such as $_GET instead (from PHP 4.2.0 this is the default).
      • Turn allow_url_fopen off (unless you really need it).
      • Disable magic_quotes.
      • Configure open_basedir for each site to restrict access from PHP scripts to certain directories.
      • Consider running PHP with FastCGI instead of mod_php.
    • Use best practices when developing:
      • ALWAYS validate user input! This is probably the most important point in the entire list. There are many nasty bots and spiders going round the web trying to break into your site, and the most common way in is through your web forms. There are various validation libraries out there to make your life easier (e.g. PEAR Validate, Zend Filter Input). Use them!
      • Avoid SQL injections. If you validate user input correctly, this should help you avoid SQL injection vulnerabilities. To be doubly safe, you could use a database abstraction layer that, if used correctly with prepared statements, will automatically escape user input data. Check out PDO and Zend DB.
      • Avoid XSS attacks. An XSS attack is where malicious users are able to inject their own code into pages on your site that may be viewed by other users. You could strip tags from user input, and encode HTML entities in any plain text being output.
      • Don’t transmit passwords and other secret information in plain text; submit to a secure URL.
      • Be careful when allowing uploads. Check the file types, and only allow files you expect. Resample uploaded images in case there is any hidden code inside.
      • Use sessions instead of cookies, unless you really need the persistence of a cookie. Sessions are temporary and keep everything except the session ID hidden from the user’s machine.
      • Peer review your code. Get another developer to look through it; two heads are better than one!
  3. Download the Wapiti and Grendel Scan web application vulnerability scanning tools and run them on your sites.
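
An added example (not from the original post or from any of the libraries it names) that ties together three of the tips above: validate input, use PDO prepared statements, and encode HTML entities on output. The function names, table and sample submissions are constructed for illustration, and it assumes the pdo_sqlite extension is available.

```php
<?php

// Constructed demo setup: in-memory SQLite (needs the pdo_sqlite extension).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, email TEXT, body TEXT)');

// Validate one submission: returns clean values, or null if anything is rejected.
function validateComment(array $input): ?array
{
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $body  = $input['body'] ?? '';
    if ($email === false || !is_string($body)) {   // arrays (body[]=x) are rejected too
        return null;
    }
    $body = trim($body);
    return ($body === '' || strlen($body) > 500) ? null : ['email' => $email, 'body' => $body];
}

// Store with a prepared statement: values are bound, never concatenated into the SQL.
function saveComment(PDO $pdo, array $clean): void
{
    $stmt = $pdo->prepare('INSERT INTO comments (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $clean['email'], ':body' => $clean['body']]);
}

// Render stored comments, encoding HTML entities at output time.
function renderComments(PDO $pdo): string
{
    $html = '';
    foreach ($pdo->query('SELECT email, body FROM comments ORDER BY id') as $row) {
        $html .= '<p><b>' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . htmlspecialchars($row['body'], ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    return $html;
}

// Constructed submissions standing in for $_POST.
$submissions = [
    ['email' => 'alice@example.com', 'body' => "Nice post'); DROP TABLE comments; --"],
    ['email' => 'bob@example.com',   'body' => '<script>alert(1)</script>'],
    ['email' => 'not-an-email',      'body' => 'never stored'],
];
foreach ($submissions as $post) {
    $clean = validateComment($post);
    if ($clean === null) { echo "Rejected: invalid input\n"; continue; }
    saveComment($pdo, $clean);
}
echo renderComments($pdo);
```

The first two submissions pass validation because they are well-formed comments. The bound parameter keeps the SQL text in the first one as plain data, and htmlspecialchars turns the markup in the second into inert text when the page is rendered.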

This is of course an overly simple list, and it can’t protect against things like logic flaws, but if you were wondering where to start, I hope it will give you some useful inspiration!