PHP is one of the most used web programming languages around today – if not THE most used web language. As you can tell we’re a fan ;) That’s not to say ASP, Java and the like don’t have their place, just that PHP rocks (IMHO). However, with the rise of its popularity more and more websites have been developed in an insecure way, not just on the programming front but also on the server end. Here we hope to outline some things you should consider when building your website and choosing a web hosting company.

One thing to note about this list is that it’s meant as a checklist for you, not an introduction to programming. If you want an introduction to PHP programming there are some great resources out there at php.net, W3School and more.

1. PHP.ini Settings – turn safe_mode = off

Your php.ini file provides loads of settings which make up your PHP environment. It includes modules that let you connect to databases, upload images and much more, as well as settings for things like the maximum upload file size and a number of security options. One of the most important settings is safe_mode. Ensure it is set to off (if you don’t know, ask your hosting company or use the phpinfo() function). Why should you do this? That’s a whole discussion topic in itself which we’ll be covering at a later date. For now – turn it off!

2. PHP.ini Settings – turn display_errors = off

Another setting in your php.ini file controls which errors are displayed. Ideally you should set this to off unless you are in your development area, i.e. have it set to display errors on your home computer but off on your live environment. If PHP needs to show you an error it means you haven’t programmed your script to cater for that type of error in the first place, and the error message itself can give people enough insight into your programming to hack it.

3. PHP.ini Settings – Set Max_Upload_Size = 5MB

It’s tempting to increase your max upload size to be huge, but if you have a website where you allow anyone to upload files, setting this too high can cause problems – not so much from being hacked but from tying up your server’s connections processing massive files. Set it to no more than you actually need – usually 5-6MB will do it.
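As an added check (not part of the original post), this script reads the settings from items 1-3 with ini_get() on the running PHP build. It assumes the real directive names: safe_mode, display_errors and upload_max_filesize (the post's "Max_Upload_Size" describes the setting rather than naming it), and it also looks at post_max_size, which caps the whole request body. safe_mode no longer exists from PHP 5.4 onwards, so ini_get() returns false there and the check passes.

```php
<?php
// Added example, not from the original post: audit items 1-3 against the
// php.ini values the running interpreter actually loaded.

// Turn php.ini shorthand such as "5M", "2G" or "512K" into bytes.
function iniBytes(string $value): int
{
    $value = trim($value);
    $num = (int) $value;
    switch (strtolower(substr($value, -1))) {
        case 'g': $num *= 1024;   // fall through
        case 'm': $num *= 1024;   // fall through
        case 'k': $num *= 1024;
    }
    return $num;
}

// php.ini booleans come back as "", "0", "Off" or, for a directive that no
// longer exists (safe_mode on PHP >= 5.4), as false. All of these count as off.
function iniIsOff($value): bool
{
    return $value === false
        || in_array(strtolower((string) $value), ['', '0', 'off', 'false', 'no'], true);
}

// Returns a list of findings; an empty list means every check passed.
function auditPhpIni(int $uploadCeiling = 5 * 1024 * 1024, int $postCeiling = 6 * 1024 * 1024): array
{
    $findings = [];
    if (!iniIsOff(ini_get('safe_mode'))) {                  // item 1
        $findings[] = 'safe_mode is on';
    }
    if (!iniIsOff(ini_get('display_errors'))) {             // item 2
        $findings[] = 'display_errors is on: error text is shown to visitors';
    }
    $upload = (string) ini_get('upload_max_filesize');      // item 3, per file
    if (iniBytes($upload) > $uploadCeiling) {
        $findings[] = "upload_max_filesize is $upload, above the 5M ceiling";
    }
    // post_max_size must be at least upload_max_filesize, but it should still
    // be bounded because it limits the size of the entire POST body.
    $post = (string) ini_get('post_max_size');
    if (iniBytes($post) > $postCeiling) {
        $findings[] = "post_max_size is $post, above the 6M ceiling";
    }
    return $findings;
}

foreach (auditPhpIni() as $finding) {
    echo "WARNING: $finding\n";
}
```

Run it through the web server (or point php -c at the web server's php.ini), because the command line build has its own defaults and display_errors is normally on there.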

4. Databases – don’t use the root user.

Sounds straightforward, but we’ve seen so many times that people use the root MySQL details to access their database. On your home computer that’s fine, but on a live environment it can prove to be a disaster. For instance, if you do have a vulnerable part of your programming which gets hacked, the most they can do is ruin that one website. If they have root access they could delete every single database on the server, which would be a nightmare.

5. Databases – SQL Injection Attacks

I’m sure this isn’t the first time you have come across this type of hack, but if it is, in a nutshell it’s where people alter the SQL you send to your database to get it to do extra things. For instance, if you take a variable from $_GET and pass it straight into a query with no validation, an SQL injection attack could add extra statements to alter or show table information or even delete everything. At a basic level it’s quite easy to protect yourself against it by using functions like PHP’s addslashes function or other MySQL-specific ones. PHP.net is the best resource for this and you can find a full article on this topic here.

6. Databases – Clean your data before doing any SQL

A golden rule of programming is to never trust anything a user gives you – it doesn’t matter if it’s a job website or a CMS for your granny, don’t trust the data. So if you receive data and are about to use it to work out a calculation, run a command line tool or insert it into the database, clean the data first. What do we mean by this? Well, a first step is to ensure it’s of the type you expect – if you expect an integer you can use the settype function to double check it is; if you are expecting an image file, ensure it’s not a .exe or .pdf or anything else.

7. HTML Forms – Validate your data server side as well as client side

With all the great JavaScript form validation tools out there it’s far too easy to just use JavaScript to validate data coming from a form. However, what if the person has JavaScript disabled, or is a hacker who blocks JavaScript? They can then send whatever they like. So always ensure you have server side PHP validation as well.
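The following is an added example (not code from the original post) that covers items 5, 6 and 7 together: the query built by string concatenation that item 5 warns about, beside a handler that checks the type on the server before the value gets near SQL. It uses filter_var() and a PDO prepared statement rather than the settype and addslashes functions the post mentions, and assumes the pdo_sqlite extension so the demo runs against an in-memory database.

```php
<?php
// Added example, not from the original post. The table, rows and the input
// string below are constructed for the demo.

// Item 5, the vulnerable pattern: whatever arrives in the request becomes SQL.
function findProductUnsafe(PDO $db, string $rawId): array
{
    $sql = "SELECT id, name FROM products WHERE id = " . $rawId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Items 6 and 7: validate on the server (client side JavaScript may be off or
// bypassed), check the type first, then bind the value as a parameter.
function findProductSafe(PDO $db, $rawId): ?array
{
    // Reject anything that is not a positive integer; "1 OR 1=1" fails here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value travels separately from the SQL text, so it can never change it.
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products VALUES (1, 'Widget'), (2, 'Gadget')");

// Constructed input standing in for $_GET['id'] or a form field: SQL appended
// to what should have been a plain number.
$input = '1 OR 1=1';

echo "unsafe query returned " . count(findProductUnsafe($db, $input)) . " row(s)\n";
echo "safe lookup of '$input': " . var_export(findProductSafe($db, $input), true) . "\n";
echo "safe lookup of '2': " . var_export(findProductSafe($db, '2'), true) . "\n";
```

The unsafe function returns every product because the WHERE clause was rewritten by the input; the safe one returns null for the same input and only looks up a row when the value is a genuine integer.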

8. Session Security

Sessions can be hijacked, so if you base all your logic for password-protecting a directory on checking that $_SESSION['AM-I-ACTIVE']==1 then think again: whilst it isn’t easy to hijack a session, it is possible. Check out the PHP Security Consortium’s guide on protecting yourself against session hijacks.
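As an added example (not from the original post or the PHP Security Consortium guide), here is a login session that does more than set a single flag: the cookie is kept away from JavaScript and plain HTTP, the session id is regenerated when the user logs in, the session is bound to a coarse client fingerprint, and it expires after a period of inactivity. It assumes PHP 7.3 or later for the array form of session_set_cookie_params(), that the site is served over HTTPS, and a hypothetical /login.php page to redirect to.

```php
<?php
// Added example, not from the original post: a session gate for protected
// pages in place of a bare $_SESSION['AM-I-ACTIVE'] == 1 check.

// Keep the session cookie out of reach of JavaScript and off plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

const IDLE_LIMIT = 900; // seconds of inactivity before the login expires

// A coarse fingerprint of the client, stored at login and compared on each request.
function clientFingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call this once the password check has succeeded.
function startLoginSession(int $userId): void
{
    // Fresh id on privilege change, so an id fixed or captured before login is useless.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = clientFingerprint();
    $_SESSION['last_seen']   = time();
}

// Gate for protected pages: returns the user id, or null after tearing the session down.
function activeUserId(): ?int
{
    $ok = isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])
        && hash_equals($_SESSION['fingerprint'], clientFingerprint())
        && (time() - $_SESSION['last_seen']) <= IDLE_LIMIT;
    if (!$ok) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['last_seen'] = time(); // sliding idle timeout
    return (int) $_SESSION['user_id'];
}

// Usage at the top of a protected page (hypothetical /login.php):
if (activeUserId() === null) {
    header('Location: /login.php');
    exit;
}
```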

9. Third Party Scripts – Be Careful

When starting out in PHP it’s very easy to get stuck trying to achieve something, google for a script that does what you need and then make use of it. Hopefully you’ll be just fine, however even the best scripts can have security flaws, and if you didn’t write them it’s hard to track them down or protect against them. Whilst I’d never say not to use third party scripts, as sometimes they are great (big up to WordPress!), sometimes you can land yourself in a big heap of doo doo!

10. Backup – If all else fails ensure you have a backup

At the end of the day the only way to 100% protect yourself against a hacker is to unplug your server from the internet, put it in a fireproof safe with no power and leave it in a bank – and even then it could be broken into! So a key part of protecting yourself is backing up. If you do get hacked you can restore from a backup to get yourself back online whilst you try to figure out how you were hacked.

Summary

Hopefully you’ve found the above helpful. I’m sure I’ve missed many security considerations, but as a checklist the above has always served me well. Want help with this? Come over to Swordfish Hosting and we’ll walk you through protecting yourself.
