Best practices for PHP Security

By balaji

April 14, 2009

PHP is a server side scripting language used for building dynamic web pages to provide customized information to the users. PHP is known for its simplicity in its programming syntax and security is often overlooked by novice programmers. PHP is as secure as any other programming language and offer many levels of security. Which of the following are the best practices for securing PHP applications?

  1. Disable allow_url_fopen
  2. Turn off global variables
  3. Enable display_errors
  4. Hide the files

The correct answers are a, b, & d

  1. Disable allow_url_fopen
    The allow_url_fopen setting is a PHP feature which will allow a user to open, include or retrieve a file from a remote location using URL rather than a local path. If a PHP application lacks input filtering while processing user-provided data, then an attacker can exploit this weakness to inject malicious code into these functions. It is recommended to disable allow_url_fopen function and utilize cURL functions provided by PHP for remote file access. The allow_url_fopen setting is enabled by default and you can disable this feature by setting the allow_url_fopen to off in your server's php.ini file.
  2. Turn off global variables
    Using registered global variables is always a convenience for novice programmers, but this can lead to greater security vulnerability if it's left enabled. Any form parameters sent via a GET or POST request is automatically assigned to global variables and an attacker can manipulate or override these variables.

    This feature is disabled by default from PHP 4.2 onwards and it's been deprecated as of PHP 5.3.0 and completely removed as of PHP 6.0.0

  3. Enable display_errors
    It is not recommended to enable display_errors on production applications because all the PHP error messages will be displayed to the users and possible attackers. This setting is disabled by default and the default behavior of the PHP engine is to display out the full physical path of the script that is having error in the error message output.
  4. Hide your files
    Most of the PHP application code is completely transparent, especially if the application is available for the users to purchase or download. Unless the PHP application code is encoded using encoders such as Zend, eAccelerator and so on anyone can review the source code of a PHP application to search for vulnerabilities to exploit.

    PHP code can be obscured via an encoder module, but most of the encoders that are available for PHP aren't cross-compatible and must be used selectively.

    Here're a few best practices for naming files

    1. Avoid files names such as config.php or admin.php and this also applies to sensitive directory names as well.
    2. Use unique names such "_nimda__" ("admin" spelled backwards) with a few underscores thrown in for uniqueness, word separations (e.g. _member_signup.php) and camel caps (e.g. MemberSignup.php) can also be used with some added variety.
    3. You can also use completely random names, but the drawback of using completely random name is that the user of the application must remember the randomized name, which given a large installed base may be quite troublesome.
    4. Sensitive directories and configuration files names can also use "period" at the start of the name, such odd files and directories are likely to be ignored by web-based scanners. The drawback of using "period" is that FTP clients refuse to download "dot" files.


Tags: Quiz