For years, PHP has been a stable, inexpensive platform for running web-based applications. Like most web-based platforms, PHP is also vulnerable to external attacks. Developers, database architects, and system administrators should take precautions before deploying a PHP application to a server. Most of the precautions can be done with a few lines of code or a slight adjustment to the application settings.
1: Manage Installation Scripts
If a developer has installed a PHP script for a third-party application, the script is used to install the working components of the entire application and provide an access point. Most Third-party packages recommend that you delete the installation scripts that the directory contains after installation. But developers want to keep the installation scripts, and they can create a. htaccess file to control the administrative access directory.
AuthType Basic
AuthName "Administrators only"
Authuserfile/usr/local/apache/passwd/passwords
Require Valid-user
Any unauthorized user who attempts to access a protected directory will see a prompt asking for a username and password. The password must match the password in the specified "passwords" file.
2: Header file
In many cases, developers can include several scripts distributed in the application into a script. These scripts will contain an "include" directive that integrates a single file into the original page's code. When an include file contains sensitive information, including user names, passwords, and database access keys, the file's extension should be named ". php" rather than the typical ". Inc" extension. The. php extension ensures that the PHP engine will process the file and prevent any unauthorized access.
3:md5 vs. SHA
In some cases, the user will eventually create his or her own username and password, and the site administrator will typically encrypt the password for the form submission and save it in the database. Over the past few years, developers have used the MD5 (Message digest algorithm) function to encrypt a 128-bit string cipher. Today, many developers use the SHA-1 (Secure hashing algorithm) function to create a 160-bit string.
4: Automatic global variables
The settings contained in the php.ini file are called "register_globals." The P server will automatically create global variables for server variables and query strings based on the register_globals settings. When installing third party packages, such as content management software, such as Joomla and Drupal, the installation script will lead the user to set Register_globals to "off". Changing the setting to off ensures that unauthorized users cannot access the data by guessing the variable name and the authentication password.
5: Initializing variables and values
Many developers fall into the trap of instantiating variable values that may be distracted by time constraints or lack of effort. Variables in the authentication process should have a value before the user logon program starts. This simple step prevents users from bypassing the validator or accessing certain areas of the site that they do not have permission for.