Beyond the security of the platform and operating system, you also need to make sure the application itself is written securely. When writing a PHP application, apply the following seven habits to give it the best possible security:
Validating input
Protecting the file system
Securing Databases
Protecting session data
Preventing cross-site scripting (XSS) vulnerabilities
Checking form posts
Protecting against cross-site request forgery (CSRF)
Validating input
Validating data is the most important habit you can adopt where security is concerned. When it comes to input, the rule is simple: don't trust the user. Your users may be well-meaning, and most of them will use the application exactly as intended. However, as soon as you provide an opportunity to enter data, it is entirely possible that very bad input will arrive. As an application developer, you must prevent your application from accepting incorrect input. Thinking carefully about where user input enters the application, and what the correct values are at each of those points, lets you build a robust, secure application.
Although the sections that follow deal with file system and database interaction, the following is a list of general validation tips that apply to all kinds of validation:
Use a value from the whitelist
Always re-validate limited selections (such as drop-down or radio-button choices)
Use the built-in escape functions
Validate for the correct data type (such as numbers)
A whitelisted value (white-listed value) is a known-correct value, as opposed to a blacklisted value (black-listed value), which is a known-invalid one. The difference between the two is that, when you validate, the list or range of possible correct values is smaller than the list or range of invalid values, many of which may be unknown or unexpected.
When validating, remember that it is usually easier to define and check the values your application allows than to guard against every unknown. For example, to restrict a field to numbers, write a routine that ensures the input consists only of digits. Do not write a routine that searches for non-numeric values and flags the input as invalid when it finds one.
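The following example puts the four validation tips above into code. It is an added illustration, not code from the original article; the function names and the sample submission are assumptions made for this example.

```php
<?php
// Added example (not from the original article): whitelist-based validation
// helpers. Function names and the sample submission are assumptions.

/**
 * Accept only a value that appears in an explicit list of allowed values.
 * Used to re-validate limited selections (drop-downs, radio buttons) on the
 * server, because the client can send anything. Returns null when rejected.
 */
function validate_choice(string $input, array $allowed): ?string
{
    // Strict comparison avoids PHP type juggling ("0" == "" etc.).
    return in_array($input, $allowed, true) ? $input : null;
}

/**
 * Accept only a string made entirely of ASCII digits, within a range.
 * This describes what IS allowed instead of hunting for what is not.
 */
function validate_integer(string $input, int $min, int $max): ?int
{
    if (!preg_match('/^[0-9]{1,9}$/', $input)) {
        return null;
    }
    $value = (int) $input;
    return ($value >= $min && $value <= $max) ? $value : null;
}

/** Use PHP's built-in e-mail filter instead of a hand-written pattern. */
function validate_email(string $input): ?string
{
    $result = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $result === false ? null : $result;
}

/** Escape a value for HTML output with the built-in escape function. */
function escape_html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample submission, standing in for $_POST.
$submitted = [
    'sort'  => 'name; DROP TABLE users',   // not one of the allowed choices
    'page'  => '12',
    'email' => 'alice@example.com',
    'name'  => '<b>Alice</b>',
];

$checks = [
    'sort'  => validate_choice($submitted['sort'], ['name', 'date', 'price']),
    'page'  => validate_integer($submitted['page'], 1, 1000),
    'email' => validate_email($submitted['email']),
];

foreach ($checks as $field => $value) {
    if ($value === null) {
        // A rejected field is reported and the request should stop here.
        echo "$field: rejected\n";
    } else {
        echo "$field: accepted (" . var_export($value, true) . ")\n";
    }
}

// Output that reaches the browser is escaped, not trusted.
echo 'name: ' . escape_html($submitted['name']) . "\n";
```

Note that each helper returns the validated value (or null) rather than a boolean, so the rest of the application works only with values that have already passed the whitelist.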
Protecting the file system
In July 2000, a Web site leaked customer data that had been stored in a file on its Web server. A visitor to the site viewed the file containing the data simply by entering its URL. Although the file had been misplaced, the example highlights the importance of protecting the file system against attackers.
If your PHP application handles files in any way and takes variable data that the user can enter, carefully review that user input to ensure the user cannot perform any improper actions on the file system. Listing 1 shows an example of a PHP site that downloads an image with the specified name.
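As an added example (this is not the article's Listing 1), the following shows how a download script can take a user-supplied image name and still confine file access to one directory. The directory name, function name and allowed extensions are assumptions for this illustration.

```php
<?php
// Added example (not the article's Listing 1): serving a file by a
// user-supplied name while confining access to a single directory.
// IMAGE_DIR, the function name and the allowed extensions are assumptions.

const IMAGE_DIR = __DIR__ . '/images';   // assumed location of downloadable images

/**
 * Return the absolute path of the requested image only if the name is well
 * formed and the resolved path stays inside IMAGE_DIR; otherwise null, so the
 * caller never touches an unexpected file.
 */
function resolve_image_path(string $requested): ?string
{
    // Whitelist the name's shape first: a single file name with no path
    // separators or "..", and only a known image extension.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(png|jpe?g|gif)$/', $requested)) {
        return null;
    }

    $base = realpath(IMAGE_DIR);
    $path = realpath(IMAGE_DIR . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $path === false) {
        return null;   // directory or file does not exist
    }

    // Independent second check: the canonical path must lie under the
    // canonical base directory, so a symlink cannot redirect outside it.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Request parameter; falls back to a constructed sample name when run outside
// a web request.
$requested = $_GET['name'] ?? 'logo.png';

$path = resolve_image_path($requested);
if ($path === null) {
    http_response_code(404);
    exit('No such image');
}

header('Content-Type: ' . mime_content_type($path));
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
readfile($path);
```

The two checks are deliberately redundant: the pattern rejects malformed names before the file system is consulted, and the realpath comparison guarantees containment even if the pattern were later loosened.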