
What are the best PHP security practices

Discussion in 'Security' started by Aditya Bajaj, May 30, 2017.

  1. #1
    What steps would you take to increase PHP security?
     
    Aditya Bajaj, May 30, 2017 IP
  2. PoPSiCLe
    #2
    The question is... non-sensical. PHP in itself isn't insecure. What you do with it, however, CAN be insecure.

    If you're asking how to make sure that web solutions running on PHP are as secure as possible (a completely different matter), that's a complicated question.
    1. If you're using a database, use modern techniques. Don't use mysql_ functions, use either mysqli_ or PDO as a db-handler, and use prepared statements to avoid most problems with sql-injections and other problems.
    2. Make sure you use the latest version of PHP. Plenty of hosts use PHP 5.x-something - which is outdated by years. Use PHP 7.x-something at least, preferably PHP 7.1.x.
    3. Make sure you check for errors, sanitize user input and make sure that XSS-attacks and other "standard" attacks aren't able to do anything.
    4. Make sure you disable any functionality you don't need. Don't need to be able to call exec() or similar functionality? Disable it in php.ini.
    5. Set up Apache to handle the heavy lifting - modify the hosting protocols to allow for centralized redirecting, and push anything that isn't a proper link, for instance, to the main index-file - that way you won't have ridiculous problems when people try to sniff out your files, or make your site crap all over itself using URL-overload.
    6. Make sure you set up any background-files (files that only handles input/output, but doesn't show anything directly to the user) so they're not directly reachable - either by redirecting the user to index.php, or showing a "no access" error, or something like that, unless the request for the file is properly formatted and from within the same domain, and other criteria.
    7. Whitelist the files that should be allowed on the site.
    8. Use anonymous functions to disallow direct access to certain files - for instance user-uploaded files - there is no reason you should provide the exact URL to where they are stored and such - you can easily do this by using an Apache module called mod_xsendfile - not a direct security measure, but it takes a bit of load off PHP and leaves it with Apache, and it prevents a bit of snooping from malicious users
    There are plenty of other things one can do, of course, as well.
     
    PoPSiCLe, May 31, 2017 IP
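An added example (my code, not PoPSiCLe's) that puts points 3 and 6 from the post above into PHP: a guard at the top of include-only "background files", whitelist-style validation of a form field, and escaping on output so user text cannot turn into markup. The netid field and its 3-16 alphanumeric rule are assumptions.

```php
<?php
// Added example, not from the thread. In a real layout only index.php does the
// define() and every include-only helper starts with the guard; both are kept
// in one file here so the script runs as-is.
define('APP_ENTRY', true);          // only the front controller does this

// Guard for a "background file": a direct request to the file never passes
// through index.php, so the constant is undefined and the file refuses to run.
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('No access');
}

// Validate rather than "clean" input: accept only what the field should hold
// (assumed here: a netid of 3-16 letters/digits) and reject everything else.
function read_netid(array $post): ?string
{
    $raw = $post['netid'] ?? null;
    if (!is_string($raw) || !preg_match('/^[A-Za-z0-9]{3,16}$/', $raw)) {
        return null;
    }
    return $raw;
}

// Escape at output time so user-controlled text can never become HTML.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed input standing in for $_POST.
$post  = ['netid' => 'ab12'];
$netid = read_netid($post);
if ($netid === null) {
    http_response_code(400);
    exit('Invalid netid');
}
// Vulnerable:  echo "<p>Hello $netid</p>";   // reflects raw input into the page
// Hardened:
echo '<p>Hello ' . h($netid) . "</p>\n";

// The same escaper neutralises markup in a value that slipped past validation:
echo h('<b>bold</b>'), "\n";                  // prints &lt;b&gt;bold&lt;/b&gt;
```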
  3. Aditya Bajaj
    #3
    Thanks for this, it helps me get on the right line. I will definitely go through each point in great detail.
    we are using mysqli_ and have private VPS running version 6 something.
    We lock down all cross site scripting and add ssl on all sites as standard.

    I will definitely look into mod_xsendfile and focus more on locking sites down.

    this sounds great
     
    Aditya Bajaj, Jun 1, 2017 IP
  4. Blank ™
    #4
    Switch to the latest version and PDO as soon as possible.
     
    Blank ™, Jun 1, 2017 IP
  5. robert4u
    #5
    Always use the latest PHP version; new versions have patches for known bugs. Likewise, as with PHP, ensure that the software you are using is secure and that it is updated.
     
    robert4u, Jun 1, 2017 IP
  6. PoPSiCLe
    #6
    While the recommendation to use the latest version is usually a good one, why should he shift to PDO if he's using mysqli_? They're both fully capable, as long as one uses them the right way. Really, apart from some syntactic differences, and some not-so-often-used functions, there isn't really that much of a difference - as long as you're only connecting to MySQL databases - PDO's real value is that it can connect to pretty much any type of database.
     
    PoPSiCLe, Jun 1, 2017 IP
  7. Blank ™
    #7
    1. MySQLi is an old technology;
    2. PDO is way faster.
    Should be enough I guess?
     
    Blank ™, Jun 1, 2017 IP
  8. Aditya Bajaj
    #8
    Will definitely look into PDO - I had updated to PHP version 7 but that was crashing with Facebook's API at the time I had updated it. Will look into doing a new update I guess.

    Thank you guys for your inputs - this has been a great thread.
     
    Aditya Bajaj, Jun 2, 2017 IP
  9. harish saini
    #9
    The best-practice method of accessing data stored in a MySQL database via PHP:
    <?php
    // `new mysqli()` returns an object even when the connection fails, so
    // "or die" would never trigger; check connect_error instead.
    $dbh = new mysqli($SERVER, $USERNAME, $PASSWORD, $DATABASE);
    if ($dbh->connect_error) {
        die("Failed to connect to server or database.");
    }
    $netid = $_POST['netid'] ?? '';
    // prepare() is called on the connection object; ? is a positional placeholder
    if ($stmt = $dbh->prepare("SELECT * FROM `students` WHERE netid=?")) {
        $stmt->bind_param("s", $netid);   // bind $netid into the ? as a string
        $stmt->execute();
        // bind_result() needs one variable per selected column; with SELECT *
        // use get_result() (mysqlnd) and fetch the row as an associative array
        $results = $stmt->get_result()->fetch_assoc();
        $stmt->close();
    }
    // $results now contains the matching row (null if no student matched).
    ?>
     
    harish saini, Jun 2, 2017 IP
  10. PoPSiCLe
    #10
    Uhm... yes, mysqli_ is older than PDO, that doesn't mean it's inferior just because it's older - it still supports most of what PDO supports - the main difference is the type of database, and named parameters (which PDO supports, and mysqli_ doesn't).
    PDO is way faster? Do you have any sources backing that up? What I can find says that mysqli_ is usually faster, by about 5-10%, but this can increase if you use procedural methods - if you have anything showing the opposite, feel free to include some links. I would be interested in seeing it. I personally use PDO, because I prefer its syntax and handling of named parameters.
     
    PoPSiCLe, Jun 2, 2017 IP
  11. Aditya Bajaj
    #11
     
    Aditya Bajaj, Jun 3, 2017 IP
  12. PoPSiCLe
    #12
    No, "netid" is just some value from the form, being used to fetch a student from the database - =? means you're fetching from the database using a prepared statement with unnamed properties. As you can see, the next line, after the query, is $stmt->bind_param("s",$netid); - this binds the $netid-variable to the ? in the query, as a string "s".
     
    PoPSiCLe, Jun 3, 2017 IP
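An added example (my code, not any poster's) showing the student lookup from post #9 written both ways the replies in #10 and #12 describe: mysqli with a positional ? bound through bind_param, and PDO with a named :netid parameter. The connection constants, the students table's columns and the PDO attributes chosen are assumptions.

```php
<?php
// Added example, not from the thread. Placeholder connection values: replace
// with your own. Both functions send the value separately from the SQL text,
// so quotes or SQL keywords inside $netid are compared literally, never parsed.
const DB_HOST = 'localhost';
const DB_NAME = 'school';
const DB_USER = 'app';
const DB_PASS = 'placeholder-password';

// mysqli: placeholders are positional (?) and bound in order with a type string.
function find_student_mysqli(string $netid): ?array
{
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    if ($db->connect_error) {
        throw new RuntimeException('DB connect failed: ' . $db->connect_error);
    }
    $stmt = $db->prepare('SELECT netid, name FROM students WHERE netid = ?');
    $stmt->bind_param('s', $netid);              // "s": send $netid as a string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    $db->close();
    return $row ?: null;
}

// PDO: the same query with a named parameter; values are passed by name, so
// placeholder order no longer matters. Emulated prepares are switched off so
// the statement is really prepared server-side rather than interpolated.
function find_student_pdo(string $netid): ?array
{
    $dsn = 'mysql:host=' . DB_HOST . ';dbname=' . DB_NAME . ';charset=utf8mb4';
    $pdo = new PDO($dsn, DB_USER, DB_PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $stmt = $pdo->prepare('SELECT netid, name FROM students WHERE netid = :netid');
    $stmt->execute([':netid' => $netid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Usage with the form value from post #9; missing field becomes an empty string.
$netid = $_POST['netid'] ?? '';
var_dump(find_student_pdo($netid));
```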