With a steady growth in the amount of PHP applications, this has also led to an increase of malicious activity – leading us to the conclusion that writing secure PHP code is more important than ever.
So, keeping the three most vulnerable aspects of PHP in mind, here are 3 tips of writing defensive PHP code:
#1: Cross Site Scripting or XSS
With the growth of the use of AJAX, Cross Site Scripting has also experienced a proportionate growth as well with one instance of use being in creating the Comments section of a website. Since the commenter has to log in to comment, his login information is stored by means of a cookie. As the person writes the comment, there is every chance that information stored in the cookie is accessible to a remote server that is handled by a malicious user. This is why it is imperative to use filters when requesting for random information.
#2: SQL Code
Much like XSS, SQL Code is just as vulnerable to malicious users. However, in order to write SQL code, there are a couple of things that must be remembered. First of all, try as much as possible to avoid using dynamic code and secondly, if you have to use this type of code, then avoid the situation where you have direct input into the tables. Also, using the “mysql_real_escape_string” would be a good idea.
#3: Global Variables
Using the PHP feature ‘Register Globals’ can hamper the objective of maintaining programming safety. As soon as this feature is activated in the PHP configuration file, even on uninitialized variable can lead to a damaging security flaw that you can do without – and since the user might be verifiable when the file is run, almost anyone can seize administrative control. To deal with this situation, disable Register Globals, ensure that you initialize variables as well as use localized variables too within the program.