PHP is a great language; it allows people to create large web sites and web applications in a reasonable amount of time. However, many programmers cut corners when it comes to the security of a web site. In this article, I’ll go over some of the security blunders that are commonplace with PHP programmers.
Non-Validated User Input
Some programmers assume that the user's input can be trusted all the time. They express this by using the raw value of an input without any kind of validation or checking:
$month = $_GET['month'];
$year = $_GET['year'];
exec("cal $month $year", $result);
foreach ($result as $r) { print "$r <br/>"; }
You never want to blindly use the raw input from the user. A good rule of thumb is to anticipate that all user input will be malicious, because sometimes it will be. In this example we're loading two GET variables and executing the cal command with them. How is this dangerous? Well, all someone has to do is put "; rm -rf *" as the year and all your precious files will be deleted.
The proper way to fix this is to ensure the input you receive is what you expect it to be. JavaScript validation is not enough on its own, because it can easily be ignored and worked around; the check has to happen on the server. So, in order to properly validate these inputs, we need to ensure that the month is indeed a one- or two-digit number and that the year is a four-digit year. Here's an example of how we would do so:
if (!preg_match("/^[0-9]{1,2}$/", $month)) die("Bad month, please re-enter.");
if (!preg_match("/^[0-9]{4}$/", $year)) die("Bad year, please re-enter.");
SQL Injection Vulnerabilities
As in the example above, non-validated user input can cause problems with more than just your PHP files. With non-validated data a user could gain access to restricted areas (even as an administrator) or, worse, delete your entire database.
Let's say we're trying to log in to an account and this is our SQL statement:
SELECT user_id FROM users WHERE name = '$username' AND pass = '$password';
If someone is attempting to bypass your username and password check, all they'd really have to do is put this as their password:
' OR '1'='1
Now the new query would be:
SELECT user_id FROM users WHERE name='admin' AND pass='password' OR '1'='1';
Because the OR clause is always true, the query returns a row regardless of the password, and the user now has access to the administrative section of your website and can cause some serious harm. But fear not, there is a very simple way to ensure that this doesn't happen to you: escape the dangerous characters with a simple
$username = addslashes($_POST['username']);
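The login query above, built by string concatenation, next to the same lookup done with a PDO prepared statement; this is an added example, not code from the original article. It assumes PHP with the pdo_sqlite extension and uses an in-memory SQLite database; the users table, the admin row and its demo password are constructed for the example.

```php
<?php
// Added example: the article's concatenated login query beside a PDO
// prepared statement. In-memory SQLite keeps it self-contained; the table
// and the 'admin' row (password 's3cret-demo') are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
// Stored in clear text only to mirror the article's query; real code stores a hash.
$pdo->exec("INSERT INTO users (name, pass) VALUES ('admin', 's3cret-demo')");

// Vulnerable: $username and $password are pasted straight into the SQL text,
// exactly like the article's query. Whatever row comes back counts as a login.
function vulnerableLogin(PDO $pdo, string $username, string $password): ?int
{
    $sql = "SELECT user_id FROM users WHERE name = '$username' AND pass = '$password'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// Fixed: the SQL text is fixed at prepare time and the values are bound
// separately, so quotes in the input are data and cannot alter the query.
function safeLogin(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT user_id FROM users WHERE name = :name AND pass = :pass');
    $stmt->execute([':name' => $username, ':pass' => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['user_id'] : null;
}

// The password value from the article; name is 'admin' in both calls.
$injected = "' OR '1'='1";
echo 'concatenated query, injected password: ', var_export(vulnerableLogin($pdo, 'admin', $injected), true), PHP_EOL;
echo 'prepared statement, injected password:  ', var_export(safeLogin($pdo, 'admin', $injected), true), PHP_EOL;
echo 'prepared statement, real password:      ', var_export(safeLogin($pdo, 'admin', 's3cret-demo'), true), PHP_EOL;
```

With the injected value the concatenated query matches the admin row, while the prepared statement only matches when the real password is supplied.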
Sessions
Session ID hijacking can be a problem with sites built in PHP. The tracking component uses a unique ID for each user's session, but if this ID is indexed by Google or accidentally sent in a link to someone else, then another user could hijack that person's session. Session ID hijacking cannot be completely prevented, but you can lock down what a person would be able to do with a hijacked session.
One important tip I can't recommend enough is requesting password confirmation when changing information on a web site. That way, if someone hijacks a session, they can't change any vital information without first knowing the hijacked user's password. Putting extra account validation on things like address changes, security questions, and password change requests is a must.
Another problem with sessions is that some people store passwords, in plain text, as a session variable. This is bad because if someone hijacks your session they can read your password. The best way to fight this is to store a hash of the password instead of the password itself.
// Store only the hash of the submitted password, never the password itself
$_SESSION['password'] = md5($password);

// Later, compare the hash of the re-entered password with the stored hash
if ($_SESSION['password'] == md5($password)) {
    echo "passwords validated";
}
That's all the security tips I have right now; hopefully they will help you when you're developing an application.