I hope everyone reading learns a thing or two. Please participate in the Poll in this Thread, to tell me if this tutorial helped you or not. 
1 - ALWAYS, and I mean ALWAYS use $_GET and $_POST variables
I've been programming PHP ever since the start of last year. I've learned a lot from then, and the thing that I would like to stress the most is to ALWAYS use $_POST and $_GET variables when you are using some kind of a form, or if you're grabbing information from the trail end of the URL. I hate to admit it, but before I learned about $_POST and $_GET, I used to program very "unsecurely" by not using $_POST and $_GET. In order for $_POST and $_GET to work in a form, you need to set the method= attribute to GET or POST, depending on what you're going to use later on to process the code. You can only use $_GET if you want to collect information from the trail end of a URL. For instance, the URL on the page I'm making this post on, there are two variables that are more than likely using $_GET. "mode" and "p". I can't go on forever explaining how to use $_POST and $_GET, but I do recommend you to read a PHP book or check-out the wonderful documentation available for free at PHP.net. If you use variables without $_POST or $_GET around them (again, when you're collecting information from a form or from the trail end of a URL), you're waiting for disaster to happen. I used to own a gaming site, a very popular one. I soon found out that hackers were using home-made programs in order to "cheat" my web game because I wasn't using $_POST or $_GET. For instance, if you made your own forum without using $_POST or $_GET, hackers can take a few minutes to make a program to flood your forum in a matter of a few seconds. What's even worse is that it's easy enough to do it in PHP. I won't post the code here as I think people might use it to their advantage. Avoid this and your website should be fine. I just remembered, I wrote a tiny code awhile back that prevents most home-made programs from attacking your website. Place this near the top of your layout file and you should be pretty secure. Good luck with it.
2 - ALWAYS, and I mean ALWAYS error check EVERYTHING
I recommend you to read my PHP "How To" if you haven't done so already. A few of the things I cover in there are related to error checking. I do recommend you to use error checking codes on MySQL connections/queries, any form processing code (such as if everything that you require was filled in, if a digit box is only digits, etc), and including if you are including files into your scripts. I do recommend you to use user-friendly error codes, because a visitor might run into one and may be a little confused if they see "Error 23". Instead, you could probably use "Error 23 - You forgot to enter your password". The #23 might be used for the programmer to see what could be wrong if they test their code before public use.
3 - Securing your if-then statements
This one is overseen by most people, but I sometimes like to secure my if-then statements even more. For instance, let's say that your site has a "Free Account" level and an "Advanced Account" level. Let's say that you're restricting Free Accounts from accessing the Advanced Account benefits. You set up an if-then statement that is simply put "If the user account is a free account, stop them from accessing this page, display this message, and stop the page load". This could look something like :
You could secure this even more by doing this instead :
Only a few key taps, and you've secured your if-then statement even better. This is good because you know that it's secure and they're not going to access what don't want them to.
4 - Restricting access to hidden folders
This I've seen a few times on some sites. They (like most sites) have images stored away in a separate directory. But, what they don't know is that the directory can be easily accessed where you can see what's inside it by a default Index page from Apache (on an Apache server of course, and no user-made Index file is made, too). If this isn't turned off by default, you can create a file named ".htaccess" (no quotes, and including the . before htaccess) and have this inside it :
This will show a page that denies access to the directory. If (for some reason) you want to see what's in the directory through that default Index file, you would pretty much do the opposite in the .htaccess file :
5 - Securing your secure admin area
One of the things that people forget to do on their website is blocking out the riff-raff from accessing their precious admin areas. Choose difficult passwords (most of mine are all random letters and numbers) that are hard for password cracker programs to choose from a list. I have seen many programs that try to hack through FTP accounts. They have huge dictionaries of passwords that worked on other sites that get hacked. By me looking in a few of them, they don't bother to try random passwords like "3qrfdsgsdf44w", as that would take forever to do. This should go for caution for sites with a cPanel control panel, a hacker could easily get the UserName for the cPanel account by looking around the site for any errors with PHP programming. For example :
As you can see above, "somesite" is the username on the cPanel account. Try to eliminate all test files and errors on your website so that no one can try to hack into your files and databases.
6 - Preventing JavaScript Hijacking
This is one of the most ingenious ways of hacking on websites that I've ever had to encounter. About a year and a half ago, I found out that one of the players on my gaming site was stealing the cookie information that I was using to keep users logged into their accounts. I could not understand how this one user made it possible, but I had researched the situation and found out exactly how he did it and how it worked. Basically, the user put a JavaScript snipplet on his user profile (I had accepted HTML and JavaScript in user profiles on my gaming site), which was grabbing the user's cookie information on the gaming site, the JavaScript code redirected the user to an external website (to a PHP page), and from the PHP page, the data that was collected from the JavaScript cookie code was either eMailed to the hacker or inserted into a MySQL DataBase, I'm not sure which, but it could have been either of them. With the cookie data that he literally stole from someone else's computer (with someone else's username and password in the cookie), he changed HIS cookie information to the one that was eMailed to him, and went to my gaming site. BOOM ! He was in. The only ethical way of stopping this from happening (while accepting HTML and JavaScript) I had blocked out the cookie name that I was using on my site, so that it could not be collected through that JavaScript code. Yes, it may sound very shallow, but it was one of my biggest concerns at one point in time.
7 - Preventing SQL/URL Injection
This will only occur when you do not use $_GET or $_POST variables when you are collecting data from a form or at the end of a page URL. I highly stress using $_GET and $_POST variables, as described in the first tip. SQL injection is where additional data is added at the end of a form field box, and updates other information in the database, perhaps some data that was not supposed to be edited. URL injection is the same and can work different too. Sometimes, you can enter in bits of data at the end of the URL to change some of the programming around, muffing up your programming and allowing hackers to really mess up your database info.
8 - Never Use Sessions !
When I was first developing my popular gaming site a few years ago, I started to use sessions to log users into their accounts, instead of cookies. I found out very quickly that sessions are not what they're meant to be. Apparently, it was swapping user data from one computer to another, and not directing the session data to the correct computer it was meant to go to. For instance, the user "admin" could be swapped with someone else like "blacktopbandit", which can cause a serious problem. I recommend to use cookies HIGHLY over sessions, due to that concern.
9 - Securing Your Cookies
As mentioned in the tip above, I recommend that you use cookies instead of sessions. There can be a variety of concerns with cookies too, but you can secure them by encrypting the data that's inside them. I recommend using the md5() and base64_encode() encrypting methods for cookies (better if both are used). When I did my gaming site, I left the username unencrypted, and let the password be encrypted with the above methods. One thing that most people forget to take into consideration is by checking the cookie data on EVERY page load, to see if it is legit. Check the username, the password (using the encrypting methods as well), and other data that you might have in the cookie as well.
10 - Use Image Verification On Registration Forms
When I had owned my gaming site awhile ago, I found out that bots were crawling my site and registering fake accounts, clogging up the database. To prevent this, I recommend using Image Verification, if your server supports it. In order to use PHP images, you need something called the "GD Library" enabled. If it is not enabled (you can check by running the phpinfo() command on a test page), then ask your web host if they can enable it for you. This eliminated all the bots that were registering fake accounts.
11 - Ask For Help If You Need It !
There are many forums that you can go to, such as :
- SitePoint Forums (http://www.sitepointforums.com/)
- ProgrammingTalk (http://www.programmingtalk.com/)
Basically, post your concerns with your website security, and post some samples of your code if you feel that it is necessary. More than likely, there will be someone that will be more than willing to help you out and get your site in better shape.
12 - Read Security Tutorials
There are many good tutorials on the web that you can check-out if you are unsure that your PHP website is secure. This thread only covers a few topics and concerns, though there may be other things to be considered as well. Surf Google for awhile and I'm sure you'll come up with quite a few.
Hope I've helped.
-Selim
1 - ALWAYS, and I mean ALWAYS use $_GET and $_POST variables
I've been programming PHP ever since the start of last year. I've learned a lot from then, and the thing that I would like to stress the most is to ALWAYS use $_POST and $_GET variables when you are using some kind of a form, or if you're grabbing information from the trail end of the URL. I hate to admit it, but before I learned about $_POST and $_GET, I used to program very "unsecurely" by not using $_POST and $_GET. In order for $_POST and $_GET to work in a form, you need to set the method= attribute to GET or POST, depending on what you're going to use later on to process the code. You can only use $_GET if you want to collect information from the trail end of a URL. For instance, the URL on the page I'm making this post on, there are two variables that are more than likely using $_GET. "mode" and "p". I can't go on forever explaining how to use $_POST and $_GET, but I do recommend you to read a PHP book or check-out the wonderful documentation available for free at PHP.net. If you use variables without $_POST or $_GET around them (again, when you're collecting information from a form or from the trail end of a URL), you're waiting for disaster to happen. I used to own a gaming site, a very popular one. I soon found out that hackers were using home-made programs in order to "cheat" my web game because I wasn't using $_POST or $_GET. For instance, if you made your own forum without using $_POST or $_GET, hackers can take a few minutes to make a program to flood your forum in a matter of a few seconds. What's even worse is that it's easy enough to do it in PHP. I won't post the code here as I think people might use it to their advantage. Avoid this and your website should be fine. I just remembered, I wrote a tiny code awhile back that prevents most home-made programs from attacking your website. Place this near the top of your layout file and you should be pretty secure. Good luck with it.
Code:
if((getenv("HTTP_USER_AGENT") == "Microsoft URL Control - 6.00.8862") || (getenv("HTTP_USER_AGENT") == "Microsoft URL Control - 6.00.8169")){
exit;
}2 - ALWAYS, and I mean ALWAYS error check EVERYTHING
I recommend you to read my PHP "How To" if you haven't done so already. A few of the things I cover in there are related to error checking. I do recommend you to use error checking codes on MySQL connections/queries, any form processing code (such as if everything that you require was filled in, if a digit box is only digits, etc), and including if you are including files into your scripts. I do recommend you to use user-friendly error codes, because a visitor might run into one and may be a little confused if they see "Error 23". Instead, you could probably use "Error 23 - You forgot to enter your password". The #23 might be used for the programmer to see what could be wrong if they test their code before public use.
3 - Securing your if-then statements
This one is overseen by most people, but I sometimes like to secure my if-then statements even more. For instance, let's say that your site has a "Free Account" level and an "Advanced Account" level. Let's say that you're restricting Free Accounts from accessing the Advanced Account benefits. You set up an if-then statement that is simply put "If the user account is a free account, stop them from accessing this page, display this message, and stop the page load". This could look something like :
Code:
<?php
$level = "Free Account";
if($level == "Free Account"){
exit("Your account is not an Advanced Account, so therefore you cannot access this page.");
}
// Actual content for Advanced Accounts shows up here //
?>
Code:
<?php
$level = "Free Account";
if($level == "Free Account"){
exit("Your account is not an Advanced Account, so therefore you cannot access this page.");
}else{
// Actual content for Advanced Accounts shows up here //
}
?>4 - Restricting access to hidden folders
This I've seen a few times on some sites. They (like most sites) have images stored away in a separate directory. But, what they don't know is that the directory can be easily accessed where you can see what's inside it by a default Index page from Apache (on an Apache server of course, and no user-made Index file is made, too). If this isn't turned off by default, you can create a file named ".htaccess" (no quotes, and including the . before htaccess) and have this inside it :
Code:
Options -Indexes
Code:
Options +Indexes5 - Securing your secure admin area
One of the things that people forget to do on their website is blocking out the riff-raff from accessing their precious admin areas. Choose difficult passwords (most of mine are all random letters and numbers) that are hard for password cracker programs to choose from a list. I have seen many programs that try to hack through FTP accounts. They have huge dictionaries of passwords that worked on other sites that get hacked. By me looking in a few of them, they don't bother to try random passwords like "3qrfdsgsdf44w", as that would take forever to do. This should go for caution for sites with a cPanel control panel, a hacker could easily get the UserName for the cPanel account by looking around the site for any errors with PHP programming. For example :
Code:
Parse error: parse error, unexpected T_IF, expecting ',' or ';' in /home/somesite/public_html/test.php on line 66 - Preventing JavaScript Hijacking
This is one of the most ingenious ways of hacking on websites that I've ever had to encounter. About a year and a half ago, I found out that one of the players on my gaming site was stealing the cookie information that I was using to keep users logged into their accounts. I could not understand how this one user made it possible, but I had researched the situation and found out exactly how he did it and how it worked. Basically, the user put a JavaScript snipplet on his user profile (I had accepted HTML and JavaScript in user profiles on my gaming site), which was grabbing the user's cookie information on the gaming site, the JavaScript code redirected the user to an external website (to a PHP page), and from the PHP page, the data that was collected from the JavaScript cookie code was either eMailed to the hacker or inserted into a MySQL DataBase, I'm not sure which, but it could have been either of them. With the cookie data that he literally stole from someone else's computer (with someone else's username and password in the cookie), he changed HIS cookie information to the one that was eMailed to him, and went to my gaming site. BOOM ! He was in. The only ethical way of stopping this from happening (while accepting HTML and JavaScript) I had blocked out the cookie name that I was using on my site, so that it could not be collected through that JavaScript code. Yes, it may sound very shallow, but it was one of my biggest concerns at one point in time.
7 - Preventing SQL/URL Injection
This will only occur when you do not use $_GET or $_POST variables when you are collecting data from a form or at the end of a page URL. I highly stress using $_GET and $_POST variables, as described in the first tip. SQL injection is where additional data is added at the end of a form field box, and updates other information in the database, perhaps some data that was not supposed to be edited. URL injection is the same and can work different too. Sometimes, you can enter in bits of data at the end of the URL to change some of the programming around, muffing up your programming and allowing hackers to really mess up your database info.
8 - Never Use Sessions !
When I was first developing my popular gaming site a few years ago, I started to use sessions to log users into their accounts, instead of cookies. I found out very quickly that sessions are not what they're meant to be. Apparently, it was swapping user data from one computer to another, and not directing the session data to the correct computer it was meant to go to. For instance, the user "admin" could be swapped with someone else like "blacktopbandit", which can cause a serious problem. I recommend to use cookies HIGHLY over sessions, due to that concern.
9 - Securing Your Cookies
As mentioned in the tip above, I recommend that you use cookies instead of sessions. There can be a variety of concerns with cookies too, but you can secure them by encrypting the data that's inside them. I recommend using the md5() and base64_encode() encrypting methods for cookies (better if both are used). When I did my gaming site, I left the username unencrypted, and let the password be encrypted with the above methods. One thing that most people forget to take into consideration is by checking the cookie data on EVERY page load, to see if it is legit. Check the username, the password (using the encrypting methods as well), and other data that you might have in the cookie as well.
10 - Use Image Verification On Registration Forms
When I had owned my gaming site awhile ago, I found out that bots were crawling my site and registering fake accounts, clogging up the database. To prevent this, I recommend using Image Verification, if your server supports it. In order to use PHP images, you need something called the "GD Library" enabled. If it is not enabled (you can check by running the phpinfo() command on a test page), then ask your web host if they can enable it for you. This eliminated all the bots that were registering fake accounts.
11 - Ask For Help If You Need It !
There are many forums that you can go to, such as :
- SitePoint Forums (http://www.sitepointforums.com/)
- ProgrammingTalk (http://www.programmingtalk.com/)
Basically, post your concerns with your website security, and post some samples of your code if you feel that it is necessary. More than likely, there will be someone that will be more than willing to help you out and get your site in better shape.
12 - Read Security Tutorials
There are many good tutorials on the web that you can check-out if you are unsure that your PHP website is secure. This thread only covers a few topics and concerns, though there may be other things to be considered as well. Surf Google for awhile and I'm sure you'll come up with quite a few.
Hope I've helped.
-Selim
