What is PHP ?
The full meaning of PHP is PHP Hypertext Preprocessor. It is a Server side scripting language used for web development. Means it processes the client request in the server and returns response. It is free to download and use. There are many server side languages like ASP.NET, JSP, Python etc.
History
The PHP we know was developed in 1994 by Rasmus Lerdorf. He built this language to keep the trace of visitors came in his site. He named it Personal Home Page Tool which in short is PHP Tool. Afterwards Ramos enriched this programming language and in 1995 He made it Open Source. This brought vast fame and enrichment to PHP. Till the date of writing this article, the latest version of PHP is 7 whereas PHP 8 is in testing phase.
How does it work
In general PHP resides with HTML, CSS, JavaScript etc. The files containing PHP codes are given the extension ".php" for example "index.php", "abc.php" etc. PHP codes are written in between "<?php" and "?>". All the codes inside that are processed by PHP Interpreter and returned a result to the client.
Let's see an image of how PHP works:
Popularity
PHP is a popular web development language. Even worlds biggest social networking site Facebook uses PHP. Sites/Tools like Wordpress, Blogging etc. are based on PHP. It can be installed on any type of server available. It also gained fame because of being Free, Open Source and Easy to Learn. Many renowned Framework, CMS: Content Management System & E-Commerce sites are developed in PHP. Among them Codeigniter, CakePhp, Wordpress etc. are worth mentioning.
Security
Security is a buzz word now a days. The security in PHP depends on some factors. As PHP is open source, so the bugs are addressed and resolve frequently but majority of the security depends on server configuration. Most of the security issues are found in server configuration. The security also depends on how the website was developed. Like, a lot of websites has user login facility where users can login and do different things. Defining user roles will limit user activities (What they can do and can not do).
Good Practices
Few good practices can ensure the security of a PHP site. Right configuration can maintain a good security layer. Let's see some good practices that may help you securing your PHP site.
Note that examples are more suited for Linux, Redhat etc. And every-time after changing configuration httpd, Nginx etc. will be needed to restart for enforcing changes.
Always use the latest Stable Version of PHP. Older versions can have bugs or exploits. To see the version of PHP we can write the command in cmd "php -v".
It is very important to determine the Document Root of a site. This is the location where source code of all the web sites are kept. Generally in Linux, Redhat etc. Operating system default document root is "/var/www/html". Other than web site source code nothing else should be kept in this location. This configuration can be found in "httpd.conf" file.
Websites are vulnerable to different types of attacks. Few of them mentioned below:
3.1 XSS: Cross Site Scripting is an attack in which attacker inserts script inside information requested from a user. Like while entering the full name of a user, attacker can embed JS: Java Script inside. As a result when the full name of that user gets printed then the script get executed in the client/user side because JS is client side language. Using this attacker can divert user towards a malicious site, can try to theft data etc. To get rid of this kind of attack, any data getting from users are needed to be verified and filtered properly. Like a input field destined to take number should be validated on both client side and server side that the input given by user is a number.
3.2 SQL Injection is a well known threat to websites. Due to this attack the information stored in Database can be hampered. It is also like XSS but in this case SQL Query is embedded. Think about a site where users search for people by typing phone number like below:
When users types phone number and clicks search button then in the server below query is executed.
SELECT name,phone FROM people WHERE phone=01****;
But in order to inject SQL we can enter "01**** OR 1=1". As a result the SQL Query will look like below:
SELECT name,phone FROM people WHERE phone=01**** OR 1=1;
Which will in return reveal all the user and their phone numbers. It is a security threat. Moreover SQL Injection can be used to destroy database, remove information, reveal database structure etc.
3.3 Allowing users to upload file can also be a medium of attack. If attacker gets to upload any type of file then the attacker may upload malicious file. To get rid of this kind of attack site owners can disable file upload from PHP configuration. OR during file upload user should only be allowed to upload defined types of files (pdf, jpeg, png etc.) and within defined size (5mb, 3mb etc.)
3.4 If Remote Execution is enabled then attacker will be able to run PHP Script in the server from a remote location. eval() can be used to hide PHP codes inside server. These two can be prevented by changing PHP Configuration.
4. PHP has many different Module to accomplish different tasks Like to work with MYSQL php has "mysqli" Module. To see all these modules just type "php -m" in servers cmd. As a result a list of all modules will be printed. The unnecessary modules can be removed from this list. It will increase the efficiency and security of PHP. Module enable/disable can be found in php.ini file.
[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dom
........
5. PHP send its version information in HTTP header. It can be disabled from PHP configuration. To do that in php.ini below lines should be mentioned.
expose_php=Off
ServerSignature Off
ServerTokens Prod
6. It is important not to show error details to users. Because in error details there it is mentioned in which line of which file the error occurred as well as the stack trace is printed. This info is of no use to users also can be security risk. It can be disabled from PHP configuration. To do that in php.ini below lines should be mentioned.
display_errors=Off
7. Another important configuration in PHP is determining HTTP Post size. Bigger requests requires more time for server to process. Attacker can take advantage and send bigger requests to keep system resources busy. It can be mentioned in PHP configuration. To do that in php.ini below lines should be mentioned.
post_max_size=1K
Instead of "1K" server administrator can write the desired size.
8. There are many files related activities takes place in server like reading/writing a file etc. But if reading/writing in any file is permitted then it will be a security threat. Because all files in a server is not for the website. There are OS files, Nginx/Httpd, MYSQL etc. So a specific directory for websites should be selected where no other files will be kept. The configuration is given below.
9. Most of us are aware about PHP Session. Session saves some temporary information of user into server. PHP keeps this session data in file. The location where PHP will keep this session can be mentioned in PHP configuration. Keeping these session files in a public location can pose security threat. It can be mentioned in PHP configuration. To do that in php.ini below lines should be mentioned.
10. It is important to define the Directory Permission of Document Root in PHP configuration. Most of the case the user running PHP is apache or www-data. So the Owner and Group of the document root should be those users.
11. OS like Linux has its own security features Like SELinux. It provides safety against faulty configuration and malicious software.
12. OS like Linux has its own Firewall which can monitor server traffic.
13. Another way of ensuring security is SSL certificate. It creates a Secure Channel between user and server. It stops Man in the Middle Attack.
14. Always keep OS and other software updated.
Top comments (0)