PHP stands for PHP Hypertext Preprocessor. It is a server-side scripting language used for web development, meaning it processes the client's request on the server and returns the response. It is free to download and use. There are many other server-side languages, such as ASP.NET, JSP and Python.
The PHP we know today was developed in 1994 by Rasmus Lerdorf. He built it to keep track of the visitors coming to his site and named it Personal Home Page Tool, PHP Tool for short. Lerdorf then extended the language, and in 1995 he made it open source, which brought PHP wide fame and many enhancements. At the time of writing this article, the latest version of PHP is 7, while PHP 8 is in its testing phase.
PHP is a popular web development language; even the world's biggest social networking site, Facebook, uses it. Sites and tools such as WordPress and other blogging platforms are based on PHP. It can be installed on any type of server available. It also gained fame for being free, open source and easy to learn. Many renowned frameworks, CMSs (Content Management Systems) and e-commerce sites are developed in PHP; CodeIgniter, CakePHP and WordPress are worth mentioning.
Security is a buzzword nowadays. The security of a PHP site depends on several factors. Because PHP is open source, bugs are reported and resolved frequently, but most of the security depends on server configuration, which is where the majority of security issues are found. Security also depends on how the website was developed. For example, many websites have a user login facility where users can log in and perform different actions; defining user roles limits what each user can and cannot do.
A few good practices can ensure the security of a PHP site, and the right configuration maintains a good security layer. Let's look at some good practices that may help you secure your PHP site.
Note that the examples are more suited to Linux distributions such as Red Hat, and that every time the configuration is changed, the web server (httpd, Nginx, etc.) must be restarted for the change to take effect.
It is very important to determine the document root of a site. This is the location where the source code of all the websites is kept. On Linux distributions such as Red Hat the default document root is "/var/www/html". Nothing other than website source code should be kept in this location. This setting can be found in the "httpd.conf" file.
Websites are vulnerable to different types of attacks. A few of them are described below:
3.1 XSS: Cross-Site Scripting is an attack in which the attacker inserts a script into information requested from a user. For example, while entering a full name, an attacker can embed JavaScript in it. When that full name is later printed, the script executes on the client/user side, because JavaScript is a client-side language. Using this, an attacker can divert users to a malicious site, attempt to steal data, and so on. To get rid of this kind of attack, all data received from users must be verified and filtered properly. For example, an input field meant to take a number should be validated on both the client side and the server side to confirm that the value the user supplied is actually a number.
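The two defences from this paragraph in code, as an added example that is not part of the original article: a server-side numeric check for the phone field, plus HTML escaping of the free-text name field at the point where it is printed. The function names and the sample inputs are constructed for the example.

```php
<?php
// Added example (not from the original article): server-side validation of a
// numeric field plus escaping of free-text fields before they are printed, so
// an embedded <script> tag is rendered as text instead of being executed.

// Returns the phone number as a string of digits, or null if it is invalid.
function validatePhone(string $input): ?string
{
    $input = trim($input);
    // Digits only, 6 to 15 of them; anything else is rejected outright.
    return preg_match('/^[0-9]{6,15}$/', $input) === 1 ? $input : null;
}

// Escapes text for an HTML context. ENT_QUOTES also covers single quotes, so
// the result is safe inside attribute values; UTF-8 avoids charset tricks.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs, standing in for form fields a user submitted.
$fullName = 'Alice <script>alert("xss")</script>';
$phone    = '0123456789';

// Unsafe: the script tag would reach the browser unchanged and run.
// echo "<p>Name: $fullName</p>";

// Safe: the tag is shown literally as text in the page.
echo '<p>Name: ' . escapeHtml($fullName) . "</p>\n";

if (validatePhone($phone) === null) {
    echo "<p>Please enter a valid phone number.</p>\n";
} else {
    echo '<p>Phone: ' . escapeHtml($phone) . "</p>\n";
}
```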
3.2 SQL Injection is a well-known threat to websites. Through this attack the information stored in the database can be tampered with. It is similar to XSS, but in this case a SQL query fragment is embedded. Think about a site where users search for people by typing a phone number, like below:
When a user types a phone number and clicks the search button, the query below is executed on the server:
SELECT name,phone FROM people WHERE phone=01****;
But in order to inject SQL, one can enter "01**** OR 1=1" instead. As a result the SQL query will look like this:
SELECT name,phone FROM people WHERE phone=01**** OR 1=1;
This returns all users and their phone numbers, which is a security threat. Moreover, SQL injection can be used to destroy the database, remove information, reveal the database structure, and so on.
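The phone search from this section written both ways, as an added example that is not part of the original article: the vulnerable string-built query beside a prepared statement that binds the phone number as data. It assumes a MySQL table people(name, phone) and uses placeholder connection credentials.

```php
<?php
// Added example (not from the original article): the phone search from the
// text, once the vulnerable way and once with a prepared statement. Assumes a
// MySQL table people(name, phone); host, user, password and db are placeholders.

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
$db->set_charset('utf8mb4');

// Vulnerable: user input is pasted into the SQL text. The input
// "01**** OR 1=1" becomes "... WHERE phone=01**** OR 1=1" and returns every row.
function searchUnsafe(mysqli $db, string $phone): array
{
    $result = $db->query("SELECT name, phone FROM people WHERE phone=$phone");
    return $result->fetch_all(MYSQLI_ASSOC);
}

// Safe: the query text is fixed and the value is bound as a parameter, so the
// whole string "01**** OR 1=1" is compared against the phone column as data
// and simply matches nothing.
function searchSafe(mysqli $db, string $phone): array
{
    $stmt = $db->prepare('SELECT name, phone FROM people WHERE phone = ?');
    $stmt->bind_param('s', $phone);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Escape on output as well, so a stored name cannot inject HTML into the page.
$input = $_GET['phone'] ?? '';
foreach (searchSafe($db, $input) as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), ' ',
         htmlspecialchars($row['phone'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}
```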
3.3 Allowing users to upload files can also be a medium of attack. If an attacker is able to upload any type of file, they may upload a malicious one. To get rid of this kind of attack, site owners can disable file uploads in the PHP configuration, or, during file upload, allow users to upload only defined types of files (pdf, jpeg, png, etc.) within a defined size limit (5 MB, 3 MB, etc.).
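An upload handler that enforces the type and size limits described above, as an added example that is not part of the original article. The form field name "document", the 3 MB limit and the upload directory outside the document root are assumptions; the content type is sniffed from the file itself rather than taken from the client.

```php
<?php
// Added example (not from the original article): accept an uploaded file only
// if it is under a size limit and its real content type (not the client-sent
// name or type) is on an allow list. Field name, limit and directory are assumed.

const MAX_UPLOAD_BYTES = 3 * 1024 * 1024;   // 3 MB, one of the sizes in the text
const ALLOWED_TYPES = [                      // sniffed MIME type => stored extension
    'application/pdf' => 'pdf',
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
];
const UPLOAD_DIR = '/var/uploads';           // outside the document root

// Returns the stored path on success, or throws with a reason on rejection.
function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed or no file was sent');
    }
    if ($file['size'] > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('File is too large');
    }
    // Sniff the MIME type from the content; the browser-supplied $file['type']
    // and the original file name are attacker controlled and must not be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Type $mime is not allowed");
    }
    // Generate our own name and extension; never reuse the client's file name.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    // move_uploaded_file() refuses any path that was not an HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store the file');
    }
    return $dest;
}

try {
    echo 'Stored as ', storeUpload($_FILES['document'] ?? []), "\n";
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Rejected: ', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), "\n";
}
```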
3.4 If remote execution is enabled, an attacker will be able to run PHP scripts on the server from a remote location. eval() can likewise be used to hide PHP code inside the server. Both can be prevented by changing the PHP configuration.
4. PHP has many different modules for different tasks; for example, to work with MySQL, PHP has the "mysqli" module. To see all these modules, just type "php -m" on the server's command line, and a list of all modules will be printed. Unnecessary modules can be removed from this list, which improves both the efficiency and the security of PHP. Modules are enabled and disabled in the php.ini file.
[PHP Modules]
apc
bcmath
bz2
calendar
Core
ctype
curl
date
dom
........
5. PHP sends its version information in the HTTP headers. This can be disabled in the PHP configuration. To do that, the lines below should be set in php.ini.
expose_php = Off           ; php.ini directive
ServerSignature Off        # Apache directive (httpd.conf)
ServerTokens Prod          # Apache directive (httpd.conf)
6. It is important not to show error details to users, because the error details reveal in which line of which file the error occurred, and the stack trace is printed as well. This information is of no use to users and can be a security risk. It can be disabled in the PHP configuration. To do that, the lines below should be set in php.ini.
7. Another important PHP setting is the maximum HTTP POST size. Bigger requests take more time for the server to process, and an attacker can take advantage of this by sending very large requests to keep system resources busy. The limit is set in the PHP configuration. To do that, the lines below should be set in php.ini.
Instead of "1K" the server administrator can write the desired size.
8. Many file-related activities take place on the server, such as reading and writing files. But if reading and writing any file is permitted, it becomes a security threat, because not all files on a server belong to the website: there are OS files, Nginx/httpd files, MySQL files, and so on. So a specific directory for websites should be chosen, where no other files are kept. The configuration is given below.
9. Most of us know about PHP sessions. A session stores some temporary information about a user on the server, and PHP keeps this session data in files. The location where PHP stores these files can be set in the PHP configuration. Keeping the session files in a public location can pose a security threat. To set the location, the lines below should be set in php.ini.
10. It is important to define the directory permissions of the document root. In most cases the user running PHP is apache or www-data, so the owner and group of the document root should be that user.
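A read-only script that reports which of the php.ini settings from items 4 to 10 are still at a weak value, as an added example that is not part of the original article. The list of directives and the expected values are this example's assumptions; run it through the same SAPI the site uses, since the command-line PHP may load a different php.ini.

```php
<?php
// Added example (not from the original article): a read-only check of the
// php.ini directives discussed in items 4 to 10. Run it through the same SAPI
// the site uses (e.g. briefly under the document root via php-fpm), because
// the CLI may load a different php.ini. The expected values are assumptions.

// directive => [expected '0'/'1', or null for "must be non-empty", reason]
$checks = [
    'expose_php'        => ['0',  'hides the PHP version header'],
    'display_errors'    => ['0',  'keeps file paths and stack traces off user pages'],
    'log_errors'        => ['1',  'errors still reach the server log'],
    'allow_url_include' => ['0',  'blocks including PHP code from remote URLs'],
    'allow_url_fopen'   => ['0',  'blocks remote URLs in file functions'],
    'file_uploads'      => ['0',  'disable when the site never needs uploads'],
    'open_basedir'      => [null, 'restricts file access to the site directory'],
    'session.save_path' => [null, 'session files must not be in a public dir'],
    'post_max_size'     => [null, 'limit on the POST body size'],
    'disable_functions' => [null, 'e.g. exec,shell_exec,system,passthru'],
];

// php.ini accepts On/Off/1/0/true/false and ini_get() returns them as typed,
// so normalise before comparing. stdout/stderr are display_errors targets.
function iniBool(string $value): string
{
    $truthy = ['1', 'on', 'true', 'yes', 'stdout', 'stderr'];
    return in_array(strtolower($value), $truthy, true) ? '1' : '0';
}

// Returns one "OK"/"WEAK" line per directive.
function runChecks(array $checks): array
{
    $lines = [];
    foreach ($checks as $name => [$expected, $why]) {
        $actual = (string) ini_get($name);
        $ok = $expected === null ? $actual !== '' : iniBool($actual) === $expected;
        $lines[] = sprintf('%-4s %-18s = %-20s %s', $ok ? 'OK' : 'WEAK', $name,
            $actual === '' ? '(empty)' : $actual, $ok ? '' : "($why)");
    }
    return $lines;
}

header('Content-Type: text/plain');
echo implode("\n", runChecks($checks)), "\n";
```

Remove the script again once the report has been read, so it is not left under the document root.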
14. Always keep the OS and other software updated.