Make these mistakes and hackers will attack your web application using Cross Site Scripting, SQL Injection, Path Traversal, and other attacks to take over your website.
Let's review common mistakes and their prevention methods.
The code below is enough to create an XSS vulnerability in your website.
echo '<p>' . $_GET['name'] . '</p>'; // vulnerable to XSS
Never write user input directly into the response. Encode it for the context it is written into so that any dangerous characters lose their meaning. PHP has the built-in htmlentities() function to encode HTML special characters, which you can use for HTML text and quoted attribute values. Pass ENT_QUOTES explicitly: before PHP 8.1 the default flags leave single quotes unencoded, which is not enough inside a single-quoted attribute.
echo '<p>' . htmlentities($_GET['name'] ?? '', ENT_QUOTES, 'UTF-8') . '</p>'; // safe code
Sometimes user input reaches the page indirectly. For example, it might be saved in a database and written into the response on a later request (stored XSS). The rule is the same: encode at output time, whatever the value's origin, and never treat data as safe just because it was already stored.
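The following is an added example, not code from the original article. It gives one encoding helper per output context (HTML, inline script, URL parameter) and uses a constructed "stored" payload to show that the same value needs different encodings depending on where it is written; the helper names are my own.

```php
<?php
declare(strict_types=1);

// Added example: one encoder per output context. The value is treated the
// same whether it came from $_GET or from a database row.

// HTML text content or a quoted attribute value.
function esc_html(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value embedded in an inline <script> block: JSON-encode it and hex-escape
// the characters that could close the script element or break a string.
function esc_js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Value placed in a URL query string. rawurlencode() emits only
// [A-Za-z0-9_.~-] and %XX, so the result is also safe inside an href attribute.
function esc_url_param(string $value): string
{
    return rawurlencode($value);
}

// Constructed sample: a "name" an attacker stored earlier (stored XSS case).
// Use ?name=... to try other inputs.
$name = $_GET['name'] ?? '"><script>alert(document.cookie)</script>';

echo '<p>Hello, ' . esc_html($name) . '</p>', "\n";
echo '<input type="text" name="name" value="' . esc_html($name) . '">', "\n";
echo '<a href="/profile?name=' . esc_url_param($name) . '">profile</a>', "\n";
echo '<script>var name = ' . esc_js($name) . ';</script>', "\n";
```

Note that no single encoder covers every context: HTML encoding a value and then dropping it into a script block, or into an unquoted attribute, still leaves an injection.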
Building file paths from user input is one of the most dangerous mistakes you can make. It can cause critical vulnerabilities like:
- Local File Inclusion
- Remote File Inclusion
- Remote File Disclosure
- Remote URL Inclusion
- Path Traversal
The code below is an example of a file inclusion vulnerability.
include $_GET['file']; // vulnerable to remote/local file inclusion
To prevent file inclusion vulnerabilities:
- Resolve every path containing ../ to an absolute path (realpath()) and make sure the final file is inside the directory where it should be.
- Accept only whitelisted inputs whenever possible.
- Check the filename for invalid characters such as the null byte, question mark, semicolon, directory separators, etc.
- Do not include URLs that start with a scheme (http://, ftp://, php://, data://, etc.).
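The following is an added example, not code from the original article. It applies all four rules above to the include $_GET['file'] case: a whitelist of page names, a path built from a constant base directory, and a realpath() check as defence in depth. The templates directory, the page names and the helper names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example. TEMPLATE_DIR and ALLOWED_PAGES are assumptions.
const TEMPLATE_DIR = __DIR__ . '/templates';
const ALLOWED_PAGES = ['home', 'about', 'contact'];

// Returns the canonical path of the template to include, or null to refuse.
function resolveTemplate(string $page): ?string
{
    // 1. Whitelist: only known names, so the user supplies no path characters,
    //    no scheme and no null byte at all.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }

    // 2. The path is built from a constant base and a fixed extension.
    $candidate = TEMPLATE_DIR . '/' . $page . '.php';

    // 3. Canonicalise and verify the result is still inside TEMPLATE_DIR.
    //    This catches symlinks and any future mistake in the whitelist.
    $real = realpath($candidate);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// When a fixed whitelist is impossible (e.g. user-uploaded files), at least
// restrict the name to a plain filename: no separators, no "..", no null
// byte, no "scheme:" prefix. Anchors \A and \z stop a trailing newline trick.
function isPlainFilename(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\.(php|html)\z/', $name);
}

$page = $_GET['file'] ?? 'home';
$path = resolveTemplate($page);
if ($path === null) {
    http_response_code(404);
    exit('Page not found');
}
include $path;
```

Inputs such as ../../etc/passwd, http://evil.example/shell.txt or home.php%00 never reach include: the first two fail the whitelist, and the third is not even a valid name in it.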
Building SQL queries by concatenating user input lets users change the original SQL command and inject their own. This is called SQL Injection. Hackers can exploit an SQL Injection vulnerability to run statements such as DROP on the database or, depending on the database engine and its configuration, execute system commands.
<?php
$db = new SQLite3('products.db');
$id = $_GET['id'];

// below line is vulnerable to SQLI
$name = $db->querySingle("SELECT name from products where productId=$id");

// below line is not vulnerable, but only because the escaped value is wrapped in single quotes
$name = $db->querySingle("SELECT name from products where productId='" . SQLite3::escapeString($id) . "'");

echo $name;
It is always good practice to use prepared statements for SQL queries to prevent SQL Injection. Escaping special characters in the user input (as in the example above) also works, but it is fragile: escapeString() only protects a value inside single quotes, so the same call in an unquoted numeric comparison protects nothing.
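The following is an added example, not code from the original article. It uses an in-memory SQLite database with constructed rows to show a prepared statement with a typed parameter next to the escaping pitfall just described; the table contents and function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example: constructed in-memory database.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE products (productId INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (productId, name) VALUES (1, 'Keyboard'), (2, 'Mouse')");

// Safe: type check, then a prepared statement with a bound integer parameter.
function productName(SQLite3 $db, string $id): ?string
{
    // A product id is a non-negative integer; anything else is rejected early.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT name FROM products WHERE productId = :id');
    $stmt->bindValue(':id', (int) $id, SQLITE3_INTEGER);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    $stmt->close();
    return $row === false ? null : $row['name'];
}

// For contrast: escapeString() without surrounding quotes. It only escapes
// single quotes, so "1 OR 1=1" passes through unchanged and the WHERE clause
// is bypassed (the query returns the first row of the table).
function productNameEscapedUnquoted(SQLite3 $db, string $id): ?string
{
    $sql = 'SELECT name FROM products WHERE productId=' . SQLite3::escapeString($id);
    $value = $db->querySingle($sql);
    return ($value === null || $value === false) ? null : (string) $value;
}

// Constructed inputs: a legitimate id and a classic injection payload.
foreach (['1', '1 OR 1=1'] as $input) {
    echo "prepared  [$input]: ";
    var_dump(productName($db, $input));
    echo "escaped   [$input]: ";
    var_dump(productNameEscapedUnquoted($db, $input));
}
```

With the payload 1 OR 1=1 the prepared version returns null because the input never passes the integer check, while the unquoted escapeString() version happily returns a product name, which is exactly the injection the article warns about.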
Several PHP functions, exec() among them, run OS commands (others evaluate PHP code).
Passing user input as arguments to such functions causes command execution vulnerabilities where hackers can execute arbitrary commands on the server. Consider the code below as an example:
$ip = $_GET['ip'];
echo exec("ping $ip");
The code above is a ping service where users can ping any IP. If a user enters 1 & echo 123 as the IP address, the command echo gets executed on the server, because the shell treats & as a command separator.
How to prevent command execution vulnerabilities:
- Avoid functions like exec() altogether when PHP itself can do the job.
- Accept only whitelisted inputs (for a ping service: a value that filter_var() accepts as an IP address).
- Check inputs for shell metacharacters like &, semicolon, pipe, backticks and newlines, and pass every argument through escapeshellarg() so it reaches the program as a single quoted word.
The popen() function (and proc_open()) can also be used for command execution indirectly, so be careful when using them.
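The following is an added example, not code from the original article. It hardens the ping service above in two ways: strict validation plus escapeshellarg() when a shell string is unavoidable, and the argv form of proc_open() (PHP 7.4 and later) that never hands a string to /bin/sh at all. The ping flags are Linux iputils syntax and an assumption for illustration.

```php
<?php
declare(strict_types=1);

// Added example. Rejects anything that is not a syntactically valid IPv4/IPv6
// address; "1 & echo 123" and "127.0.0.1; id" fail here before any shell runs.
function assertIpAddress(string $target): void
{
    if (filter_var($target, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $target");
    }
}

// Variant 1: still uses the shell, but the argument is a single quoted word.
// escapeshellarg() does not stop option injection (a leading "-"), which is
// why the whitelist check above comes first.
function pingHost(string $target): string
{
    assertIpAddress($target);
    $cmd = 'ping -c 1 -W 2 ' . escapeshellarg($target) . ' 2>&1';
    exec($cmd, $output, $status);
    return implode("\n", $output) . "\n(exit status $status)";
}

// Variant 2: no shell at all. proc_open() with an argv array executes the
// program directly, so metacharacters have no meaning whatsoever.
function pingHostNoShell(string $target): string
{
    assertIpAddress($target);
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', '-W', '2', $target], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ping');
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $status = proc_close($proc);
    return $out . "(exit status $status)";
}

// Constructed inputs: one valid address and three injection attempts.
foreach (['127.0.0.1', '1 & echo 123', '127.0.0.1; id', '-f'] as $input) {
    try {
        echo pingHostNoShell($input), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Prefer the second variant: when the program is executed directly there is no shell grammar to escape, and the remaining risk is limited to what ping itself does with a validated address.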
Redirecting a user in PHP is common and easy. It can be done using below code.
header('Location: ' . $_GET['url']); // vulnerable code
But this is vulnerable! It can be exploited to redirect the user to any other website.
To prevent open redirects, make sure the URL is not an off-site link before redirecting the user. Accept either a site-relative path starting with a single / or an absolute URL whose host is on your own allow-list, and remember the corner cases: //evil.com is protocol-relative and goes off-site, browsers treat \ like /, and https://yoursite.com@evil.com lands on evil.com.
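The following is an added example, not code from the original article. It validates a redirect target against the rules just listed, falling back to / for anything it cannot prove is on-site, and runs a set of constructed inputs through the check. The host allow-list and the function name are assumptions.

```php
<?php
declare(strict_types=1);

// Added example. Replace with the site's own hostnames.
const ALLOWED_HOSTS = ['www.example.com', 'example.com'];

// Returns a redirect target that is guaranteed on-site, or "/" as a fallback.
function safeRedirectTarget(string $url): string
{
    $fallback = '/';

    // Control characters and whitespace: header injection or parser confusion.
    if (preg_match('/[\x00-\x20\x7f]/', $url)) {
        return $fallback;
    }
    // Browsers treat a backslash like a slash, so "/\evil.com" is "//evil.com".
    $url = str_replace('\\', '/', $url);

    // Case 1: site-relative path. Exactly one leading "/" so that the
    // protocol-relative form "//evil.com" is excluded.
    if ($url !== '' && $url[0] === '/' && ($url[1] ?? '') !== '/') {
        return $url;
    }

    // Case 2: absolute https URL to one of our own hosts.
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return $fallback; // also rejects javascript:, data:, etc.
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return $fallback;
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return $fallback;
    }
    // "https://www.example.com@evil.com" parses with host=evil.com and already
    // failed above; refuse userinfo on our own host too, it has no legitimate use.
    if (isset($parts['user']) || isset($parts['pass'])) {
        return $fallback;
    }
    return $url;
}

// Constructed inputs.
foreach ([
    '/account',
    '//evil.com/phish',
    '/\\evil.com',
    'https://www.example.com/login',
    'https://www.example.com@evil.com/',
    'http://evil.com',
    'javascript:alert(1)',
] as $candidate) {
    printf("%-40s -> %s\n", $candidate, safeRedirectTarget($candidate));
}

// In the real handler (before any output is sent):
// header('Location: ' . safeRedirectTarget($_GET['url'] ?? '/'));
```

Of the constructed inputs only /account and https://www.example.com/login come back unchanged; every other one is replaced by the fallback. If the application only ever redirects within itself, drop case 2 entirely and accept relative paths only.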
PHP errors disclose information like paths and file names, database errors, the OS type, and more. Displaying PHP errors on production makes it easier for hackers to break into your website. The mistake is not reporting errors but showing them to the client: keep reporting and logging everything, and turn display off (error_reporting() called with no argument only returns the current level and changes nothing).
error_reporting(E_ALL);          // keep reporting every error
ini_set('display_errors', '0');  // but never send it to the client on production
ini_set('log_errors', '1');      // write it to the server log instead
Setting display_errors = Off in php.ini is better still, because it also covers fatal errors that happen before this code runs.
The phpinfo() function displays a huge amount of information: the PHP version, active extensions, configuration values, and system paths are a few examples. Hackers can use this to learn about the server and tailor their attacks.
To avoid this information disclosure, never leave a phpinfo() page on production servers.
Dealing with user input in PHP applications can be tricky and prone to different vulnerabilities. XSS, SQL Injection, and local file inclusion are a few of the input-related vulnerabilities explained above. Validate user input strictly, encode it for the context it is used in, and avoid risky functions like exec() and phpinfo() to keep your code more secure.