PHP is one of the backend programming languages which is very popular among developers. Because PHP is an open source programming language, has a good structure, and is easy to use.
But when you choose PHP programming as the backend of your website, you need to pay attention to the security of the PHP program that you create. The goal is that the website you create is not easily hacked by hackers.
Usually hackers will target visitors’ personal data, sell illegal products on the website without your knowledge, steal money from transactions you make, and display advertisements that will slow your website down.
Fortunately, there are several solutions to increase the security of your PHP program. That’s what we will cover in this guide. To make it easier for you, we will explain several attacks on PHP and provide solutions to avoid PHP attacks.
Table of contents close
1 3+ Examples of PHP attacks
1.1 1. Cross-Site Scripting (XSS)
1.2 2. Session Hijacking
1.3 3. Cross-Site Request Forgery (CSRF)
1.4 4. Prevent SQL Injection Attacks
2 7 PHP Security Tips You Must Know
2.1 1. Use htmlspecialchars
2.2 2. Save Session with IP
2.3 3.Use PHP Data Objects (PDO)
2.4 4. Hide Files from Browser
2.5 5. Root Document Settings
2.6 6. Always use SSL
2.7 7. Update PHP regularly
3 Now Are You Ready To Protect PHP Security?
3+ Examples of PHP attacks
The following is an explanation of four examples of attacks on PHP. From these four examples, we hope to help you understand how attacks on PHP occur.
- Cross-Site Scripting (XSS)
Cross site scripting is one of the most dangerous external attacks that is carried out by inserting malicious code or scripts into a website. These scripts can affect website performance and are often used to steal data.
Usually hackers force access to your website. The goal is to get access to cookies , sessions , history , and so on. The impact of XSS is not only from the side of the website owner, but also from website visitors. Visitors will usually get a website display full of advertisements or foreign languages that cannot be read.
- Session Hijacking
Session hijacking is an attack that is often used by hackers to retrieve data in the form of your session ID. The goal is to get the account access that hackers want. For example, website login accounts, databases, and user data.
By using a session ID, hackers can validate your session. You do this by sending a request to the server. Then search the $ _SESSION array to find session accounts / data without your knowledge. This method is usually done after going through Cross Site Scripting (XSS).
- Cross-Site Request Forgery (CSRF)
In a Cross site request forgery (CSRF) attack, hackers can perform unwanted actions on a website. By using CSRF, hackers will get full website access. so that hackers can modify website data or modify program functions.
This attack will force the user to change requests, such as transferring funds without realizing it or even deleting all data in the database. A CSRF attack can only occur when you click on a link that has been sent and is disguised by a hacker.
The following is a GET request that the hacker has inserted into your website code to send money to another account.
GET http://bank.com/transfer.do?acct=TIM&amount=100 HTTP/1.1
Now, if you click on the link below, you will automatically send money to another account with the amount indicated.
http://bank.com/transfer.do?acct=Dapit&amount=100000
These links are usually sent via email disguised as a file or image that allows you to click on the file.
- Prevent SQL Injection Attacks
SQL injection is the most common attack on PHP scripts. One query request can compromise all of your website data. In this attack, hackers will usually try to modify the data you send via queries.
Suppose you are directly processing user data in an SQL query, and suddenly, the hacker is secretly using a different character to bypass your account. That means, the hacker’s account will take over access from your account.
As an example, see the SQL query below.
$sql = “SELECT * FROM users WHERE username = ‘” . $username . “‘;
The query $ username can contain modified data. So from these queries can damage the database including deleting the entire database in just a blink of an eye.
7 PHP Security Tips You Must Know
Well, you already know the various types of attacks on PHP security. Now is the time for you to find out various ways to improve PHP security.
We aim at PHP security tips below for those of you who have just started website development. Especially for those of you who are still learning about the PHP programming language. The method below does seem basic, but don’t underestimate the effect.
- Use htmlspecialchars
To be able to view suspicious scripts and avoid Cross-Site Scripting (XSS) , use htmlspecialchars in your PHP code . This will help you convert characters in PHP to HTML form. For example:
- & (sign “and” or ampersand ) → & amp;
- ”(Double or double quote ) → & quot;
- ‘( single quote ) → & # 039;
- <(sign less than or less tha n) → & lt;
- > ( greater than or greater than sign ) → & gt;
You can also use ENT_QUOTES in your website code. ENT_QUOTES will convert single and double quotation marks (“and ‘) into HTML form. That way, you can more easily check suspicious scripts.
- Save Session with IP
To prevent session hijacking , you should always save the session with a special IP address that you use frequently. The trick, add this code into your script.
$IP = getenv ( “REMOTE_ADDR” );
This method can help you to cancel the session every time there is a suspicious request and without your knowledge. The code above will also provide information that someone is trying to access your session.
3.Use PHP Data Objects (PDO)
To avoid SQL injection attacks , you must use PHP Data Objects or PDO. PDO is an additional extension that helps you securely access databases. It doesn’t matter what kind of database you use.
However, PDO cannot be used to edit SQL or add certain features. But precisely because of that, you can avoid SQL injection attacks.
- Hide Files from Browser
PHP framework that uses the MVC (Model View Controller) architecture, Laravel or CodeIgniter for example, has a structured file directory view. Not all files will be processed by the browser. However, the file is still visible.
Here, the problem is. Most lay developers put all website files in the root directory . This makes it easier for hackers to break into important website data. Because the browser can see all these files, it will be easy for hackers to insert malicious code / scripts into your website.
The solution, move files from the root folder into the public server folder . The goal is that the web browser does not easily see important files from the website.
- Root Document Settings
The document root for any PHP application on any server must be set into the / var / www / html directory so that users can access your website via a browser. But in some cases, when you are developing APIs with frameworks like Laravel and CodeIgniter you will need to update the webroot to the / public folder .
The purpose of setting the webroot to var / www / html / public is to hide sensitive files like .htaccess and .env which contain environment variables, database access, email, payment APIs, etc.
- Always use SSL
All modern web browsers such as Google Chrome, Firefox, Opera, and others, always recommend using the HTTPS protocol for websites. Because HTTPS provides a secure and encrypted access protocol for untrusted sites.
SSL certificates also strengthen your website against XSS attacks and prevent hackers from pasting code into your website. To get an SSL certificate you can follow the guide on the free SSL article on our blog.
- Update PHP regularly
Currently, the most stable and newest PHP version available is PHP 7.4.5 . I suggest you have to update your website to use the latest PHP version.
If you are still using PHP 5.6 then you will have many problems updating PHP. Because you also need to update your website code and change some logic functions such as password hashing and others.
If you are using PHPStorm then you can use the PHP 7 Compatibility Inspection, which will show you which code is causing the error.
Now Are You Ready To Protect PHP Security?
The PHP programming language has always been vulnerable to external attacks. But if you use the PHP security tips that we have provided above, you can easily secure your website from hacker attacks.
Apart from these PHP security tips, there are many techniques that can help you secure your website from external attacks, such as using the best cloud hosting that has security features, DdOS protection, malware protection, free SSL and others.
