When it comes to website security, in addition to securing your hardware and platform, you have to compose your code more securely. Here are some of the best techniques that a developer should learn in order to protect the website from malicious attacks.
Data Input Validation
SQL Injection Attacks
SQL Injection is a type of injection attack that may break down your database, it is one of the most common hacking techniques to destroy your web application. It occurs by the placement of malicious code in SQL statements.
To prevent SQL Injection you should do your database queries using PDO with parameterization and prepared statements.
Take a look at the following code:
1. <?php 2. $sql = "SELECT * FROM users WHERE name=:name"; 3. $stmt = $db->prepare($sql); 4. $stmt->execute(array(":name" => $name));
In the above example, we provide named parameter :name to prepare first, which informs the database engine to precompile the query and attached the values to the named parameter after. When the execute() function execute the query with the actual values of named parameter is executed, in this way, the hacker can’t inject malicious SQL as the query is always compiled and your database is secure.
File System Security
Review all the files that are globally readable to ensure that they are safe for reading by all users who have access to your web application.
Log Errors in Development Phase But Hide in Production
When you finished development and deployed the application on the server, the first thing that you keep in your mind is to disable the display all the errors because sometimes hackers might get some valuable information from errors as well. Set this parameter in your php.ini file.
Update PHP Regularly
It is worth remembering that it is not possible for previous versions of PHP to receive security features forever, Support for a PHP version lasts for two years. It means that if you are not updating your PHP version regularly then you will be having a lot of deprecations.