Tech Hub

Website Security

How to Improve Website Security in PHP

When it comes to website security, in addition to securing your hardware and platform, you have to compose your code more securely. Here are some of the best techniques that a developer should learn in order to protect the website from malicious attacks.

Data Input Validation

While designing your application make sure that every data is validating in your PHP code, if you are using JavaScript validation there is always a chance that user might have turned off JavaScript from the browser in that case validation does not occur in your application. Validation through JavaScript is fine but to save your application from these problems you should do validation in PHP file as well.

SQL Injection Attacks

SQL Injection is a type of injection attack that may break down your database, it is one of the most common hacking techniques to destroy your web application. It occurs by the placement of malicious code in SQL statements.

To prevent SQL Injection you should do your database queries using PDO with parameterization and prepared statements.

Take a look at the following code:

1.  <?php
2.  $sql = "SELECT * FROM users WHERE name=:name";
3.  $stmt = $db->prepare($sql);
4.  $stmt->execute(array(":name" => $name));

In the above example, we provide named parameter :name to prepare first, which informs the database engine to precompile the query and attached the values to the named parameter after. When the execute() function execute the query with the actual values of named parameter is executed, in this way, the hacker can’t inject malicious SQL as the query is always compiled and your database is secure.

File System Security

Review all the files that are globally readable to ensure that they are safe for reading by all users who have access to your web application.

Log Errors in Development Phase But Hide in Production

When you finished development and deployed the application on the server, the first thing that you keep in your mind is to disable the display all the errors because sometimes hackers might get some valuable information from errors as well. Set this parameter in your php.ini file.

display_errors=Off

Update PHP Regularly

It is worth remembering that it is not possible for previous versions of PHP to receive security features forever, Support for a PHP version lasts for two years. It means that if you are not updating your PHP version regularly then you will be having a lot of deprecations.

Share Linkedin