How to secure PHP websites from hackers

Security is an often overlooked part of PHP programming. It is almost impossible to make your website 100% secure, but there are a few things you must do to secure PHP websites from hackers. Here are a few tips that developers must follow.

1. Never Execute Unescaped Queries (Protection against SQL Injection) - SQL injection is the best known and still the most used hacking technique. Lakhs of websites are still vulnerable to SQL injection. I am going to show you how this technique works to bypass login credentials. In the given example I am going to code a program that checks a user's login details.

Here you expect that the user will enter his username and password, and the above code will check whether they are correct or incorrect. But suppose that instead of a username and password someone enters values like this:

Username=' or '1'='1

Password=' or '1'='1

then your query will look like this-

As you know, '1' always equals '1', so the query returns true every time and a hacker can easily bypass the login process.

Protection - Never pass any user input directly to your query. Always use mysqli_real_escape_string to protect your query from injection. After applying this function your code will look like this-

It will help you secure PHP websites from hackers against these types of loopholes.
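
The bypass and its fix from tip 1, as an added example that is not the article's own code. It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs without a MySQL server, and it swaps in a prepared statement (which mysqli also supports) in place of mysqli_real_escape_string, because bound parameters are never parsed as SQL. The users table, its columns, the sample row and the function names are assumptions.

```php
<?php
// Added example. The in-memory SQLite table stands in for a MySQL users table;
// table, column and function names are assumptions, the row is constructed.
// The password is plaintext only to mirror the login query the article
// describes; real code stores password_hash() output and checks it with
// password_verify().
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['alice', 'correct horse']);

// Vulnerable: user input is concatenated into the SQL text, so quotes in the
// input change the structure of the WHERE clause.
function login_vulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users "
         . "WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: the SQL text is fixed and the input is bound as data.
function login_prepared(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE username = ? AND password = ?'
    );
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// The input shown in the article, submitted as both username and password.
$payload = "' or '1'='1";

$checks = [
    'vulnerable, real credentials' => login_vulnerable($db, 'alice', 'correct horse'),
    'vulnerable, injected input'   => login_vulnerable($db, $payload, $payload),
    'prepared, real credentials'   => login_prepared($db, 'alice', 'correct horse'),
    'prepared, injected input'     => login_prepared($db, $payload, $payload),
];
foreach ($checks as $label => $accepted) {
    echo str_pad($label, 32), $accepted ? "login accepted\n" : "login rejected\n";
}
```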

2. Check Session on every protected page - After a successful login it is necessary to check the user's session on each protected page. It is better to write one PHP file that checks the user's session and include this file on every protected page.

3. Always use .php as an extension - If you are planning to use functions like include(), include_once(), require() and require_once(), never use extensions like .inc or .ini for files that are going to be included in a PHP program. Always use .php as the extension, because a .php file will not display its source code, whereas files with other extensions may display it when someone opens them directly through a browser.

4. Input Validation - Don't rely on client-side validation scripts such as JavaScript programs. Anyone can easily bypass these validations. There are lots of programs and extensions, like Tamper Data, which help to do so. Always use server-side validation. For example, if you ask the user for a date of birth, check whether it is valid before inserting it into the database. Here is the code for it

As you know, the month lies between 1 and 12. If someone enters 131 as the month, the script will catch the error because its length is 3, and the value will not be inserted into the database. It follows the same procedure for day and year.

5. Output Filtering - If you are going to display content entered by users on your website, such as comments on a blog, use strip_tags() to exclude HTML tags from users' comments. This is necessary because a few HTML tags, like <script> and <iframe>, are very dangerous. Using these tags a hacker can redirect users from your website to any other website, and he may steal your users' cookies. It will also help you secure PHP websites from hackers against Cross Site Scripting (XSS).

6. Don't Display Errors - Sometimes errors may display valuable information to hackers, like file names, table names, queries etc. Use the given code at the beginning of each page-

During development this may create problems for you, so don't use it while you are developing your project. If you want to check the errors after using it, open the error_log file on your server.

7. Turn off directory listing - A hacker can easily see all the files available in a folder by opening a URL like . It will display all the files available in the images folder. To avoid such activities, add a blank file named index.html to each folder.

These are the basic, must-follow points to secure PHP websites from hackers.

  • Sugar Rave

    I like the bit about adding blank index.html files to each directory other than the root. This might even be helpful for plain Html sites where you just don’t want people snooping through your image folders