April 19, 2010
Common PHP Security Issues
PHP is rapidly becoming one of the most popular general purpose scripting languages due to its design specifically for web development. Also, there are many user-friendly features which make it appealing to new programmers.
Unfortunately accompanying these features is the ability for programmers to inadvertently include security holes into an application. Although PHP can be as secure as any other language, not understanding the procedure causes these avoidable security holes.
There are many security programming issues that may arise during the development of an application. The primary issues include unvalidated input errors, session ID protection, cross site scripting (XSS) flaws, and access control flaws.
Input Errors - The most common type of PHP security issue is undoubtedly unvalidated input errors. This is data provided by users, thus a safe measure is to assume that every user has some type of malicious intent. To combat this issue, validate all user-provided data with the exception of expected data. In general, be as restrictive as possible and if certain pieces of data do not need to be included, reject the code.
Session ID - A session ID is a unique identification number for each user’s session. Unfortunately if the session ID is discovered by another user they can hijack that session and view confidential information. This can be a major security risk within PHP websites, especially those that process credit card numbers. Using an SSL secured connection will help reduce this type of vulnerability.
Cross Site Scripting Flaws - These types of errors occur when a malevolent user embeds scripting commands in specific data that can be viewed and activated by another user. The best method for preventing this type of attack is to stop displaying user-submitted content word-for-word on a website. Another technique is to filter out harmful tags when content is first added.
Control Flaws - The final PHP security programming issue is access control flaws. These flaws occur when specific sections of an application are restricted to specific users. This is commonly found in administration pages that include configuration settings and other confidential information. To defend against this threat, check the user’s privileges upon every load of a restricted page and layer the security.
These are four of the many common security issues found within PHP websites. They can be easily fixed, but if not caught upstream can wreak havoc on the website as well as server. The best method for protection is to review the code for any holes and always assume every user has malevolent intentions.
Popular LinksCategories: Security Issues |
Tags: unvalidated input errors,
session ID protection,
Security Issues,
secuirty holes,
php,
malicious intent,
cross site scripting (XSS) flaws,
access control flaws
Post comment: