
Keeping Your PHP Site Safe

Graham Campbell Page 1 of 3

Restrict PHP Information Leakage
To restrict PHP information leakage, disable expose_php. Edit /etc/php.d/security.ini
and set the following: expose_php=Off
When enabled, expose_php reports to the world that PHP is installed on the server,
which includes the PHP version within the HTTP response header.

Disabling Dangerous PHP Functions
You should disable dangerous functions you don't use.
Again, in /etc/php.d/security.ini, you can set:
disable_functions=exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source

Limit PHP Access To File System
In your php.ini, you can set: open_basedir="/var/www/html/"

Don't Show PHP Errors To The Clients
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
error_reporting(0);

Disable PHP's Bad Features
// These features were removed entirely in PHP 5.4. On older versions,
// register_globals and magic_quotes_gpc are PHP_INI_PERDIR settings and must
// be set in php.ini or .htaccess; ini_set() has no effect on them at runtime.
ini_set('register_globals', '0');
ini_set('magic_quotes_gpc', '0');
ini_set('magic_quotes_runtime', '0');

Protecting Against SQL Injection
Using mysqli's real_escape_string function (mysqli_real_escape_string) can protect against this.

Input Sanitizing Prevents Errors And XSS Attacks
Using preg_replace("/[^A-Za-z0-9 ]/", '', $string) can sanitize a string by stripping
everything except letters, digits and spaces.
With integers, simply casting the input to an integer with the intval function can
protect us.
The htmlentities and strip_tags functions can also be useful.
Making something safe to use in a URL can be done with the urlencode function.

Use POST for Dangerous Actions
URLs like http://example.com/process.php?action=delete&id=123 are usually a bad
idea

Form Input Protection
Never put any settings in hidden form fields and expect them not to be exploited.
Also, don't expect HTML5 and/or JavaScript validation functions to be enough either:
these are good for saving server resources by not submitting invalid data, but you
should always use a PHP function to check the inputs server side too.

Uploading Files
You should disable the upload feature in PHP if you are not using it.
If you do use it, never let people upload to areas of your server directly accessible via
the web.
The best way is to store the uploaded file in a folder unavailable via a URL and have a
file act as a proxy that grabs the uploaded file and forces an innocent extension.
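An added example of the store-then-proxy arrangement just described (this is not the handout's own code): uploads are written outside the document root under a generated name, and the same script serves them back only with a harmless extension and content type. The directory /var/uploads and the form field name "upload" are assumptions.

```php
<?php
// uploads.php: stores uploads outside the web root and serves them back
// through this script only, under a harmless name and content type.
// Assumptions: /var/uploads exists, is writable by the web server, and is
// not under the document root; the upload form field is named "upload".
const UPLOAD_DIR = '/var/uploads';

function handle_upload(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return null;
    }
    // Never trust the client-supplied file name: generate our own id.
    $id = bin2hex(random_bytes(16));
    // move_uploaded_file() refuses anything that did not arrive via HTTP upload.
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        return null;
    }
    return $id;
}

function serve_upload(string $id): void
{
    // Only the 32-hex-digit ids we generate are accepted, so "../" and
    // other path tricks never reach the filesystem.
    $path = UPLOAD_DIR . '/' . $id;
    if (!preg_match('/^[a-f0-9]{32}$/', $id) || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    // Force a download with an innocent extension so the browser never
    // executes or renders whatever was uploaded.
    header('Content-Type: application/octet-stream');
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: attachment; filename="' . $id . '.bin"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

if (isset($_FILES['upload'])) {
    $id = handle_upload($_FILES['upload']);
    echo $id === null ? 'Upload failed' : 'Stored as ' . htmlentities($id);
} elseif (isset($_GET['id'])) {
    serve_upload((string) $_GET['id']);
}
```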

Header Forwards
When redirecting a user with header('Location: example.php'), make sure you
include an exit or die function immediately after to stop sensitive information being
sent to the user

Cookies
Don't use cookies for important things like setcookie("admin", 1); this can be so
easily exploited.
Sessions are much better for things like this.

Sessions
It is possible for sessions to be hijacked through XSS attacks with JavaScript, or
through network sniffing on an http connection.
Preventing JavaScript XSS attacks on the session cookie can be done with
ini_set('session.cookie_httponly', '1') before session_start().
Network sniffing can only be prevented by using an https connection, or by the user
using a VPN.
You can try and prevent a session id obtained from network sniffing being used by adding
an additional layer of security, so if someone does nab the session id, they can't use it
because their IP address is wrong:
// Requires session_start() to have been called already. Note that users on
// mobile networks or behind changing proxies will be logged out by this check.
if (isset($_SESSION['last_ip']) === false) {
    $_SESSION['last_ip'] = $_SERVER['REMOTE_ADDR'];
}
if ($_SESSION['last_ip'] !== $_SERVER['REMOTE_ADDR']) {
    session_unset();
    session_destroy();
}

Apache: Mod Security
It has a nice black list of rules that block some common exploit attempts:
<IfModule mod_security.c>
# SecFilter* directives are ModSecurity 1.x syntax; ModSecurity 2.x uses SecRule.
SecFilterEngine On
SecFilterScanPOST On
SecFilter "delete[[:space:]]+from"
SecFilter "insert[[:space:]]+into"
SecFilter "select.+from"
</IfModule>
