
Security Tips for a PHP Application

Andrew Davis on August 07, 2018

I know what many of you are thinking! PHP and security? Why bother? Just use another programming language! Contrary to popular belief, PHP is stil...
Gabriel Guzman

As an addendum, I'd add: "Learn about SQL injection." This is still the most common attack vector against a web application. Most modern frameworks will protect you from this, but you should absolutely know what it is, how it works, and how to avoid being open to it.

Jan van Brügge

It's so sad that it still is. I mean, it's a solved problem: just use prepared statements and you are safe!

Rémi Lavedrine

Yes, and you can't imagine how many websites are vulnerable to this kind of attack, and to XSS and CSRF as well, even though they are well known and have great mitigation techniques.
Follow secure tips like the ones described here and the OWASP documents and you are good to go.

kip

Yes! I recommend this short but useful resource; the same site also has a good resource about PDO.

Slava Abakumov
Erik Thiart

PHP7 is probably the best web language in existence today.

In the world of Python and Ruby, building websites from the ground up is tiresome because neither Python nor Ruby was originally created to build websites. As a result general-purpose frameworks such as Django and Ruby on Rails quickly became popular for building websites in these languages.

PHP on the other hand was created in the beginning by Rasmus Lerdorf as a set of tools written in C that would enable you to easily and quickly develop dynamic HTML.

Scott Harrison

Great post, Andrew! I think these tips are great as a checklist of sorts to go through when developing/deploying a new PHP site (such as turning off verbose errors, etc.), but I think it's just as (if not more) important that, as developers, we understand the ways in which our applications and websites could be attacked.

Using frameworks is a good way to protect against these sorts of exploits; however, it is much better if the dev understands the way in which the framework is protecting them, as it is still rather easy for an uninformed dev to code around the protections most modern frameworks offer (raw DB queries, etc.) without realising that they may be compromising the security of their application.

Check out this course: hacker101.com/ I completed it recently and it truly opens your eyes to some of the super complex ways people are able to exploit websites.

Antony Garand

You should also use password_needs_rehash once you have verified a password; this ensures that you keep the most up-to-date hashing algorithm.
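The verify-then-rehash flow this comment describes, as an added example written in PHP (it is not code from the thread or from any package mentioned in it); the in-memory user table, the cost values and the login() helper are constructed for the illustration:

```php
<?php
// Added example: verify a login password, then upgrade the stored hash
// whenever it no longer matches the currently configured algorithm/cost.
declare(strict_types=1);

// Constructed stand-in for a database row. The stored hash is created with a
// deliberately low bcrypt cost (4) to simulate an old, weaker hash on file.
$users = [
    'alice' => [
        'password_hash' => password_hash('correct horse', PASSWORD_BCRYPT, ['cost' => 4]),
    ],
];

// Assumed policy for new hashes, kept in one place: raising the cost here
// makes every existing user get rehashed on their next successful login.
const HASH_ALGO    = PASSWORD_DEFAULT;
const HASH_OPTIONS = ['cost' => 12];

/**
 * Returns true when the password is correct. On success it also replaces an
 * outdated hash, because the plaintext is only available at this moment.
 */
function login(array &$users, string $username, string $password): bool
{
    if (!isset($users[$username])) {
        // Verify against a syntactically valid placeholder hash so that an
        // unknown username costs about the same time as a wrong password.
        password_verify($password, '$2y$12$' . str_repeat('a', 53));
        return false;
    }

    $storedHash = $users[$username]['password_hash'];
    if (!password_verify($password, $storedHash)) {
        return false;
    }

    // The hash matched, so we may now compute a fresh one if policy changed.
    if (password_needs_rehash($storedHash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username]['password_hash'] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

$before = $users['alice']['password_hash'];
var_dump(login($users, 'alice', 'wrong password'));          // wrong password: hash untouched
var_dump(login($users, 'alice', 'correct horse'));           // correct: hash upgraded to cost 12
var_dump($before !== $users['alice']['password_hash']);       // shows the stored hash changed
```

The third var_dump demonstrates the rehash took effect; in a real application the new hash is written back to the database inside the same request.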

kip

Another secure development tip is to use env variables for config.

Theofanis Despoudis

I would add another one: use a well-supported web framework.

Lily260787

Phew, I had it all ;)

omgzui

It's good

Peter 👨🏻‍💻

I'd like to add one more: use security tokens. A security token makes sure the client did send a certain request to your application. I'm maintaining the following open-source PHP package, CSRF Protection, where you can use tokens and validate them without too much boilerplate code.

Leandro Arruda

Recently I saw something about the secure way to use PHP tags in plain HTML, but I do not remember if it is <? some php code ?> or another variation. Can anyone tell me the recommended PHP tags to use inside HTML?

Sixolise Maboza

Great post, Andrew!

Shahroz Nawaz

Hey, I've tried to cover a few PHP security tips in detail here: cloudways.com/blog/php-security/

I hope you like it, and feedback is welcome.

Site Antipas

Thanks for this guide

Vlastimil Pospichal

XSLT is the best template framework.