A PHP website developer’s answer to website vulnerabilities

Varun Shridhar
Technical Head

5th February, 2019

A secure website is a happy website. The following simple security measures can make sure your website is protected from Cross-Site Scripting, SQL Injection, Sniffing etc.

Websites have been around for a long time. As have hackers. Nobody is a stranger to either of them. It therefore makes sense to ensure your code, which is fed by endless hours of hard work and neck pain, is not exploited by someone.

As a fellow developer, I can relate to the same and hence thought of sharing a few basic security measures that will definitely make your website less susceptible to hacking efforts.

  • Install a security certificate on your domain (some don't even cost money): Having a security certificate relieves you of the woes that snoopers come bearing. Most snoopers will be unable to get passwords or any other information transmitted from the client's machine to the server once you have a security certificate on your domain. Moreover, you should redirect all http:// traffic to https:// to ensure that an encrypted channel is always used for cookies and other transfers of data between the client-side device and the server. I'm sure you're still stuck on the 'don't have to pay' part. You can easily get a free Let's Encrypt security certificate from their website, or obtain one with Certbot if you have shell access.

  • Captcha for bots: It's definitely annoying when you excitedly open a response to your 'Contact Us' form only to realise the user's email is habsduy@kjadnjakfn.com and they want to say "asdj kkn out wgrywanie u9789" to you. Jokes aside, it is important to have a Captcha on all your forms to prevent malicious bots from spamming your website. I personally recommend reCAPTCHA by Google, which takes the processing away from your server and rests that responsibility solely on Google. All you have to do is verify the response and voila! You now know the user is a human and not a bot spamming your website.

  • Sanitise and Filter the user inputs: Make preg_replace(), PHP's built-in regex replacement function, your best friend. It's one of the most flexible ways of filtering user inputs. The most common application of this is $string = preg_replace('/[^A-Za-z0-9\-\/\(\) ]/', ' ', $string);, which replaces every character outside that allowed set with a space. Filtering inputs this way stops someone without legitimate access from using a form field to make changes on the back-end of your website. As scary as that can be, these risks can be avoided with simple instructions.

  • Never Trust GET[] or POST[] data: This follows a similar vein to Point 3: never trust the user. All input data is to be treated as malicious code. Period. For instance, you have 3 services reached through URLs such as example.com/service.php?name=service1 or example.com/service/service1, and you take the slug ("service1") and display it on the page as Service1 (simply capitalising the first letter). This is a very bad situation, as someone can easily swap the slug in example.com/service/ for a piece of script to check whether they can run scripts against your site, and when an alert box opens up, they will move on to more harmful scripts. Therefore it's not only important to sanitise your GET and POST variables, but also necessary to check that they correspond to a valid page, in this case one of "service1", "service2" or "service3".

  • "Required"? I don't think so: While validating a form on the server end, always verify that a "required" variable was actually received, because it's easy to edit the HTML and remove that attribute. (Removing the required attribute will actually serve as a bug fix in some cases when setting up a Magento 1 website locally.)

  • Parameterised SQL Query: Make sure all your SQL queries are parameterised (http://php.net/manual/en/pdo.prepared-statements.php). This is your one-stop shop to prevent SQL injections. Parameterised queries should be adopted early on, and you should make them a mandatory practice. A user can write an SQL query as an input and it will be executed unless it's treated purely as a string value (which is what parameterisation enforces). Follow this thread on Stack Overflow (https://stackoverflow.com/questions/4712037/what-is-parameterized-query) to gain more insight.

  • Always #: Any sensitive information which is shown on the client's side should be hashed. This includes login information. Any character which is not a-z, A-Z, 0-9, '-', '/', '(' or ')' should be replaced by a space or by nothing at all (an empty string, ''), as the preg_replace() pattern in Point 3 does. To restrict it for slugs, remove the hyphens and the round brackets and you'll be good to go. Use this friendly tool (https://regex101.com/) to check your regex before implementation. This is also valid for file uploads, where you must check the type and size of the file before uploading it to a server.

  • Add X-Security Headers in your .htaccess: XSS (https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)), Page Framing (https://www.owasp.org/index.php/Cross_Frame_Scripting) and Content Sniffing (https://www.keycdn.com/support/what-is-mime-sniffing) are major security risks. These techniques revolve around getting malicious scripts to run against your site by exploiting security vulnerabilities. Add the following lines of code (https://htaccessbook.com/increase-security-x-security-headers/) and you're good to go.

  • Secure your cookies: If your cookies are being set over a plain HTTP request, a malicious user can combine a TRACE request with XSS and read the cookie information. However, if you're following the steps mentioned, which include forcing HTTPS and hashing your cookie data, you'll be A-okay. But being doubly secure never hurt anybody. Follow the accepted answer on this thread (https://stackoverflow.com/questions/22221807/session-cookies-http-secure-flag-how-do-you-set-these) and your cookies are secured, with nothing to worry about!

Adding security features to your website is an ever-evolving process, credit to advancing technologies and advancing mechanisms to hack. These are some measures that have helped me along the way. Maybe a couple of months down the line I will have an updated version of this article.

Stay tuned.
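Points 3, 4, 5 and 7 in one place, as an added example that is not from the article: the filter from Point 3, the slug allow-list from Point 4, the server-side "required" check from Point 5 and the upload size/type check from Point 7. The function names and the constructed requests at the end are assumptions of this example.

```php
<?php
// Added example (not from the article): handling the service page from Point 4
// with the preg_replace() filter of Point 3, the "required" check of Point 5 and
// the upload check of Point 7. Function names are hypothetical.

// Point 3: replace anything outside the allowed character set with a space.
function filterInput(string $value): string
{
    return preg_replace('/[^A-Za-z0-9\-\/\(\) ]/', ' ', $value);
}

// Point 4: a slug is accepted only if it names one of the real pages.
const VALID_SERVICES = ['service1', 'service2', 'service3'];

function resolveService(array $get): ?string
{
    // Point 5: "required" in the HTML proves nothing; check the value arrived.
    if (!isset($get['name']) || !is_string($get['name'])) {
        return null;
    }
    // Slugs get the stricter set from Point 7: letters and digits only.
    $slug = preg_replace('/[^A-Za-z0-9]/', '', filterInput($get['name']));
    return in_array($slug, VALID_SERVICES, true) ? $slug : null;
}

// Escape on output as well, so even an accepted value cannot become markup.
function pageTitle(?string $slug): string
{
    $title = $slug === null ? 'Service not found' : ucfirst($slug);
    return htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Point 7: check an upload's size and its real MIME type before keeping it.
function uploadAccepted(array $file, int $maxBytes = 2097152): bool
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return false;
    }
    if (($file['size'] ?? 0) > $maxBytes) {
        return false;
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return in_array($mime, ['image/png', 'image/jpeg'], true);
}

// Constructed requests: markup in the slug is filtered and then rejected,
// while a genuine slug is accepted and rendered.
echo pageTitle(resolveService(['name' => '<b>service2</b>'])), "\n";
echo pageTitle(resolveService(['name' => 'service2'])), "\n";
```

The first request prints "Service not found" because the filtered slug no longer matches any allowed page; the second prints "Service2".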
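Point 6 worked through, as an added example that is not from the article: the same lookup written the unsafe way and then as a PDO prepared statement. The in-memory SQLite table and its two rows are constructed for the example; the function names are assumptions.

```php
<?php
// Added example (not from the article): the lookup behind the service page
// written the unsafe way and then as a PDO prepared statement, as Point 6
// recommends. An in-memory SQLite table with constructed rows makes it
// runnable stand-alone; on MySQL only the DSN changes.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // bind server-side where the driver can
$pdo->exec('CREATE TABLE services (slug TEXT PRIMARY KEY, title TEXT)');
$pdo->exec("INSERT INTO services VALUES ('service1', 'Hosting'), ('service2', 'Design')");

// Unsafe: the input is pasted into the SQL text, so a quote inside it
// ends the string early and the rest is executed as SQL.
function findServiceUnsafe(PDO $pdo, string $slug): array
{
    $sql = "SELECT title FROM services WHERE slug = '$slug'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe: the SQL is fixed at prepare time and the input travels separately
// as a bound value, so it can only ever be compared as a string.
function findService(PDO $pdo, string $slug): array
{
    $stmt = $pdo->prepare('SELECT title FROM services WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed input containing a quote: the unsafe query's WHERE clause is
// rewritten and it returns every row; the prepared one matches nothing.
$input = "' OR '1'='1";
var_dump(findServiceUnsafe($pdo, $input));
var_dump(findService($pdo, $input));
var_dump(findService($pdo, 'service2'));
```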
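Points 1, 8 and 9 done from PHP rather than .htaccess, as an added example that is not from the article, for hosts where the .htaccess file cannot be edited. The canonical host name and the function names are assumptions of this example.

```php
<?php
// Added example (not from the article): the HTTPS redirect from Point 1, the
// response headers from Point 8 and the cookie flags from Point 9, set from
// PHP itself for hosts where .htaccess cannot be edited. Call these before any
// output is sent; the array form of session_set_cookie_params() needs PHP 7.3+.
const CANONICAL_HOST = 'example.com'; // configured, not taken from the Host header

// Point 1: send plain-HTTP visitors to the HTTPS version of the same URL.
function forceHttps(): void
{
    if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
        header('Location: https://' . CANONICAL_HOST . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
}

// Point 8: no framing by other origins, no MIME sniffing, legacy XSS filter on.
function sendSecurityHeaders(): void
{
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('X-XSS-Protection: 1; mode=block');
    header('Strict-Transport-Security: max-age=15552000'); // keep using HTTPS for 180 days
}

// Point 9: session cookie only over HTTPS, hidden from JavaScript (so an XSS
// or TRACE trick cannot read it) and not attached to cross-site requests.
function startHardenedSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1'); // ignore session ids the server never issued
    session_start();
}

forceHttps();
sendSecurityHeaders();
startHardenedSession();
```

Any cookie you set yourself with setcookie() takes the same 'secure', 'httponly' and 'samesite' options in its array argument.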
