Being hacked is very painful and can generate many problems to your business. According to numerous studies, the preferred method for attacking businesses’ online assets is via their Web applications.
There is no such thing as 100% secure, but you can take specific measures to fight against a wide range of attacks and secure your web app as much as possible.
When it comes to application security, in addition to securing your hardware and platform, you also need to write your secure code.
You can never build a perfect system, but the more experience you have the less vulnerable your system is going to be.
Software security covers a very wide area of subjects. To have a secure software application you have to consider many things.
Keep your application secure and less vulnerable to hacking by following these steps:
Input data validation
When you design your app you should be striving to guard it against bad input. The first rule is: don’t trust user input. Even if you app is intended for good users, there is always a chance that some users will try to attack your app by the bad input method.
Always validate data in your PHP code! Even if you are using JavaScript to validate user input, there is always a chance that the user might have turned off JavaScript in the browser. If this is the case, your app will not be able to validate the input.
You can validate your data in JavaScript, but to guard against these types of problems you should re-validate the data in PHP as well.
Guarding Against XSS Attacks
Cross-site scripting attack (XSS attack) is an attack based on code injection into vulnerable web pages. Usually, a web application accepts input from users and displays it in some way: blog posts, comments or threads in the form of HTML code. When the form is submitted, the data is sent to the server and stored into the database. The comment is fetched from database and shown in the HTML page and the JavaScript code will run.
You can protect your application from such attacks. Just run the input data through strip_tags() to remove any tags present in it.
Protecting against SQL Injection
One of the most well-known security attacks on the web is the SQL injection. This type of attacks occurs when data goes unchecked, and the application doesn’t escape characters used in SQL strings such as single quotes (‘) and double quotes (“). Users can exploit the system if this characters are not filtered.
PHP does offer a few tools to help protect your database input. Your variables should be safe to use in queries if you use these functions with a simple call, when you are connected to a sql server.
Use PDO to perform your database queries. You can prevent SQL injection with parameterized queries and prepared statements.
Protecting the File System
As a developer you should be always careful in the way you write your code. Write your code in such a way that none of your operations puts your file system at risk.
Do passwords, remember me and login resets properly
You should make sure you implement all stages of logging in properly in your app.
The remember me functionality should use secure tokens to recognize the user, not storing their credentials in cookies. Also, for the registration and login you should use salting and cryptographic functions like bcrypt to store passwords, not MD5 hashing or plain text.
Security is all about identifying and mitigating possible risks of attack. By keeping the above 5 steps in mind, it’s possible to secure a PHP application to a great extent.