- Feb 20, 2012
- by Brad Litwin
The most commonly exploited vulnerabilities are usually the ones easiest to avoid. That is to say, most of the exploits an attacker might use to gain unintended access to your site or database result from bad coding practices rather than bugs in the software platform (such as a LAMP stack). Let’s focus on some practices PHP developers can adopt to combat some of the most common attack vectors. These are really simple and hopefully advanced developers are already living by them.
Use a framework, PDO or prepared MySQL statements. This one is easy to skip over when you’re in a hurry, but it’s how you avoid another of the most common security vulnerabilities: MySQL injection. You might think you’re safe simply using mysql_real_escape_string, but it’s not enough. To truly protect yourself from MySQL injection, you should be using either a class which creates prepared statements and sanitizes inputs for you, or at least preparing your own statements before execution.
Validate all user input. Have specific constraints on what kind of data you’re willing to accept from user input, and make sure the values of those variables match what you’re expecting. This applies not only to values you are expecting the user to supply, but also to values the user is *capable* of changing that you aren’t expecting, such as GET and POST fields. You might think it’s safe to simply read "./sections/{$_REQUEST['section']}.tpl", process it and output the result, but if a malicious user supplies an unexpected value such as "../config/dbconfig.php", you have a serious vulnerability. Make sure any values that can be supplied by the user conform to expectations before using them.
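The two practices above put together in PHP, as an added example that is not code from the original post: the lookup uses a PDO prepared statement with a bound parameter, and the user-supplied section name is checked against a strict pattern and a resolved-path check before it is used to build a file name. The `sections` table with `slug` and `title` columns, the DSN and the environment variables are assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not from the original post). Assumed: a MySQL table `sections`
// with columns `slug` and `title`; credentials come from the environment.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);

// Tip 1: bind user input as a parameter instead of concatenating it into SQL.
// The value is sent separately from the query text, so quotes or comment
// markers inside it are treated as data, never as SQL syntax.
function findSectionTitle(PDO $pdo, string $slug): ?string
{
    $stmt = $pdo->prepare('SELECT title FROM sections WHERE slug = :slug');
    $stmt->execute([':slug' => $slug]);
    $title = $stmt->fetchColumn();
    return $title === false ? null : (string) $title;
}

// Tip 2: accept only what you expect. A section name must be a short
// lower-case identifier; anything else (such as "../config/dbconfig.php")
// is rejected before it ever reaches the filesystem.
function sectionTemplatePath(string $requested, string $baseDir = __DIR__ . '/sections'): string
{
    if (!preg_match('/\A[a-z0-9_-]{1,32}\z/', $requested)) {
        throw new InvalidArgumentException('Invalid section name');
    }
    $path = $baseDir . '/' . $requested . '.tpl';
    // Second check: resolve the path and confirm it is still inside $baseDir.
    $real = realpath($path);
    $base = realpath($baseDir);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('Unknown section');
    }
    return $real;
}

$section = $_REQUEST['section'] ?? 'home';
$path    = sectionTemplatePath($section);            // throws on anything unexpected
$title   = findSectionTitle($pdo, $section) ?? 'Untitled';
echo htmlspecialchars($title, ENT_QUOTES, 'UTF-8'), "\n"; // escape before output
readfile($path);
```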
These are just three very simple tips for avoiding common attack vectors, but there’s much more out there. Make sure you’re up to date on current best practices and employ them in your code. Don’t wait until after your site is compromised to start worrying about these issues.
If you’re looking for a PHP host who cares about site security just as you do, visit A2 Hosting now!