I understand what a lot of you are thinking! What’s the connection between PHP and security? What’s the point? Switch to a different programming language!
Despite common assumptions, PHP is still a viable language for developing online applications. PHP is just another tool you’ll have to learn how to utilize effectively. Let’s go through a few PHP-specific points that will make your site more secure.
1. Keep your website’s index.php and asset files to a minimum.
2. Disable Display Errors
With the display errors php.ini directive, you can tell PHP to show errors during execution. The mistakes that appear can expose sensitive information about your programs, such as secrets and SQL queries. In production, it’s critical to switch them off. Set display errors = Off and display startup errors = Off in your php.ini file. Turn on log errors = 1 and error log = /var/log/php-error.log to collect errors for debugging. The error log can be configured to any file path or an OS-level log service.
3. Store your passwords with the password hash.
It is general knowledge that passwords should never be stored in plain text. Many frameworks, however, continue to employ insecure hashing techniques to convert passwords (I am looking at you WordPress). Some older publications may propose hashing passwords in PHP using the md5 or hash functions. Could you not make use of them? The password hash function is the best way to hash a role in PHP.
The plain text password is passed to the password hash function and an algorithm type (PASSWORD DEFAULT is a safe choice). When the user logs in, the function returns the hashed password, which you may use later in the password verification. If the hash matches the given password, Password Verify returns true or false. If you encounter an article suggesting salting your passwords, don’t worry about it because password hash doesn’t use salts. The program automatically salts the password for you.
4. Encrypt all data transmissions
You’ll frequently need to interface with other services or storage methods in your PHP program. You must use encrypted connections to the services at all times. Always use https URLs to APIs when using curl or soap to secure the data in transit. Furthermore, if you’re using FTP, ensure you utilize a secure version, such as FTPS or SFTP. You risk leaking user data via network activities if you don’t use secure communication. TLS also confirms that the URL is what it purports to protect you from transferring sensitive information to a malicious actor.
5. Make the most of a template framework