Security Tips for a PHP Application

I understand what a lot of you are thinking! What’s the connection between PHP and security? What’s the point? Switch to a different programming language!

Despite common assumptions, PHP is still a viable language for developing online applications. PHP is just another tool you’ll have to learn how to utilize effectively. Let’s go through a few PHP-specific points that will make your site more secure.

1. Keep your website’s index.php and asset files to a minimum.

In modern PHP, you’ll point your webserver to a directory containing an index.php file, which will act as the site’s single point of entry. The index.php will load Composer packages and start your secret code to build the response. It’s tempting to try by putting other PHP files in the webroot. While, you don’t want those files to be committed by mistake, causing a bug in your software. Furthermore, no configuration files should be placed in the webroot because the web server can make them available. JavaScript, CSS, and image files are the only static items that should be in your site root.

2. Disable Display Errors

With the display errors php.ini directive, you can tell PHP to show errors during execution. The mistakes that appear can expose sensitive information about your programs, such as secrets and SQL queries. In production, it’s critical to switch them off. Set display errors = Off and display startup errors = Off in your php.ini file. Turn on log errors = 1 and error log = /var/log/php-error.log to collect errors for debugging. The error log can be configured to any file path or an OS-level log service.

3. Store your passwords with the password hash.

It is general knowledge that passwords should never be stored in plain text. Many frameworks, however, continue to employ insecure hashing techniques to convert passwords (I am looking at you WordPress). Some older publications may propose hashing passwords in PHP using the md5 or hash functions. Could you not make use of them? The password hash function is the best way to hash a role in PHP.

The plain text password is passed to the password hash function and an algorithm type (PASSWORD DEFAULT is a safe choice). When the user logs in, the function returns the hashed password, which you may use later in the password verification. If the hash matches the given password, Password Verify returns true or false. If you encounter an article suggesting salting your passwords, don’t worry about it because password hash doesn’t use salts. The program automatically salts the password for you.

4. Encrypt all data transmissions

You’ll frequently need to interface with other services or storage methods in your PHP program. You must use encrypted connections to the services at all times. Always use https URLs to APIs when using curl or soap to secure the data in transit. Furthermore, if you’re using FTP, ensure you utilize a secure version, such as FTPS or SFTP. You risk leaking user data via network activities if you don’t use secure communication. TLS also confirms that the URL is what it purports to protect you from transferring sensitive information to a malicious actor.

5. Make the most of a template framework

In HTML files, PHP is frequently used as the template language. PHP, on the other hand, does not escape output by default. Running prevents dangerous JavaScript from being embedded in user-controlled forms or pages. Consider utilizing Twig, a custom template option. Twig safeguards you from forgetting to escape user data by automatically running every output using its template syntax.