Security Tips for PHP Developers

PHP is arguably the most powerful of all open-source programming languages. No longer used solely for web pages, it is becoming an increasingly popular tool for stand-alone programs and corporate applications. Despite all its power and flexibility, the PHP framework is far from secure. The countless number of successful hacks on popular web applications such as Drupal, Joomla and Wordpress serve as solid evidence. In this article, we will go over some of the most significant security issues to help strengthen your shared, VPS or dedicated hosting environment

Dangerous PHP Functions

All potentially dangerous PHP functions should be disabled and never used unless absolutely necessary. Three that pose the biggest threats to security are "passthru", "EVAL" and "shell_ exec." These functions can be disabled by editing the "disable_functions" value in the "php.ini" file. EVAL is perhaps the most vulnerable of all because it enables the execution of remote PHP code. If used in conjunction with an insecure global value, this particular function can result in a potentially catastrophic security breach. Because applications such as ImageMagick require shell_exec, you should perform some research to find out which functions are required before disabling them.

Remote URL Injection

When enabled on a server, the "allow_url_fopen" option permits file functions like "file_get_contents()", which could allow data to be retrieved from locations such as a remote website or FTP connection. Since a standard PHP configuration has this function enabled by default, it is highly recommended that it be manually disabled to prevent potentially dangerous code exploits. allow_url_fopen is very rarely used, thus, you should be able to disable it and still enjoy the full functionality of your website.

Insecure Code

There are many aspects that make PHP one of the most flexible platforms for web development. However, it is this very flexibility that often results in security gaps that can lead to a compromised server or website. This is especially true with the widely used web programs coded in the PHP language. Some of today's most popular content management systems have bugs and security holes in the supported plugins and even the core code itself. For this reason, you should make it a priority to run the most recent and secure versions of PHP scripts and remain weary of plugins and modules. In fact, unless their functionality is truly needed, you should try to keep your web application platforms simple with as few extensions as possible.

Conclusion

Programmers these days are faced with significant challenges due to the fact that the list of potential PHP security issues is rather extensive. Even worse, the list continues to expand with the release of each new version. That is why it is a developer's job to take the necessary steps to ensure their code is secure as possible. This can be done by smart coding, only using necessary functions and using updated PHP scripts. In addition, better protection can be assured by doing business with a hosting firm who makes security a priority. In order to give you secure environment for PHP projects, their hosting platform must be properly configured. The combination of an inadequate PHP/web server is one of the major causes of successful security breaches.