Secure PHP Hosting

Security is of the utmost importance to us, but sometimes it relies solely on you, the customer. If you create your own PHP applications (maybe you're a new PHP developer), you will need to consider the security of those applications. Some of the issues include:
• SQL Injections
• HTML & Javascript vulnerabilities in MySQL database values.

Note that all of these vulnerabilities are caused by programmers in their own PHP applications and are not vulnerabilities in the PHP software itself. They could be prevented by changes to the PHP configuration, but that would mean that 90% of all PHP scripts would probably stop working properly: the 90% of scripts that already keep their code secure without the configuration change would do the complete reverse and break if the configuration were changed. That makes it an unviable solution for us, so it is down to the programmer to keep their applications secure. Below we explain the main vulnerabilities that especially affect forms used in conjunction with PHP interactivity.
• SQL Injections
This is a big issue, probably the thing hackers love most about PHP, and it can have disastrous effects on your scripts. SQL injection is where an attacker abuses MySQL syntax inside the values that go into your SQL statements, changing what the statement means when MySQL executes it. An example is a MySQL comment submitted through a form. Say you have a member system: an attacker adds a MySQL comment to the password field and no longer needs a password at all. Logically, the SQL statement ends up just SELECTing by username. The statement still contains an AND clause for the password, but the comment removes everything after it, so MySQL treats the submitted values as correct login credentials. To prevent this you would use the mysql_real_escape_string() function, which backslash-escapes single and double quotation marks in the value and so prevents the injection. Consider a query like this:

SELECT * FROM `users` WHERE `username` = '$username' AND `password` = '$password'

If you escape the ' character (as mysql_real_escape_string() does), the submitted value can no longer break out of its quoted string, so the rest of the statement cannot be altered and the injection is prevented.
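The login query above, as an added example that is not part of the original post or eUKhost's code. It uses PDO prepared statements rather than the escaping function the post names (mysql_real_escape_string() was removed in PHP 7.0; mysqli_real_escape_string() is its direct replacement), because a prepared statement keeps the SQL text fixed and sends the values separately, so a quote or comment marker in the input is compared as data instead of being parsed as SQL. The table, the sample account and the inputs are constructed for the example; it runs against an in-memory SQLite database (assumes the pdo_sqlite extension), and only the DSN changes for MySQL.

```php
<?php
// Added example (not eUKhost's code): the post's login query rewritten with
// PDO prepared statements. SQLite in-memory so it runs stand-alone; for MySQL
// replace the DSN with 'mysql:host=...;dbname=...' plus credentials.
declare(strict_types=1);

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    // Constructed sample account. Only a hash is stored, never the password itself.
    $ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// UNSAFE pattern from the post: values interpolated straight into the SQL text.
// Kept only to contrast with login() below; never run user input through this.
function unsafeQueryString(string $username, string $password): string {
    return "SELECT * FROM users WHERE username = '$username' AND password = '$password'";
}

// SAFE: the statement text never contains user data. The placeholder carries the
// value separately, so quotes or a comment sequence in the input stay literal.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;               // unknown user; no SQL was altered
    }
    return password_verify($password, $row['password_hash']);
}

$db = buildDb();
var_dump(login($db, 'alice', 'correct horse'));   // correct credentials
var_dump(login($db, 'alice', 'wrong'));           // wrong password
// Constructed input containing a quote and a SQL comment marker, the case the
// post describes. With the prepared statement it is just an unknown username.
var_dump(login($db, "alice' -- ", 'anything'));
// Same input in the unsafe builder shows why escaping or binding matters: the
// password clause ends up after the comment marker.
echo unsafeQueryString("alice' -- ", 'anything'), "\n";
```

The first var_dump is true and the other two are false; the final echo prints the concatenated statement so you can see the password check sitting inside the comment. Two points the post does not spell out: escaping only helps when the value is inside quotes (an unquoted numeric column such as `id = $id` is still injectable after escaping), and comparing a stored password_hash() value with password_verify() means the password never appears in the SQL at all.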
• Code in Forms
Imagine you have a form whose values are stored in a database and displayed again later. If a user submits HTML, or worse JavaScript, they may be able to add redirects or mount more serious attacks through the POST handling of that form. A user could be happily submitting data via the form without realising that a silent JavaScript redirect sends the request to a PHP file on an external site that reads the same variables as the original page ($_POST, $_GET or simply $_REQUEST), so the user's data is captured quite easily. To prevent this you can use a variety of options, such as:
• htmlspecialchars(), which turns the opening and closing angle brackets into HTML entities (so the page displays the brackets and code as text instead of the browser parsing them).
• strip_tags(), a less user-friendly option that strips the brackets and the HTML/JS tags completely.
• preg_match(), which lets you check whether the form values contain angle brackets and, if so, refuse the post.

htmlspecialchars syntax: htmlspecialchars($_POST['message'])
strip_tags syntax: strip_tags($_POST['message'])
preg_match syntax:
<?php
$str = $_POST['message'] ?? '';   // the submitted form value (empty if absent)
$look = "/</";                    // matches an opening angle bracket
$look1 = "/>/";                   // matches a closing angle bracket
if (preg_match($look, $str) || preg_match($look1, $str)) {
    echo "Match found!";          // refuse the post here
}
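The three options above applied to one constructed form value, as an added example that is not part of the original post or eUKhost's code. The input string stands in for $_POST['message'] and is made up for the example; the function names escapeForHtml, stripMarkup and containsAngleBrackets are this example's own. It also shows the two details a practitioner needs that the post leaves out: pass ENT_QUOTES and a charset to htmlspecialchars() so the value is also safe inside an attribute, and encode at output time rather than before storing.

```php
<?php
// Added example (not eUKhost's code): the post's three defences side by side.
declare(strict_types=1);

// Constructed stand-in for $_POST['message']: markup, a script and quote characters.
$message = '<b>Hello</b> <script>alert("x")</script> it\'s "quoted" & done';

// 1. htmlspecialchars(): the browser shows the markup as text. ENT_QUOTES also
//    encodes single quotes (needed inside attributes); ENT_SUBSTITUTE replaces
//    invalid UTF-8 instead of returning an empty string; the charset is explicit.
function escapeForHtml(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. strip_tags(): removes the tags entirely. Note that text between tags
//    survives, so the script's source stays as plain text in the output.
function stripMarkup(string $s): string {
    return strip_tags($s);
}

// 3. preg_match(): refuse the submission if it contains an angle bracket at all.
//    One character class covers both brackets; the post used two patterns.
function containsAngleBrackets(string $s): bool {
    return preg_match('/[<>]/', $s) === 1;
}

echo escapeForHtml($message), "\n";
echo stripMarkup($message), "\n";
var_dump(containsAngleBrackets($message));          // markup present: refuse
var_dump(containsAngleBrackets('plain text only')); // nothing to refuse

// Store the raw value; escape at the moment it is placed into HTML, in every
// context it appears in (element body and attribute value shown here).
$stored = $message;
$html = '<p class="msg">' . escapeForHtml($stored) . '</p>'
      . '<input type="text" value="' . escapeForHtml($stored) . '">';
echo $html, "\n";
```

Run with `php example.php` and compare the three outputs: the escaped line shows the tags as literal text, the stripped line has lost the tags but kept `alert("x")` as ordinary text, and the checks return true for the markup and false for the plain string. Escaping on output rather than before storage keeps the stored data reusable (in e-mail, JSON or a CSV export) without double-encoding it.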

For more information, check the PHP documentation at php.net for the full list of functions, their uses and explanations.


This post is compiled by eUKhost.com
