For any web application development (PHP, Java or .Net), security-wise we must consider two major things.
- First one is Secured Hosting
- Second is Coding level standards & secured code
Application hosting is very important for any web application. Without security at the web hosting level, there is no point in hosting the application at all, so we carefully select the best hosting service providers.
There are many things we consider during the development of a PHP web application.
1) Disable the PHP Error Reporting in Production:
Ex:
error_reporting(0);
If any issues, warnings or errors are displayed in the application, the error message reveals the folder path, file name and line number. A public user can then easily map the folder and file structure of the application, which is one more way to attack it. So use error_reporting(0); on production servers.
2) Limit Restrictions
From the PHP authentication point of view, the application must enforce limits on how often the server can be hit.
Ex: Suppose an anonymous user logs in to the application with many different passwords; in one of those attempts he succeeds in authenticating to the application.
By limiting how many times the anonymous user can hit the application, we restrict this behaviour and easily shut out login hackers.
3) MySQL Data Injection
Data injection is a very sensitive and common issue in any application. It occurs through browser URLs or AJAX requests.
To prevent this injection, use sprintf(), prepared statements and the MySQL real escape string functions.
4) Input Validation
In any PHP application form, we know what kind of data we are expecting as input; based on that, apply both client-side and server-side validation. This easily protects the application against such attacks.
5) XSS Attacks
To prevent these attacks, filter the data against some predefined keywords using preg_match(), filter_var() and htmlspecialchars().
Generally these attacks are executed through client-side scripting.
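As an added example (not code from the original post), the following PHP login handler ties points 1 to 5 together in one place; the `$pdo` connection and the `users` table are assumptions.

```php
<?php
// Added example, not code from the original post: a minimal login handler that
// applies points 1-5. Assumes a PDO connection in $pdo and a `users` table
// with columns id, username and password_hash (produced by password_hash()).
declare(strict_types=1);
// 1) Hide errors from visitors but keep them in the server log. A bare
//    error_reporting(0) also silences the log, so these two settings are safer.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
// 2) Limit login attempts. The session is used here for brevity; a real
//    deployment keys the counter by username and client IP in shared storage.
const MAX_ATTEMPTS   = 5;
const WINDOW_SECONDS = 900;
session_start();

function attemptsExceeded(): bool {
    $a = $_SESSION['login'] ?? null;
    if ($a === null || time() - $a['since'] > WINDOW_SECONDS) {
        $a = ['n' => 0, 'since' => time()];        // start a fresh window
    }
    $_SESSION['login'] = $a;
    return $a['n'] >= MAX_ATTEMPTS;
}

// 4) Server-side input validation with the functions named above.
$username = (string) (filter_input(INPUT_POST, 'username') ?? '');
$password = (string) ($_POST['password'] ?? '');
if (!preg_match('/^[a-z0-9_]{3,32}$/i', $username) || $password === '') {
    http_response_code(400);
    exit('Invalid input');
}
if (attemptsExceeded()) {
    http_response_code(429);
    exit('Too many login attempts, try again later');
}
// 3) Prepared statement: the username is bound, never concatenated into SQL.
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
$stmt->execute([$username]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || !password_verify($password, $row['password_hash'])) {
    $_SESSION['login']['n']++;                     // count the failure
    http_response_code(401);
    exit('Login failed');   // same message for unknown user and wrong password
}
unset($_SESSION['login']);                         // reset the counter
$_SESSION['user_id'] = $row['id'];
// 5) Escape user-controlled data before it reaches the HTML page.
echo 'Welcome, ' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8');
```

Note that the failure response is identical for an unknown username and a wrong password, so the login form does not reveal which accounts exist.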