Saturday, 16 April 2016

Secure PHP Application Development Considerations.

For any web application, whatever the stack (PHP, Java or .NET), security has two major parts:

  • Secure hosting
  • Coding standards and secure code

Hosting matters in any web application. If the hosting layer itself is not secured (patched OS and PHP, hardened web server, TLS, restricted file permissions), securing the application code alone achieves little, so choose the hosting provider with care.

The following points apply when developing a PHP web application.

1) Disable the display of PHP errors in production

Ex: ini_set('display_errors', '0'); together with log_errors = On

A displayed notice, warning or error reveals the folder path, file name and line number, so a public user can map the file layout of the application, which is useful reconnaissance for an attacker. Turn display_errors off in production (in php.ini or with ini_set) and keep log_errors on so the details still reach the server log. error_reporting(0) also hides errors from the browser, but it discards them from the log as well, so you lose the information needed to diagnose the failure.
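The setup described above, as an added example that is not part of the original post: errors are reported in full to the log, never to the browser, and anything that escapes is answered with a generic message. The log path and the config file path are hypothetical.

```php
<?php
// Added example (not from the original post): production error handling for a PHP app.
// Assumption: /var/log/app/php-error.log is a hypothetical log path writable by the web user.

// Report everything internally, but never render it into the response.
error_reporting(E_ALL);
ini_set('display_errors', '0');          // same as display_errors = Off in php.ini
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // log_errors = On: details go to the log, not the page
ini_set('error_log', '/var/log/app/php-error.log');

// Turn warnings and notices into exceptions so a half-rendered page never carries a PHP message.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;                    // silenced with @, leave it to PHP
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Whatever escapes: log the full detail server-side, send the visitor a generic response.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('%s: %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()));
    if (!headers_sent()) {
        http_response_code(500);
    }
    echo 'Something went wrong. The problem has been logged.';
});

// Demonstration: reading a missing file raises E_WARNING. Without the setup above the
// browser would receive "Warning: file_get_contents(...): Failed to open stream ...
// in /var/www/html/config.php on line N"; with it, the visitor sees only the generic line
// and the path, file and line land in the log.
$config = file_get_contents('/etc/app/missing.conf');   // hypothetical path, does not exist
```

The error handler respects the @ operator by checking error_reporting() first; everything else becomes an ErrorException and takes the same path as an uncaught exception, so there is exactly one place that decides what the client gets to see.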

2) Limit login attempts

From the authentication point of view, the application must limit how often a client can hit the login endpoint.

Ex: An anonymous user keeps submitting the login form with different passwords; given enough tries, one of them eventually authenticates.

Limiting the number of failed attempts per account and per client address, and locking or delaying further attempts once the limit is reached, makes this kind of password guessing impractical.
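A login throttle of the kind described above, as an added example that is not part of the original post. The user table and the attempt counters are constructed in-memory arrays here; in production the counters must live in shared storage (Redis, APCu, a database table) so every request and every PHP worker sees the same count.

```php
<?php
// Added example (not from the original post): throttle failed logins per (username, client IP).
// Assumptions: $users stands in for the user table, and the attempt counters live in a PHP
// array for the demonstration; in production keep them in Redis, APCu or a database table.

const MAX_FAILURES    = 5;     // failed attempts allowed inside one window
const WINDOW_SECONDS  = 900;   // 15-minute counting window
const LOCKOUT_SECONDS = 900;   // block the key for this long after the limit is hit

// Hash compared against for unknown usernames, so response time does not reveal which
// accounts exist.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

function throttleKey(string $username, string $ip): string
{
    return strtolower($username) . '|' . $ip;
}

function isLocked(array &$attempts, string $key, int $now): bool
{
    if (!isset($attempts[$key])) {
        return false;
    }
    if ($attempts[$key]['locked_until'] > $now) {
        return true;
    }
    if ($now - $attempts[$key]['first'] > WINDOW_SECONDS) {
        unset($attempts[$key]);            // window expired: start counting afresh
    }
    return false;
}

function recordFailure(array &$attempts, string $key, int $now): void
{
    if (!isset($attempts[$key]) || $now - $attempts[$key]['first'] > WINDOW_SECONDS) {
        $attempts[$key] = ['count' => 0, 'first' => $now, 'locked_until' => 0];
    }
    $attempts[$key]['count']++;
    if ($attempts[$key]['count'] >= MAX_FAILURES) {
        $attempts[$key]['locked_until'] = $now + LOCKOUT_SECONDS;
    }
}

// Returns 'ok', 'invalid' or 'locked'. $now is injected so the lockout can be shown without
// waiting; a real handler passes time() and $_SERVER['REMOTE_ADDR'].
function login(array &$attempts, array $users, string $username, string $password, string $ip, int $now): string
{
    $key = throttleKey($username, $ip);
    if (isLocked($attempts, $key, $now)) {
        return 'locked';                   // refuse before touching the password at all
    }
    $known = isset($users[$username]);
    $ok = password_verify($password, $known ? $users[$username] : DUMMY_HASH) && $known;
    if ($ok) {
        unset($attempts[$key]);            // a successful login clears the counter
        return 'ok';
    }
    recordFailure($attempts, $key, $now);
    return 'invalid';
}

// Constructed demonstration: five wrong guesses, then a sixth, then the right password
// during and after the lockout.
$users    = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
$attempts = [];
$t        = 1700000000;
$ip       = '203.0.113.9';
for ($i = 1; $i <= 6; $i++) {
    echo "attempt $i: ", login($attempts, $users, 'alice', "guess$i", $ip, $t + $i), "\n";
}
echo 'right password during lockout: ',
    login($attempts, $users, 'alice', 'correct horse battery staple', $ip, $t + 10), "\n";
echo 'right password after lockout:  ',
    login($attempts, $users, 'alice', 'correct horse battery staple', $ip, $t + LOCKOUT_SECONDS + 20), "\n";
```

The first five guesses come back as invalid and the sixth as locked; the correct password is also refused while the lock is in force and accepted once the window has expired. Keying on username plus IP means one attacker cannot lock a victim out from every address, while a per-username limit alone would let them do exactly that; many deployments keep both counters with different thresholds.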

3) MySQL injection

SQL injection is a common and serious issue in any application. It arrives through anything the client controls: URL parameters, form fields, cookies and AJAX requests.

To prevent it, use prepared statements with bound parameters, so that user data never becomes part of the SQL text. sprintf() only helps when the placeholder forces a type (for example %d for an integer id), and mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; if you must escape by hand, use mysqli_real_escape_string() or PDO::quote(), but prefer prepared statements.
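The two ways of writing the same lookup, as an added example that is not part of the original post. It runs against an in-memory SQLite database so it works offline; the student table and its rows are constructed for the demonstration, and the prepared-statement code is identical for MySQL apart from the DSN.

```php
<?php
// Added example (not from the original post): the same lookup written with string
// concatenation (injectable) and with a PDO prepared statement.
// Assumption: SQLite in memory stands in for MySQL so the script runs offline. For MySQL use
// new PDO('mysql:host=...;dbname=...', $user, $pass) and also set
// $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false) so the server itself receives the
// parameters separately from the SQL text.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
$pdo->exec('CREATE TABLE student (iId INTEGER PRIMARY KEY, vTitle VARCHAR(100), vEmail VARCHAR(100))');
$pdo->exec("INSERT INTO student (iId, vTitle, vEmail) VALUES
            (1, 'Alice', 'alice@example.com'), (2, 'Bob', 'bob@example.com')");

// VULNERABLE: user input is pasted into the SQL text, so quotes in the input end the
// literal and the rest is parsed as SQL.
function findByTitleUnsafe(PDO $pdo, string $title): array
{
    $sql = "SELECT iId, vTitle FROM student WHERE vTitle = '" . $title . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// SAFE: the SQL text is fixed at prepare time; the value travels as a bound parameter
// and is compared literally, quotes and all.
function findByTitleSafe(PDO $pdo, string $title): array
{
    $stmt = $pdo->prepare('SELECT iId, vTitle FROM student WHERE vTitle = :title LIMIT 1');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The only acceptable sprintf() use: %d casts the value to an integer, so nothing but
// digits can reach the query. Still prefer a bound parameter.
function findByIdWithSprintf(PDO $pdo, $id): array
{
    $sql = sprintf('SELECT iId, vTitle FROM student WHERE iId = %d', $id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$payload = "' OR '1'='1";   // classic tautology payload, e.g. from ?title= in the URL

echo count(findByTitleUnsafe($pdo, $payload)), " rows via concatenation\n";
echo count(findByTitleSafe($pdo, $payload)), " rows via prepared statement\n";
echo count(findByIdWithSprintf($pdo, '1 OR 1=1')), " rows via sprintf %d\n";
```

With the payload, the concatenated query becomes `WHERE vTitle = '' OR '1'='1'` and returns every student, while the prepared statement looks for a title that is literally `' OR '1'='1` and returns nothing; the %d version reduces `1 OR 1=1` to the integer 1 and returns one row. Escaping functions are a fallback for the rare query fragment that cannot be parameterised (identifiers, ORDER BY direction), and even there an allow-list beats escaping.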

4) Input validation

For every form, we know what kind of data each field should contain, so validate on both sides: client-side validation for usability, and server-side validation as the actual control, since the client can disable or bypass any JavaScript check. Reject anything that does not match the expected type, length and format before it is used.

5) XSS attacks

Cross-site scripting happens when data supplied by one client ends up in a page and runs in other users' browsers as script. Filtering the data for a list of predefined keywords (such as "script") does not prevent it, because the same payload can be written in many forms. The reliable defences are to validate input against what you expect and, above all, to encode data on output:

 preg_match(), filter_var() and htmlspecialchars()

preg_match() and filter_var() validate input; htmlspecialchars() (with ENT_QUOTES and the page's charset) encodes the data at the point where it is written into HTML, which is what actually stops the browser from executing it.
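Points 4 and 5 together, as an added example that is not part of the original post: a registration form validated on the server, then written back into HTML with encoding. The submission is constructed and carries an XSS payload that a keyword filter for "script" would miss.

```php
<?php
// Added example (not from the original post): server-side validation of a registration
// form, then HTML encoding when the data is written back into a page.
// $post is a constructed submission; in a real request it is $_POST.

function validateRegistration(array $input): array
{
    $clean  = [];
    $errors = [];

    // Username: strict allow-list pattern. \A and \z anchor the whole string; a trailing
    // "$" alone would still accept "alice\n".
    $username = $input['username'] ?? '';
    if (preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $username)) {
        $clean['username'] = $username;
    } else {
        $errors['username'] = 'use 3-20 letters, digits or underscores';
    }

    // E-mail: filter_var() returns the value on success and false on failure.
    $email = filter_var($input['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email !== false) {
        $clean['email'] = $email;
    } else {
        $errors['email'] = 'not a valid e-mail address';
    }

    // Age: an integer inside a range. Rejects "25abc", "3.5", "" and out-of-range values.
    $age = filter_var($input['age'] ?? '', FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($age !== false) {
        $clean['age'] = $age;                // now an int, not a string
    } else {
        $errors['age'] = 'must be a whole number between 13 and 120';
    }

    // Display name: free text, so only the length is enforced. Anything may be typed here;
    // making it safe is the job of the output encoding below, not of a keyword filter.
    $display = trim($input['display'] ?? '');
    $len = mb_strlen($display, 'UTF-8');
    if ($len >= 1 && $len <= 50) {
        $clean['display'] = $display;
    } else {
        $errors['display'] = 'must be 1-50 characters';
    }

    return [$clean, $errors];
}

// Encode at the point of output. ENT_QUOTES covers both quote styles so the value is also
// safe inside a quoted attribute; always pass the page charset.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed submission: valid fields plus an XSS payload in the free-text name.
$post = [
    'username' => 'alice_01',
    'email'    => 'alice@example.com',
    'age'      => '30',
    'display'  => '<img src=x onerror="alert(document.cookie)">',
];

list($clean, $errors) = validateRegistration($post);
if ($errors !== []) {
    http_response_code(422);
    foreach ($errors as $field => $msg) {
        echo '<p>', h($field), ': ', h($msg), "</p>\n";
    }
    exit;
}

// The payload passed validation (it is a legal display name) but is rendered inert:
// the browser shows the tag as text instead of running the onerror handler.
echo '<p>Welcome, ', h($clean['display']), ' (', h($clean['email']), ")</p>\n";
echo '<input name="display" value="', h($clean['display']), "\">\n";
```

htmlspecialchars() is the right tool for HTML text and attribute values only; data placed into a JavaScript string, a URL or a CSS value needs the encoding for that context, and data placed into SQL needs a bound parameter as in point 3.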



MySQL Query Optimization Techniques and Good Practices

Several things to follow when creating MySQL tables and building queries.

1) In a SELECT query, do not use the asterisk (*); list the column names you need instead. The server then reads and sends only those columns, an index that covers them can satisfy the query without touching the table rows, and the code does not silently change behaviour when columns are added to the table.

2) When creating a new table, give it an AUTO_INCREMENT integer id column and make it the PRIMARY KEY. Every row then has a compact, unique key, and lookups, joins and updates can all be done by that key.

3) Avoid the TEXT and BLOB data types where a sized VARCHAR or VARBINARY will do; they are stored separately from the row, can only be indexed with a prefix length, and slow down sorting and grouping.

4) ORDER BY RAND() forces MySQL to assign a random value to every row and sort the whole table, so it gets slower as the table grows. Use it rarely, and never on large tables.

5) As a naming practice, prefix each column name with a character for its data type, so the type is obvious at the code level:

Ex:

 iId - Represents the Integer Datatype Column
vTitle - Represents the  Varchar Datatype Column

6) Do not over-size columns. We know what data each column will hold, so choose the data type and length to match.

Ex:
Country is one of the columns in our database and needs at most 50 characters, so country VARCHAR(50) is enough; declaring VARCHAR(255) or TEXT wastes space and makes temporary tables and sorts larger.

7) ENUM is stored internally as a small integer, so for a column with a small fixed set of values (a status, for example) it is compact and fast to compare while still readable in queries. Adding a value later requires an ALTER TABLE, so use it only for sets that rarely change; for sets that grow, use a lookup table with an integer foreign key instead.

8) Write MySQL keywords in capital letters. This does not change performance, but it separates keywords from table and column names and keeps queries readable.

Ex:
SELECT,  INSERT, DELETE, FROM, OR, ORDER BY, LIMIT etc.

9) When you need a single row, add LIMIT 1. MySQL stops scanning as soon as one matching row is found instead of checking the rest of the table.

Ex:
SELECT iId, vTitle FROM student WHERE iId = 1 LIMIT 1;
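The query conventions above (explicit column list, primary-key lookup, LIMIT) turned into a small PHP helper, as an added example that is not part of the original post. Bound parameters can carry values but not identifiers, so the column list and the ORDER BY column are checked against an allow-list before they reach the SQL text. The student table is constructed for the example; its DDL follows points 2, 5, 6 and 7.

```php
<?php
// Added example (not from the original post): build SELECT statements that name their
// columns, look rows up by primary key and cap their result size.
// Assumption: the student table below is constructed for the example.

const STUDENT_DDL = <<<'SQL'
CREATE TABLE student (
    iId      INT UNSIGNED NOT NULL AUTO_INCREMENT,            -- point 2: auto-increment primary key
    vTitle   VARCHAR(100) NOT NULL,                            -- point 5: v = VARCHAR
    vCountry VARCHAR(50)  NOT NULL,                            -- point 6: sized to the data
    eStatus  ENUM('active', 'suspended', 'left') NOT NULL DEFAULT 'active',  -- point 7
    PRIMARY KEY (iId)
) ENGINE=InnoDB;
SQL;

// Columns that may appear in a SELECT list or ORDER BY. Array keys give an O(1) lookup.
const STUDENT_COLUMNS = ['iId' => true, 'vTitle' => true, 'vCountry' => true, 'eStatus' => true];

/**
 * Returns [$sql, $params] for a parameterised query against student.
 * $columns: explicit column list (never *); $id: optional primary-key filter;
 * $orderBy: allow-listed column or null; $limit: hard cap on returned rows.
 */
function buildStudentSelect(array $columns, ?int $id, ?string $orderBy, int $limit): array
{
    if ($columns === []) {
        throw new InvalidArgumentException('select list must name at least one column');
    }
    foreach ($columns as $c) {
        if (!isset(STUDENT_COLUMNS[$c])) {
            throw new InvalidArgumentException("unknown column: $c");
        }
    }
    if ($orderBy !== null && !isset(STUDENT_COLUMNS[$orderBy])) {
        throw new InvalidArgumentException("cannot order by: $orderBy");
    }
    if ($limit < 1) {
        throw new InvalidArgumentException('limit must be positive');
    }

    $sql    = 'SELECT ' . implode(', ', $columns) . ' FROM student';
    $params = [];
    if ($id !== null) {
        $sql .= ' WHERE iId = :id';        // value: bound parameter
        $params[':id'] = $id;
    }
    if ($orderBy !== null) {
        $sql .= ' ORDER BY ' . $orderBy;   // identifier: allow-listed above, not bindable
    }
    // $limit is type-checked as int, so splicing it is safe; binding it through execute()
    // would send it as a string and MySQL rejects LIMIT '1'.
    $sql .= ' LIMIT ' . $limit;
    return [$sql, $params];
}

// Runs the built query; $pdo is a MySQL PDO connection created elsewhere.
function fetchStudents(PDO $pdo, array $columns, ?int $id, ?string $orderBy, int $limit): array
{
    list($sql, $params) = buildStudentSelect($columns, $id, $orderBy, $limit);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The page's single-row lookup, now parameterised.
list($sql, $params) = buildStudentSelect(['iId', 'vTitle'], 1, null, 1);
echo $sql, "\n";

// A paged listing with a validated sort column.
list($sql, $params) = buildStudentSelect(['iId', 'vTitle', 'eStatus'], null, 'vTitle', 20);
echo $sql, "\n";

// A column name coming from the request is refused before it can touch the SQL text.
try {
    buildStudentSelect(['iId', 'vTitle FROM admin --'], null, null, 10);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The first call produces `SELECT iId, vTitle FROM student WHERE iId = :id LIMIT 1` with `:id` bound to 1. Keeping the allow-list next to the DDL means a new column has to be added in both places, which is the point: nothing reaches an identifier position in the query that the code did not name in advance.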