Secure your PHP code

December 2016



  • Beyond hardening the operating system and the HTTP server, it is crucial to treat every piece of data that comes from users (forms, URLs, etc.) as untrusted, because that is where most web attacks enter.
  • Securing your PHP code falls into three categories:

Validating user data


When the site offers forms that let users enter and submit content, it is not enough to indicate the expected format of the fields (e-mail address, telephone number, product quantity) in the page itself. The server side (here, PHP) must also check that the received data matches what is expected. For example, when a whole number is expected, convert whatever the user sent into an integer:


<?php
// Casting with intval() guarantees an integer, whatever the user typed.
$number_of_articles = intval($_REQUEST['number_of_articles']);
?>

Validate data from URLs or forms


Almost all the data a site receives comes from URLs or forms that the webmaster set up. Most URLs carry parameters, for example:
/index.php?rub=25

This parameter is not supposed to be modified, but nothing prevents a visitor from doing so:
/index.php?rub=0
/index.php?rub=
/index.php?rub=aaaaAAAAAaaaa
/index.php?rub=1+or+1
  • Whatever the type of data, it is crucial to check that what arrives through the URL or the form has the expected format.
  • The function filter_input() does this check for you.
  • For example, if a user submitted an e-mail address through a POST form in a field named email, you can retrieve it as follows:


$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
if ($email) {
    // $email has the format of a valid e-mail address
} else {
    // missing or malformed: filter_input() returned null or false
}

This function can validate many kinds of values: IP addresses, URLs, etc. It can also apply modifications (sanitizing filters), such as encoding a string before placing it in a URL, in the same spirit as htmlentities().
  • Several flags can be combined with "|"; they are passed as the fourth argument of filter_input().
  • To accept an IP address only in IPv4 format:


// The filter is the third argument, the flag(s) the fourth.
$ip = filter_input(INPUT_GET, 'ip', FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);

The full list of filters and flags is documented at:
http://www.php.net/filter

Escape the content you display


When content entered by a user is displayed on screen, it may contain HTML or JavaScript code, so it must be escaped for the context in which it is displayed.
If the content is to be displayed in HTML: you must HTML-encode it, converting every special character into its equivalent HTML entity. The PHP function htmlentities() does this:
echo htmlentities($_REQUEST['content']);

If the content is to be placed in a URL: you must URL-encode it.

PHP has two functions for this: urlencode() and rawurlencode(). The difference between them is how a space is encoded: urlencode() produces "+" and rawurlencode() produces %20.


// The encoded value cannot break out of the query string.
echo 'http://www.website?valeur='.urlencode($_REQUEST['value']);


If the content is to be stored in a database: every character that has a special meaning for the database server in use must be escaped. For PHP and MySQL, the function mysql_escape_string() escapes all potentially harmful characters in the string passed as its parameter.



$query = 'SELECT id FROM matable WHERE user="'.mysql_escape_string($_REQUEST['user']).'"';


Note that if the server is configured with the PHP option magic_quotes, data sent by users is automatically protected with backslashes. So, before applying mysql_escape_string(), you should first "undo" this basic protection, otherwise the value is escaped twice:

// stripslashes() runs first, then the result is escaped once for MySQL
$query = 'SELECT id FROM mytable WHERE user="'.mysql_escape_string(stripslashes($_REQUEST['user'])).'"';
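As an added example that is not part of the original article, the script below ties the validation section and the escaping section together: the e-mail, IP and integer fields are checked with the same filters as filter_input(), then each value is escaped for its output context (HTML, URL, database). It assumes PDO with an in-memory SQLite database standing in for MySQL, and uses a prepared statement in place of mysql_escape_string(), which no longer exists in PHP 7 and later.

```php
<?php
// Added example, not code from the original article. filter_var() stands in
// for filter_input() so the script runs offline; in a real request call
// filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL) and so on.
declare(strict_types=1);

// Constructed sample POST data: a quote-injection attempt in 'user' and a
// script tag in 'comment'.
$post = [
    'email'   => 'alice@example.com',
    'ip'      => '203.0.113.7',
    'qty'     => '12abc',
    'user'    => 'bob" OR "1"="1',
    'comment' => '<script>alert(1)</script>',
];

function validate(array $post): array
{
    return [
        'email' => filter_var($post['email'], FILTER_VALIDATE_EMAIL),
        // Flags go in the fourth argument; they are not OR-ed into the filter id.
        'ip'    => filter_var($post['ip'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4),
        // Unlike intval(), FILTER_VALIDATE_INT rejects "12abc" instead of returning 12.
        'qty'   => filter_var($post['qty'], FILTER_VALIDATE_INT),
    ];
}

// HTML context: ENT_QUOTES also escapes single quotes, so the result is
// safe inside attribute values as well as element text.
function forHtml(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// URL context: rawurlencode() encodes a space as %20, urlencode() as "+".
function forUrl(string $s): string { return 'https://example.com/?comment=' . rawurlencode($s); }

// Database context: a prepared statement binds the value instead of
// concatenating it, so quotes in $user cannot change the query structure.
function findUser(PDO $db, string $user): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $user]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(validate($post));   // the invalid quantity is rejected, not truncated
echo forHtml($post['comment']), "\n", forUrl('a b'), "\n";

$db = new PDO('sqlite::memory:');   // in-memory SQLite stands in for the MySQL server
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('bob')");
var_dump(findUser($db, $post['user']));   // the injection string is matched literally, so no row
```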


This document, entitled « Secure your PHP code », from CCM (ccm.net) is made available under the Creative Commons license. You may copy and modify copies of this page under the conditions stipulated by the license, as long as this note appears clearly.