PHP security PHP security tips
1. Avoid the use of global variables. Hence it must be ensured that register_globals option is not enabled.
2. Use of variables designed to be set by GET or POST requests.
3. Store passwords in an encrypted format
4. Avoid storing credit card and other secured information. Trust a third party gateway.
5. Make use of server side validations and avoid trusting the user input.Example:
if the expected value is integer, use the intval function.
$post_id = intval($_GET['post_id']);
mysql_query("SELECT * FROM post WHERE id = $post_id");
6. Avoid using user input directly in the query. Mysql_real_escape_string()
7. Always use the updated version of php.
How can we encrypt the username and password using PHP?
User names and passwords in PHP can be encrypted using md5 function.
MD5 function calculates the md5 hash of a string. It is basically used for encryption. It is also used for digital signature applications, where a large file must be "compressed" in a secure manner.Example:
Crypt() function can also be used to encrypt a string. It used MD5, DES or blow fish algorithms for encryption.Syntax:
Salt is an optional parameter used to increase the number of characters encoded, to make the encoding more secure.
Explain the changing file permission and ownership using PHP's chmod() function.
Chmod() is used for changing permissions on a file.Syntax:
Mode here specifies the permissions as follows:
- The first number is always zero
- The second number specifies permissions for the owner
- The third number specifies permissions for the owner's user group
- The fourth number specifies permissions for everybody else
Possible values (to set multiple permissions, add up the following numbers)
- 1 = execute permissions
- 2 = write permissions
- 4 = read permissionsExample:
// everything for owner, read for owner's group