5 PHP Security Measures

Jul 5, 2012
PHP

For many years, PHP has been a stable, inexpensive platform on which to operate web-based applications. Like most web-based platforms, PHP is vulnerable to external attacks. Developers, database architects and system administrators should take precautions before deploying PHP applications to a live server. Most of these techniques can be accomplished with a few lines of code or a slight adjustment to the application settings.

#5: Manage Setup Scripts

If the developer has installed a set of PHP scripts from a third-party application, the scripts the application uses to install its working components can also provide an access point for unscrupulous users. Most providers of third-party packages recommend removing the directory containing the setup scripts shortly after installation. Developers who wish to retain the setup scripts can instead create an .htaccess file that controls access to the administrative directories:

# Require HTTP Basic authentication for every request to this directory
AuthType Basic
AuthName "Administrators Only"
# Credentials file created and maintained with Apache's htpasswd tool
AuthUserFile /usr/local/apache/passwd/passwords
Require valid-user

Any user who attempts to bring up a protected directory will see a prompt for a username and password. The credentials must match an entry in the file named by AuthUserFile (the “passwords” file above, maintained with Apache's htpasswd tool).

#4: Include Files

In many instances, developers reuse an individual file in several portions of an application. Those scripts contain an “include” directive that incorporates the code of the individual file into that of the originating page. When the included file contains sensitive information, such as usernames, passwords or database access keys, it should have a “.php” extension rather than the typical “.inc” extension. The “.php” extension ensures that the PHP engine processes the file, so a direct request executes it instead of returning its source for anyone to read.
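The following command-line script is an added example, not code from the original article. It demonstrates both halves of the advice: the credentials file ends in “.php” so a web server hands it to the PHP engine instead of serving its text, and it is also kept one level above the document root and refuses to run unless the application included it. The directory layout, the file names and the APP_BOOTSTRAP constant are assumptions chosen for the illustration.

```php
<?php
// Added example (not code from the original article). It demonstrates tip #4
// in a form that runs from the command line: the credentials file ends in
// .php so a web server hands it to the PHP engine instead of serving its
// text, it sits one level above the document root so it cannot be requested
// by URL at all, and it refuses to run unless the application included it.
// The directory layout, file names and APP_BOOTSTRAP constant are assumptions.

$base   = sys_get_temp_dir() . '/inc-demo-' . getmypid();
$public = $base . '/public';    // what the web server would serve
$config = $base . '/config';    // sibling of public/: never reachable by URL
mkdir($public, 0700, true);
mkdir($config, 0700, true);

// The credentials file (constructed sample values, not real credentials).
file_put_contents($config . '/database.php', <<<'PHP'
<?php
// Refuse direct execution: only code that defined APP_BOOTSTRAP may load us.
if (!defined('APP_BOOTSTRAP')) {
    http_response_code(403);
    exit("Forbidden\n");
}
return [
    'dsn'      => 'mysql:host=127.0.0.1;dbname=app',
    'user'     => 'app_user',
    'password' => 'PLACEHOLDER-NOT-A-REAL-PASSWORD',
];
PHP
);

// The front controller as it would appear in public/index.php. __DIR__ walks
// up out of the document root without depending on the working directory.
file_put_contents($public . '/index.php', <<<'PHP'
<?php
define('APP_BOOTSTRAP', true);
$db = require dirname(__DIR__) . '/config/database.php';
echo "index.php loaded settings for database user {$db['user']}\n";
PHP
);

// 1. Loaded through the application, the include works and returns the array.
passthru(PHP_BINARY . ' ' . escapeshellarg($public . '/index.php'));

// 2. Executed on its own (what a direct web request would amount to), the
//    file exits at the guard before any credential is returned or echoed.
passthru(PHP_BINARY . ' ' . escapeshellarg($config . '/database.php'));

// Remove the throwaway tree.
array_map('unlink', glob($base . '/*/*.php'));
rmdir($public);
rmdir($config);
rmdir($base);
```

Run it with `php` from any directory; the first run prints the loaded user name, the second prints only the guard's refusal. The guard is belt and braces: a file outside the document root is already unreachable by URL, but the check also protects it if the directory is ever copied inside the web root.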

#3: MD5 vs. SHA

In situations where end users create their own usernames and passwords, site administrators will often include functionality to hash the password before the form field entry is written to the database. In past years, developers have used the md5 (Message Digest algorithm) function to reduce a password to a 128-bit digest. Today, many developers use the SHA-1 (Secure Hash Algorithm) function to produce a 160-bit digest.
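As an added example (not code from the article), the block below shows the approach the commenters on this post recommend over md5() and sha1(): bcrypt through PHP's built-in password_hash() and password_verify() (PHP 5.5 and later; on 5.3 and 5.4 the same “$2y$” hashes come from crypt()). The cost value and the function names are assumptions for the illustration.

```php
<?php
// Added example, not code from the original article. It stores passwords as
// bcrypt hashes instead of md5/sha1 digests, using the functions that ship
// with PHP 5.5+. BCRYPT_COST and the helper names are assumptions.

const BCRYPT_COST = 12;   // work factor: 2^12 rounds; raise it as hardware speeds up

// Store the return value of this in the database instead of md5($password).
function hash_password(string $password): string
{
    // password_hash() draws a fresh random salt per call and embeds it in the
    // output, so two users with the same password get different hashes and an
    // attacker cannot amortise one guess across the whole table.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Returns false for a wrong password, true for a match, or a replacement hash
// when the password matched but the stored hash used an older, cheaper cost.
// The caller stores the replacement so the table upgrades itself over time.
function check_password(string $password, string $stored_hash)
{
    if (!password_verify($password, $stored_hash)) {
        return false;
    }
    if (password_needs_rehash($stored_hash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return hash_password($password);
    }
    return true;
}

// Demonstration with constructed input.
$h1 = hash_password('hunter2');
$h2 = hash_password('hunter2');
echo $h1, "\n", $h2, "\n";        // same password, different salts, different hashes
var_dump(check_password('hunter2', $h1));
var_dump(check_password('hunter3', $h1));

// A hash made with a lower cost still verifies but comes back flagged for upgrade.
$old = password_hash('hunter2', PASSWORD_BCRYPT, ['cost' => 4]);
$result = check_password('hunter2', $old);
var_dump(is_string($result) && strpos($result, '$2y$12$') === 0);
```

The important property is that bcrypt is deliberately slow and salted, whereas md5 and sha1 are designed to be fast; the cost parameter is what lets a site keep up with faster hardware without changing its schema.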

#2 Automatic Global Variables

The php.ini file contains a setting called “register_globals”. When register_globals is on, the PHP engine automatically creates global variables for many of the server variables and query-string parameters. When installing third-party packages, such as content management software like Joomla and Drupal, the installation scripts will direct the user to set register_globals to “off”. Changing the setting to “off” ensures that unauthorized users cannot gain access by supplying a request parameter whose name matches the variable that records a successful password check.

#1 Initialize Variables and Values

Many developers have fallen into the trap of using variables without first assigning them a value, whether through time constraints, distractions, or lack of effort. Variables that record the outcome of the authentication process should be given a value before the login procedure begins. This simple step can prevent users from bypassing the verification routine or accessing areas of the site to which their privileges do not entitle them.
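The block below is an added example, not code from the article, and pairs tips #2 and #1: a comment shows the classic fragment that register_globals turns into a bypass, and the function beneath it is the hardened form. register_globals was deprecated in PHP 5.3 and removed in 5.4, but the underlying mistake of trusting an uninitialised variable survives any PHP version. The variable names, the hard-coded user and the bcrypt check are assumptions for the illustration.

```php
<?php
// Added example (not code from the original article) pairing tips #2 and #1.
// register_globals was deprecated in PHP 5.3 and removed in 5.4, but the
// underlying mistake, trusting a variable that was never initialised, is
// still possible. Variable names and the hard-coded user are assumptions.
//
// Vulnerable form. With register_globals=On, any request parameter named
// "authorized" created $authorized before this code ran, so the final check
// passed without a correct password:
//
//     if ($user === 'admin' && $pass === $expected_pass) {
//         $authorized = true;
//     }
//     if ($authorized) { show_admin_panel(); }
//
// Hardened form: the flag is initialised before anything else, input is read
// only from the explicitly passed request array, missing fields fail closed,
// and the password is checked against a bcrypt hash rather than plaintext.
function is_authorized(array $post, string $expected_user, string $expected_hash): bool
{
    $authorized = false;                          // tip #1: start from "no"
    $user = isset($post['user']) ? (string) $post['user'] : '';
    $pass = isset($post['pass']) ? (string) $post['pass'] : '';
    if ($user === $expected_user && password_verify($pass, $expected_hash)) {
        $authorized = true;
    }
    return $authorized;
}

// Constructed sample data; in the application $post would be $_POST.
$hash = password_hash('correct horse battery', PASSWORD_BCRYPT);
var_dump(is_authorized(['user' => 'admin', 'pass' => 'correct horse battery'], 'admin', $hash));
var_dump(is_authorized(['user' => 'admin', 'pass' => 'wrong'], 'admin', $hash));
var_dump(is_authorized(['user' => 'admin'], 'admin', $hash));
// An extra request field named like the flag is simply ignored.
var_dump(is_authorized(['user' => 'admin', 'pass' => 'wrong', 'authorized' => '1'], 'admin', $hash));
```

Passing the request array in as a parameter rather than reading $_POST inside the function is what makes the check testable from the command line; in production the call is `is_authorized($_POST, ...)`.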

These steps can block users from starting a new session on an application, but what about protecting data during a session? Next week’s lesson will examine PHP session security.

Author: Gerald Hanks
Gerald Hanks has been involved in web development applications since 1996. He has designed applications with JavaScript, ASP.NET and PHP, as well as building databases in MS SQL Server and MySQL. He lives in Houston, Texas.
  • http://rmcreative.ru/ Sam Dark

    #2 is deprecated. In recent PHP versions it doesn’t even exist.
    #3 is simply wrong. SHA-1 is outdated as well as MD5. Consider bcrypt.

    • Trevor Geene

      I realize MD5 is a little outdated, but is bcrypt really the way to go? It is not even a built-in function for PHP. You have to build your own function to use it.

      • ircmaxell

        Yes it is. It has been provided in every single PHP distro since 5.3. See crypt()…

        When will the madness end?

        • http://www.heemels.com yggdrasil

          Crypt() is definitely not bcrypt! Bcrypt is not included in core, but has been proven again and again to be the way to go for encrypting credentials.

          • ircmaxell

            crypt with the $2y$ prefix is definitely bcrypt. And I would expect someone who is knowledgeable about such things to know the difference between encryption and hashing…

          • http://www.heemels.com yggdrasil

            Yeah, I do know the difference but couldn’t correct my faulty text without starting fresh. Chrome on iOS has some issues with the Disqus textarea. I hoped you wouldn’t mind :-)

            I stand corrected on the PHP 5.3 crypt() function, though I suppose you meant $2a$ for CRYPT_BLOWFISH since $2y$ doesn’t appear to exist. I wasn’t aware there was a good slowhash implementation in core now. Another reason for promoting 5.3.

  • http://profiles.google.com/petah.p Petah Piper

    If you are using MD5 or SHA for password hashing YOU ARE DOING IT WRONG!

    Use bcrypt or PBKDF2

    I can crack an 8 character password SHA1 hash on a standard desktop computer (< $500 USD) in less than 1 hour.

    • Wadim Brechow

      Add 30 chars of “Salt”, and you need the next 2.000 years (with your current computer).
      btw. I’m using SHA256, with dynamic and fixed salt.

      • nikic

        A salt does in no way change the time you need to crack a single password hash. It only prevents amortization of the time needed over multiple hashes.

  • http://www.facebook.com/profile.php?id=9106775 Jeff Jason II

    Given how amazingly inaccurate #3 is, you should probably go work for LinkedIn. I hear they like people who have no clue about how to properly secure login credentials over there.

  • http://twitter.com/danaketh Dan

    #3 Today, many developers are still living in dark ages, leaving their passwords poorly protected. I’ve seen a lot of apps that are still keeping their passwords in plaintext and same amount of app with passwords hashed with MD5 and SHA1. Both have been compromised and can be cracked easily. Both MD5 and SHA1 have a limited amount of hashes they can generate (there are same hashes for two or more different values). Decent password protection begins with SHA256 and salting (those who are really cool are using both per app and per user salts) or stuff like bcrypt (and salting).

    There’s nothing wrong with being paranoid when it comes to protection of passwords. Many ppl use the same password for everything around the internet, so making everything you can to make sure nobody will get user’s password from your app is a sign of a good developer.

  • dangermouse437

    If any developers are using SHA-1 to encrypt their passwords, then they need to be immediately fired.

  • Ali Qayyum

    MD5 technique is much easier for me

    • http://www.heemels.com yggdrasil

      “easier” should never be the deciding factor when implementing security.

  • http://www.facebook.com/profile.php?id=223701176 Andy Tait

    How would one go about converting existing sha1 encrypted passwords so they are compatible with bcrypt?

    • http://www.heemels.com yggdrasil

      I don’t really see a way to convert existing passwords since they’re one-way hashed with SHA1. We implemented an automatic migration.

      When a user logs in he/she needs to provide the original password anyway. Verify this password against the SHA1 hash and, if correct, migrate the user’s profile to a new db-table that uses bcrypt. You can mark the old one as migrated so you don’t have to check that user again.

      Depending on site-usage, after a few months many accounts will have been migrated. Mail the remaining users to trigger them to login as well. Any remaining accounts that are still not migrated should probably be locked, which would force them to reset their passwords and migrate the account.
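The migration described in the reply above, written out as an added example that is not part of the comment or of the article. Two PHP arrays stand in for the old SHA-1 table and the new bcrypt table; the column names, the locking step and the helper names are assumptions, and hash_equals() requires PHP 5.6 or later.

```php
<?php
// Added example, not code from the comment above or from the article. It
// implements the login-time migration described in the reply: verify against
// the legacy unsalted SHA-1 once, re-hash with bcrypt, and flag the old row.
// Two arrays stand in for the old and new database tables; names are
// assumptions. Requires PHP 5.6+ for hash_equals().

// Constructed sample rows.
$legacy_users = ['alice' => ['sha1' => sha1('alice-secret'), 'migrated' => false, 'locked' => false]];
$bcrypt_users = [];

function login(string $user, string $password, array &$legacy, array &$modern): bool
{
    // Already migrated: the bcrypt table is the only source of truth.
    if (isset($modern[$user])) {
        return password_verify($password, $modern[$user]);
    }
    // Unknown user, or a legacy row that was migrated or locked in the meantime.
    if (!isset($legacy[$user]) || $legacy[$user]['migrated'] || $legacy[$user]['locked']) {
        return false;
    }
    // Constant-time comparison against the legacy digest.
    if (!hash_equals($legacy[$user]['sha1'], sha1($password))) {
        return false;
    }
    // The plaintext is in hand, so this is the one moment the account can be
    // re-hashed. Mark the legacy row so it is never consulted again.
    $modern[$user] = password_hash($password, PASSWORD_BCRYPT);
    $legacy[$user]['migrated'] = true;
    return true;
}

// After the grace period: lock every account that never logged in, which
// forces those users through a password reset instead of a SHA-1 check.
function lock_unmigrated(array &$legacy): array
{
    $locked = [];
    foreach ($legacy as $user => &$row) {
        if (!$row['migrated']) {
            $row['locked'] = true;
            $locked[]      = $user;   // these users get the reset e-mail
        }
    }
    unset($row);
    return $locked;
}

var_dump(login('alice', 'wrong', $legacy_users, $bcrypt_users));        // wrong password: row stays on SHA-1
var_dump(login('alice', 'alice-secret', $legacy_users, $bcrypt_users)); // correct: row migrates to bcrypt
var_dump(isset($bcrypt_users['alice']), $legacy_users['alice']['migrated']);
var_dump(login('alice', 'alice-secret', $legacy_users, $bcrypt_users)); // now verified against bcrypt only
var_dump(lock_unmigrated($legacy_users));                               // nothing left to lock
```

In a real deployment the two arrays are the two tables and each branch is one query; the essential ordering is that the bcrypt table is consulted first, so a migrated user can never be verified against the weaker digest again.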


  • http://orlipaul.angelfire.com/ Risa Lee

    You will get several web development companies who proffer turnkey web development solutions for organizations from different industrial sectors.

  • http://goarticles.com/article/Determine-the-Advantages-That-Joomla-Development-Could-Offer/7143972/ AltheaGaines

    You ought to search into the brand upgrades accessible for BE blogs. I consider yours may really benefit from it.

  • http://www.biztechconsultancy.co.uk/php-web-development.htm PHP Web Development

    All 5 PHP security measures are very helpful. I always keep these measures on mind while any application development.

  • http://www.openxcell.com/ arnoldgarrets

    PHP application calls for security which is the primary need of all PHP developers. One must follow the stated measures to achieve the level of security for their apps.

  • http://www.parajuego.com/ Para juego

    does it really work? I’ve tried a few ways and did not see anything improve. 5 I will try your way, I hope it will be good
