Using PHP on your web site
By Jeff Leggett
PHP is a very popular scripting language that is especially suited to Web development. Numerous commercial and Open Source applications use PHP, making it one of the most popular languages on the Internet today. PHP can be likened to a tool, however, and a tool in unskilled hands can be misused. Just as a carpenter can use his hammers, saws and so forth to make a shoddy building, so too can a PHP programmer write shoddy, insecure code. There is (generally) nothing insecure in PHP itself; it is in its use that it can make web pages (and the servers that serve them) insecure.
This article points to a couple of the more popular PHP packages on the web, and what can be done to secure them, and then briefly discusses some basic PHP coding techniques to be aware of when writing your own code.
First though, some general advice for any and ALL applications you use on your Web site.
Keep it up to Date
If you run third party applications you MUST subscribe to that package's mailing list (or regularly check its web site) for up to date versions. The developers of the more popular packages strive to keep their packages updated with the latest security fixes and improvements. This one point will save you hours of headaches should a hacker attempt to exploit your site. The VAST majority of hackers are not skilled enough to write exploit code themselves, so they scour the Net looking for the exploit code posted by the relatively small number of people capable of writing it, then wrap it up in a script and point it at your (and others') sites hoping for a successful exploit. And usually, when exploit code gets posted, so do the fixes (but not always).
Be Aware of Your Site
Make sure you keep up with your site's content and size. If overnight it has doubled in size, you may have been exploited and are now being used for warez or other things you didn't intend (and may be liable for!). Peer1 provides tools for you to do this easily via your control panel, or if you are more technical, it can easily be done with a one line script. For example, under Linux, run:
# du -cks /your/www/dir | tail -1 | mail me@myemail.com
This is a simple example; more robustness can be added as you need.
Keep a Back-up of all Data
Make sure you have the latest copy of all your content, including any Database data, OFF the web server in question. Should your server be exploited, or even go down for mechanical reasons, having a backup will again save you hours of headaches. If your site is large enough, having PEER 1 do your back-ups is a service we offer.
Phpbb
phpBB is the most popular Open Source Bulletin Board (or FORUM) software on the Internet. It's robust, extensible and simple to set up. But being the most used BB software on the Net, it has rapidly become the primary focus of hackers attempting to exploit its code in ways the coders and designers didn't intend. phpBB just had a security code review and is now much more secure than it was, so if you are not running version 2.0.18 (as of this writing) I highly suggest you upgrade.
Links: http://www.webmasterworld.com/forum103/274.htm offers a very good Best Practices list of security for phpBB. If you run phpBB I suggest you read it.
PHP Language Secure Coding Practices
The place to start is here: http://www.php.net/manual/en/security.php
And this is of good note as well: http://www.php.net/security-note.php
Basically, the #1 thing you can do to secure your code is to validate your input from users. Simply put, if you are expecting a Username in a field, make sure you are getting the characters 0-9 and A-Z. Nothing else. The equivalent applies to credit card numbers, etc. True secure coding practice is beyond the scope of this article, so if you are beginning to learn to code in PHP, take the time to learn to code securely.
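As an added illustration of the whitelist rule above (example code written for this point, not taken from any package mentioned in the article; the field names, length limits and the Luhn checksum are assumptions):

```php
<?php
// Added example: whitelist validation of user-supplied fields.
// Field names, lengths and patterns are assumptions for illustration.
declare(strict_types=1);

// Every expected field gets an explicit allow-list pattern. Anchoring with
// \A and \z rejects anything before or after the allowed run, including a
// trailing newline that a plain $ anchor would let through.
const FIELD_RULES = [
    'username'    => '/\A[A-Za-z0-9]{3,20}\z/', // letters and digits only, as the text says
    'card_number' => '/\A[0-9]{13,19}\z/',       // digits only; Luhn check below catches typos
];

function validate_field(string $name, string $value): bool
{
    if (!isset(FIELD_RULES[$name])) {
        return false; // unknown field: reject rather than guess
    }
    return preg_match(FIELD_RULES[$name], $value) === 1;
}

// Luhn checksum: catches mistyped card numbers. It does not prove the card
// is real, only that the digits are internally consistent.
function luhn_ok(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double && ($d *= 2) > 9) {
            $d -= 9;
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Constructed sample inputs: the first and fourth pass, the rest are rejected.
$samples = [
    ['username', 'alice42'],
    ['username', "alice42\n"],              // trailing newline
    ['username', 'al ice'],                 // space is not in the allow-list
    ['card_number', '4111111111111111'],    // digits only and Luhn-valid
    ['card_number', '4111 1111 1111 1111'], // spaces: strip them first if you accept them
];

foreach ($samples as [$field, $value]) {
    $ok = validate_field($field, $value) && ($field !== 'card_number' || luhn_ok($value));
    printf("%-12s %-24s %s\n", $field, json_encode($value), $ok ? 'accepted' : 'rejected');
}
```

Run it with `php validate.php`; the point is that each field is checked against what you expect to receive, and everything else is rejected outright rather than cleaned up.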