Wednesday 7 August 2019

What Every PHP Developer Needs to Know About Cyber Security

PHP which stands for Hypertext Preprocessor is a general-purpose programming language. According to W3techs Web Technology Surveys, at least 79% of websites of the web use PHP as the server-side programming language. In fact, it is way past Java, Ruby, and ASP.NET in market position as well.

Although PHP is a top-ranking and favorite programming language, it faces the same security challenges that everything digital faces. From virus programs to ransomware, websites and web applications built using PHP are not immune to cyber security threats.

Moreover, security is not child’s play either. It is complex, constantly changing and requires patience to set up and monitor.

If you are a PHP developer, you know what I am talking about.

The problem with PHP development is that the entry of barrier is literally zero. Anybody with interest in the framework can become a developer.

The newbies who join the PHP developer workforce are unaware of the risks caused by the mistakes that they make. In this article, I have outlined some such mistakes below:

Playing it easy with admin accounts

Any web admin who has been in the field for some time understands the critical nature of admin accounts. They are like the key a bank’s safety locker. Access to the admin account is all that a hacker needs to take down a website, or worse tweak it to their benefit. As a PHP developer, you must ensure complete security of the admin account before anything else. Do not provide admin access to everyone, keep it limited to certain person.

Not getting trained on cyber security

Cyber security is not something that can learnt once and be done with. Every single day hackers are inventing novel ways of breaking into a system and sneaking away with data. If you want to beat the odds of getting hacked, it is necessary that you get trained on cyber security. It is quite necessary to get SSL certificate when you develop any website in PHP language.

For instance, something very basic as configuring a Wildcard SSL Certificate can help to secure multiple sub domains of a website. Although the website might be small in the initial stages, the Wildcard certificate can help when the number of sub domains are scaled up.

Skimping on password protection

From the log in page to the admin’s account, passwords are the gatekeepers that let in authorized users and stop unauthorized users from gaining access. When PHP developers skimp on password security by allowing users to set weak passwords, they are creating a culture where cyber security is not encouraged. This leads to further cyber security incidents.

To make things easy for you and to do my bit in making the web a safer place for all, I have compiled a list of security best practices. Here it goes:

Update PHP regularly

Like every other CMS platform out there, the engineers at PHP also regularly update the platform. The latest version of PHP is 7.2.8. Studies have already proven that older versions of any CMS are susceptible to attacks and prone to being hacked. So, the first step that you can take towards securing your PHP-based website is to update it regularly.

There are tools that are available online that can help you see whether the version you are using has been deprecated or needs updating.

Some of them are:

Avoid Cross-site scripting (XSS)

Cross-site scripting is a security vulnerability which allows hackers to inject server-side scripts into website’s code. The malicious code allows the hacker to steal information that the user submits to the website. The risk is greater in websites like banking, account-based services and so on where the user’s credentials, account information, etc. could be of monetary value.

The safest bet you can take to prevent XSS is using filters for user input. In other words, you must sanitize every user input before passing it to the website’s server for processing. This would avoid any malicious code from getting into your system.

SQL injection attacks

As the name suggests SQL injection works by injecting malicious SQL codes into a code repository. This would enable the hacker to make a data-driven program to collapse or work in a manner as they desire. For instance, SQL injection attacks are often used to make PHP-based web applications reveal sensitive data like account details of an ecommerce store, personal information of users and so on. To avoid SQL attacks, you should Prepared Statements instead of dynamic SQL queries. Moreover, use of stored procedures that will add extra layer to database.

Hide files from browser

Your PHP web application would have several files that are required to make it run smoothly. These files are often stored on the backend of the application. There are specific frameworks for storing these files, which is not properly selected or configured would let the hackers find their way in to access the files. As a thumb rule, do not store the files in the root directory, instead but in a public folder where they are not easily accessible.

In a nutshell

Becoming a PHP developer brings with it several benefits. But all PHP developers must understand that it takes a whole lot of effort to keep data safe. The groundwork for this must be laid during the development phase itself when security and access controls can be configured proactively.

1 comment: