Art Of Not Getting Hacked: PHP

Ensure that all your website software’s are updated. This simple but basic thing can help fix lot of known security bugs that’s discovered by the community or the software owner. When it comes to software try to check the OS of the software as well as if you used any software in your website, then must check it should be latest version, as outdated functions also become vulnerable for website.

Check if your hosting company update the server regularly. Sometimes they will offer that service as premium service or part of the hosting package, but this would be very helpful. If the server security is managed by hosting, company you should only take care of third party API or CRM, to check for the updates when any update releases.

To handle dependencies, developers who are using composer, npm and packages ensure that all dependencies are up to date and try to enable automated notification feature when any new updates are released.

SQL Injection attacks happens when the website form is submitted and passes parameters in the URL, hackers takes access and manipulate your database with malicious content and inject malicious script in the database. Because it is easy to modify your query and get access to delete or modify your data, but you can easily prevent this by using PDO connection because this feature is supported by all technologies. Parameterized queries are more secure then normal SQL queries.

Consider following query :

Select * from table_name where column_name = ‘”+ value +”’ ;
If attacker change the value like 1 = 1 , then the query changes and it will inject our database , query looks like :

Select * from table_name where column_name = ‘ ’ OR 1 = 1 ;
1 = 1 will allow attacker to add extra query at the end that is also execute with the current query and harm our data.

You can fix this issue by implementing PDO connection in our website, to execute the queries. PDO is parametrized query so no one can add extra stuff to the query so in this way you can prevent from SQL injection.

XSS stands for Cross Site Scripting and these attacks are common, which generally happens via comment box of blog and forum discussions. Attackers write malicious script and adding that to comment box and submitting that script. By using this script attacker can add unwanted data to the pages.

If the page with following code run in the browser and get the alert box with the text, (for example:- We got access…), it means your website are vulnerable.
For Ex:-

<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" data-wp-preserve="%3Cscript%3Ealert(%E2%80%98We%20got%20access...%E2%80%99)%3C%2Fscript%3E" data-mce-resize="false" data-mce-placeholder="1" class="mce-object" width="20" height="20" alt="<script>" title="<script>

You can easily prevent from this type of attacks by using validation in comment box or discussion form, that is apply on client & server side validation which will sanitize your input then submit the user data. Another powerful tool in the XSS defender’s toolbox is Content Security Policy (CSP).
Use strip_tags() and htmlspecialchars() to sanitize input and output of the pages. With the help of this you will be secure from XSS attack.

Always try to validate your website by client side validation and server side validation. If we add both type of validation on websites it will be more secure. Browser can only check for client side validation, this is the validation that attacker can easily bypass. So for the security reason its recommended to add server side validation and try to make both validations as same. It will be difficult to bypass all the validations and we can create more secure webpages. Validations is considered as a backbone of any website, if we have secure validation then it’s impossible for anybody to reach to our database and harm our data.
For security purpose always use strong validations.

It’s strongly recommended to use HTTPS protocol instead of HTTP, as it provides security over internet. HTTPs takes care of your request and also make sure that nobody else can interrupt your request. If you are passing personal information over internet then its strongly recommended to use https protocol. Also if you have payment gateway on your site or having ecommerce site, then https protocol is almost a requirement.

Public key and signed certificate are required for https. In response, the client selects a connection method, and the client and server exchange certificates to authenticate their identities of request.

Following case where you can use https :

1. Banking website
2. Government data website
3. Payment gateway or E-commerce

CSRF stands for Cross-Site Request Forgery, it is known as one click attack, session over riding.

When a user is logged onto the website and if it’s not protected with CSRF, then hackers can override the user’s session and get access to their connection/session. With the help of sessions, hackers can add malicious content, phishing redirection and irrelevant stuff on the website.

To prevent from CSRF attack, generate random token and save it in session and add it in hidden field of your file then validate it on every request. For every request it generates news token and validate and if your token matches then only it will be submitted otherwise not. Because hacker don’t have access of token in hidden form field, so your request will be safe.

Always use framework like PHP (Laravel, CodeIgniter etc.) for your development as it provides in built support of CSRF.

Best practices:

1. Logout website when not in use
2. Use strong password
3. Shorten the time of remember me

Cookies are mainly used in website development for faster access when there are follow-up visits from users. After user accepts cookies, websites start loading faster as data is retrieved from stored cookies. But most of developers don’t know how to present or use the cookies in secured way. So, hackers can easily access cookies and replace them with bad content as you have not used secured cookies.

First of all, never use cookies for critical information, for ex. don’t use cookies to remember password, as hackers can easily detect this and can access your account.

Set the secure cookie for single domain like following :

setcookie( name, value, expire, path, domain, secure, http only);
// Open
setcookie( 'cookie_name', 'kuldeep', 0, '/', '.example', false, false);
// Locked your cookie for domain only
setcookie( ''cookie_name', 'kuldeep', 0, '/blog', 'www.cmsminds.com', isset($_SERVER["HTTPS"]), true);