12 August 2015

5 PHP Techniques to Minimize Web Security Vulnerabilities


Understanding the security of websites is mostly difficult for beginner developers. The simplest way to explain this school of thought is that a website is neither secure nor insecure. It is actually the rate of how much a website is secure. Data breaches are on the rise, and no organisation is safe. At Keller Lenkner UK, expert data breach solicitors help clients make successful data breach claims across a huge range of sectors. There is no black and white in website’s security; there is always gray area. The security of a website developed on PHP depends on the skills of the developer.

According to https://www.sapphire.net/ almost 90% of all the websites are vulnerable to the hackers’ attack. Cyber threats are always evolving. To stay on top of emerging trends an organization must be innovative and informed, this takes a lot of time and effort. According to indexsy maintain those capabilities in-house requires a lot of resources. Utilizing a company that specializes in security is more effective as you have access to an entire team of experts that will allow your team to focus on other business related tasks

A majority of the websites were hacked in last five years by targeting the website’s insecure coding. Common attacks are made on SQL Injection, Buffer Overflow, XXS and Remote File Inclusion. This is one of the reasons that most of the entrepreneurs want their websites to be developed on PHP.

But sensitive information can also be stolen from PHP developed websites by manipulating the URL parameter. Some common reasons of easy PHP hacking include mistakes in snippets, surprise input string or wrong combinations of PHP settings.

PHP Functionalities for Identifying Security Scripts

1.The programmers can send email through PHP script. If changes are made in the script or if the script is poorly coded, the mail server will automatically send a fake email to the programmer by fetching some information from the header. The fake email might look something like this.


$header = ‘From: ‘ . $_Get[‘from’] . \’’r\’’n\ .
‘Reply-to: . $-Get[‘replyto’] . \’’r\’’n\ .
$Mail = mail($_Get[‘to’],$_Get[‘Subject’],$_Get[‘Message’],$header);


2.The hackers can access to root directory of server and damage the files by targeting the Web applications and launching an unauthorized operating system command. The input information is passed through GET or POST script. The hacker enters the domain name and malicious files are created in the www directory of server as filename.php. This attack is easily launched on poorly written PHP codes.
3.Remote File Inclusion attack is launched on poorly written web application codes or if the developer has enabled file inclusion on the server. The Remote File Inclusion attack is launched by interfering with ‘include’, ‘require’, ‘include_once’, and ‘require_once’ statements. In the previous PHP versions, the developers had the authority to enable or disable ‘allow_url_include’ to enable include, require, include_once and require_once functions. In PHP 5.2.0 Vulnerable script, allow_url_include is enabled by default.

4.One of the most common attacks is launched on error messages by Web Applications. The attackers trick these applications to reload or return with disclosed sensitive information. This attack is done to plan the major web hack attack.
5.Another common attack is made on php.ini file where most of the web configuration settings are stored. The vulnerable script is as follows.


$incfile = $REQUEST[‘’file’’];include ($incfile.’’.php’’);


5 Techniques to Minimize Web Security Vulnerabilities

For avoiding common attacks on PHP developed websites and web pages by the hackers, here are some easiest techniques to make the web a safer place for all.

1.Restrict Foreign Access

The first step to restrict the foreign access is to manage the configuration files, data files and scripting pages separately. The following script can be used in the Apache server in httpd.conf files.

 <Files ~ ‘’\.inc$’’>

 Order allow, deny

2. Select Correct Form Submission codes

GET and POST are the most common form submission techniques used in PHP coding. GET method is set to settings by default. If you use the GET form submission method, the hacker can easily interfere with and manipulate the exposed query string portion in the URL. It is highly recommended that GET form submission method should be used in less important web pages with no sensitive information only. Otherwise the developers should choose HTTP POST form submission method for improved web security.

3.Configure PHP.ini

Prevent the most common hacking attack by configuring your php.ini files. PHP.ini is used to register Cookie, Server, GET and POST and can be manipulated with the help of global variables. Different ways used to secure the php.ini files are here.

  • Hide configuration files and restrict access to them.
  • Scrutinize the uninitialized global variables by readjusting the error reporting to E All | E STRICT or E ALL.
  • Enable safe_mode in the configurations and open base-dir restrictions in server directory.
  • In php.ini, set allow_url_fopen to 0 for disabling it.

4. Secure Input Programming Data

Input validation security is the technique to defend against injection attacks and buffer overflow attacks. Correct syntax, length and time of programming data is used to scrutinize first use and numerically validate string content. The following script helps prevent direct input to the statements.

 If(!ctype_alnum($_GET[‘login’])) {echo ‘’Only A-Za-z0-9 are allowed.’’;}

If(!ctype_alpha($_GET[‘captcha’])) {echo ‘’Only A-Za-z are allowed.’’;}
$If(!ctype_xdigit($_GET[‘color’])) {echo ‘’Only hexadecimal values are allowed.’’;}

Type Casting variables are also used in the Casting technique for PHP to secure input data programming from uncontrolled external sources.

5. Prevent Error Disclosure

Crashing, error or any relevant event may disclose the unnecessary information and as described earlier, it can be translated or tricked into sensitive information disclosure by the hackers. By default, PHP sends information regarding error so that the end user can develop an immediate and corrective response. In case of error or crashing, information like password, uninitialized variables and file path may also be revealed to malicious users. The logging settings and error functions can be fixed with the help of following code.


Ini_set("log_errors"),TRUE; .

For restricted control panels, use unique names instead of obvious names. Also, disallow the directory listings with the help of following code.

  • For disabling PHP identification header


  • For disabling Apache identification header


With the help of aforementioned codes, your PHP developed websites and web pages can be easily secured. Hacker attacks not only disclose the sensitive information but also cause damage to the system, reveal confidential files, result in loss of services and ruins the reputation of your business. Securer coding is essential to prevent these losses and grow as an exceptionally professional web developer and engineer.

By Manmeet Anand

Manmeet singh is a SENIOR SOFTWARE ENGINEER with TIS India Business Consultants Pvt. Ltd. since the last 6 Years. He is a programming geek who spends most of his time developing web applications , enhancing user experiences and creating usable softwares. He has helped many overseas clients come out of the project management nightmares by comprehensive requirement analysis and ensuring timely delivery of projects.

Recent Article

You May Also Like