The Most Prevalent PHP-Related Security Risks




PHP is thought by many web developers to be the most useful programming language around. For this reason, PHP use is becoming increasingly popular in corporate programming and in building independent applications. While PHP scripting can create just about anything you’d like, the programming framework is not without its security flaws. There are hackers who know how to take advantage of the loopholes in PHP scripting, and they do so every day through simple web platforms such as WordPress and Drupal. To prevent this from happening to you, you’ll want to know what the most significant PHP security lapses are so you can take the proper security measures.

Code Exploits

Sometimes hackers can use certain lines of code to request and retrieve information from your website. For example, the “allow_url_fopen” option allows users to request file functions such as “file_get_contents()”, which would in turn allow a perpetrator to retrieve sensitive data from your website via a remote FTP connection. If your PHP is configured with default settings, then this option is still enabled, and you will need to manually disable it to keep hackers from executing code exploits on your website. Disabling this option will not take away from the functionality of your website at all, as it is not commonly used. If you do need to use it personally in the future, you can simply enable it as you see fit.

Risky Functions

Just as in the above situation, every risky PHP function should be disabled to prevent a similar scenario. Three functions in particular pose especially dangerous threats: “EVAL”, “shell_exec” and “passthru”. Disabling these functions is simple, and can be done by making slight adjustments to the “disable_functions” values in the “php.ini” file. Disabling the EVAL function is actually vital, because it allows a user to request remote control of PHP code on your website. If this is used in conjunction with another exploit, it can mean serious problems for you and your website. Before you disable these functions, it is a good idea to make sure they are not needed for any particular applications or plugins you are using on your website.
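The php.ini settings discussed under Code Exploits and Risky Functions can be checked with a small audit script. This is an added example, not code from the original article: it parses php.ini text and reports whether “allow_url_fopen” is enabled and whether “shell_exec” and “passthru” are missing from “disable_functions”. The function names and both sample files are constructed for illustration, and the script assumes it is given the text of the one php.ini file that PHP actually loads.

```python
RISKY_FUNCTIONS = ("shell_exec", "passthru")
TRUE_VALUES = {"1", "on", "yes", "true"}
# Constructed samples, not taken from any real server.
WEAK_INI = """[PHP]
allow_url_fopen = On
;disable_functions = shell_exec, passthru
disable_functions =
"""
HARDENED_INI = """[PHP]
allow_url_fopen = Off   ; remote URL wrappers off
disable_functions = "shell_exec, passthru"
"""

def parse_php_ini(text):
    """Return {directive: value}; a later assignment overrides an earlier one."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank line, comment, section header, or no assignment
        key, _, value = line.partition("=")
        value = value.strip()
        if value[:1] in ('"', "'"):
            value = value[1:].split(value[0], 1)[0]  # text inside the quotes
        else:
            value = value.split(";", 1)[0].strip()   # drop a trailing comment
        settings[key.strip()] = value
    return settings

def audit_php_ini(text):
    """Return findings for allow_url_fopen and disable_functions."""
    settings = parse_php_ini(text)
    findings = []
    # PHP ships with allow_url_fopen on, so a missing line counts as enabled.
    if settings.get("allow_url_fopen", "On").lower() in TRUE_VALUES:
        findings.append("allow_url_fopen is enabled")
    listed = settings.get("disable_functions", "").lower().split(",")
    disabled = {name.strip() for name in listed if name.strip()}
    for func in RISKY_FUNCTIONS:
        if func not in disabled:
            findings.append(f"{func} is not in disable_functions")
    # eval is a language construct; disable_functions only covers functions.
    if "eval" in disabled:
        findings.append("eval is listed, but disable_functions does not affect it")
    return findings

if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or "no findings")
```

The commented-out `disable_functions` line in the weak sample is ignored, as PHP itself would ignore it, so only the empty assignment below it counts.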

Unsafe Application Coding

The flexibility of PHP is what usually makes it easy for a hacker to breach the security of a website or server. The problem is that the security gaps are most likely not your fault; rather, they lie within the content management system you are using. Many of the applications that people use to make their website management easier also make it easier for hackers to infiltrate their administrative interface. This is why it is important to make sure you are using only the most secure plugins and applications to manage your website. In all actuality, it is better to have less functionality than to have a severe security breach on your website. Try to keep the number of plugins you use to a minimum, and make sure the plugins you use have very secure coding.

Responsible Programmers

Being a programmer is not a simple task, and there are many things to consider when creating an application. The problem is that there is so much to know, and not every programmer is up to the task of making sure their applications are fool-proof. In fact, most of them only want to make an application that will have enhanced functionality and will be popular in the e-community. However, if you are truly serious about maintaining the security of your website, then you will use applications that are developed by responsible programmers. This is the primary reason why corporations hire their own private programmers.
