PHP Security
posted by 'Gregory Gates' on May 1, 2008 at 7:00 am
PHP is very widely used today, and there are many sources of information on how to write secure PHP code. The new ICCA web site is written in PHP and applies those recommendations wherever possible. It also uses a MySQL database, which needs its own layer of protection at the PHP level to close off injection holes, and it is an electronic commerce site, which calls for an overarching approach to protecting client credit card information. This article only outlines how these concerns have been addressed, without going into details that would hand anyone so inclined a road map for attacking the site.
First, a basic but important point: every PHP file on the new ICCA web site ends in the .php extension. The common beginner's layout, .php for the landing pages and .inc for the included PHP classes, is a mistake: a web server that has no handler for the .inc extension will return those files as plain text, revealing their source code, and hackers love that.

Next, the directory layout of the PHP source avoids access control flaws and limits the ability to request an included class file directly, so a file that should only ever be pulled in by another PHP file cannot be fetched on its own. The web log shows many attempts to hit mysql.php, database.php, secure.php and others by name. This common technique can reveal configuration details that tell an attacker what to try next.
No file is included with include() or require() directly from user input; there is always a lookup table that confirms the requested name is allowed and available. No OS-level commands are executed anywhere in the system. All PHP variables are explicitly scoped, and there is no automatic registration of request parameters as globals: register_globals is off.
Limiting the number of unique landing pages also makes the site harder to break into, since an attacker is reduced to trying different variables in the HTTP GET URL or in an HTTP POST body. To avoid unvalidated-input errors, every variable is checked against a context that limits the values it may take, which makes guessing variable names and values harder. Every variable is also checked for hostile content: embedded quoted strings, PHP commands, shell commands and SQL injection.
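The two preceding paragraphs describe one mechanism: a fixed lookup table decides which file is included, and every request parameter is validated against a declared context before it is used. The front controller below is an added example of that pattern in PHP 7+, not code from the ICCA site; the page names, parameter names, validation rules and the directory layout (class files kept outside the document root) are assumptions.

```php
<?php
// Added example (not the ICCA site's code): a front controller that maps the
// "page" parameter through a fixed lookup table and validates every other
// parameter against one declared shape. Names and rules here are assumptions.

declare(strict_types=1);

// Lookup table: the ONLY way a request can select a file to include.
// Values are paths under a directory that is not served by the web server,
// so the class files cannot be fetched directly by name.
const PAGES = [
    'home'    => 'home.php',
    'catalog' => 'catalog.php',
    'cart'    => 'cart.php',
];
const APP_DIR = __DIR__ . '/../app';   // assumed layout: outside the document root

// Per-parameter context: each parameter has exactly one expected shape.
const RULES = [
    'page'  => ['type' => 'enum',  'values' => ['home', 'catalog', 'cart']],
    'id'    => ['type' => 'int',   'min' => 1, 'max' => 999999],
    'qty'   => ['type' => 'int',   'min' => 1, 'max' => 99],
    'email' => ['type' => 'email'],
    'q'     => ['type' => 'text',  'max_len' => 64],
];

/** Validate one raw value against its rule; return the typed value, or null to reject. */
function validate(string $name, $raw)
{
    if (!isset(RULES[$name]) || !is_string($raw)) {
        return null;                          // unknown parameter, or an array (?q[]=x)
    }
    $rule = RULES[$name];
    switch ($rule['type']) {
        case 'enum':
            return in_array($raw, $rule['values'], true) ? $raw : null;
        case 'int':
            $v = filter_var($raw, FILTER_VALIDATE_INT,
                ['options' => ['min_range' => $rule['min'], 'max_range' => $rule['max']]]);
            return $v === false ? null : $v;
        case 'email':
            $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
            return $v === false ? null : $v;
        case 'text':
            // Bounded length, valid UTF-8, no control characters (NUL, newline, ...).
            // preg_match() returns false on invalid UTF-8, so "!== 1" rejects that too.
            if (strlen($raw) > $rule['max_len'] || preg_match('/^\P{C}*\z/u', $raw) !== 1) {
                return null;
            }
            return $raw;
    }
    return null;
}

/** Keep only known, valid parameters; everything else is dropped and logged. */
function clean_input(array $request): array
{
    $clean = [];
    foreach ($request as $name => $raw) {
        $v = validate((string)$name, $raw);
        if ($v === null) {
            error_log('rejected parameter: ' . $name);   // probing shows up in the log
            continue;
        }
        $clean[$name] = $v;
    }
    return $clean;
}

$input = clean_input($_GET + $_POST);    // GET wins on duplicate keys
$page  = $input['page'] ?? 'home';

// The request value never reaches include(); only the table's own path does.
require APP_DIR . '/' . PAGES[$page];
```

Because every parameter is either converted to its declared type or discarded, the code that runs after clean_input() never sees a raw request string, and a request for an unknown page or an out-of-range id leaves a line in the log rather than an error on the screen.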
Following up on SQL injection: when the higher-level PHP classes access the database, the lower-level MySQL class ensures that every variable has the right shape. When an integer is expected, the code casts it with intval(). When a string is expected, quotes are escaped and the string is passed through mysql_escape_string(). Two caveats belong here. mysql_escape_string() does not take the connection's character set into account and is deprecated in favour of mysql_real_escape_string(); and escaping only helps when the value is placed inside quotes in the SQL, which is exactly why the integer case is cast rather than escaped. Escaping a value that PHP's magic_quotes_gpc has already escaped also doubles the backslashes, so input must be escaped exactly once, at the database layer. Prepared statements with bound parameters, through PDO or mysqli, avoid the whole problem by keeping data out of the SQL text.
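As an added example, not the ICCA site's own database class, here are the two approaches side by side in PHP 7+: the cast-and-escape method the paragraph describes, written with mysqli::real_escape_string() because the mysql_* extension no longer exists, and the prepared-statement method that replaces it. The table, columns, DSN and credentials are assumptions.

```php
<?php
// Added example (not the ICCA site's code): getting untrusted values into a
// MySQL query safely. Table name, columns, DSN and credentials are assumptions.

declare(strict_types=1);

/**
 * (a) Cast and escape, as the article describes. Only valid because $id is
 * forced to an integer and $email is placed inside quotes in the SQL text.
 * $db must already have had $db->set_charset(...) called, since escaping is
 * charset-dependent; that is the flaw in the old mysql_escape_string().
 */
function find_order_escaped(mysqli $db, $order_id, $customer_email): ?array
{
    $id    = intval($order_id);                               // "12abc" -> 12, "x" -> 0
    $email = $db->real_escape_string((string)$customer_email); // ' -> \' etc.
    $sql   = "SELECT id, total FROM orders WHERE id = $id AND email = '$email'";
    $res   = $db->query($sql);
    if (!($res instanceof mysqli_result)) {
        return null;
    }
    return $res->fetch_assoc() ?: null;
}

/**
 * (b) Prepared statement with bound parameters: the values travel to the
 * server separately from the statement, so no character in them can change
 * the query's structure, quoted or not.
 */
function find_order_prepared(PDO $db, $order_id, $customer_email): ?array
{
    $stmt = $db->prepare('SELECT id, total FROM orders WHERE id = :id AND email = :email');
    $stmt->bindValue(':id', intval($order_id), PDO::PARAM_INT);
    $stmt->bindValue(':email', (string)$customer_email, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Connection for (b): server-side prepares, exceptions instead of silent false. */
function connect_pdo(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_EMULATE_PREPARES => false,                 // real binding on the server
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// A classic probe against the string parameter. In (a) the quote is escaped and
// stays inside the literal; in (b) it is never anything but data.
$probe = "x' OR '1'='1";
$order = find_order_prepared(connect_pdo(), '42', $probe);   // null: no such email
```

The escaping variant is kept here only to show why the original scheme works where it does: remove either the intval() or the surrounding quotes and an attacker controls the query. The prepared variant has no such dependency, which is why it is the one to write new code against.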
Logging is used extensively: every HTTP POST is logged, giving a complete audit trail of every form-based activity on the web site. set_error_handler() extends that logging so that failures in the PHP code itself are identified as they happen. Exceptions are raised at the lowest level, so that the higher-level classes can deal with an error simply, without needing to know the details of the failure. One thing to keep in mind when logging every POST on a shopping site: the logger must drop or mask the card number and security code fields before writing, or the log file becomes the most sensitive file on the server, and error detail should go to the log rather than to the browser (display_errors off).
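The following is an added example of the three pieces described above, not the ICCA site's own code: an error handler that turns PHP notices and warnings into exceptions so nothing fails silently, an exception handler that logs the detail while showing the user nothing useful, and a POST audit logger that redacts the sensitive form fields. The field names and the log path are assumptions.

```php
<?php
// Added example (not the ICCA site's code): error handling and a redacting
// POST audit log. The field list and log path are assumptions.

declare(strict_types=1);

const AUDIT_LOG = '/var/log/app/post-audit.log';   // outside the web root (assumed path)
const REDACT    = ['card_number', 'cvv', 'exp_month', 'exp_year', 'password'];

// Every reportable PHP error becomes an ErrorException. Higher layers catch
// by exception type; the file/line detail is only ever written to the log.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    if (!(error_reporting() & $errno)) {
        return false;                          // suppressed with @; let PHP handle it
    }
    throw new ErrorException($errstr, 0, $errno, $errfile, $errline);
});

// Anything uncaught: full detail to the log, a generic message to the client.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'An internal error occurred.';
});

/** Return a copy of a submission that is safe to write to disk. */
function redact_post(array $post): array
{
    foreach ($post as $k => $v) {
        if (in_array(strtolower((string)$k), REDACT, true)) {
            $post[$k] = '[redacted]';
        } elseif (is_array($v)) {
            $post[$k] = redact_post($v);       // nested field arrays (address[street], ...)
        }
    }
    return $post;
}

/** One JSON line per POST: when, from where, to what, with what (redacted). */
function audit_post(array $server, array $post): string
{
    $entry = [
        'ts'   => gmdate('c'),
        'ip'   => $server['REMOTE_ADDR'] ?? '-',
        'uri'  => $server['REQUEST_URI'] ?? '-',
        'ua'   => substr($server['HTTP_USER_AGENT'] ?? '-', 0, 200),
        'post' => redact_post($post),
    ];
    $line = json_encode($entry, JSON_UNESCAPED_SLASHES) . "\n";
    file_put_contents(AUDIT_LOG, $line, FILE_APPEND | LOCK_EX);
    return $line;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    audit_post($_SERVER, $_POST);
}
```

Writing one JSON object per line keeps the audit trail easy to search later with ordinary tools, and the redaction list is deliberately a constant rather than something computed from the form, so a new field that carries card data has to be added to it consciously.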
All web forms that capture sensitive information are forced over SSL, so that the data, credit card information above all, cannot be observed in transit. Card numbers are stored securely and never reach an HTML page except masked to their last four digits (XXXXX1234). The integration with PayPal for the credit card transaction itself is also carried out over an SSL interface. Storing card numbers at all brings a site under the PCI DSS requirements, so the less of the card that is kept on the server after the PayPal transaction, the better.
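The following is an added example, not the ICCA site's code, of the two page-level controls described above: refusing to serve a sensitive form over plain HTTP, keeping the session cookie off plaintext connections, and masking a stored card number to its last four digits before it is placed in HTML. The canonical host name is an assumption; the redirect uses it rather than the request's Host header so an attacker cannot bounce a visitor elsewhere.

```php
<?php
// Added example (not the ICCA site's code): force TLS, secure the session
// cookie, and mask a card number for display. CANONICAL_HOST is an assumption.

declare(strict_types=1);

const CANONICAL_HOST = 'www.example.org';   // assumed; never taken from the request

/** True when this request arrived over TLS, directly or via a trusted terminating proxy. */
function is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    // Only honour this header if the proxy in front of PHP is known to set it,
    // and strips any copy sent by the client; otherwise delete this line.
    return ($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
}

/** Redirect plain-HTTP requests for sensitive pages to the same path over TLS. */
function require_https(array $server): void
{
    if (is_https($server)) {
        return;
    }
    $path = $server['REQUEST_URI'] ?? '/';
    header('Location: https://' . CANONICAL_HOST . $path, true, 301);
    exit;
}

/** Keep only the last four digits: "4111 1111 1111 1234" -> "XXXXXXXXXXXX1234". */
function mask_pan(string $pan): string
{
    $digits = preg_replace('/\D/', '', $pan);   // drop spaces and dashes first
    $n = strlen($digits);
    if ($n <= 4) {
        return str_repeat('X', $n);              // too short to show anything
    }
    return str_repeat('X', $n - 4) . substr($digits, -4);
}

require_https($_SERVER);

// Session cookie: Secure (TLS only) and HttpOnly (not readable by script),
// set before the session is started so the first cookie already carries the flags.
session_set_cookie_params(0, '/', '', true, true);
session_start();

echo 'Card on file: ' . htmlspecialchars(mask_pan('4111 1111 1111 1234'), ENT_QUOTES, 'UTF-8');
```

The masked value is still run through htmlspecialchars() on output: masking protects the card number, escaping protects the page, and the two are independent.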
The aggressive use of defensive PHP programming makes the new ICCA web site more stable and less prone to attack. The logging makes it much easier to identify attacks, attempted attacks and overlooked vulnerabilities, and the log files are reviewed regularly.
There may be weaknesses in the ICCA security framework; no software is perfect, and new flaws turn up in the most obscure places. For now, the new ICCA is a safe place to do business, and it will only become safer with the mileage that time offers.