How can we increase security using PHP

It's not hard work because there are many  built-in methods in PHP which provide security  in PHP. But to use these methods, you must use the high versions of PHP.

Importance of establishing security in PHP:

One of the most important things that all  web designers consider  is the security of web pages. Especially in interactive web pages where users can send information to web servers, we need to use security solutions to control fake users. Fortunately, designers who use higher versions of PHP (above 5.6) to design their pages can provide the required security because there are built-in tools for  providing security in PHP  in new versions of this language that did not exist in previous versions. New features have been added to simplify creating security for web page designers. So always try to use the latest PHP versions.

A careful review of the information entered in the forms:

One of the ways to penetrate the sites is to send malicious information and codes to the site server through the forms available on the website. Therefore,  web designers must be very sensitive  to the design and analysis of these forms and impose certain restrictions on the entry of information in the documents and their submission to avoid falling into the trap of hackers.

It is better to limit the options for entering information in the forms to acceptable alternatives, and even if you do this, consider the possibility of abuse by some users.

Therefore, it is better to consider the principle of minimum points and give each website uses only the necessary permissions.

Do not display error messages:

Another way to increase the security of web pages is to prevent error messages from being displayed because error messages can be used as clues to identify  the structure of your site  and reduce the security of your site. By default, "display_er" is enabled in the "php.ini" file, which you must disable.

Do not use default names:

One of the ways you can increase security in PHP is to not use simple or default names for naming your files and directories.

Determine types of numbers you want to receive in SQL exactly:

In addition to the security points in PHP code, it is better to follow this issue in SQL code that is used along with PHP code. For example, in the following code, security methods are used in the input.

In this code, you specify the type of number received in the SQL command of the query generator and increase the security level.

Fighting attacks:

There are specific attacks that some users may want to use to compromise the security of a website. Here are some  types of attacks  and ways to deal with them.

Cross-Site Scripting attack:

This type of attack is one of the most common attacks on web pages, and usually, malicious code or script is injected into the website. This malicious code replaces part of your code and thus steals your information.

The hacker can use this code to take control of the program and access your cookies, meetings, and other important information.

You can counteract this attack using the "htmlspecialchars" function. In this function, if the hacker inserts a script or malicious code instead of the information you want, it just converts it to non-executable text and disables and neutralizes it. The general form of this function is as follows:

string htmlspecialchars (string $string [, int $quote_style [, string $charset [, bool $double_encode]]))

As you can see, this function has four arguments. The first argument, or string, specifies the string we want to convert to reserved HTML characters.

Flag argument: Instead of this argument, one of the following defined constants can be put:

- ENT_COMPAT:

The double quotation character is converted to reserved HTML characters using this constant.

- ENT_QUOTES:

Converts single quotation or double quotation characters to reserved html characters.

- ENT_NOQUOTEST:

This character does not convert quotation marks.

- ENT_IGNORE:

This constant ignores non-string characters.

- ENT_SUBSTITUE:

replaces invalid Unicode characters.

The charset argument: Specifies the encoding such as utf8 and so on.

Consider the following example.

Suppose we send a user name in a textbox called name, send it with the GET method, and print it with the hello message in the browser.

Usually the code is written as follows:

Attack by SQL code injection method:

This method is usually used to make queries on the database using SQL codes. In this negative way, the hacker tries to modify the query codes and steal information from your database or even destroy your entire database. In fact, you need ways to preserve your  database security in PHP  in this state. The hacker tries to enter the desired SQL code into the server and execute it on your database using the data entry forms that you have placed on the web page.

To prevent these attacks, you can use solutions such as using the PDO method to communicate with the database and run queries on it. You can also filter incoming information and prevent malicious codes from entering. Another way is to escape specific MySQL characters. Using a function called "mysql_real_escape_string," you can delete the SQL commands that the hacker wants to inject into the database.

The above codes receive the student number from the user and show him the related information. If the user enters the information in the input as shown below, the SQL code may penetrate the database and delete all the information in the database.

Session Hijacking:

As we know, information about users who send requests to the server is stored in a location on the server in the form of a session. In fact, the server can use the information in the session, including id, to separate users and send the appropriate response to each user. In hijacking a session, the hacker tries to change sending the correct answer to the users by accessing the sessions. This type of attack can be done through an  XSS attack.

To prevent this type of attack, connecting the session to your IP address is better.