|
|
|
|
|
|
|
Calgary Software Application and Web Development Articles |
Some Tips For Php Developers
PHP is one of the most popular programming languages in the world, PHP
is a programming language for dynamically built web sites. Security
should be a top concern throughout the development of any PHP web
application. There are some very simple measures you can take to protect
your application from potential abuse.
PHP is arguably the most
powerful of all open-source programming languages. No longer used
solely for web pages, it is becoming an increasingly popular tool for
stand-alone programs and corporate applications. Despite all its power
and flexibility, the PHP framework is far from secure. The countless
number of successful hacks on popular web applications such as Drupal,
Joomla and Wordpress serve as solid evidence. In this article, we will
go over some of the most significant security issues to help strengthen
your shared, VPS or dedicated hosting environment.
Dangerous PHP
Functions
All potentially dangerous PHP functions should be
disabled and never used unless absolutely necessary. Three that pose
the biggest threats to security are "passthru", "EVAL" and "shell_
exec." These functions can be disabled by editing the
"disable_functions" value in the "php.ini" file. EVAL is perhaps the
most vulnerable of all because it enables the execution of remote PHP
code. If used in conjunction with an insecure global value, this
particular function can result in a potentially catastrophic security
breach. Because applications such as ImageMagick require shell_exec,
you should perform some research to find out which functions are
required before disabling them.
Remote URL Injection
When
enabled on a server, the "allow_url_fopen" option permits file functions
like "file_get_contents()", which could allow data to be retrieved from
locations such as a remote website or FTP connection. Since a standard
PHP configuration has this function enabled by default, it is highly
recommended that it be manually disabled to prevent potentially
dangerous code exploits. allow_url_fopen is very rarely used, thus, you
should be able to disable it and still enjoy the full functionality of
your website.
Insecure Code
There are many aspects that
make PHP one of the most flexible platforms for web development.
However, it is this very flexibility that often results in security gaps
that can lead to a compromised server or website. This is especially
true with the widely used web programs coded in the PHP language. Some
of today's most popular content management systems have bugs and
security holes in the supported plugins and even the core code itself.
For this reason, you should make it a priority to run the most recent
and secure versions of PHP scripts and remain weary of plugins and
modules. In fact, unless their functionality is truly needed, you
should try to keep your web application platforms simple with as few
extensions as possible.
Conclusion
Programmers these days
are faced with significant challenges due to the fact that the list of
potential PHP security issues is rather extensive. Even worse, the list
continues to expand with the release of each new version. That is why
it is a developer's job to take the necessary steps to ensure their
code is secure as possible. This can be done by smart coding, only
using necessary functions and using updated PHP scripts. In addition,
better protection can be assured by doing business with a hosting firm
who makes security a priority. In order to give you secure environment
for PHP projects, their hosting platform must be properly configured.
The combination of an inadequate PHP/web server is one of the major
causes of successful security breaches.
Find Programmers VietNam and more useful
information about outsourcing, offshoring on Software Outsourcing.
|
|
|
|
|
|
|
|
|