PHP Security: Common Vulnerabilities and Tips to Avoid Attacks


There are a number of common vulnerabilities within a PHP website that attackers can exploit. If you’re a PHP website developer working with sites that contain sensitive or financial information, it’s important to know about these vulnerabilities and the preventative measures you can take to avoid them. In our PHP Security training course, expert instructor Doug Bierer highlights some of these common vulnerabilities, which include:

Predictable resource location – According to the Whitehack Website Security Statistics Report (WWSSR), this weighs in at 8% – the percentage likelihood that at least one serious vulnerability will appear in a website. To try to prevent this, you can go into the setup folder in phpMyAdmin and change all of the default settings.

Mishandling file uploads – There are a few things you can do to secure file uploads. The first would be to set the file uploads to 0 or off. Also, you can change file upload configuration options, such as controlling where the files are uploaded to, specifying the nesting level and number of input variables that are allowed, and dictating the upload maximum file size and total number of file uploads that are permitted in one request cycle.

Insufficient authorization – This means that you are allowing access to certain portions of the website without checking the credentials. It weighs in at 11% on the WWSSR.

Improper access controls – This involves the incorrect handing and storage of passwords. It is important to have users change their passwords on a regular basis. As for storage, passwords are generally stored as plain text. Changing the way the passwords are stored will help make this aspect more secure.

Unplanned information disclosure –This is where attackers will probe your website to try and discover error messages and other accidental pieces of information that you may have forgotten exists. To try to prevent this, you can go into your php.ini settings and make sure the error reporting setting is set as high as possible. The reason for this is because you want to make sure you log all possible errors, which means the log errors setting should be set to 1 or on.

Whitehack Website Security Statistics Report

Whitehack Website Security Statistics Report

In this post, we’ll be focusing on how you can protect your PHP-based website against two common vulnerabilities: predictable resource location and mishandling file uploads. We’ll cover the other three common vulnerabilities in a later post.

Predictable Resource Location:

To protect against predictable resource location, Doug outlines a number of preventative measures you can take to help secure your website. First, he recommends changing all open source defaults. For example, in the phpMyAdmin, you should stay away from obvious names for usernames or roles, such as admin, database column names like user and password, and directory paths. Also, in your php.ini settings, one easy security measure you can implement is changing the parameter, because chances are any future attacker already knows the default session identifier. Other settings you should change include the date.timezone and default.charset setting. Finally, some php.ini settings that should NOT be set include the mysqli.default_user and mysqli.default_pw.

Mishandling File Uploads: 

When uploading files, there are a number of safety measures that should be taken. First, you need to specify a target location – this should be a path that is in a known safe location that is under your control. Next, there are some php.ini settings that affect where the file will be uploaded to temporarily, such as upload_tmp_dir, and parameters such as upload_max_filesize that controls the maximum size of the file. Also, some basic safety checks include checking the error condition and using the is_uploaded_file function to test to make sure that it is an uploaded file. Then sanitize the file name, which is represented by the [“name”] parameter. Finally, you need to move the file to a secure location by build your own directory path – do not rely on user supplied information. Use the move_uploaded_file function to do the move for you.

One last consideration: remember, you have no control over what’s actually inside the file, so you might want to consider extra measures such as periodically scanning the upload folder for files that contain viruses.

These are just two precautionary methods you can do to protect your PHP-based website from an attack. Stay tuned to learn more about the other three common vulnerabilities that are highlighted in our PHP Security training course and how you can take preventative measures against them. For now, watch Doug demonstrate predictable resource location and mishandling file uploads in the full lessons below.




Save $50 when you sign up for an annual Learning Library account Learn More