PHP Security and Encryption
Introduction
Web application security is an important topic that attracts attention from both the developers who create web applications and the attackers who try to exploit them. As a PHP developer, your applications are sure to be the target of many attacks, and you need to be prepared.
A large number of web application vulnerabilities are due to a misplaced trust in data provided by third parties. Such data is known as input, and it should be considered tainted until proven otherwise. If you display tainted data to your users, you create cross-site scripting (XSS) vulnerabilities. Explains how to avoid these by escaping your output. If you use tainted data in your SQL queries, you can create SQL injection vulnerabilities. Shows you how to eliminate these.
When using data provided by third parties, including the data provided by your users, it is important to first verify that it is valid. This process is known as filtering, and Shows you how to guarantee that all input is filtered.
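The three habits described above (filter input, escape output, keep tainted data out of SQL) in one script. This is an added example written for this page, not code from the book it summarizes; the `$input` array is a constructed stand-in for `$_GET`/`$_POST`, and the in-memory SQLite database exists only so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Constructed sample input standing in for $_GET / $_POST (hypothetical values).
$input = [
    'email' => 'alice@example.com',
    'age'   => '42',
    'name'  => '<script>alert(1)</script>',
];

// 1. Filtering: validate every field before it is used; reject what does not match.
$email = filter_var($input['email'], FILTER_VALIDATE_EMAIL);
$age   = filter_var(
    $input['age'],
    FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 0, 'max_range' => 150]]
);
if ($email === false || $age === false) {
    http_response_code(400);
    exit('Invalid input');
}

// 2. Escaping output: encode on the way out, for the HTML context it lands in.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
echo '<p>Hello, ' . e($input['name']) . '</p>', PHP_EOL;

// 3. SQL: bind parameters instead of concatenating tainted data into the query text.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE users (email TEXT, age INTEGER)');

$stmt = $pdo->prepare('INSERT INTO users (email, age) VALUES (:email, :age)');
$stmt->execute([':email' => $email, ':age' => $age]);

// A value containing quote characters is treated as data, not as part of the SQL.
$lookup = "alice@example.com' OR '1'='1";
$stmt = $pdo->prepare('SELECT email FROM users WHERE email = :email');
$stmt->execute([':email' => $lookup]);
var_dump($stmt->fetchAll(PDO::FETCH_COLUMN));
```

Validation (step 1) and escaping (step 2) are not interchangeable: validation decides whether the value is acceptable at all, while escaping makes an acceptable value safe for one specific output context, so an application needs both.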
Not all security problems can be solved by filtering input and escaping output. Session fixation is an attack that causes a victim to use a session identifier chosen by an attacker. A cross-site request forgery (CSRF) is an attack that causes a victim to send a request of the attacker’s choosing.
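A session and CSRF setup that addresses both attacks named above, as an added example for this page (not code from the original book). It assumes a login form and a "delete account" form as hypothetical state-changing actions; `session_set_cookie_params()` with an array argument needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Session hardening: IDs travel only in cookies, unknown IDs are refused
// (strict mode), and the cookie is neither script-readable nor sent cross-site.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,
    'samesite' => 'Lax',
]);
session_start();

// Session fixation defence: after a successful login, discard the pre-login
// session ID so an ID that was planted before authentication never becomes
// an authenticated one.
function login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// CSRF defence: a random per-session token that every state-changing request
// must echo back. A forged cross-site request cannot read it, so it cannot include it.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function verifyCsrf(array $post): bool
{
    $sent = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so timing does not leak the token.
    return is_string($sent) && hash_equals(csrfToken(), $sent);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!verifyCsrf($_POST)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    // ... perform the state-changing action (hypothetical) ...
}

echo '<form method="post">' . csrfField()
    . '<button>Delete account</button></form>', PHP_EOL;
```

The `SameSite=Lax` cookie attribute already blocks most cross-site POSTs in current browsers, but the token check stays in place because older clients and some navigation patterns do not honour it.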
Closely related to security is encryption, a powerful tool that can help boost your application’s security. Just like any other tool, however, it must be used properly.
Encryption scrambles data. Some data scrambling can’t be unscrambled without unreasonable amounts of processing. This is called one-way encryption or hashing. Other encryption methods work in two directions: data is encrypted, and then it’s decrypted.
PHP supplies tools to encrypt and secure your data. Some tools, such as the password_hash() function, are part of PHP’s base set of functions, and some are extensions that need to be explicitly included when PHP is compiled (e.g., mcrypt, mhash, and cURL).
Discusses using password_hash(), which lets you securely hash a password for storage.
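The store-and-verify round trip for password_hash(), including the upgrade path the function family provides, as an added example for this page (not the book's own recipe). The credentials are constructed.

```php
<?php
declare(strict_types=1);

// Storing a password: PASSWORD_DEFAULT is bcrypt today and may change in a later
// PHP release; the output string records the algorithm and cost, so old hashes
// keep verifying after the default moves.
function storePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_DEFAULT);
}

// Verifying at login. If the stored hash was made with weaker parameters than the
// current default, rehash now while the plaintext is available and persist the
// new value; the caller's variable is updated by reference.
function checkPassword(string $plain, string &$storedHash): bool
{
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $storedHash = password_hash($plain, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed walkthrough with a hypothetical password.
$stored = storePassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('wrong password', $stored));
var_dump(substr($stored, 0, 7)); // algorithm/cost prefix, e.g. "$2y$10$" for bcrypt
```

Two caveats worth knowing: bcrypt only looks at the first 72 bytes of the input, and the cost parameter should be raised (via the `cost` option) as hardware gets faster, which is exactly what `password_needs_rehash()` then detects.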
mcrypt is a more full-featured encryption library that offers different algorithms and encryption modes. Because it supports different kinds of encryption, mcrypt is especially helpful when you need to exchange encrypted data with other systems or with programs not written in PHP. mcrypt is discussed in detail.
PHP gives you the tools to protect your data with robust encryption, but encryption is just part of the large and often complex security picture. Your encrypted data can be unlocked with a key, so protecting that key is very important. If your encryption keys are accessible to unauthorized users (because they’re stored in a file accessible via your web server or because they’re stored in a file accessible by other users in a shared hosting environment, for example), your data is at risk, no matter how secure your chosen encryption algorithm is.
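Two-way encryption in PHP with the key kept out of the web root, as an added example for this page. It is not the book's mcrypt recipe: mcrypt was removed from PHP core in 7.2, so this uses the openssl extension (AES-256-GCM, which authenticates the ciphertext as well as encrypting it). The `APP_ENC_KEY` environment variable is a hypothetical name; the demo at the bottom generates a throwaway key instead of reading it.

```php
<?php
declare(strict_types=1);

const CIPHER = 'aes-256-gcm';
const TAG_LEN = 16;

// The key is loaded from the process environment (hypothetical variable name),
// not from a file the web server could serve or that other tenants could read.
function loadKey(): string
{
    $hex = getenv('APP_ENC_KEY');
    if ($hex === false || strlen($hex) !== 64 || !ctype_xdigit($hex)) {
        throw new RuntimeException('APP_ENC_KEY must be 32 bytes, hex-encoded');
    }
    return hex2bin($hex);
}

// Output layout: IV || tag || ciphertext, base64-encoded. A fresh random IV per
// message is mandatory for GCM; reusing one with the same key breaks the scheme.
function encrypt(string $plaintext, string $key): string
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return base64_encode($iv . $tag . $ct);
}

function decrypt(string $encoded, string $key): string
{
    $raw   = base64_decode($encoded, true);
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if ($raw === false || strlen($raw) < $ivLen + TAG_LEN) {
        throw new RuntimeException('malformed ciphertext');
    }
    $iv  = substr($raw, 0, $ivLen);
    $tag = substr($raw, $ivLen, TAG_LEN);
    $ct  = substr($raw, $ivLen + TAG_LEN);
    $pt  = openssl_decrypt($ct, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag);
    if ($pt === false) {
        // Wrong key, or the data was modified in transit or at rest.
        throw new RuntimeException('decryption failed: authentication tag mismatch');
    }
    return $pt;
}

// Constructed demo with a throwaway key (in production call loadKey()).
$key   = random_bytes(32);
$token = encrypt('card ending 4242', $key);
var_dump(decrypt($token, $key));

// Flipping a single ciphertext bit is detected by the tag instead of
// silently producing garbage plaintext.
$tampered = base64_decode($token);
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);
try {
    decrypt(base64_encode($tampered), $key);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The point of the tamper check at the end is the one the text makes about the "security picture": the algorithm is only as useful as the handling around it, and an unauthenticated mode would have accepted the altered data.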
Sensitive data needs to be protected not only on the server, but also when it’s traveling over the network between the server and your users. Data sent over regular HTTP is visible to anyone with access to the network at any point between your server and a user. Discusses how to use SSL to prevent network snoopers from observing data as it passes by. For a complete discussion on securing PHP applications, read PHP Security by Chris Shiflett (O’Reilly).
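Both sides of the transport problem mentioned above, as an added example for this page (not the book's SSL recipe): the server refuses plain HTTP and sets HSTS, and a cURL client keeps certificate verification on. The URL and header values are constructed; nothing here is specific to any real host.

```php
<?php
declare(strict_types=1);

// Server side: bounce plain-HTTP requests to HTTPS and tell browsers to keep
// using HTTPS for a year (HSTS), so a later http:// link is upgraded locally.
function requireHttps(): void
{
    $https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (int) ($_SERVER['SERVER_PORT'] ?? 0) === 443;
    if (!$https) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// Client side: fetch from another system over TLS. The two VERIFY options are
// the ones that get switched off "to make it work" and must stay on; otherwise
// any network position between the two hosts can present its own certificate.
function fetchOverTls(string $url): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // never fall back to http://
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTPS, // ... not even via a redirect
        CURLOPT_SSL_VERIFYPEER => true,             // chain must validate against the CA store
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the host name
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        $err = curl_error($ch);
        curl_close($ch);
        throw new RuntimeException("TLS fetch failed: $err");
    }
    curl_close($ch);
    return $body;
}

// Constructed usage (hypothetical endpoint).
requireHttps();
echo fetchOverTls('https://api.example.com/v1/status'), PHP_EOL;
```

If `curl_exec()` fails with a certificate error, the fix is to install or point cURL at a correct CA bundle (`CURLOPT_CAINFO`), not to relax the verification options.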