Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security always matters. No matter what programming language you use to develop your site, after all the hard work you put in to make your site look good and respond to your users, the last thing you’d want is for a hacker to come along and somehow ruin it.

Security shouldn’t be a matter of personal preference but a necessity for everyone. It is necessary to protect your personal information, your company’s information and, most importantly, other people’s information. If you are an organization, then you have no option but to comply with strict regulations to avoid fines, penalties, and damage to your brand’s reputation. Hackers take advantage of vulnerabilities in software to exfiltrate sensitive data, which can then be used to demand a ransom, sold to third parties, or exposed online.

Additionally, in 2017 we have seen the formation of the largest botnet clusters in history, which performed the largest DDoS attacks to date. Hackers search for every possible way to automatically “recruit” computers, servers, and IoT devices. To achieve that, they launch large-scale scans to discover vulnerable targets to exploit. Web applications are one of the main targets for two reasons. The first is that they are not only full of vulnerabilities but also directly exposed to the internet; the second is that access to the underlying server equals access to substantial resources. Servers typically run on powerful hardware with high-speed, high-bandwidth connections, which makes them ideal for pivoting. Even when they do not gain access to the underlying OS, hackers commonly take advantage of vulnerable web applications to host and deliver malware. It is predicted that in the coming years these kinds of attacks will increase dramatically.

In this series we will focus on PHP, the world’s most popular server-side web programming language. According to W3Techs, as of November 2017, 83% of websites are powered by PHP. Among those websites are Facebook, Yahoo and Wikipedia. Since PHP is so popular, the number of vulnerable web applications is large. Finding a web application that does not share some code or script with another is rare. That means that if the shared piece of code is found to be vulnerable, all the applications using it are also vulnerable.

Like other programming languages, PHP can be exposed to a number of vulnerabilities. This mini guide examines some of the problems that should be considered every time you set out to write a PHP script, so you can ensure your site is secure. These are problems which, with well-written code, can be effectively mitigated.

This series on PHP Security will take a moment to define the problems themselves, starting off with SQL Injection, one of the most dangerous vulnerabilities a web application can be exposed to. Here we shall also examine some examples of insecure PHP code that could lead to a SQL Injection vulnerability.

Read Part 1 in the series on PHP Security: PHP Security Mini Guide – SQL Injection

Agathoklis Prodromou
Web Systems Administrator/Developer
Akis has worked in the IT sphere for more than 13 years, developing his skills from a defensive perspective as a System Administrator and Web Developer but also from an offensive perspective as a penetration tester. He holds various professional certifications related to ethical hacking, digital forensics and incident response.