Creating Secure PHP Application & Secure From Hackers


Step 1: Use Proper Error Reporting 

Amid the advancement procedure, application mistake reporting is your 

closest companion. Blunder reports can help you discover spelling botches in your 

factors, distinguish wrong capacity utilization and a great deal more. In any case, once 

the site goes experience a similar reporting that was a partner amid 

advancement can turn backstabber and enlighten your clients a great deal all the more concerning your 

site than you may need them to know (the product you run, your organizer 

structure, and so forth). 

Once your site goes live, you ought to try to shroud all blunder 

reporting. This should be possible by conjuring the accompanying straightforward capacity 

at the highest point of your application file(s). 

1  error_reporting(0); 

In the event that something goes wrong, despite everything you need and need to think about 

it. Hence, you ought to dependably try to log your blunders to a 

ensured record. This should be possible with the PHP work set_error_handler. 

Step  2: Disable PHP's "Terrible Features" 

From its most punctual days, PHP's fashioners have constantly incorporated a few 

elements to make improvement simpler. On the other hand so they thought! Some of these 

accommodating elements can have unintended outcomes. I call these "awful 

highlights" since they have permitted information approval bad dreams and 

made a pathway for bugs to discovering their way into scripts. One of 

the principal things you ought to do when the improvement procedure starts is 

cripple sure of these elements. 

Note: Depending on your host, these could conceivably be killed for 

you. On the off chance that you are creating all alone PC or other comparative neighborhood 

environment, they likely won't be killed. Some of these elements 

have additionally been expelled in the up and coming PHP6, however are omnipresent in PHP4 

applications and are just deplored in PHP5 applications. 

Enlist Globals (register_globals) 

To put it plainly, register_globals was intended to help quick application 

improvement. Take for instance this URL,, which incorporates a question string. The 

register_globals explanation permits us to get to the esteem with $var 

rather than $_GET['var'] consequently. This may sound valuable to you, 

in any case, tragically all factors in the code now have this property, and 

we can now effectively get into PHP applications that don't ensure against 

this unintended result. 

On the off chance that the application is running with register_globals ON, a client could 

simply put access=1 into a question string, and would then have entry to 

whatever the script is running. 

Lamentably, we can't impair register_globals from the script 

side (utilizing ini_set, similar to we regularly may), however we can utilize an 

.htaccess documents. A few has likewise permit you to have a php.ini 

record on the server. 

Impairing with .htaccess 

php_flag register_globals 0 

Impairing with php.ini 

register_globals = Off 

Note: If you utilize a custom php.ini record that is not relevant to the 

whole server, you should incorporate these revelations in each sub organizer 

that has PHP. 

Step : Protecting against SQL Injection 

Last, however not slightest, is a standout amongst the most understood security assaults 

on the web: SQL infusion. SQL infusion assaults happen when information goes 

unchecked, and the application doesn't escape characters utilized as a part of SQL 

strings, for example, single quotes (') or twofold quotes ("). 

On the off chance that these characters are not sifted through clients can abuse the framework by making questions constantly genuine and in this way permitting them to trap login frameworks. 

Bothersome login box being hacked 

Fortunately, PHP offers a couple instruments to ensure your database 

input. When you are associated with a sql server you can utilize these 

capacities with a basic call, and your factors ought to be protected to utilize 

in questions. The greater part of the real database frameworks offered with PHP incorporate 

these security capacities. 

MySQLi permits you to do this in one of two ways. Either with the mysqli_real_escape_string capacity when associated with a server: 

$username = mysqli_real_escape_string( $GET['username'] ); 

mysql_query( "SELECT * FROM tbl_members WHERE username = '".$username."'"); 

Then again with arranged proclamations. 

Arranged explanations are a technique for isolating SQL rationale from the information being passed to it. The capacities utilized inside the MySQLi library channel our contribution for us when we tie factors to the readied proclamation. This can be utilized like so (when associated with a server): 

$id = $_GET['id']; 

$statement = $connection->prepare( "SELECT * FROM tbl_members WHERE id = ?" ); 

$statement->bind_param( "i", $id ); 


One thing to note when utilizing arranged articulations is the "i" in bind_param. i remains for number however you can utilize s for string, d for twofold, and b for blob contingent upon what information we are passing. 

Despite the fact that this will ensure you as a rule, you ought to 

still remember legitimate information approval as specified beforehand. 


This short instructional exercise can just begin to expose what's underneath of web security. 

At last, it is up to designers to guarantee that the applications they 

construct are protected by instructing themselves about the risks of the web and 

the most well-known sorts of vulnerabilities and assaults. In the event that you wish to 

perused more about security issues in PHP, there is a segment on security in the php manual committed to them.