
Useful functions to provide secure PHP application

  Pi Ke      2014-10-30 04:21:59

Security is a very important aspect of programming. Every real programming language provides functions or modules for security-related tasks. Modern websites take input from users all around the world, and there is a famous saying: never trust user input. So in web programming languages we often see functions whose job is to make data supplied by users safe to use. Today we will cover some of these functions in the most popular open source web language, PHP.

PHP has a few useful functions which are very handy for protecting your website from attacks such as SQL injection and XSS. Let's look at a few of the functions available in PHP to tighten security in your project. Note that this is not a complete list; it is just a list of functions I have found useful in my own projects.

1) mysql_real_escape_string() - This function is very useful for preventing SQL injection attacks in PHP. It adds a backslash before special characters such as single quotes, double quotes and backslashes, so that user-supplied input is escaped before it is used in a query. Make sure you have an open database connection when you call this function, because it requires one.

mysql_real_escape_string() is no longer recommended; all new applications should use a library such as PDO for database operations, where prepared statements keep you clear of SQL injection altogether.
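The difference between escaping by hand and using a prepared statement, as an added example that is not part of the original article. It runs against an in-memory SQLite database (so it needs the pdo_sqlite extension rather than MySQL); the `users` table, its rows, the `findUserUnsafe`/`findUserSafe` function names and the sample input are all constructed for the illustration.

```php
<?php
// Added example: the same lookup written by concatenating the input into the
// SQL text, and written with a PDO prepared statement. Uses SQLite in memory
// so it runs stand-alone; the table and rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)");
$pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Constructed user input of the kind the article warns about: it carries a
// quote character, so it can only be handled safely as data, never as SQL.
$userInput = "' OR '1'='1";

// Unsafe: the input becomes part of the SQL text, so the quote characters in
// it change the structure of the WHERE clause instead of being compared.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is fixed when the statement is prepared and the value is
// bound as a parameter, so whatever the string contains is compared as a name.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT name, role FROM users WHERE name = :name");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo "unsafe query matched " . count(findUserUnsafe($pdo, $userInput)) . " row(s)\n";
echo "safe query matched   " . count(findUserSafe($pdo, $userInput)) . " row(s)\n";
```

Run with `php example.php`: the concatenated query returns every row in the table because the WHERE clause has been rewritten, while the prepared statement returns nothing because no user is literally named `' OR '1'='1`. The same prepared-statement pattern also makes the `addslashes()`/`magic_quotes_gpc` double-escaping problem in the next item disappear, since nothing is escaped by hand at all.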

2) addslashes() – This function works similarly to mysql_real_escape_string(). But make sure you don't use it when "magic_quotes_gpc" is "on" in php.ini: in that case single quotes (') and double quotes (") in GET, POST and COOKIE variables are already escaped with backslashes, and applying addslashes() would escape them a second time. You can check the setting with the get_magic_quotes_gpc() function available in PHP.

3) htmlentities() – This function is very useful for sanitizing user input before it is displayed. It converts characters that have a special meaning in HTML into their HTML entities: for example, when a user enters "<", it is converted into &lt;, which helps prevent XSS and SQL injection attacks.

4) htmlspecialchars() – Certain characters have special significance in HTML and must be represented by HTML entities if they are to keep their meaning. This function returns a string with those conversions made. For example, '&' (ampersand) becomes '&amp;'.

5) strip_tags() – This function removes all HTML and PHP tags (including <script> tags) from a string. You can also allow particular tags to remain in user input by listing them in the second parameter of this function.
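What items 3 to 5 do to one and the same string, as an added example that is not from the original article. The input string, the `renderComment` helper and the `<b>` allow-list are constructed for the illustration. One caveat worth keeping in mind: these three functions make text safe to embed in HTML output, so they address XSS; a database query needs the prepared-statement treatment from item 1 regardless of whether the value was HTML-encoded.

```php
<?php
// Added example: the three output-encoding functions applied to a constructed
// input containing a script tag, an ampersand, an allowed tag and a non-ASCII
// character.
$input = '<script>alert("x")</script> Tom & Jerry <b>bold</b> café';

// htmlspecialchars() encodes only & < > " (and ' because of ENT_QUOTES), which
// is all that is needed to stop the string from being parsed as markup.
$safeText = htmlspecialchars($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// htmlentities() does the same and additionally converts every character that
// has a named entity, so "é" becomes "&eacute;". Useful when the page charset
// is not UTF-8; with UTF-8 output htmlspecialchars() is enough.
$entities = htmlentities($input, ENT_QUOTES | ENT_HTML5, 'UTF-8');

// strip_tags() removes tags entirely; the second argument keeps <b>.
// Note two things: the text that was inside the removed <script> tag is kept,
// and "&" is left as-is, so stripped text must still be escaped before output.
$stripped = strip_tags($input, '<b>');

echo "htmlspecialchars: ", $safeText, PHP_EOL;
echo "htmlentities:     ", $entities, PHP_EOL;
echo "strip_tags:       ", $stripped, PHP_EOL;

// Typical use: escape at the point of output, keeping the raw value in storage,
// so the same stored string can later be rendered in HTML, JSON or plain text.
function renderComment(string $comment): string
{
    return '<p>' . htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

echo renderComment($input), PHP_EOL;
```

The constant combination `ENT_QUOTES | ENT_HTML5` with an explicit `'UTF-8'` charset is the form worth copying: it encodes both quote styles (so the value is also safe inside an attribute) and avoids the charset defaulting differently between PHP versions.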

6) md5() – Some developers store plaintext passwords in the database, which is bad from a security point of view. This function generates a 32-character MD5 hash of the supplied string. The hash generated by md5() is not reversible, i.e. it cannot be converted back to the original string.

This function is no longer considered safe, because there are open databases that can be used to look up the plaintext of a hashed value. You can find a list of MD5 hash databases here.

7) sha1() – This function is similar to md5() but uses a different algorithm and generates a 40-character hash of a string, compared to 32 characters for md5(). One more note: don't forget to add a salt, otherwise your life will be salty.
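Items 6 and 7 side by side, as an added example that is not part of the original article: an unsalted md5()/sha1() digest, the salted sha1() the author recommends, and password_hash()/password_verify(), which is PHP's built-in replacement for both. The sample password, the `verifySaltedSha1` and `verifyPassword` helper names are constructed; `random_bytes()` assumes PHP 7.0 or newer, and `password_hash()` assumes PHP 5.5 or newer.

```php
<?php
// Added example: three ways of storing a password, from weakest to the one
// PHP itself provides. The password below is a constructed sample.
$password = 'hunter2';

// 1) Unsalted md5()/sha1(): every user with this password gets the identical
//    digest, so a single lookup in a precomputed table (the "MD5 hash
//    databases" the article mentions) reveals all of them at once.
$md5  = md5($password);    // 32 hex characters
$sha1 = sha1($password);   // 40 hex characters

// 2) Salted sha1(): a random per-user salt stored next to the digest makes the
//    digest unique per user, so precomputed tables no longer apply. SHA-1 is
//    still a fast hash, so guessing one user's password remains cheap.
$salt       = bin2hex(random_bytes(16));
$saltedSha1 = sha1($salt . $password);

function verifySaltedSha1(string $candidate, string $salt, string $stored): bool
{
    // hash_equals() compares in constant time, avoiding a timing side channel.
    return hash_equals($stored, sha1($salt . $candidate));
}

// 3) password_hash(): bcrypt with a random salt and a tunable cost factor. The
//    algorithm, cost and salt are embedded in the returned string, so only
//    that one string needs to be stored and password_verify() reads it back.
$hash = password_hash($password, PASSWORD_DEFAULT);

function verifyPassword(string $candidate, string $hash): bool
{
    return password_verify($candidate, $hash);
}

printf("md5:     %s\nsha1:    %s\nsalted:  %s:%s\nbcrypt:  %s\n",
       $md5, $sha1, $salt, $saltedSha1, $hash);
var_dump(verifySaltedSha1('hunter2', $salt, $saltedSha1));
var_dump(verifyPassword('hunter2', $hash));
var_dump(verifyPassword('wrong', $hash));
```

Running it twice shows the point of the salt: the md5 and sha1 lines are identical on both runs, while the salted and bcrypt lines differ every time even though the password is the same. The two verify calls with the right password return true and the one with the wrong password returns false.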

8) intval() – Please don't laugh. I know this is not a security function; it is the function that gets the integer value of a variable. But you can use it to secure your PHP code. This function is most often used when you want to parse values that should be integers, such as ids or ages.
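How intval() behaves on the kinds of values that arrive in a query string, as an added example not from the original article. It goes slightly beyond the article by contrasting intval() with filter_var() and FILTER_VALIDATE_INT, which rejects malformed input instead of silently coercing it. The sample values and the `requireId` helper are constructed.

```php
<?php
// Added example: intval() versus FILTER_VALIDATE_INT on constructed inputs.
$samples = [
    '42',            // a plain integer
    '42abc',         // integer followed by junk
    "42' OR 1=1",    // an injection attempt wrapped around a number
    'abc',           // no number at all
    '',              // empty string
    '0x1A',          // hex-looking string
    '3.99',          // float-looking string
    '-7',            // negative integer
];

foreach ($samples as $raw) {
    printf("%-14s intval=%-4d filter_var=%s\n",
           var_export($raw, true),
           intval($raw),
           var_export(filter_var($raw, FILTER_VALIDATE_INT), true));
}

// intval() never fails: it always returns an int, which is exactly what makes
// building "WHERE id = " . intval($raw) safe against injection. The cost is
// that 'abc' and '' silently become 0 and '42abc' becomes 42, so a typo or a
// tampered value is not reported. When the caller should learn that the value
// was not an integer at all, FILTER_VALIDATE_INT returns false for everything
// that is not a well-formed integer, and the range option rejects ids <= 0.
function requireId(string $raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('invalid id: ' . var_export($raw, true));
    }
    return $id;
}

try {
    echo "requireId('42') = ", requireId('42'), PHP_EOL;
    echo "requireId('42abc') = ", requireId('42abc'), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), PHP_EOL;
}
```

Both approaches are legitimate; the choice depends on whether "not a number" should be treated as id 0 (and therefore match nothing) or be refused with an error the caller can act on. Either way, binding the resulting integer as a prepared-statement parameter, as in item 1, is still the safest way to get it into a query.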
