Spread The Knowledge

8 Security Tips For PHP Developers

Mahesh Dhaka CEO at WEBHOBS

PHP is one of the most popular server-side scripting language used by 82.5% websites of the world which platform is known. The newer version PHP7 makes it more appealing for developers. There is a myth that PHP is less secure over other programming languages.

PHP offers robust security but it's in the hand of developers to implement it correctly or not.

Let's begin the learning to make a secure application in PHP:-

1. Disable Remote Code Execution

Remote Code Execution can be used to breach the security of web application and many of the websites don't really needs to execute the code remotely so better we should disable the functionality.


Allow_url_fopen=Off
allow_url_include=Off

2. Disable PHP Errors

Errors convey the idea to developers that what coding mistake they are doing but at the same time it also convey the idea to hackers, to find out the right way for breaching security of website.


//By using  security.ini file
display_errors=Off

3. Disable Upload Files

Most of the websites don't use the functionality to upload the files through website interface so better let's disable this functionality.


//By using  security.ini file
file_uploads=Off

4. Disable Unnecessary Modules

We have a number of PHP module which can be used to perform various task but a particular website doesn't needs all of them.You can list all the available modules by using the command # php - m


//List the available modules
# php - m
// Now set the unnecessary modules off one by one

Setting the unnecessary modules off will improve the performance and security of the Web application.

5. Restrict PHP Information Leakage

By default, PHP provides all the information regards the platform and installed modules. We can control that by using the command expose_php at the file security.ini.


//Disable to expose the information regards platform
expose_php=Off

6. POST Size

Post functionality is used to send the date from one page to another one. We can limit the size of data by using post_max_size at security.ini


//Limited the size of data
post_max_size=1k

7. File System Access

The function fopen() can be used to access all the files of website but we can limit the access of fopen() by using open_basedir


//Limited the size of data
open_basedir="/var/www/html/"

8. Disable unrequired Functions

PHP comes with many of the function which are normally not required by the web application but can be used by hackers to breath the security of the websites. So let's put them into disable mode.


//By using php.ini file
disable_functions =exec,passthru,
shell_exec,system,proc_open,popen,curl_exec,
curl_multi_exec,parse_ini_file,show_source

Ask The Queries or Share Your Views

8 Reasons why PHP is best programming language for the web development

The Smackdown b/w Node JS V/S PHP

6 Benefits Of Using PHP 7

How To Send Email Using PHP

Difference b/w PDO and MySQLi

How To Secure Cookies In PHP

8 Security Tips For PHP Developers

6 Security Tips For PHP File Upload

5 Common Attacks At PHP Website

5 Tips to Speed Up Your Website