How to ensure security of PHP application?

Started by ezhabchik, Sep 06, 2022, 02:36 AM

Previous topic - Next topic

ezhabchikTopic starter

Hello everyone, I am seeking advice on improving the security of my PHP application. Specifically, I have implemented various measures like using trim function to process fields and removing special characters from unnecessary fields, taking only originally conceived field length, and using mysqli binds for data validation. Despite this, I have noticed some attacks that attempt to perform SQL injections and spam requests, causing clogging of the tmp folder.

Although I have contacted the operator and they have turned on a filter to stop unwanted requests, requests from payment systems are also being blocked. They provided a list of IP addresses that send payment confirmations and claimed to have given it to the administration department, but there has been no response for days now. What would be your advice in such a situation?


Let's discuss some measures to improve the security of a PHP application. Firstly, the use of trim() function for processing fields is recommended but it has no direct relation to security. Secondly, it is not advisable to correct the input data by deleting special symbols. Instead, input data should be checked or processed and error messages should be issued in case of any discrepancies. Cross-site scripting (XSS) attacks are another concern and the output data should be filtered through htmlentities() function to remove tags and JS code.

When it comes to flood protection, cloud protection can be enabled but relying on web hosting can cause complications. The best approach is to optimize the operation of the web application and reject malicious requests at the entrance. A separate subdomain or domain with separate IP address can be used for billing requests to avoid server overload.

In using the htmlentities() function, it is important to remember that it only provides protection in ENT_QUOTES mode, and the backslash is not encoded. If a backslash is needed, it should be manually replaced with its HTML representation after processing the input. The input encoding must also be specified in the function call if working with a specific encoding like KOI8-R.


Cross-site request forgery (CSRF) attacks involve an attacker using various tactics to gain confidential information or carry out transactions without the victim's knowledge. These attacks are often successful on poorly protected sites that rely on GET requests for their business logic. However, GET requests should only be used to access information and not to carry out transactions since they are idempotent and can be accessed multiple times without interference.

An example of a CSRF attack is when an attacker sends a special URL or image containing a bad address to a logged-in user. If the user clicks on the URL or opens the image, the attacker can transfer funds or obtain confidential information without the user's consent. To prevent such attacks, POST requests should be used for processes that require changes to be made in the database and $_GET and $_POST should be used to extract relevant parameters.

Another effective measure is to generate a unique token and attach it to each POST request. The token should be generated randomly when a user logs in and stored in the session. It should also be written to a hidden field on all forms displayed to the user. The application's logic should then check the token from the forms against the token stored in the session to ensure authenticity and prevent CSRF attacks.


In a situation where you have already taken steps to improve the security of your PHP application but are still facing issues with SQL injections and spam requests, there are a few additional measures you can take:

1. Input Validation: Ensure that you validate and sanitize all user inputs, including form fields and query parameters. Use whitelisting or regular expressions to define and enforce strict input patterns.

2. Prepared Statements or Parameterized Queries: Instead of directly embedding user inputs into your SQL queries, use prepared statements or parameterized queries. This helps prevent SQL injection attacks by separating the SQL code from the data.

3. Security Audits: Consider conducting a security audit of your application's codebase to identify any potential vulnerabilities. Automated tools like static code analyzers can help detect common security weaknesses.

4. Rate Limiting and CAPTCHAs: Implement rate limiting on your application to prevent brute force attacks and limit the number of requests from a single IP address. Additionally, consider using CAPTCHAs to ensure that only legitimate users can access certain functionalities.

Regarding the issue with the payment system requests being blocked, it is important to continue communication with the operator and administration department. If you haven't received a response in days, try reaching out to alternative points of contact provided by the operator and emphasize the urgency of the situation. Ensuring that payment confirmations are not blocked is essential for the functioning of your application, and it is crucial to resolve this issue as soon as possible.