Make these mistakes and hackers will attack your web application using Cross Site Scripting, SQL Injection, Path Traversal, and other attacks to take over your website. Let’s review common mistakes and their prevention methods. 1- Echo user input Below code is enough to create a vulnerability in your website. XSS echo '<p>' . $_GET['name'] . '</p>'; // vulnerable to XSS Never directly use user input for generating response content. You have to use proper encoding on user input to escape any dangerous code. PHP has the build-in htmlentities() function to encode html special characters that you can use. echo '<p>' . htmlentities($_GET['name']) . '</p>'; // safe code Sometimes user input is used indirectly for generating a page. For example, user input might be saved in a database before being used in the response. 2- Using user input in file paths Generating and using file paths that contain user inputs is one of the most dangerous mistakes that can cause critical vulnerabilities like: Local File Inclusion Remote File Inclusion Remote File Disclosure Remote URL Inclusion Path Traversal Below code is an example of a file inclusion vulnerability. include $_GET['file']; // vulnerable to remote/local file inclusion To prevent file inclusion vulnerabilities: Resolve all relative paths containing and to absolute paths and make sure the final file is in the directory where it should be. ./ ../ Try to accept only whitelisted inputs whenever possible Check for invalid characters in the filename like null byte, questions mark, semicolon, etc. Do not include URLs starting with a scheme (http://, ftp://, etc.) 3- Concatenating SQL queries with user input Creating SQL queries using user input allows users to manipulate the original SQL command and inject their arbitrary command. This is called . Hackers can exploit SQL Injection vulnerability to execute commands like drop on the database or execute system commands. SQL Injection Example code: <?php $db = new SQLite3('products.db'); $id = $_GET['id']; // below line is vulnerable to SQLI $name = $db->querySingle("SELECT name from products where productId=$id"); // below line is not vulnerable $name = $db->querySingle("SELECT name from products where productId='" .SQLite3::escapeString($id) . "'"); echo $name ; It’s always a good practice to use prepared statements for creating SQL queries to prevent SQL Injection. Another method to avoid SQLI is to escape special characters in the user input (like the above example). 4- Executing user input Below commands in PHP allow execution of either PHP code or OS commands. eval() preg_replace() system() exec() passthru() shell_exec() Passing user input as arguments to the above functions can cause vulnerabilities where hackers can execute arbitrary commands on the server. Consider below code as an example: command execution $ip = $_GET['ip']; echo exec("ping $ip"); The above code is a ping service where users can ping any IP. If a user enters as an IP address then the command gets executed on the server. 1 & echo 123 echo How to prevent command execution vulnerabilities: Avoid using functions like , , … eval() system() Accept whitelisted inputs Check inputs for special characters like &, semicolon The popen() function can also be used for command execution indirectly. So be careful when using it. 5- Redirecting to user input Redirecting a user in PHP is common and easy. It can be done using below code. header('Location: ' . $_GET['url']); // vulnerable code But this is vulnerable! It can be exploited to redirect the user to any other website. To prevent , make sure the URL is not an off-site link before redirecting the user. open redirections 6- Displaying errors PHP errors disclose information like path/files, database errors, OS type, and some other information. Displaying any kind of PHP errors on production helps hackers to break into your website easier. But you still need to log and review PHP errors on the production server. So you should have errors reported but not shown to the user. error_reporting(E_ALL); // enable reporting of errors display_errors(true); // bad code for production, it displays all errors to the user display_errors(false); // safe for production usage, no error is shown to user 7- phpInfo() The function displays a huge amount of information. PHP version number, active extensions, configurations, and system paths are a few examples of such information. This information can be used by hackers to learn about the server and craft their attacks to be more successful. To avoid any information disclosure it’s better to never use the phpInfo() function on production servers. phpInfo() Conclusion Dealing with user inputs in PHP applications can be tricky and prone to different vulnerabilities. XSS, SQL Injection, and local file inclusion are a few of explained vulnerabilities related to user inputs. Make sure you have strict checking for user inputs and avoid using risky functions like eval() and phpInfo() to have a more secure code.
