Let’s Talk About Secure PhP Code and Word Press (short read)

What Is PhP Really?

To start off, in case someone reading isn’t familiar, let’s explain what PHP really is. PHP is essentially a server-side scripting language that gives you control over your server, which is immensely important when it comes to dynamic web content. Its purpose is to put activity into web pages; static web pages typically don’t have much activity, so most of them don’t rely on PHP, and plain HTML works for most static pages. Like any code, the quality and security of PHP depend on the planning and the developer, and every developer will at some point have a vulnerability in their code.

Is PhP Common? Where is it used? What Vulnerabilities?

WordPress is where PHP is most commonly used, and WordPress is also very popular throughout the entire world. Most of the vulnerabilities that occur in WordPress are caused by plugins, and those plugins are mostly written in PHP. The main worry here seems to be cross-site scripting. The key is to make sure that any information input by the user is verified and not simply trusted; otherwise a user could escalate their privileges. This means that when coding, you should focus on the input first. There are ways to make sure that the input data is safe, such as escaping, validating and what is called sanitization.

Here is an example of an Escape statement:

<?php
// Do some stuff that makes sure it's time to write data to the browser
?>
Thanks for your order. Please visit us again. You ordered <?php echo esc_html($productName); ?>.

Validating Routine:

<?php
// filter_var() returns the address on success and false otherwise
if (filter_var($address, FILTER_VALIDATE_EMAIL)) {
    echo "Email is valid.";
} else {
    echo "Not valid.";
}

Sanitization:

<?php
// Remove all characters from the email except letters, digits and !#$%&'*+-=?^_`{|}~@.[]
echo filter_var($dirtyAddress, FILTER_SANITIZE_EMAIL);

These examples are pulled from the WordFence website.

These statements do exactly what their names say. The escape statement is the one whose name is less self-explanatory: it makes potentially harmful data safe to write to the browser. The validation routine gives a condition under which the input is valid, and the sanitization statement cleans up some data and returns the improved version to you. These are just a few tips toward writing more secure PHP. It also helps to have a better understanding of XSS (cross-site scripting). Look around "The Lab" to learn more.
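As an added example (not from the original post or the Wordfence article it cites), here are the three techniques applied together to constructed sample values, side by side with the unescaped output they replace. esc_html() is a WordPress function; the fallback defined below when it is absent is an assumption that uses PHP's own htmlspecialchars() so the script runs outside WordPress. The function names validateEmail, sanitizeEmail and renderOrderLine and the sample input array are mine, not from the page.

```php
<?php
// Added example, not code from the original post or from Wordfence.
// esc_html() is WordPress's HTML escaper. Outside WordPress we fall back to
// htmlspecialchars(); this stand-in is an assumption, not the WP implementation.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Constructed sample input standing in for $_POST / $_GET values.
$input = [
    'productName'  => 'Widget <script>alert("xss")</script>',
    'address'      => 'alice@example.com',
    'dirtyAddress' => 'bob<b>@exa mple.com',
];

// 1. Validate: decide whether the value is acceptable at all. Reject, don't repair.
function validateEmail(string $address): bool {
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// 2. Sanitize: strip characters that cannot belong in an address, then re-validate,
//    because sanitizing does not guarantee the result is a usable address.
function sanitizeEmail(string $dirty): ?string {
    $clean = filter_var($dirty, FILTER_SANITIZE_EMAIL);
    return validateEmail($clean) ? $clean : null;
}

// 3. Escape: at the moment of output, neutralize HTML metacharacters so the
//    browser renders them as text instead of interpreting them as markup.
function renderOrderLine(string $productName): string {
    return 'Thanks for your order. You ordered ' . esc_html($productName) . '.';
}

// Vulnerable form: the raw value is dropped straight into the page.
echo "Unescaped (unsafe): You ordered {$input['productName']}.\n";
// Hardened form: <script> becomes &lt;script&gt; and is displayed, not executed.
echo 'Escaped:            ' . renderOrderLine($input['productName']) . "\n";

echo 'alice valid?    ' . var_export(validateEmail($input['address']), true) . "\n";
echo 'bob valid?      ' . var_export(validateEmail($input['dirtyAddress']), true) . "\n";

$cleaned = sanitizeEmail($input['dirtyAddress']);
echo 'bob sanitized:  ' . ($cleaned ?? '(rejected)') . "\n";
```

Run it with plain `php` from the command line. Note the difference the sanitizer makes: the dirty address fails validation as submitted, but after FILTER_SANITIZE_EMAIL removes the `<`, `>` and space it becomes a different, valid-looking address. That is why sanitizing is a convenience for cleaning up data you intend to keep, while validating (and rejecting) is the safer default when the exact value matters, and escaping is still required at output regardless of what happened on input.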
