How to improve the security of our applications in PHP?

If you usually read all our articles, you will have seen that we usually refer to passwords , although we do it with content like “How to recover your Facebook password?”, or things like that, in this case we are going to refer to a topic a little deeper but interesting.

That is why making a website is important but keeping it secure is a priority, therefore, securing web applications from all kinds of forged attack attempts is the main duty of a web developer. How to Improve the Security of Our Applications in PHP,  a tool that you can download to your computer.

You should make your web applications protective enough that they do not have security issues or loopholes, thus eliminating the possibility of any malicious attack.

In most cases, developers should take responsibility and make every effort to identify vulnerabilities and propose solutions to address problems with applications.

Index(  )

  1. What is the PHP language?
  2. How to improve the security of our applications in PHP?
    1. Cross Site Scripting (XSS)
  3. SQL injection attacks
    1. XSRF/CSRF Cross Site Forgery Request
    2. What is a session hijack?
    3. Hide files from the browser
  4. Generate random passwords in PHP

What is the PHP language?

PHP is a popular language for web development . It is so popular that in some cases companies run few rewards programs.

In these they invite different security experts to analyze their application from the core and suggest critical PHP security best practices like generating forms with dynamic listings .

How to improve the security of our applications in PHP?

It is important to Update PHP regularly , At the moment the latest and most stable version of PHP available is PHP 7.3.6. I recommend that you upgrade your PHP applications to this new one for safety.

If you’re still using PHP 5.6, you’ll have a lot of frowns when upgrading your PHP applications. You will also need to update your code and change some functional logic like password hashing etc.

There are also some tools available to check for deprecation of your code and help you migrate them. I have listed some tools below:

  • PHP 7 MAR
  • phan
  • If you are using PHPStorm, then you can use the PHP 7 Compatibility Inspection, which will show you what code will cause you problems.

Cross Site Scripting (XSS)

Cross- site scripting is a type of malicious web attack in which an external script is injected into the code or output of the website.

The attacker can send the infected code to the end user , while the browser cannot identify it as a trusted script.

This attack occurs primarily where the user has the ability to input and submit data. The attack can access cookies, sessions and other sensitive information about the browser.

You can solve this attack using htmlspecialchars. Also when using ENT_QUOTES, you can escape single and double quotes.

Meanwhile, XSS attacks can also be executed via attributes , hardcoded URI schemes, and code scrambling.

SQL injection attacks

SQL injection is the most common attack on PHP scripts . A single query can compromise the entire application. In the SQL injection attack.

The attacker attempts to alter the data that you are passing through queries. Suppose you are directly processing user data in SQL queries, and suddenly, an anonymous attacker secretly uses different characters to bypass it.

Username $ may contain tampered data that can damage the database , including deleting the entire database in the blink of an eye.

So what is the solution? PDO. I recommend that you always use prepared statements . PDO helps you secure SQL queries.

XSRF/CSRF Cross Site Forgery Request

It is quite different from XSS attacks. In the CSRF attack, the end user can perform unwanted actions on the authenticated websites and can pass malicious commands to the site to perform any unwanted actions.

C SRF cannot read the request data and mainly addresses the state change request by sending any link.

Also changed data in HTML tags. You can force the user to make status change requests, such as transferring funds, changing their email addresses , etc.

What is a session hijack?

Session hijacking is a particular type of malicious web attack in which the attacker secretly steals the user’s session ID.

That session ID is sent to the server where the associated $_SESSION array validates its storage on the stack and grants access to the application.

Session hijacking is possible through an XSS attack or when someone gains access to the folder on a server where session data is stored.

Hide files from the browser

If you have used PHP micro-frameworks, then you must have seen the specific directory structure that ensures correct file placement .

Frameworks allow you to have different files like controllers, models, configuration files (.yaml), etc. in that directory, but most of the time the browser does not process all the files.

However, they are available to view in the browser. To solve this problem, you should not put your files in the root directory but in a public folder so that they are not accessible all the time in the browser.

Very well, we have already touched on the subject of how to protect our web page with PHP and how to improve its security, now we will talk about how to generate random keys or passwords with this same tool.

How to Generate Random Passwords Using PHP

However, we know that many users’ problem is not really about how to recover their passwords, which they know how to do perfectly, but that they want to know how to generate more reliable passwords .

In this sense, we have to say that practically all the Internet sites and platforms that we use on a day-to-day basis force us to enter a password, and for this reason we place less and less emphasis on its security , betting on remembering them easily.

For this reason, and given the number of inquiries received in this regard, below we want to show you a trick to generate random passwords in PHP in a very easy and fast way, so that you always have a new one at hand.

Generate random passwords in PHP

Well, at this point you have to know that next we are going to offer you two different methods for generating passwords, one of which is very simple, and another that has some additional complications, although it generates more secure passwords.

Well, the first of the methods could be this:

substr(md5(uniqid()), 0, 10);

Here you have to keep in mind that we are in the presence of a formula that can get us out of trouble , since in just a few seconds it will be able to generate a password that works for us on almost all devices and platforms.

We can see that it uses several PHP methods to generate the password, including some of the most common functions of this language , which goes without saying that it is not suitable for everyone.

The small drawback of that first trick that we have mentioned is that, in certain cases, the resulting password may not be as secure as it should be, and it is in those cases that you should bet on this second solution :

<?php function generate_complex_password($long){
$base_string = ‘ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz’;
$base_string .= ‘0123456789’ ;
$base_string .= ‘ !@ #%^&*()_,./<>?;:[]{}\|=+’;

$password = ”;
$limit = strlen($base_string) – 1;

for ($i=0; $i < $long; $i++)
$password .= $base_string[rand(0, $limit)];

return $password;

On this occasion we are in the presence of a function from which it is possible to launch absolutely all the operations that allow us to generate our random password for later use on social networks, Internet sites, etc.

The best thing about this great function is that it allows us to generate a random password that has letters, numbers and special characters , which are the requirements that the most demanding services usually request in this regard.

The system will take care of itself by taking passwords from an almost endless list of databases , so that we can create one that fits exactly what we need.

At this point, you will be able to see a series of passwords that will be ready for you to use when you consider it necessary.

As you execute the aforementioned function, for each execution, a new password will be generated, in such a way that if for some reason you require several, you only have to continue launching it as many times as necessary.

Of course, there is no doubt that beyond the complications of this procedure, generating a password thanks to it is a much more attractive solution than betting on the usual 123456 .

In this way, we would be leaving behind one of the main inconveniences that we encounter as users when we want to sign up for any type of service or platform that requires a password, trying to avoid theft of personal information .

As we explained before, the possibility of generating PHP passwords may sound complicated for most of the users, so if you are looking for something simpler, you should bet on the programs to generate passwords that also exist on the web.

Once you have used these passwords and in case you have lost them, remember that there are programs to recover passwords in Windows and others for different devices that have been specially developed for this.

Have you been able to generate your random passwords with this tutorial that we just showed you?





Leave a Reply

Your email address will not be published. Required fields are marked *