7 Useful functions to tighten the security in PHP

Security is a very important aspect of programming. In PHP, there are a few useful functions which are very handy for protecting your website from attacks such as SQL injection and XSS. Let's check a few useful functions available in PHP to tighten the security in your project. But note that this is not a complete list; it is just a list of functions which I found useful in my own projects.

1) mysql_real_escape_string() – This function is very useful for preventing SQL injection attacks in PHP. It adds backslashes before special characters such as the single quote, double quote and backslash, so that user-supplied input is escaped before it is used in a query. But make sure that you are connected to the database before using this function, otherwise it cannot escape the string.

2) addslashes() – This function works similarly to mysql_real_escape_string(). But make sure that you don't use this function when "magic_quotes_gpc" is "on" in php.ini, or the input will be escaped twice. When "magic_quotes_gpc" is on, single quotes ('), double quotes (") and backslashes in GET, POST and COOKIE variables are already escaped with a leading backslash. You can check the setting with the get_magic_quotes_gpc() function available in PHP.

3) htmlentities() – This function is very useful for sanitizing user-supplied data before it is displayed. It converts special characters to their HTML entities. For example, when the user enters a character like "<", it is converted into its HTML entity "&lt;", so the browser displays it as text instead of parsing it as a tag, which helps prevent XSS and SQL injection attacks.

4) strip_tags() – This function removes all HTML, JavaScript and PHP tags from a string. You can also allow particular tags to be entered by the user using the second parameter of this function. For example,

echo strip_tags("<script>alert('test');</script>");

will output

alert(‘test’);
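As an added example (not code from the original post), the same constructed comment text is passed through strip_tags() with an allow-list and through htmlentities() for output, which shows the difference between removing tags and escaping them; the function names and the sample text are mine.

```php
<?php
// Added example, not code from the original post: the same constructed comment
// text passed through strip_tags() with an allow-list and through htmlentities()
// for output, so the difference between "remove tags" and "escape" is visible.

function render_comment_stripped($input)
{
    // Keep only <b> and <i>; every other tag, including <script>, is removed.
    // strip_tags() does not touch attributes on the tags it is told to keep,
    // so an event-handler attribute on an allowed tag survives this step.
    return strip_tags($input, '<b><i>');
}

function render_comment_escaped($input)
{
    // Output escaping: '<', '>', '&', '"' and "'" become HTML entities, so the
    // browser shows the text literally instead of parsing it as markup.
    // ENT_QUOTES covers both quote styles (needed inside attributes) and the
    // explicit 'UTF-8' keeps multibyte characters intact.
    return htmlentities($input, ENT_QUOTES, 'UTF-8');
}

// Constructed sample: an allowed tag carrying an attribute, a script tag and
// a multibyte character. It stands in for a comment submitted through a form.
$comment = 'Nice <b onmouseover="alert(1)">post</b> <script>alert(1)</script> from the café';

echo "stripped: ", render_comment_stripped($comment), "\n";
echo "escaped:  ", render_comment_escaped($comment), "\n";
```

Run the file on the command line and compare the two lines: the stripped version still carries the attribute on the allowed tag, while the escaped version contains no markup at all.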

5) md5() – Some developers store plain-text passwords in the database, which is not good from a security point of view. This function generates a 32-character md5 hash of the supplied string. The hash generated by md5() is not reversible, i.e. it can't be converted back to the original string.

6) sha1() – This function is similar to md5(), but it uses a different algorithm and generates a 40-character hash of a string, compared to the 32 characters produced by md5().

7) intval() – Please don't laugh. I know this is not a security function; it is a function which gets the integer value from a variable. But you can use it to secure your PHP code. Most of the values supplied by the GET method in a URL are ids from the database, and if you're sure that the supplied value must be an integer, then you can use this function to secure your code:

$sql = "SELECT * FROM product WHERE id=" . intval($_GET['id']);

As you can see above, if you're sure that the input value is an integer, you can use intval() as a security function as well.
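An added example (not code from the original post) showing item 7 in practice: a request value is turned into an integer id with intval() before it is concatenated into the query, and a table of constructed inputs shows what intval() and is_numeric() each make of values that are not clean integers. The function names and sample inputs are mine.

```php
<?php
// Added example, not code from the original post: turning a raw request value
// into an integer id with intval() before it is concatenated into SQL, as
// item 7 describes, and what intval() does with inputs that are not clean
// integers. All sample inputs below are constructed.

/**
 * Return a positive integer id from the raw request value, or null when the
 * value cannot be one. intval() always yields an int, so the result needs no
 * quoting or escaping when placed in the query.
 */
function product_id_from_request($raw)
{
    if ($raw === null || is_array($raw)) {
        return null;                 // absent, or submitted as ?id[]=...
    }
    $id = intval($raw);              // "42abc" -> 42, "abc" -> 0, "4.9" -> 4
    return $id > 0 ? $id : null;     // auto-increment ids start at 1
}

/** Build the query from item 7, or return null when the id is unusable. */
function product_query($raw)
{
    $id = product_id_from_request($raw);
    if ($id === null) {
        return null;                 // caller should answer with an error page
    }
    return "SELECT * FROM product WHERE id=" . $id;
}

// Constructed inputs. The is_numeric() column shows why a numeric check on its
// own is not the same thing: it accepts "4.9" and "1e3", which are numbers but
// not integer ids, and the raw string would still go into the SQL unchanged.
$samples = array("42", " 42", "42abc", "4.9", "1e3", "abc", "-7", "0", null);
foreach ($samples as $raw) {
    $shown = $raw === null ? "null" : "\"$raw\"";
    $query = product_query($raw);
    printf("%-8s is_numeric=%-5s intval=%-4d => %s\n",
        $shown,
        $raw !== null && is_numeric($raw) ? "true" : "false",
        $raw === null ? 0 : intval($raw),
        $query === null ? "rejected" : $query);
}
```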

20 thoughts on "7 Useful functions to tighten the security in PHP"

  1. Whilst addslashes is similar to mysql_real_escape_string, it's important to NOT use it in its place if you're using a different way to connect to a MySQL database. mysql_real_escape_string also escapes the % character, which could pose quite a security risk. Take a look at addcslashes or, my favourite, the PDO classes, which offer automatic escaping of dangerous characters.

    It's also worth noting that if you're using UTF-8, htmlentities can break multibyte characters, and the encoding will need to be set in the 3rd parameter. I normally do something like htmlentities($str, ENT_QUOTES, 'UTF-8').

    I wouldn’t laugh at intval! That’s one of my most-used functions, it’s a perfect complement to auto incrementing id fields!

  2. Good list.

    For number 7, you can also typecast your request variables, do testing against them and use easier variable names – all at the same time. You could also use intval(), I guess.

  3. I guess my PHP code was deleted with my comment. Hopefully this will work:

    if ($id = (int) $_GET['id']) {
        // Use $id here
    }

  4. I’d change the title of your post, I think these functions are not only useful, they are essential.

  5. Ya Dave, absolutely... these are essential functions from the security point of view in PHP.

    @jaredmellentine – you can do it both ways, either by type casting the variable or by using intval(). I think the syntax for using intval() is a bit easier than variable type casting for beginners.

  6. wow nice post dude. thanks for this

  7. Your articles are really great. I added you to my rss list

  8. Thanks SNaRe for motivation…

  9. I would go one further than previous commenter Jasper and recommend *against* using the mysql_* functions at all. Instead, use the PDO classes, which ship with recent versions of PHP.

  10. nice article … I like all the tips especially intval :p …. people just forget simple things and get caught !

  11. I like this article. I read it and it was very funny, but if anybody wants to be more professional, they must read GOOGLE... :))))))))

  12. Thanks for sharing these useful functions.

  13. Nick Poulos

    I know for certain types of variables (like zip code, phone, email, SSN, etc.) regular expressions are preferred or even necessary in some cases. But for quick and easy validation of certain variable types, what about using functions like is_numeric to check variables? For example:

    if (!is_numeric($_GET["id"]))
        $errors[] = "You did not enter a valid id!";
    else
        $id = $_GET["id"];

    Any reason this would be unsafe or poses a risk?

  14. CHITARANNJAN SATHUA

    If I convert all the special characters to HTML entities and insert them into my database, how can I retrieve the data and show it as I want?

  15. ibrahim sana

    Nice post, thanks.
    The mysql_real_escape_string function is used for the MySQL database only; for other DBMSs other functions are used. For example, in Postgres you can use pg_escape_string for escaping harmful characters.
    Please note that some PHP "bad features" can lead to a real security hole and are not mentioned here, for example the register_globals feature.

  16. I agree with Dave Marshall – these are absolutely essential for use in any public facing PHP application.

    Great blog, subscribed to your RSS feed just now!
