List of All Basic PHP Security You Need to Know | PHP Security for Beginners | PHP Security Lesson

Captions
Today is going to be a slightly different video, since I want to be a bit more informative in this one and just briefly go over what exactly you need to get into if you want to talk about basic PHP security. So you're going to learn about basic PHP security in this video, but like I said, we're not going to go into too much detail on each one of them. I will give a few code examples so you know a little bit about what exactly you need to do, but it is important to keep in mind that you can always go very deep into PHP security, and these are the basic ones that you need to get started with in order to know the basics when it comes to PHP security. Some of the ones I'm going to talk about in this video are something I have done a video on in the past, so if there is a specific one that we have already covered, then I will leave a link for that in the description so you can check that out, and for the ones I haven't covered yet on this channel I will leave an empty space for that in the description, so once I do add a video on that in the future, I will go back and update the links inside the description so you have a specific video for that topic.

So now the first one I'm going to talk about here is something called SQL injection, and SQL injection is something we have done quite a bit on my channel here, since that is pretty much an essential thing. While all of these are essential, SQL injection is a way for you to protect your database from any sort of user that might maliciously try to go inside any sort of input inside your website. So for example a login system: you have a username and password input, and they can go inside one of those inputs and type in code, and if they were to do that, they can actually send a code command to your database and start deleting things, or something that might destroy your database, which is not a good thing. The way we defend against that is of course using prepared statements. That is basically when we go inside our code and, instead of just querying the database immediately using the data that the user submitted, we separate the data from the query: we send the query in first and then send the user data afterwards, and that way we can defend our database against SQL injection, since we separate these different tasks. We do have a code example here inside my notes that I can paste in for you to see, and I will go ahead and wrap this down onto two lines since it is cutting off a little bit there, but basically all you have to do here is create a prepared statement, where you go in and create the SQL code that you're going to send to the database, you prepare it, and then afterwards you submit the data that the user submitted. So in this case here, a username, we use a placeholder inside our query to say that okay, this is going to get filled in later on, and then later on we bind the data to our placeholder and then we execute it, so we just send it in afterwards. Again, SQL injection is something we have covered extensively on my channel, inside my latest PHP course here, so if you want to know more about SQL injection, you're more than welcome to visit the link in the description.

The next thing I want to talk about is something called cross-site scripting, which is also a very popular way to mess up a website. Basically, whenever you have any sort of output from a user, for example from a database, or if a user submitted some data inside an input and then you output it directly inside your website, it is important that you go in and do something about that data before you output it inside your website, because if the user were to submit some code, for example some JavaScript, and then you output it inside the website without doing anything to that data, then it is possible for the user to go inside your website and actually run some code inside your website. This is also something that can actually get submitted into a database, so if you're not careful... it is important that any time you output any sort of data from a user, whether it is data that they submitted into a database, you always go in and do something about the data before we actually output it. So let's take an example here: let's say I go inside my website and I grab a username from an input, for example something the user submitted. This is something they can submit, and it can be whatever they feel like, for example a piece of JavaScript code or something else they might just feel like injecting into our website, and what we basically do is, whenever I want to output data, I can go in and sanitize the data by adding the htmlspecialchars function, which is built into PHP, that takes that data and converts it to HTML special characters. Which is, for example, instead of using ampersands, it uses the HTML characters for that particular ampersand, so it's not going to actually be an ampersand, but when they actually get output inside your website, it will get converted back to an ampersand. So this is kind of like a weird little in-between here, where we convert it to something else, and then when we output it, it is converted back again to an ampersand, in order to avoid any sort of code getting output inside our website. It is important to mention here as well that it is best practice to not do any sort of sanitation like we just did here when you insert data into a database, but once you take the data from inside the database and output it inside your website, then you need to do it, and the reason for that is that in some cases, for specific types of applications, we don't want to have HTML special characters inside our database, because that makes it unusable in some types of applications. So just know that it's best practice to sanitize data afterwards, when you actually want to output the data.

The next thing we're going to talk about is something called cross-site request forgery, which is another way where a hacker basically makes you do things that you don't want to do inside a website. This could for example be if you're logged into a place where you can buy things or something like that, and when you log in for the first time, then a hacker maybe makes you click on a certain link that takes you in and actually runs a script inside your browser to make you do unwanted actions inside that particular website that you're logged into. This can be through a link or an email or an advertisement; any sort of code that has any sort of maliciousness to it that you then click on can make you do things inside a website that you're currently logged into. So in order to avoid that, we do have a method to do so, and I do also have that inside my notes here. So a basic example of this is to go in and create something called a CSRF token, which basically makes you go inside your website, you create random bytes that you convert to hexadecimal, which is going to generate this weird string of hexadecimal characters, and then we use the data inside this session variable to compare together with any sort of request data that we might have inside the website. For example, using a form where we have a hidden input, and inside this hidden input we could for example have the CSRF token, and when we send that request, we then compare this session variable to that token to verify the authenticity of that particular user who's currently using the website.

The next thing we're going to talk about is security when it comes to file uploads, which we haven't covered yet on my channel, but essentially whenever you want to upload a file using a form, because that's something we can do, then you do want to make sure that you always check if that file is of a particular type and that it also has a particular extension, because if a user tries to send something bad using a file into your website, then you want to make sure that it has the proper extension and file format in order for that to be properly authenticated. I don't know why I said it like this; it is getting authenticated as the correct type of file that the user is actually submitting. So again, to give an example here, let's say we actually just submitted a form that has a file inside of it, and then inside the other page we actually have to handle that file and do something with it using PHP. We can go ahead and create a variable called allowed types, so we basically say what kind of file types we will actually allow inside our website. We store that inside an array, and we can just keep putting commas and file formats that you might want to accept inside this particular website here, and then we also create one for allowed extensions: so if it's going to be a JPEG, for both kinds of JPEGs, if it's going to be PNG or GIF, whatever you might want to accept, maybe PDF files or something. Then you go down and actually grab the actual file that was submitted by referring to a superglobal called $_FILES, so we can go in and say we want to grab the file key and say what kind of type this particular file is. So in this case here it is going to tell you whether or not this is going to be, for example, image/jpeg or image/png or whatever, and then we can also check for the extension here, and then we basically just go down inside our if condition and say if our allowed types or allowed extensions exist inside what we just grabbed here, when it comes to the information about this particular file that was submitted from the form. So if that exists inside that file, then we will allow for something to happen, for example uploading the file, so to speak. Again, we haven't really covered this specifically on my channel, although I do think I might have a really old seven-year-old tutorial on this that actually talks a bit about how to upload files and do this sort of thing, but I don't have any new tutorials on this, so if you want to know more about this, then now you understand a little bit about the basics of it, to sort of help you understand other tutorials a little bit better so you know exactly what you're getting into.

The next thing we're going to talk about is password storage and hashing, and this is something we have also covered on this channel here. So if you want to store any sort of sensitive data, and you want to be able to compare that data with something that has been submitted inside the website, for example a login system: if you sign up a user and they have to have their password stored inside a database, and then once they log into the website you have to compare the password they used to log in with the password inside your database, then it is a very good idea that the password inside the database is not something you can actually read. So that is what we use hashing for. We basically take a piece of data, for example a password, and then we hash it to make it unreadable, so you would have to figure out a way to try and read it, which is close to impossible. So hashing is very important, and I do again have an extensive tutorial on this, but we can just briefly talk about it here. So inside my notes I'm just going to paste in what I have: basically we have a password submitted by the user that is then sent to another PHP file, which in this case is this file here. We grab the password from the user, and before we actually store it inside the database, again using prepared statements, which we talked about in the first example in this video, you want to make sure you take the password and you set it equal to a new variable where you basically just go in and hash the password using either PASSWORD_DEFAULT or PASSWORD_BCRYPT. In this case here I'm using bcrypt, because you can actually add a delay, or what is called a cost factor, to the hashing mechanism. In this case I didn't include that inside my example, but that is something you can do. Now I might as well show it: so if you go up here and we create an array, we're going to call this one options, I'm going to set this one equal to an array, so we're going to say brackets here, then we're going to go after and say we want to add a piece of data, so in this case it is going to be the cost. So we're going to say we have a cost, and we point to a value which is going to be somewhere between 10 and 12, because that is the normal that you might want to do. Then you take those options here and you paste it inside as the last parameter inside your function down here, and in this sort of way we now have a cost factor to add a delay inside our website, to not allow brute forcing of a certain password. So this is something that is good to have when it comes to making people not automatically just spam random passwords inside a password input with a particular username, so they can try and guess the right password at some point. So this is going to make this a lot more difficult, since it is going to add a huge delay, which makes it just not worth it to try and brute force their way into the website. So this is a good idea, and this is something you can add whenever you use PASSWORD_BCRYPT, so that is why I recommend using PASSWORD_BCRYPT and not PASSWORD_DEFAULT. And then of course, once we actually grab the actual password from the database, so this is a little bit later on, let's say now we have to log into the website: so this is for signing up inside the website, this is for logging into the website. Then you grab the password from the database, which is this one over here which is called hashed password, and then you just basically compare it to the password the user submitted when they try to log into the website, and if this is returning as one, or as true, then it means that these are the same passwords. So in this kind of way we can compare two pieces of data even though they are hashed and we can't really read them, to see if they are in fact the same.

Then we do also have something called input validation and data sanitation. So basically, whenever we have a user submit some kind of data inside our website using any sort of form, and then we have to do something about that form to sanitize the data to make sure this is the correct data being submitted, then we can go in and actually validate and sanitize that particular data, to again ensure that this is the correct data they are submitting, so they're not trying to do any funky business inside our website. Now I do think it is a good idea to just paste in the code here and then talk about it afterwards. So in this example here we have a user submitting an email, and then we basically just go in and filter it to see if this is actually a valid email format. This is a little bit different than using htmlspecialchars, because htmlspecialchars takes the data and then makes it into non-dangerous data by converting it into HTML special characters, but using a filter, whether it be filter_input or filter_var, in this case it is filter_var, we can go in and actually check if this is a valid piece of data, and if it is not, it is going to return false. So there is a slight difference from using htmlspecialchars, because that will just go in and make the data non-dangerous, whether or not the data is something that you should try to submit as something dangerous, whereas this one is straight up going to say: okay, this data is not what was intended, so therefore we are not going to allow it. And there are many different types of filter_var filters; you can actually see, if I go in here and I start typing FILTER_, you can see we start getting something here. I can also take it a little bit further: if I say VALIDATE, then we can validate for all types of things, for example integers and URLs and that kind of thing. So there are many different types we can filter for, so filtering information is a very good idea whenever you have to use data inside a piece of code.

The last one here is also an important one that isn't really covered in a lot of tutorials, because it isn't really something that is necessary, and something that people most likely won't point out that frequently. So if I make a tutorial on something and I don't take this particular consideration into consideration, then it's not something people are going to comment on underneath the video, so therefore you just don't see people who upload tutorials do this sort of security very often. But this is basically when it comes to error handling and information leakage. So whenever you do any sort of thing using PHP to verify data that the user submitted, using any sort of error handling that you might include inside your code to check, for example, if our input is empty or something, whenever you encounter any sort of error message inside the website, it is not a good idea to have that error message being displayed inside the actual website. And I'm more specifically talking about error messages generated by PHP itself, and not something that you created manually as a user, where you go and say: okay, well, if we run into this error message here, then I'm gonna write "invalid username" or something inside the username form. I'm talking about specific error messages generated automatically by PHP, and any sort of error messages in this way is something that you shouldn't really post inside a website, because it is something that can maybe leak some sensitive data, or just give the hacker any sort of information about what is going on inside your PHP code. So instead you should put your error messages and log them inside a separate file, so you, the developer, can go in and check these error messages without the user seeing anything inside the website. A brief example of this is a line of code that you can use here, which is the error_log function that exists inside PHP. Basically you take the error message and you put it inside as the first parameter, and then this number over here basically tells our function that this is something we're going to store inside a file, and then we basically give it the path to the file that we want to log the error in. So in this sort of way it's going to print that error inside a particular file, so we can see it as the developer, but not the user inside the website. Again, the less the user knows, the better; that's basically what the concept is here.

And the last thing I just want to touch upon here is also something called session security, which is also a video I have on my channel. So whenever it comes to any sort of session security inside your website: you go inside a website, you have a user who has signed up inside your website and now they're logged into your website, then you're going to store some data inside a session, or not necessarily when it comes to a login system, but just when it comes to any sort of thing that your website has to remember across pages, and you store that information inside a session. So when it comes to session security, there are many different things to discuss, for example not to store any sort of sensitive information inside a session, not to keep any sort of data that you don't need anymore inside the session, so always unset that data if you don't need it anymore, but also, more specifically, making sure that the session ID is not a weak ID that you're using inside your session. Because when you use session_start, which looks something like this, so we say session_start with parentheses, then this session here is a very weak and not so good session to start up inside your website. So we do have another function that we can use inside our code, which is called session_regenerate_id, which we can set equal to true, and in this sort of way we now take the current session ID and we make it even stronger. And this is something that is going to allow us to go in and actually make sure that if a hacker were to actually hijack your session and have that session available to them, then we go in and we regenerate the ID to make sure that, okay, so now the session they stole is no longer valid, because now we changed the session for this particular user who is using that session. And this is something you should be doing fairly often inside your code; you should for example write a script that automatically goes in and regenerates the ID every 30 minutes or something. Also, whenever you do any sort of validation when you log in a user, for example inside your website, you should also run this function here. So this is just a really good idea, to use regenerate ID in order to make your ID even stronger and to make sure any sort of hijacks are going to become invalid.

So having talked about all these different types of security measures that we have inside PHP, this is going to give you a good foundation when it comes to protecting your application. Of course you can go very deep into security, but these are the fundamentals that you need to know when you get into PHP for the first time, or at least when you have learned PHP and now you want to start creating applications that you can use inside an actual website; then you need to know at least these as the basics when it comes to learning about PHP security. So with this video here, I hope you got a lot of information, because I know a lot of people on my channel are beginners, so giving a quick informative video like this is something I like to do and might do more of in the future, instead of just sitting there writing a bunch of code showing you how to create certain applications. So this is something that I hope to incorporate a little bit more into my channel. So I hope you enjoyed, and I'll see you guys in the next video.
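The prepared-statement and password-hashing steps the video walks through (signup with a placeholder query and PASSWORD_BCRYPT with a cost option, login with password_verify), as an added example that is not the video's own code. It uses PDO with an in-memory SQLite database so it runs offline; the function names and the sample user are constructed here.

```php
<?php
// Added example (not the video's code): signup and login with prepared
// statements and bcrypt, against an in-memory SQLite database.
// Assumes the pdo_sqlite extension; in production you would use your real DSN.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Throw exceptions instead of silently returning false on errors.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        pwd_hash TEXT NOT NULL
    )');
    return $pdo;
}

// Signup: the query is prepared first and the user data is bound afterwards,
// so whatever the user typed is treated as a value, never parsed as SQL.
function signup(PDO $pdo, string $username, string $password): void
{
    // bcrypt with an explicit cost factor, as in the video (10-12 is typical).
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $pdo->prepare('INSERT INTO users (username, pwd_hash) VALUES (:u, :h)');
    $stmt->bindValue(':u', $username);
    $stmt->bindValue(':h', $hash);
    $stmt->execute();
}

// Login: look the user up with a placeholder, then compare with password_verify.
// The stored hash is never "decrypted"; the candidate is re-hashed and compared.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT pwd_hash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $username);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        // Unknown user: still run one hash check so the response takes about
        // as long as a wrong password would (constructed dummy hash, never matches).
        password_verify($password, '$2y$12$' . str_repeat('0', 53));
        return false;
    }
    return password_verify($password, $row['pwd_hash']);
}

$pdo = connect();
signup($pdo, 'alice', 'correct horse battery staple');   // constructed sample user

var_dump(login($pdo, 'alice', 'correct horse battery staple'));   // right password
var_dump(login($pdo, 'alice', 'wrong password'));                 // wrong password
// Quote characters in the username are just part of a literal that matches
// no row; with the placeholder they cannot change the query.
var_dump(login($pdo, "alice' --", 'anything'));

// What the table actually holds for alice: a bcrypt hash, not the password.
echo $pdo->query("SELECT pwd_hash FROM users WHERE username = 'alice'")
         ->fetchColumn(), PHP_EOL;
```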
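The output-escaping, filter_var and error_log points from the video combined into one small signup handler, as an added example that is not the video's own code. The helper names (e(), handle_signup()), the bogus DSN used to force a database error and the temporary log path are all chosen here.

```php
<?php
// Added example (not the video's code): escape at output time with
// htmlspecialchars, reject invalid input with filter_var, and send PHP's own
// error detail to a log file with error_log() while the visitor sees a generic line.
declare(strict_types=1);

// Escape when outputting, never before storing. ENT_QUOTES also encodes ' and ",
// which matters when the value lands inside an attribute, not just between tags.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function handle_signup(array $post, string $dsn, string $logFile): string
{
    // filter_var returns the validated value or false: unlike escaping, it
    // rejects bad data instead of neutralising it.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        return '<p class="error">Please enter a valid email address.</p>';
    }
    try {
        $pdo = new PDO($dsn);   // stand-in for the prepared INSERT that would follow
    } catch (PDOException $ex) {
        // Message type 3 = append to the given file. The detail (driver name,
        // DSN problems, table names) stays with the developer.
        error_log(date('c') . ' signup failed: ' . $ex->getMessage() . PHP_EOL, 3, $logFile);
        return '<p class="error">Something went wrong, please try again later.</p>';
    }
    return '<p>Welcome, ' . e($email) . '</p>';
}

// --- constructed input standing in for $_POST and the form output ---
$log = tempnam(sys_get_temp_dir(), 'errlog');

// A username containing markup, shown between tags and inside an attribute.
$username = '"><script>alert(1)</script>';
echo '<p>Hello, ' . e($username) . '</p>', PHP_EOL;
echo '<input value="' . e($username) . '">', PHP_EOL;

echo handle_signup(['email' => 'not-an-email'], 'sqlite::memory:', $log), PHP_EOL;
echo handle_signup(['email' => 'alice@example.com'], 'sqlite::memory:', $log), PHP_EOL;
echo handle_signup(['email' => 'alice@example.com'], 'bogus-dsn', $log), PHP_EOL;

echo "--- contents of $log (developer only) ---", PHP_EOL;
echo file_get_contents($log);
unlink($log);
```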
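The CSRF-token flow and the session_regenerate_id(true) call from the video, as an added example that is not the video's own code. The functions take the session as an array so they can be run from the command line with a constructed request; in a web handler you pass $_SESSION itself. The names csrf_token(), csrf_field(), csrf_check() and login_succeeded() are chosen here, and hash_equals() is a refinement beyond the plain comparison the video describes.

```php
<?php
// Added example (not the video's code): CSRF token creation, form field and
// check, plus session ID regeneration after login.
declare(strict_types=1);

// Create the token once per session: 32 random bytes -> 64 hex characters.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Hidden input for the form; the token is escaped like any other output.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Compare the submitted value with the session copy. hash_equals() runs in
// constant time, so the check does not reveal how many leading characters matched.
function csrf_check(array $session, ?string $submitted): bool
{
    if (!isset($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// After a successful login, swap the session ID so an ID captured before
// authentication is no longer valid (the true argument deletes the old session
// file). Guarded so the demo also runs on the command line without a session.
function login_succeeded(array &$session, int $userId): void
{
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $session['user_id'] = $userId;
    $session['last_regenerated'] = time();   // lets a later request re-run the swap on a timer
}

// --- constructed walk-through standing in for a real request cycle ---
$session = [];                        // stand-in for $_SESSION
echo csrf_field($session), PHP_EOL;   // rendered into the form on the GET request

$post = ['csrf_token' => $session['csrf_token'], 'amount' => '10'];   // POST from our own form
var_dump(csrf_check($session, $post['csrf_token']));

$forged = ['amount' => '10'];                       // POST from another site: no token
var_dump(csrf_check($session, $forged['csrf_token'] ?? null));

$guess = ['csrf_token' => str_repeat('a', 64)];     // right length, wrong value
var_dump(csrf_check($session, $guess['csrf_token']));

login_succeeded($session, 42);
print_r(array_keys($session));
```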
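The upload check from the video (allowed types, allowed extensions, the type reported in $_FILES), as an added example that is not the video's own code. It goes one step further than the video: because the type in $_FILES comes from the client's browser, the file contents are also inspected with finfo. Assumes the fileinfo extension; validate_upload() and the sample files are constructed here.

```php
<?php
// Added example (not the video's code): validate an upload by extension, by the
// declared type and by the type detected from the bytes themselves.
declare(strict_types=1);

const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];
const ALLOWED_EXTS  = ['jpg', 'jpeg', 'png', 'gif'];
const MAX_BYTES     = 2 * 1024 * 1024;

// Returns null when the file is acceptable, otherwise a short reason.
// $file is one entry of $_FILES, e.g. $_FILES['file'].
function validate_upload(array $file): ?string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        return 'upload failed (error code ' . $err . ')';
    }
    if ($file['size'] > MAX_BYTES) {
        return 'file too large';
    }
    // Extension from the client-supplied name, lower-cased so "PNG" equals "png".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXTS, true)) {
        return "extension '$ext' not allowed";
    }
    // The declared type from the form (what the video checks) ...
    if (!in_array($file['type'], ALLOWED_TYPES, true)) {
        return "declared type '{$file['type']}' not allowed";
    }
    // ... and the type libmagic detects from the contents, which renaming
    // the file does not change.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($detected, ALLOWED_TYPES, true)) {
        return "content looks like '$detected', not an allowed image";
    }
    return null;
}

// --- constructed sample files (a real handler reads $_FILES, then calls
// is_uploaded_file() and move_uploaded_file() once validation passes) ---
$png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($png, "\x89PNG\r\n\x1a\n" . "\0\0\0\x0dIHDR" . str_repeat("\0", 17));

$script = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($script, "<?php echo 'not an image'; ?>");

$cases = [
    'genuine PNG'  => ['name' => 'cat.png', 'type' => 'image/png', 'tmp_name' => $png,
                       'error' => UPLOAD_ERR_OK, 'size' => filesize($png)],
    'wrong ext'    => ['name' => 'cat.php', 'type' => 'image/png', 'tmp_name' => $png,
                       'error' => UPLOAD_ERR_OK, 'size' => filesize($png)],
    'renamed text' => ['name' => 'cat.png', 'type' => 'image/png', 'tmp_name' => $script,
                       'error' => UPLOAD_ERR_OK, 'size' => filesize($script)],
];
foreach ($cases as $label => $file) {
    printf("%-12s -> %s\n", $label, validate_upload($file) ?? 'accepted');
}
unlink($png);
unlink($script);
```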
Info
Channel: Dani Krossing
Views: 16,521
Keywords: all basic security you need to know in php, all fundamental security you need to know in php, list of all basic php security you need to know, php security for beginners, security in php you need to know, php security tutorial, php security lesson, php security vulnerabilities, php security course, security basics php, website security, website security php, network security php, secure coding practices in php, php Information Security, php security complete guide
Id: ZcwfGXIoA6A
Length: 19min 7sec (1147 seconds)
Published: Mon Jul 03 2023