English
English
As PHP remains one of the most widely used web development languages, its flexibility also makes it prone to security risks when not properly handled. This article introduces several common PHP vulnerability types, explains how attackers exploit them, and outlines how developers can effectively defend against them. Unnecessary HTML and promotional content have been removed for clarity.
Description: SQL injection occurs when attackers inject malicious SQL statements into user input fields to manipulate database queries, potentially bypassing authentication or stealing data.
<?php
$id = $_GET['id'];
// Build SQL query
$sql = "SELECT * FROM users WHERE id = " . $id;
// Execute query
$result = mysqli_query($conn, $sql);
// Handle results
// ...
?>Issue: The code directly concatenates user input into the SQL statement. For example, passing id=1 OR 1=1 would make the condition always true, exposing sensitive data.
Defense: Use parameterized queries (prepared statements) or ORM frameworks instead of string concatenation. Validate input types (e.g., ensure id is an integer), and handle database errors safely without exposing internal details.
Description: File inclusion vulnerabilities occur when developers include files based on unchecked user input, allowing attackers to load arbitrary or remote files.
<?php
$page = $_GET['page'];
// Include a page file dynamically
include("pages/" . $page . ".php");
?>Issue: Without restricting the page parameter, an attacker could pass page=../config to access sensitive configuration files or include malicious scripts.
Defense: Avoid directly including user-specified paths. Use a whitelist of allowed files. Validate and resolve paths to ensure they remain within the intended directory. Disable remote file inclusion in PHP settings (e.g., allow_url_include).
Description: Improper file upload handling allows attackers to upload disguised executable files and gain unauthorized access or execute arbitrary code.
<?php
$targetDir = "uploads/";
$targetFile = $targetDir . basename($_FILES["fileToUpload"]["name"]);
// Check file type
$fileType = strtolower(pathinfo($targetFile, PATHINFO_EXTENSION));
if ($fileType != "jpg" && $fileType != "png" && $fileType != "jpeg" && $fileType != "gif") {
exit("Only image files are allowed!");
}
// Upload file
if(move_uploaded_file($_FILES["fileToUpload"]["tmp_name"], $targetFile)) {
echo "File uploaded successfully!";
} else {
echo "File upload failed!";
}
?>Issue: Checking only the file extension is insufficient. Attackers can rename a PHP file to look like an image and execute it on the server.
Defense:
Web security is an ongoing process. Here are key practices to maintain a secure PHP environment:
This article demonstrated several common PHP vulnerabilities along with their defense methods. Security should be embedded throughout the development lifecycle — from design and coding to deployment and maintenance. Real-world vulnerabilities may be more complex, so continuous learning, code reviews, and penetration testing are essential to keeping PHP applications secure.
