Handling deprecated functions in PHP
While working in software space such as PHP you encounter constant upgrade of technology. With every upgrade few new features and functionalities are included and sometimes existing features, functionalities and functions are deprecated. They are no longer supported by the technology development team. In PHP, this scenarios is very common. But then how do you know which PHP functions have been deprecated with new version? What would you do if you want to upgrade to newer PHP version and want to remove all deprecated functions to make site work? Finding such functions one by one with reference to PHP documentation is a pain and it consumes time.
There is quick way of achieving what you want. Make following changes to php.ini file on server with updated version and restart Apache service.
error_reporting = E_ALL & E_DEPRECATED
Now when you execute any page, PHP will throw a warning if there is any deprecated function used on that page.
Disabling information exposure through PHP system functions
There are some functions provided by PHP to help you investigate environment, parse things and locate sources and understand data flow. Some of these functions are phpinfo()
, system()
, parse_ini_file()
, show_source()
. While these functions help developers they can be equally dangerous since they reveal vital information about your server. Hackers are interested in such information. So the question is if there is any way to disable these functions which are native to PHP?
The answer is - Yes. Also, implementation is quite simple. Make following changes in php.ini file and restart Apache service
disable_functions = phpinfo,system,exec,parse_ini_file,show_source
You can add other functions to list above to disable them preventing exposing important information.
Making super global variable get rich information
In PHP, $_REQUEST
gives you super global variable data i.e. $_GET
and $_POST
data. But we seldom require data from client cookies and server sessions. Is there a way to access this information?
This is possible using same $_REQUEST
. Change following default setting in php.ini file and restart Apache service
request_order = "GP"
To
request_order = "GPCS"
(Here G = Get, P = Post, C = Cookies and S = Session data)
Note: To make it work, variables_order sequence should match request_order sequence.
Avoid JavaScript from access cookies to reduce identity theft through XSS attacks
Like PHP even JavaScript is also able to access cookies. But in the best interest of user and web application it makes complete sense to restrict JavaScript from accessing cookies. Is there any way to do it?
Yes and it is too simple. Just make following changes to php.ini file and restart Apache service
session.cookie_httponly = true
Now, cookie data will be accessible only through HTTP protocol. This setting can effectively help to reduce identity theft through XSS attacks. Only one drawback though - It is not supported by all browsers.
Session management on multi-server application
With every application moving to cloud the life has become easier for end users and exactly opposite has happened to developers and server administrators. In multi-server application where you have load balancers and request can be routed to any server, session management becomes tricky. There are traditional solutions such as storing session info in database or sharing session info across server etc. However, quickest and easiest (some may feel this as ‘crude’ way of doing it though) way to handle sessions in such scenario is using 'memcached' for sessions.
Get Memcached installed on your server using following commands on Linux box.
apt-get install memcached
apt-get install php5-memcache
Then change following default setting in php.ini file and restart Apache service
session.save_handler = files
To
session.save_handler = memcached
With this change your PHP sessions will be stored on the memcached server and not in files anymore.