Learn How to improve PHP Security with these six Steps?

Learn How to improve PHP Security with these six Steps?

by | Jan 10, 2019 | PHP

PHP security is that the additional involved topic in internet application security, during this article, you’ll learn some techniques that you simply will use in your applications to fix security problems and improve the security of PHP web applications.

1. Input Validation

All issues begin here If you’re not validating & sanitizing user submitted information through forms or URLs. If you strictly follow this step, then you’ll be able to overcome a great deal of issues together with your applications that’s relating to security.

First of all, Check whether or not the input submitted with the right method? that’s if the user input ought to be passed to computer address and if you’re victimisation request superglobal, Then that’s the matteras a result ofhacker will pretend the request with different styles of technique. Request superglobal works with all style ofinputs that’s post & get.

The simple answer is don’t use request superglobal, solely use get or post supported the request kind.

If the input technique is get and if you’re expecting solely range from the computer address as user input. Use PHP functions to validate the user submitted computer fileduring this explicit scenario you’ll be able to use is_int PHP operateto examine whether or not the input is Associate in Nursing whole number.

For validation, you’ll be able to use filter_var PHP operate with this operate you’ll be able to validate the input and additionally sanitize the input. you have got to use the right filter supported your demand. For offered filters check the php.net web site.

2. XSS Cross-Site Scripting

Cross website Scripting in brief known as XSS, the offender injects javascript code into our application, at the moment our application acts weirdly like redirecting to offender {site|website|web website} or causation user infoto attackers site.

Here we are going to see however we are able to overcome XSS attacks by creating easy changes to our applications with these 2 strategiesthat’s filtering Input and Escaping Output

2.1 Filtering Input

While acceptive knowledge from web site users we must always filter. as an example in comment system, we must always settle for solely text input not hypertext markup language tags. If we have a tendency to aren’tfiltering the input, the user will submit any reasonably info even malicious code.

To filter unwanted code we are able to use these PHP functions, here I’m presenting you 3 PHP functions and their blessings.

strip_tags PHP operate removes hypertext markup language tags from the user submitted input.

filter_var : and therefore the safer means of filtering input is filter_var with filter_sanitize_string removes hypertext markup language tags even hypertext markup language syntax entered by the user is wrong.

regular expressions: If you have got a particular demandyou’ll be able to build an everyday expression to filter user input.

2.2 Escaping Output

Escaping Output may be a technique wont to stop XSS. Suppose, let’s assume with on top of comment system you have got some comments within the information while not filtering input. which means these comments couldhave some hypertext markup language tags and even some comments could have malicious code. while notdeleting this knowledge from the informationwe are able to fix this issue by escaping output with these PHP functions.

htmlspecialchars PHP operate encodes special characters into hypertext markup language entities and althoughyou would like to convert quote marks to hypertext markup language entities use it with ent_quotes.

htmlentities PHP operate converts all hypertext markup language character entities into hypertext markup language entities.
You can convert the quote marks additionally with ent_quotes

The safer means is to to use filter_var with filter filter_sanitize_full_special_chars to convert all hypertext markup language entities.

3. SQL Injection

SQL Injection is that the most important threat to any application that uses a informationyou’ll be able to follow these techniques to beat SQL Injection.

Provide Minimum info to the user, don’t show SQL queries and rectify info to the user. because it could reveal table names and table structure to the attackers, so it makes straightforward for Associate in Nursing offender to try to to SQL Injection.

Validate the Input, undergo the step one. By following this you’ll be able to minimize the few problems.

Escape the output whereas inserting knowledge into the informationantecedently we’ve got seen escaping output whereas displaying comments within the browser. within the same meanswe are able to escape the output whereas inserting the records within the information with the mysqli_real_escape_sting PHP operate.

Use ready statements with PHP PDO, it’s most secure technique to beat SQL Injection. you’ll be able to learn additional regarding PDO ready Statements from PHP CRUD Application with PDO.

Least Privileged information User Account – produce a information user on your server with least privileges. Like if you’re solely displaying info in your application from information produce a information user with solely browseprivileges. perceive your application and build Associate in Nursing account supported the privileges.

4. positive identification Hashing

While storing Passwords of users, don’t store it in plain text positive identificationas a result of it’s exposing your user’s necessary info to the offender, most of the users can use an equivalent positive identification on differentwebsites. So that, your users area unit in nice danger.

Use secure positive identification hashing algorithmic rule, a Most secure positive identification hashing algorithmic rule is password_hash. Use positive identification_hash whereas generating password hash. to come up with the hash with password_hash PHP operate, use this below code.

password_hash($password, PASSWORD_DEFAULT);
1
password_hash($password, PASSWORD_DEFAULT);

5. CSRF Cross-Site Request Forgery

Cross-Site Request Forgery is another space wherever you would like to implement CSRF tokens to boost the safety of kind submissions.

CSRF Tokens area unit wont to secure forms in PHP, we are going to generate a random token and this can be hold on within the session and this token are going to be responded to the shapeonce kind submission, CSRF token from the shape and therefore the token hold on in session are going to be compared. If each these values match then solely kind submission can succeed. Otherwise, kind submission are going to be failing. The offenderwon’t be ready to succeed with his/her tries.

I’ve already created a whole article on Securing PHP Forms with CSRF Tokens.

6. Error Handling

While in production mode don’t show all the errors to users, follow least info principle.

Basant Mallick

Paytm Payment Gateway Integration Using PHP

Paytm Payment Gateway Integration Using PHP

by | Jan 10, 2019 | PAYMENT GATEWAY, PHP

Integrate Payments with Paytm

Add Paytm Payment Gateway to your mobile app or website. Collect online payments from your customers using UPI, Debit/Credit Cards, 50+ NetBanking options and Paytm Wallet.

Are you trying to find payment resolution for your website?

Paytm payment gateway will be a right selection for that.
You can firmly settle for payment mistreatment with Paytm on-line payment.

Paytm is simpler because it is joined with several services that create the web transaction convenient for the customers.

This is one in every of the safest and secured payment gateways in Asian country for on-line dealing.
So here during this tutorial you may learn the way to integrate Paytm payment entryway mistreatment PHP.

So currently we are going to cover up Paytm payment integration with PHP in simple steps:

Step 1: Download Paytm Payment Gateway PHP Kit

First you would like to download Paytm Payment gateway PHP Kit from given link.
You need to copy PaytmKit folder in document root of your server.

PAYTM IS A PAYMENT PROCESS SYSTEM, I WILL INTEGRATE PAYTM WITH WEBSITES BY USING WITH PHP

Just follow below steps:

Step2: First, we need to create an account at https://business.paytm.com/ and get our merchant ID and Secret Key.

Now we can start coding in our site to use the Paytm. First, we will configure the Paytm with test credentials to test our code.

freelance php developer in delhi ncr india

Step 3. (filename – config.php)

<?php
/*

– Use PAYTM_ENVIRONMENT as ‘PROD’ if you wanted to do transaction in production environment else ‘TEST’ for doing transaction in testing environment.
– Change the value of PAYTM_MERCHANT_KEY constant with details received from Paytm.
– Change the value of PAYTM_MERCHANT_MID constant with details received from Paytm.
– Change the value of PAYTM_MERCHANT_WEBSITE constant with details received from Paytm.
– Above details will be different for testing and production environment.

*/
define(‘PAYTM_ENVIRONMENT’, ‘TEST’); // PROD
define(‘PAYTM_MERCHANT_KEY’, ‘**********’); //Change this constant’s value with Merchant key downloaded from portal
define(‘PAYTM_MERCHANT_MID’, ‘**********’); //Change this constant’s value with MID (Merchant ID) received from Paytm
define(‘PAYTM_MERCHANT_WEBSITE’, ‘**********’); //Change this constant’s value with Website name received from Paytm

/*$PAYTM_DOMAIN = “pguat.paytm.com”;
if (PAYTM_ENVIRONMENT == ‘PROD’) {
$PAYTM_DOMAIN = ‘secure.paytm.in’;
}

define(‘PAYTM_REFUND_URL’, ‘https://’.$PAYTM_DOMAIN.’/oltp/HANDLER_INTERNAL/REFUND’);
define(‘PAYTM_STATUS_QUERY_URL’, ‘https://’.$PAYTM_DOMAIN.’/oltp/HANDLER_INTERNAL/TXNSTATUS’);
define(‘PAYTM_STATUS_QUERY_NEW_URL’, ‘https://’.$PAYTM_DOMAIN.’/oltp/HANDLER_INTERNAL/getTxnStatus’);
define(‘PAYTM_TXN_URL’, ‘https://’.$PAYTM_DOMAIN.’/oltp-web/processTransaction’);*/

$PAYTM_STATUS_QUERY_NEW_URL=’https://securegw-stage.paytm.in/merchant-status/getTxnStatus’;
$PAYTM_TXN_URL=’https://securegw-stage.paytm.in/theia/processTransaction’;
if (PAYTM_ENVIRONMENT == ‘PROD’) {
$PAYTM_STATUS_QUERY_NEW_URL=’https://securegw.paytm.in/merchant-status/getTxnStatus’;
$PAYTM_TXN_URL=’https://securegw.paytm.in/theia/processTransaction’;
}
define(‘PAYTM_REFUND_URL’, ”);
define(‘PAYTM_STATUS_QUERY_URL’, $PAYTM_STATUS_QUERY_NEW_URL);
define(‘PAYTM_STATUS_QUERY_NEW_URL’, $PAYTM_STATUS_QUERY_NEW_URL);
define(‘PAYTM_TXN_URL’, $PAYTM_TXN_URL);

?>

Step 4. Now we will create a new file(index.php) to create the payment form which will have the amount to be paid and other needed information –

<?php

header(“Pragma: no-cache”);
header(“Cache-Control: no-cache”);
header(“Expires: 0″);
include(‘header.php’);
include(‘container.php’);
?>
<div class=”container”>
<h2>Example: Paytm Payment Gateway Integration in PHP</h2>
<br>
<br>
<form method=”post” action=”pgRedirect.php”>
<table border=”1″>
<tbody>
<tr>
<th>S.No</th>
<th>Label</th>
<th>Value</th>
</tr>
<tr>
<td>1</td>
<td><label>ORDER_ID::*</label></td>
<td><input id=”ORDER_ID” tabindex=”1″ maxlength=”20″ size=”20″
name=”ORDER_ID” autocomplete=”off”
value=”<?php echo “ORDS” . rand(10000,99999999)?>”>
</td>
</tr>
<tr>
<td>2</td>
<td><label>CUSTID ::*</label></td>
<td><input id=”CUST_ID” tabindex=”2″ maxlength=”12″ size=”12″ name=”CUST_ID” autocomplete=”off” value=”CUST001″></td>
</tr>
<tr>
<td>3</td>
<td><label>INDUSTRY_TYPE_ID ::*</label></td>
<td><input id=”INDUSTRY_TYPE_ID” tabindex=”4″ maxlength=”12″ size=”12″ name=”INDUSTRY_TYPE_ID” autocomplete=”off” value=”Retail”></td>
</tr>
<tr>
<td>4</td>
<td><label>Channel ::*</label></td>
<td><input id=”CHANNEL_ID” tabindex=”4″ maxlength=”12″
size=”12″ name=”CHANNEL_ID” autocomplete=”off” value=”WEB”>
</td>
</tr>
<tr>
<td>5</td>
<td><label>txnAmount*</label></td>
<td><input title=”TXN_AMOUNT” tabindex=”10″
type=”text” name=”TXN_AMOUNT”
value=”1″>
</td>
</tr>
<tr>
<td></td>
<td></td>
<td><input value=”CheckOut” type=”submit” onclick=””></td>
</tr>
</tbody>
</table>
* – Mandatory Fields
</form>

</div>
<?php include(‘footer.php’);?>

Step 5. Here in form, we have set the action=”Redirect.php”, so we will create a new file with this name 

<?php
header(“Pragma: no-cache”);
header(“Cache-Control: no-cache”);
header(“Expires: 0”);
// following files need to be included
require_once(“./lib/config_paytm.php”);
require_once(“./lib/encdec_paytm.php”);

$checkSum = “”;
$paramList = array();

$ORDER_ID = $_POST[“ORDER_ID”];
$CUST_ID = $_POST[“CUST_ID”];
$INDUSTRY_TYPE_ID = $_POST[“INDUSTRY_TYPE_ID”];
$CHANNEL_ID = $_POST[“CHANNEL_ID”];
$TXN_AMOUNT = $_POST[“TXN_AMOUNT”];

// Create an array having all required parameters for creating checksum.
$paramList[“MID”] = PAYTM_MERCHANT_MID;
$paramList[“ORDER_ID”] = $ORDER_ID;
$paramList[“CUST_ID”] = $CUST_ID;
$paramList[“INDUSTRY_TYPE_ID”] = $INDUSTRY_TYPE_ID;
$paramList[“CHANNEL_ID”] = $CHANNEL_ID;
$paramList[“TXN_AMOUNT”] = $TXN_AMOUNT;
$paramList[“WEBSITE”] = PAYTM_MERCHANT_WEBSITE;

$paramList[“CALLBACK_URL”] = “http://phpzag.com/demo/paytm-payment-gateway-integration-in-php/pgResponse.php”;
$paramList[“MSISDN”] = 7777777777; //Mobile number of customer
$paramList[“EMAIL”] = “youremail@gmail.com”; //Email ID of customer
$paramList[“VERIFIED_BY”] = “EMAIL”; //
$paramList[“IS_USER_VERIFIED”] = “YES”; //
//Here checksum string will return by getChecksumFromArray() function.
$checkSum = getChecksumFromArray($paramList,PAYTM_MERCHANT_KEY);

?>
<html>
<head>
<title>Merchant Check Out Page</title>
</head>
<body>
<center><h1>Please do not refresh this page…</h1></center>
<form method=”post” action=”<?php echo PAYTM_TXN_URL ?>” name=”f1″>
<table border=”1″>
<tbody>
<?php
foreach($paramList as $name => $value) {
echo ‘<input type=”hidden” name=”‘ . $name .’” value=”‘ . $value . ‘”>’;
}
?>
<input type=”hidden” name=”CHECKSUMHASH” value=”<?php echo $checkSum ?>”>
</tbody>
</table>
<script type=”text/javascript”>
document.f1.submit();
</script>
</form>
</body>
</html>

To handle the response of return call from paytm we need another file(Response.php)

<?php

require_once(“config.php”);

require_once(“encdec_paytm.php”);

$paytmChecksum = “”;

$paramList = array();

$isValidChecksum = “FALSE”;

$paramList = $_POST;

$paytmChecksum = isset($_POST[“CHECKSUMHASH”]) ? $_POST[“CHECKSUMHASH”] : “”; //Sent by Paytm pg

Basant Mallick