Learn How to improve PHP Security with these six Steps?

PHP security is one of the most involved topics in web application security. In this article, you'll learn some techniques that you can use in your applications to fix security problems and improve the security of PHP web applications.

1. Input Validation

All issues begin here: not validating and sanitizing user-submitted data from forms or URLs. If you strictly follow this step, you'll be able to overcome a great many of the security issues in your applications.

First of all, check whether the input was submitted with the right method. That is, if the user input is supposed to be passed in the URL and you're reading it from the $_REQUEST superglobal, then that's the problem, because an attacker can forge the request with a different method. The $_REQUEST superglobal accepts all kinds of input, both POST and GET.

The simple answer is: don't use the $_REQUEST superglobal; only use $_GET or $_POST, depending on the request type.

If the input method is GET and you're expecting only a number from the URL as user input, use PHP functions to validate the user-submitted data. In this particular scenario you can use the is_int PHP function to check whether the input is an integer.

For validation, you can use the filter_var PHP function; with it you can both validate and sanitize the input. You have to use the right filter for your requirement. For the available filters, check the php.net website.
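The two checks this step describes, reading only from the superglobal that matches the expected HTTP method and validating the value with filter_var, as an added example that is not from the original article. One caveat it builds in: every value in $_GET and $_POST arrives as a string, so is_int($_GET['id']) is always false, and FILTER_VALIDATE_INT is the check that actually parses the string. The field names "id" and "email" and the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not from the original article. Field names "id" and "email"
// and the helper names are assumptions for illustration.

function validateId($raw): ?int
{
    // FILTER_VALIDATE_INT parses the string, rejects anything that is not a
    // whole number, and enforces the range given in the options.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validateEmail($raw): ?string
{
    $email = filter_var(trim((string) $raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Read the id from $_GET only on a GET request; never from $_REQUEST, which
// would also accept the same name sent as a POST field or a cookie.
function idFromRequest(): ?int
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'GET') {
        return null;
    }
    return validateId($_GET['id'] ?? '');
}

// Constructed inputs, as a caller might submit them.
foreach (['42', '42abc', '-7', '1e3'] as $candidate) {
    $result = validateId($candidate);
    printf("id %-8s => %s\n", var_export($candidate, true),
        $result === null ? 'rejected' : "accepted as $result");
}
foreach (['user@example.com', 'not an address', '<script>@example.com'] as $candidate) {
    printf("email %-22s => %s\n", $candidate,
        validateEmail($candidate) === null ? 'rejected' : 'accepted');
}
```

Of the constructed ids, only '42' passes; '42abc', '-7' (below min_range) and '1e3' are rejected, and a rejected value is returned as null rather than as a partially parsed number, so the caller cannot use it by accident.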

2. XSS Cross-Site Scripting

Cross-Site Scripting, XSS for short: the attacker injects JavaScript code into our application, after which our application behaves strangely, for example redirecting to the attacker's site or sending user information to the attacker's site.

Here we will see how we can overcome XSS attacks by making simple changes to our applications with these two strategies: filtering input and escaping output.

2.1 Filtering Input

While accepting data from website users we should filter it. For example, in a comment system we should accept only text input, not HTML tags. If we aren't filtering the input, the user can submit any kind of information, even malicious code.

To filter unwanted code we can use these PHP functions; here I'm presenting three PHP functions and their advantages.

strip_tags: this PHP function removes HTML tags from the user-submitted input.

filter_var: the safer way of filtering input is filter_var with FILTER_SANITIZE_STRING, which removes HTML tags even when the HTML syntax entered by the user is wrong.

regular expressions: if you have a specific requirement, you can build a regular expression to filter user input.

2.2 Escaping Output

Escaping output is a technique used to stop XSS. Suppose that, with the comment system above, you have some comments in the database that were stored without filtering input. That means these comments could contain HTML tags, and some comments could even contain malicious code. Without deleting this data from the database, we can fix this issue by escaping output with these PHP functions.

htmlspecialchars: this PHP function encodes special characters into HTML entities; if you also want to convert quote marks to HTML entities, use it with ENT_QUOTES.

htmlentities: this PHP function converts all applicable characters into HTML entities.
You can convert the quote marks as well with ENT_QUOTES.

The safer way is to use filter_var with the FILTER_SANITIZE_FULL_SPECIAL_CHARS filter to convert all HTML special characters.
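Both defences from 2.1 and 2.2 applied to the comment system, as an added example that is not the article's own code. Filtering happens once on the way into the database, escaping happens every time a value is rendered, and the second path shows why output escaping alone still protects comments that were stored before filtering existed. FILTER_SANITIZE_STRING is avoided here because it is deprecated as of PHP 8.1; the function names are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the article's own code. Function names are assumptions.

// Filter on input: a comment is plain text, so drop every HTML tag before it
// is stored. strip_tags handles well-formed and unclosed tags alike.
function filterComment(string $raw): string
{
    $text = strip_tags($raw);
    return mb_substr(trim($text), 0, 1000);
}

// Escape on output: whatever reaches the browser is entity-encoded at display
// time. ENT_QUOTES encodes both quote styles so the value is safe inside an
// attribute as well as between tags; ENT_SUBSTITUTE keeps invalid UTF-8 from
// making htmlspecialchars return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// The author name lands in an attribute and in element text; both are escaped.
function renderComment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<strong>' . e($author) . '</strong>: ' . e($body) . '</div>' . "\n";
}

// Constructed hostile inputs of the kind the text describes.
$rawComment = 'Great article <script>alert("xss")</script> <img src=x onerror=alert(1)>';
$author     = 'mallory" onmouseover="alert(1)';

// Normal path: filtered on the way in, escaped on the way out.
echo renderComment($author, filterComment($rawComment));

// Legacy path: a comment stored before filtering existed is still rendered
// harmlessly, because escaping happens at output time.
echo renderComment('legacy', $rawComment);
```

In the first rendering the script and img tags are gone entirely; in the second they survive as text, with every < and " turned into an entity, so the browser displays them instead of executing them. The stray quote in the author name is encoded too, which is what keeps it from closing the data-author attribute.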

3. SQL Injection

SQL Injection is the most significant threat to any application that uses a database. You can follow these techniques to beat SQL Injection.

Provide minimum information to the user: don't show SQL queries and debug information to the user, because they could reveal table names and table structure to attackers, which makes it easy for an attacker to perform SQL Injection.

Validate the input; go through step one. By following it you can minimize a number of the problems.

Escape the output while inserting data into the database. Previously we have seen escaping output while displaying comments in the browser. In the same way, we can escape the output while inserting records into the database with the mysqli_real_escape_string PHP function.

Use prepared statements with PHP PDO; it's the most secure technique to beat SQL Injection. You can learn more about PDO prepared statements from PHP CRUD Application with PDO.

Least-privileged database user account: create a database user on your server with the least privileges. For example, if your application only displays information from the database, create a database user with only read privileges. Understand your application and create an account based on the privileges it needs.
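The injectable query placed next to its PDO prepared-statement replacement, run against a constructed in-memory SQLite table so the difference is visible, as an added example that is not the article's own code. The commented MySQL connection shows where the least-privileged account from the last point fits; the account name app_ro and the table are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the article's own code. Table and account names are assumptions.

// Vulnerable: the user-supplied value becomes part of the SQL text.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter, never as SQL.
function findUser(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// For MySQL in production, connect as a least-privileged account (assumed name
// app_ro, created with e.g. GRANT SELECT ON app.* TO 'app_ro'@'localhost') and
// disable emulated prepares so the server itself keeps query text and values apart:
//   $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_ro', $secret, [
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//       PDO::ATTR_EMULATE_PREPARES => false,
//   ]);

// Constructed demo database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$input = "nobody' OR '1'='1";   // constructed injection attempt
printf("unsafe query returned %d row(s)\n", count(findUserUnsafe($db, $input)));
printf("prepared statement returned %d row(s)\n", count(findUser($db, $input)));
```

With that input the concatenated query's WHERE clause becomes `username = 'nobody' OR '1'='1'` and returns both users, while the prepared statement looks for a user literally named `nobody' OR '1'='1` and returns none.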

4. Password Hashing

While storing users' passwords, don't store them in plain text, because that exposes your users' sensitive information to the attacker; most users reuse the same password on different websites. So your users are in great danger.

Use a secure password hashing algorithm; the most secure option is password_hash. Use password_hash when generating the password hash. To generate the hash with the password_hash PHP function, use the code below.

password_hash($password, PASSWORD_DEFAULT);
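The password_hash() call above completed with the other half of the flow, verification at login and transparent re-hashing when PHP's default cost or algorithm changes, as an added example that is not the article's own code. The user record array stands in for a database row; the function names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the article's own code. Helper names are assumptions.

function hashPassword(string $password): string
{
    // PASSWORD_DEFAULT currently selects bcrypt; the algorithm, cost and a
    // random salt are all encoded in the returned string, so nothing else
    // needs to be stored alongside it.
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns true on a match. If PHP's default algorithm or cost has changed since
// the hash was made, $newHash is set so the caller can store the upgraded hash.
function checkPassword(string $password, string $storedHash, ?string &$newHash = null): bool
{
    $newHash = null;
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        $newHash = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// Constructed user record, as it would be read from the database.
$user = ['name' => 'alice', 'password_hash' => hashPassword('correct horse battery staple')];

// Each call salts independently, so the same password never yields the same hash.
var_dump(hashPassword('same password') === hashPassword('same password'));

// Login attempts against the stored hash.
var_dump(checkPassword('correct horse battery staple', $user['password_hash'], $upgrade));
var_dump(checkPassword('wrong password', $user['password_hash']));
if ($upgrade !== null) {
    // Persist $upgrade in place of $user['password_hash'].
}
```

The first var_dump is false (different salts), the second true, the third false. password_verify reads the algorithm and salt out of the stored string itself, which is why the comparison works without storing anything but the hash.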

5. CSRF Cross-Site Request Forgery

Cross-Site Request Forgery is another area where you need to implement CSRF tokens to improve the security of form submissions.

CSRF tokens are used to secure forms in PHP. We generate a random token, store it in the session, and include it in the form. On form submission, the CSRF token from the form and the token stored in the session are compared. Only if both values match does the form submission succeed; otherwise, the form submission fails. The attacker won't be able to succeed with his/her attempts.

I've already written a complete article on Securing PHP Forms with CSRF Tokens.
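The token flow described above in full, generated once per session, embedded in the form and compared in constant time on submission, as an added example that is not the article's own code. The session key csrf_token and the helper names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the article's own code. Session key and helper names are assumptions.

session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // CSPRNG, 256 bits
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

// hash_equals avoids leaking the token through timing differences, and the
// check fails closed when the session has no token or the field is missing.
function csrfValid($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($expected === '' || !is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfValid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form submission rejected: invalid CSRF token.');
    }
    // Token matched: handle the comment as usual.
    echo 'Comment received.';
} else {
    echo '<form method="post">' . csrfField()
       . '<textarea name="comment"></textarea><button type="submit">Post</button></form>';
}
```

A forged request from another origin cannot include the token because the attacker's page cannot read the victim's session or the form that carries it, so the POST branch rejects it before any processing happens.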

6. Error Handling

While in production mode, don't show all the errors to users; follow the least-information principle.
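Production error settings that log every error in full and send the user only a generic message, as an added example that is not the article's own code. The log path is an assumption and must be writable by the web server user; connect() is a hypothetical helper showing the one place where leaked detail usually comes from.

```php
<?php
declare(strict_types=1);

// Added example, not the article's own code. Log path and helper name are assumptions.

error_reporting(E_ALL);
ini_set('display_errors', '0');          // never echo errors to the browser
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log');

// Uncaught exceptions: full details to the log, a fixed 500 page to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf('[%s] %s in %s:%d', get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo 'Something went wrong. Please try again later.';
});

// Database errors are the usual source of leaked table names: a PDOException
// message can include the query, host and user name, so it is logged here and
// re-thrown with a neutral message, keeping the original as $previous.
function connect(string $dsn, string $user, string $password): PDO
{
    try {
        return new PDO($dsn, $user, $password, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        error_log('DB connect failed: ' . $e->getMessage());
        throw new RuntimeException('Database unavailable', 0, $e);
    }
}
```

These ini_set calls belong in php.ini or the pool configuration for a real deployment; setting them in code is shown only so the whole policy is visible in one place.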

Basant Mallick

Paytm Payment Gateway Integration Using PHP

Integrate Payments with Paytm

Add Paytm Payment Gateway to your mobile app or website. Collect online payments from your customers using UPI, Debit/Credit Cards, 50+ NetBanking options and Paytm Wallet.

Are you looking for a payment solution for your website?

The Paytm payment gateway can be the right choice for that.
You can securely accept payments using Paytm online payment.

Paytm is easier because it is linked with several services that make online transactions convenient for customers.

This is one of the safest and most secure payment gateways in India for online transactions.
So in this tutorial you will learn how to integrate the Paytm payment gateway using PHP.

So now we will cover Paytm payment integration with PHP in simple steps:

Step 1: Download the Paytm Payment Gateway PHP Kit

First you need to download the Paytm Payment Gateway PHP Kit from the given link.
You need to copy the PaytmKit folder into the document root of your server.

Paytm is a payment processing system; here I will integrate Paytm with a website using PHP.

Just follow below steps:

Step 2: First, we need to create an account at https://business.paytm.com/ and get our merchant ID and secret key.

Now we can start coding in our site to use the Paytm. First, we will configure the Paytm with test credentials to test our code.


Step 3: (filename: config.php)

<?php
/*
- Use PAYTM_ENVIRONMENT as 'PROD' if you want to do transactions in the production environment, else 'TEST' for the testing environment.
- Change the value of the PAYTM_MERCHANT_KEY constant with the details received from Paytm.
- Change the value of the PAYTM_MERCHANT_MID constant with the details received from Paytm.
- Change the value of the PAYTM_MERCHANT_WEBSITE constant with the details received from Paytm.
- The above details will be different for the testing and production environments.
*/
define('PAYTM_ENVIRONMENT', 'TEST'); // PROD
define('PAYTM_MERCHANT_KEY', '**********'); // Change this constant's value with the merchant key downloaded from the portal
define('PAYTM_MERCHANT_MID', '**********'); // Change this constant's value with the MID (Merchant ID) received from Paytm
define('PAYTM_MERCHANT_WEBSITE', '**********'); // Change this constant's value with the website name received from Paytm

/* Old endpoints, kept commented out for reference:
$PAYTM_DOMAIN = "pguat.paytm.com";
if (PAYTM_ENVIRONMENT == 'PROD') {
    $PAYTM_DOMAIN = 'secure.paytm.in';
}

define('PAYTM_REFUND_URL', 'https://' . $PAYTM_DOMAIN . '/oltp/HANDLER_INTERNAL/REFUND');
define('PAYTM_STATUS_QUERY_URL', 'https://' . $PAYTM_DOMAIN . '/oltp/HANDLER_INTERNAL/TXNSTATUS');
define('PAYTM_STATUS_QUERY_NEW_URL', 'https://' . $PAYTM_DOMAIN . '/oltp/HANDLER_INTERNAL/getTxnStatus');
define('PAYTM_TXN_URL', 'https://' . $PAYTM_DOMAIN . '/oltp-web/processTransaction');
*/

// Staging endpoints by default; switched to the live endpoints for PROD.
$PAYTM_STATUS_QUERY_NEW_URL = 'https://securegw-stage.paytm.in/merchant-status/getTxnStatus';
$PAYTM_TXN_URL = 'https://securegw-stage.paytm.in/theia/processTransaction';
if (PAYTM_ENVIRONMENT == 'PROD') {
    $PAYTM_STATUS_QUERY_NEW_URL = 'https://securegw.paytm.in/merchant-status/getTxnStatus';
    $PAYTM_TXN_URL = 'https://securegw.paytm.in/theia/processTransaction';
}
define('PAYTM_REFUND_URL', '');
define('PAYTM_STATUS_QUERY_URL', $PAYTM_STATUS_QUERY_NEW_URL);
define('PAYTM_STATUS_QUERY_NEW_URL', $PAYTM_STATUS_QUERY_NEW_URL);
define('PAYTM_TXN_URL', $PAYTM_TXN_URL);

Step 4: Now we will create a new file (index.php) for the payment form, which will have the amount to be paid and the other needed information:

<?php
header("Pragma: no-cache");
header("Cache-Control: no-cache");
header("Expires: 0");
include('header.php');
include('container.php');
?>
<div class="container">
<h2>Example: Paytm Payment Gateway Integration in PHP</h2>
<br>
<br>
<form method="post" action="pgRedirect.php">
<table border="1">
<tbody>
<tr>
<th>S.No</th>
<th>Label</th>
<th>Value</th>
</tr>
<tr>
<td>1</td>
<td><label>ORDER_ID::*</label></td>
<td><input id="ORDER_ID" tabindex="1" maxlength="20" size="20"
name="ORDER_ID" autocomplete="off"
value="<?php echo "ORDS" . rand(10000, 99999999); ?>">
</td>
</tr>
<tr>
<td>2</td>
<td><label>CUSTID ::*</label></td>
<td><input id="CUST_ID" tabindex="2" maxlength="12" size="12" name="CUST_ID" autocomplete="off" value="CUST001"></td>
</tr>
<tr>
<td>3</td>
<td><label>INDUSTRY_TYPE_ID ::*</label></td>
<td><input id="INDUSTRY_TYPE_ID" tabindex="4" maxlength="12" size="12" name="INDUSTRY_TYPE_ID" autocomplete="off" value="Retail"></td>
</tr>
<tr>
<td>4</td>
<td><label>Channel ::*</label></td>
<td><input id="CHANNEL_ID" tabindex="4" maxlength="12"
size="12" name="CHANNEL_ID" autocomplete="off" value="WEB">
</td>
</tr>
<tr>
<td>5</td>
<td><label>txnAmount*</label></td>
<td><input title="TXN_AMOUNT" tabindex="10"
type="text" name="TXN_AMOUNT"
value="1">
</td>
</tr>
<tr>
<td></td>
<td></td>
<td><input value="CheckOut" type="submit"></td>
</tr>
</tbody>
</table>
* - Mandatory Fields
</form>

</div>
<?php include('footer.php'); ?>

Step 5: In the form we set action="pgRedirect.php", so we will create a new file with this name:

<?php
header("Pragma: no-cache");
header("Cache-Control: no-cache");
header("Expires: 0");
// The following files need to be included.
require_once("./lib/config_paytm.php");
require_once("./lib/encdec_paytm.php");

$checkSum = "";
$paramList = array();

$ORDER_ID = $_POST["ORDER_ID"];
$CUST_ID = $_POST["CUST_ID"];
$INDUSTRY_TYPE_ID = $_POST["INDUSTRY_TYPE_ID"];
$CHANNEL_ID = $_POST["CHANNEL_ID"];
$TXN_AMOUNT = $_POST["TXN_AMOUNT"];

// Create an array having all required parameters for creating the checksum.
$paramList["MID"] = PAYTM_MERCHANT_MID;
$paramList["ORDER_ID"] = $ORDER_ID;
$paramList["CUST_ID"] = $CUST_ID;
$paramList["INDUSTRY_TYPE_ID"] = $INDUSTRY_TYPE_ID;
$paramList["CHANNEL_ID"] = $CHANNEL_ID;
$paramList["TXN_AMOUNT"] = $TXN_AMOUNT;
$paramList["WEBSITE"] = PAYTM_MERCHANT_WEBSITE;

$paramList["CALLBACK_URL"] = "http://phpzag.com/demo/paytm-payment-gateway-integration-in-php/pgResponse.php";
$paramList["MSISDN"] = 7777777777; // Mobile number of the customer
$paramList["EMAIL"] = "youremail@gmail.com"; // Email ID of the customer
$paramList["VERIFIED_BY"] = "EMAIL";
$paramList["IS_USER_VERIFIED"] = "YES";
// The checksum string is returned by the kit's getChecksumFromArray() function.
$checkSum = getChecksumFromArray($paramList, PAYTM_MERCHANT_KEY);

?>
<html>
<head>
<title>Merchant Check Out Page</title>
</head>
<body>
<center><h1>Please do not refresh this page...</h1></center>
<form method="post" action="<?php echo PAYTM_TXN_URL ?>" name="f1">
<table border="1">
<tbody>
<?php
// The values came from $_POST, so they are escaped before being echoed into
// attributes; the browser decodes the entities again when it submits the form,
// so the values Paytm receives are unchanged.
foreach ($paramList as $name => $value) {
    echo '<input type="hidden" name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8')
       . '" value="' . htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8') . '">';
}
?>
<input type="hidden" name="CHECKSUMHASH" value="<?php echo htmlspecialchars($checkSum, ENT_QUOTES, 'UTF-8'); ?>">
</tbody>
</table>
<script type="text/javascript">
document.f1.submit();
</script>
</form>
</body>
</html>

To handle the response of the return call from Paytm we need another file (pgResponse.php):

<?php
require_once("config.php");
require_once("encdec_paytm.php");

$paytmChecksum = "";
$paramList = array();
$isValidChecksum = "FALSE";

$paramList = $_POST;
$paytmChecksum = isset($_POST["CHECKSUMHASH"]) ? $_POST["CHECKSUMHASH"] : ""; // Sent by the Paytm PG
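The response handler that the snippet above begins, carried through to the checks a merchant side needs before an order is marked paid, as an added example that is not the tutorial's own code. It assumes the Paytm kit's encdec_paytm.php, which defines verifychecksum_e() and returns the string "TRUE" on a valid checksum, and Paytm's response field names ORDERID, TXNAMOUNT, STATUS, RESPMSG and TXNID; none of those appear on this page. loadOrder() and markOrderPaid() are hypothetical stand-ins for the application's own storage. The important addition over the redirect page is that the amount is compared against what the application recorded server-side when the order was created, not against the TXN_AMOUNT that the browser posted.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's own code. verifychecksum_e() and the
// response field names are assumed from the Paytm kit; loadOrder() and
// markOrderPaid() are hypothetical stand-ins for your own storage.

require_once 'config.php';
require_once 'encdec_paytm.php';

// Hypothetical: returns ['amount' => '1.00', 'status' => 'PENDING'] for an
// order this application created before redirecting to Paytm, else null.
function loadOrder(string $orderId): ?array
{
    // e.g. SELECT amount, status FROM orders WHERE order_id = :id
    return null;
}

// Hypothetical: records the gateway transaction id against the order.
function markOrderPaid(string $orderId, string $txnId): void
{
}

function handlePaytmResponse(array $post): string
{
    $checksum = $post['CHECKSUMHASH'] ?? '';
    if (!is_string($checksum) || $checksum === '') {
        return 'Missing checksum';
    }

    // 1. Integrity: only a response signed with the merchant key is trusted.
    if (verifychecksum_e($post, PAYTM_MERCHANT_KEY, $checksum) !== 'TRUE') {
        return 'Checksum mismatch';
    }

    // 2. Outcome as reported by Paytm.
    if (($post['STATUS'] ?? '') !== 'TXN_SUCCESS') {
        return 'Transaction failed: ' . ($post['RESPMSG'] ?? 'unknown');
    }

    // 3. Bind the response to an order this application created, and compare the
    //    paid amount with the amount stored server-side, not a value from the browser.
    $orderId = (string) ($post['ORDERID'] ?? '');
    $order = loadOrder($orderId);
    if ($order === null || $order['status'] !== 'PENDING') {
        return 'Unknown or already processed order';
    }
    $paid     = number_format((float) ($post['TXNAMOUNT'] ?? 0), 2, '.', '');
    $expected = number_format((float) $order['amount'], 2, '.', '');
    if (!hash_equals($expected, $paid)) {
        return 'Amount mismatch';
    }

    markOrderPaid($orderId, (string) ($post['TXNID'] ?? ''));
    return 'Payment recorded';
}

echo htmlspecialchars(handlePaytmResponse($_POST), ENT_QUOTES, 'UTF-8');
```

The order of the checks matters: nothing from the POST body is interpreted until the checksum has proven it came from Paytm, and the PENDING status check stops the same successful response from crediting an order twice.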

Basant Mallick

How to integrate live chat in website


Just follow the instructions below to integrate live chat on your website.

Step 1: Visit this link: https://www.tawk.to/

Step 2: Sign up for your account.

Step 3: Now you see three input fields:
a: Name
b: Email
c: Password
Then click Sign up now.

Step 4: Choose which language you want to chat with users in.

Step 5: Enter the site name and site URL (like www.abc.com), then click Next.

Step 6: Here you can skip adding your agent; just click Install Widget.

Step 7: Now you see some script code. Copy all the code and paste it between <head></head>.

Step 8: You can access the chat panel on your smartphone and many other devices; just download their application from the Play Store and log in.

Step 9: That's it. Now refresh your website and you can see the chat logo and panel on the bottom right side.

Basant Mallick

Integrate Google reCAPTCHA in your website Using PHP

How to Integrate Google reCAPTCHA in your website Using PHP

Hello, I hope everyone is fine!

These are the steps to integrate Google reCAPTCHA in your website form.
Note: before adding reCAPTCHA to your website you must be logged in with a Gmail account (e.g. abc223@gmail.com), then follow these steps:

Step 1: Type recaptcha in Google and press Enter.

Step 2: Click on this link: https://www.google.com/recaptcha

Step 3: Click on My reCAPTCHA in the top right corner of the web page.

Step 4:

(a) Add a label, whatever you want, like demo, captcha, etc.

(b) Add the domain name, like www.basantmallick.com; to test on a local server just add localhost.

Step 5: Now accept and register.

Step 6: Now you see a new page showing the Site Key and Secret Key.

Step 7: Here you see the client-side integration. Just copy the script and paste it between <head></head>:

<html>
  <head>
    <title>reCAPTCHA demo: Simple page</title>
    <script src="https://www.google.com/recaptcha/api.js" async defer></script>
  </head>
  <body>
    <form action="?" method="POST">
      <div class="g-recaptcha" data-sitekey="your_site_key"></div>
      <br/>
      <input type="submit" value="Submit">
    </form>
  </body>
</html>


Step 8: You also see a <div> section; copy it and put it before your form's submit button.

Step 9: You see the server-side integration with the Secret Key.

Step 10: Now open any code editor, like Sublime, Brackets, NetBeans, Notepad, etc.

Step 11: Now just replace the key with your Secret Key in $secretkey.

Step 12: After submitting your form, the success message (Thanks for posting comment.) shows.

Otherwise, repeat the steps I mentioned above carefully.
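The server-side verification that steps 9 to 12 refer to, as an added example that is not the tutorial's own code. It posts the token from the form's g-recaptcha-response field to Google's siteverify endpoint together with the Secret Key from step 6, and accepts the form only when the JSON reply's "success" is true. $secretkey holds a placeholder to be replaced with your own key; the success message is the one step 12 mentions.

```php
<?php
declare(strict_types=1);

// Added example, not the tutorial's own code. $secretkey is a placeholder.

$secretkey = 'YOUR_SECRET_KEY';

function verifyRecaptcha(string $token, string $secret, ?string $remoteIp = null): bool
{
    if ($token === '') {
        return false;
    }
    $fields = ['secret' => $secret, 'response' => $token];
    if ($remoteIp !== null) {
        $fields['remoteip'] = $remoteIp;
    }
    $ch = curl_init('https://www.google.com/recaptcha/api/siteverify');
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query($fields),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    if ($body === false) {
        return false; // a network failure counts as not verified
    }
    $result = json_decode((string) $body, true);
    return is_array($result) && ($result['success'] ?? false) === true;
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    $token = $_POST['g-recaptcha-response'] ?? '';
    if (!is_string($token) || !verifyRecaptcha($token, $secretkey, $_SERVER['REMOTE_ADDR'] ?? null)) {
        http_response_code(400);
        exit('reCAPTCHA verification failed. Please try again.');
    }
    // Only now handle the submitted comment.
    echo 'Thanks for posting comment.';
}
```

The check is done on the server and never in JavaScript, because the client-side widget only proves that a token was issued; only siteverify, called with the Secret Key, can confirm that the token is genuine and unused.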

Basant Mallick

How to install WordPress on your computer

Hello everyone, we all know that WordPress is the best blogging platform, but if we want to build a blog with it we need hosting and a domain name. But if we want to learn WordPress before starting with it, can we learn it without buying hosting and a domain name?

Yes, absolutely.

If you want to learn WordPress, or there is something you don't want to do on your live online WordPress site but want to try somewhere first, you can install WordPress on your local PC as well. Let's find out how.

Step by step guide to installing WordPress on a local PC:

Here are the steps to install WordPress on a local PC:

First you will need two things: an offline PHP and MySQL runtime environment, and the official .zip archive of the WordPress CMS. In this tutorial we will use WAMP Server. Links to both are given below; click them to download quickly.

Once you have downloaded both, carefully follow the steps below.

  1. Install WAMP Server on your PC.
  2. After installing, run it; this will take some time depending on your PC's specifications.
  3. The icon can be different colours: Red, Green or Blue. Each colour indicates a state of the server. Green indicates that the server is online and all its services are online, Orange indicates that the server is offline and services are partially on, and Red indicates that all services are stopped and the server is offline.
  4. We need to bring this server online. To do that, click the icon and then click the Start All Services button. Note that the icon should turn green shortly.
  5. After your server is online, click the icon again and then click phpmyadmin. A MySQL setup will open in your default web browser.
  6. Here we need to create a database for our WordPress. Click the New link in the left pane. Then, as in the screenshot below, enter your database name and click the Create button.
  7. Now unzip the WordPress .zip archive we downloaded. Inside it is another folder named "WordPress". You can rename this folder whatever you like; just make sure you remember the name well, and we know why. So let's say we named it shoutmehindi.
  8. Now cut this folder, go to the WAMP Server installation directory, and then into the www folder. The default directory is C:\wamp\www. Paste the folder into this www folder.
  9. Now go to your default web browser; make sure your WAMP Server is online. Type localhost/"your folder name" into the URL bar. For example, in our case it is localhost/shoutmehindi.
  10. Now the WordPress setup will start. Enter the details for the example WordPress blog you want to create on your local PC and proceed.

When you fill in WordPress's database information, use this data.

  • Database name : Database name you have created (WordPress)
  • Username : root
  • Password : Leave it blank
  • database host : Keep it default (Localhost)
  • Database prefix : Keep it default (wp_)

This is how you can easily install WordPress on your local PC.

A few important things to keep in mind:

  • Just as an online site's WordPress URL is example.com, the only difference on a local site is that your URL will be localhost/example.com
  • If you want to log in to your local WordPress site, go to this URL: localhost/"your folder name"/wp-login (on a live site this is example.com/wp-login)
  • Whenever you run the local site, your server must be in the online condition.

We have also made a video about this, which we will upload to YouTube soon.