PHP Programming Language Security

There are a great many things a web programmer, especially a PHP programmer, has to pay attention to in order to build a good application or website. One important factor that must be considered but is sometimes neglected is security.

It is not easy to build a web application that is free of holes and immune to attackers, because, as we all know, "no system is perfect". Even so, that does not mean security can be ignored; at the very least the programmer can minimise the things that could endanger what has been built.

Below are 100 points that a programmer should at least follow to build a secure application, even though this will not make it 100% secure.


Here are the basic security matters that must be considered when building a website or application with PHP.

  • Strong passwords are used.
  • Passwords stored safely.
  • register_globals is disabled.
  • Magic_quotes is disabled.
  • display_errors is disabled.
  • Server(s) are physically secured.


When the website or application involves forms for entering data, the following points need attention so that everything stays secure.

  • Input from $_GET, $_POST, $_COOKIE and $_REQUEST is considered tainted.
  • Understood that only some values in $_SERVER and $_ENV are untainted.
  • $_SERVER['PHP_SELF'] is escaped where used.
  • Input data is validated.
  • \0 (null) is discarded in input.
  • Length of input is bounded.
  • Email addresses are validated.
  • Application is aware of small, very large, zero and negative numbers. Scientific notation too.
  • Application checks for invisible, look-alike, and combining characters.
  • Unicode control characters stripped out when required.
  • Output data is sanitized.
  • User-inputted HTML is sanitized with HTMLPurifier.
  • User-inputted CSS is sanitized using a white-list.
    • Abusable properties (margin, position, etc.) are handled.
    • CSS escape sequences are handled.
    • Javascript in CSS is discarded (expressions, behaviors, bindings.)
  • URLs are sanitized and unknown and unwanted protocols are disallowed.
  • Embedded plugin files (Flash Movies) are embedded in a manner so that only the intended plugin is loaded.
  • The application uses a safe encoding.
    • An encoding is specified using a HTTP header.
    • Inputted data is verified to be valid for your selected encoding if using an unsafe encoding.
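The input rules above in working form, as an added example that is not part of the original post: every request value is treated as tainted, NUL and control characters are dropped, lengths are bounded, e-mail addresses and integers are validated with PHP's own filters, and output is escaped for HTML. It assumes the mbstring extension and UTF-8 as the selected encoding.

```php
<?php
// Added example (not from the original post): treat every request value as
// tainted, validate it, and escape it on output. Assumes mbstring and UTF-8.
declare(strict_types=1);

// Declare the encoding in the HTTP header so the browser never has to guess.
header('Content-Type: text/html; charset=UTF-8');

/** Reject input that is not valid UTF-8, contains NUL, or is too long. */
function cleanText(?string $raw, int $maxLen): ?string
{
    if ($raw === null || !mb_check_encoding($raw, 'UTF-8') || strpos($raw, "\0") !== false) {
        return null;                       // invalid for the selected encoding, or NUL byte
    }
    // Drop C0/C1 control characters except tab, LF and CR.
    $raw = preg_replace('/[^\P{Cc}\t\n\r]/u', '', $raw);
    if ($raw === null || mb_strlen($raw, 'UTF-8') > $maxLen) {
        return null;                       // bound the length in characters, not bytes
    }
    return $raw;
}

/** Validate an e-mail address with PHP's built-in filter. */
function cleanEmail(?string $raw): ?string
{
    $email = cleanText($raw, 254);
    if ($email === null) {
        return null;
    }
    return filter_var($email, FILTER_VALIDATE_EMAIL) === false ? null : $email;
}

/** Integers: bounded, so "1e10", "-5" or absurdly large values are rejected. */
function cleanInt(?string $raw, int $min, int $max): ?int
{
    $opts = ['options' => ['min_range' => $min, 'max_range' => $max]];
    $v = filter_var($raw, FILTER_VALIDATE_INT, $opts);   // null and "1e3" both fail
    return $v === false ? null : $v;
}

$name  = cleanText($_POST['name'] ?? null, 80) ?? 'anonymous';
$email = cleanEmail($_POST['email'] ?? null);
$qty   = cleanInt($_POST['qty'] ?? null, 1, 100);

// Escape on output; validation on input does not cover the HTML context.
echo '<p>Hello ', htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8'), '</p>';
```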

File Uploads.

When a website built with PHP involves images or files being uploaded, the following points need attention to keep it secure.

  • Application verifies file type.
    • User provided mime type value is ignored.
    • Application analyzes the content of files to determine their type.
    • It is understood that a perfectly valid file can still contain arbitrary data.
  • Application checks the file size of uploaded files.
    • MAX_FILE_SIZE is not depended upon.
    • File uploads cannot "overtake" available space.
  • Content is checked for malicious content.
    • Application uses a malware scanner (if req.).
    • Uploaded HTML files are displayed securely.
  • Uploaded files are not moved to a web-accessible directory.
  • Extensive path checks are used when serving files.
  • Uploaded files are not served with include().
  • Uploaded files are served as an attachment using the Content-Disposition header.
  • Application sends the X-Content-Type-Options: nosniff header.
  • Files are not served as: (unless necessary)
    • "application/octet-stream"
    • "application/unknown"
    • "text/plain"


The database is the main target of attackers, because that is where the important information is stored, so when the website involves a database, pay attention to the following.

  • Data inserted into the database is properly escaped or parameter/prepared statements are used.
    • addslashes() is not used.
  • Application does not have more privileges to the database than necessary.
  • Remote connections are disabled if they are unnecessary.
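The database points above as an added example that is not part of the original post: PDO prepared statements with emulation turned off, so user values never become part of the SQL text, running under a low-privilege account. The database name "shop", the account "shop_app", the tables and the DB_PASS environment variable are placeholders.

```php
<?php
// Added example (not from the original post): parameterised queries with PDO.
// Assumes a MySQL database "shop" and a low-privilege account "shop_app"
// (placeholder names) whose password comes from the environment.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=shop;charset=utf8mb4', 'shop_app', (string) getenv('DB_PASS'));
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, no silent errors
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);        // real server-side prepares
    return $pdo;
}

/** Look up a product by a user-supplied id; the value is never spliced into the SQL text. */
function findProduct(PDO $pdo, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) return null;
    $stmt = $pdo->prepare('SELECT id, name, price FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Search by name. Binding stops injection; escaping %, _ and \ stops wildcard abuse. */
function searchProducts(PDO $pdo, string $term): array
{
    $term = addcslashes($term, '%_\\');          // MySQL's default LIKE escape char is "\"
    $stmt = $pdo->prepare('SELECT id, name FROM products WHERE name LIKE :q LIMIT 50');
    $stmt->execute([':q' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Insert a review: a multi-column write, still fully parameterised, no addslashes(). */
function addReview(PDO $pdo, int $productId, int $userId, string $body): void
{
    $pdo->prepare('INSERT INTO reviews (product_id, user_id, body) VALUES (?, ?, ?)')
        ->execute([$productId, $userId, $body]);
}

// Privileges the account needs, granted once by a DBA (not run by the application):
//   GRANT SELECT ON shop.products TO 'shop_app'@'127.0.0.1';
//   GRANT INSERT ON shop.reviews  TO 'shop_app'@'127.0.0.1';
// No DROP, ALTER, FILE or other schemas, and the account is bound to the local host only.
```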

Serving files

When the website serves files, pay attention to the following so that the site is protected from people who are not authorised to access them.

  • User input is not directly used in a pathname.
    • Directory traversal is prevented.
    • Null (\0) in paths are filtered.
    • Application is aware of “:”
    • PHP streams are filtered.
  • Access to files is not restricted by hiding the files.
  • Remote files not included with include().
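The "File Uploads" and "Serving files" checklists above combined into one added example that is not part of the original post: the upload is stored under an opaque random name outside the web root after its real type has been sniffed and the image re-encoded, and it is later served by a whitelisted name resolved with realpath(), never by a user-built path. It assumes PHP 8, the GD and fileinfo extensions, and a placeholder storage directory /var/app/uploads.

```php
<?php
// Added example (not from the original post): accept an image upload and serve it
// back later. Assumes a storage directory outside the web root, /var/app/uploads
// (placeholder path), PHP 8, and the GD and fileinfo extensions.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

/** Store one entry of $_FILES; returns the opaque stored name, or null if rejected. */
function storeUpload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    if (!is_uploaded_file($file['tmp_name'])) return null;
    // MAX_FILE_SIZE in the form is client-controlled: measure the file ourselves.
    if (filesize($file['tmp_name']) > MAX_BYTES) return null;
    if (disk_free_space(UPLOAD_DIR) < 10 * MAX_BYTES) return null;   // keep headroom
    // $file['type'] is client-supplied and ignored; sniff the actual content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) return null;
    // Re-encode through GD: a valid image can still carry arbitrary trailing data.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) return null;
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];   // user's file name ignored
    $dest = UPLOAD_DIR . '/' . $name;
    $ok = match ($mime) {
        'image/png'  => imagepng($img, $dest),
        'image/jpeg' => imagejpeg($img, $dest),
        default      => imagegif($img, $dest),
    };
    imagedestroy($img);
    return $ok ? $name : null;
}

/** Serve a stored file by name; the request value never becomes a path directly. */
function serveUpload(string $name): void
{
    // Whitelist the name: no "/", "..", NUL, ":" or php:// style stream wrappers possible.
    if (!preg_match('/\A[0-9a-f]{32}\.(png|jpg|gif)\z/', $name)) { http_response_code(404); return; }
    $base = realpath(UPLOAD_DIR);
    $path = realpath(UPLOAD_DIR . '/' . $name);
    // realpath() resolves symlinks; confirm the result is still under the base directory.
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) { http_response_code(404); return; }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('X-Content-Type-Options: nosniff');            // browser must not sniff a different type
    header('Content-Disposition: attachment; filename="' . $name . '"');
    readfile($path);                                        // never include() an uploaded file
}
```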


When the application or site needs pages that may only be accessed by certain trusted people, a strict authentication process is required; here are the points.

  • Bad password throttling.
    • CAPTCHA is used.
  • SSL used to prevent MITM.
  • Passwords are not stored in a cookie.
  • Passwords are hashed.
    • Per-user salts are used.
    • bcrypt() is used with sufficient number of rounds.
    • MD5 is not used.
  • Users are warned about obvious password recovery questions.
  • Account recovery forms do not reveal email existence.
  • Pages that send emails are throttled.
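The password-handling points above as an added example that is not part of the original post: bcrypt through password_hash() (which generates the per-user salt itself), a verification path that costs the same whether or not the e-mail exists, a lockout after repeated bad passwords, and a transparent rehash when the cost is raised. The "users" table and its columns are a placeholder schema.

```php
<?php
// Added example (not from the original post): bcrypt password storage, verification
// that does not leak account existence, and simple bad-password throttling. Assumes a
// PDO connection and a "users" table with the columns email, password_hash,
// failed_logins and locked_until (placeholder schema).
declare(strict_types=1);

const BCRYPT_COST = 12;   // raise over time as hardware gets faster
const MAX_FAILS   = 5;
const LOCK_SECS   = 900;

/** password_hash() generates a random per-user salt and embeds it in the result. */
function hashPassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** A real hash to verify against when the account does not exist, so timing is similar. */
function dummyHash(): string
{
    static $h = null;
    return $h ??= hashPassword('dummy-' . bin2hex(random_bytes(8)));
}

/** Returns the user id on success, null on any failure (the reason is not disclosed). */
function login(PDO $pdo, string $email, string $plain): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash, failed_logins, locked_until FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $u = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($u === false) {
        password_verify($plain, dummyHash());       // same cost as a real check
        return null;                                // generic failure, no "unknown email"
    }
    if ($u['locked_until'] !== null && strtotime($u['locked_until']) > time()) {
        return null;                                // throttled after repeated failures
    }
    if (!password_verify($plain, $u['password_hash'])) {
        $fails = (int) $u['failed_logins'] + 1;
        $lock  = $fails >= MAX_FAILS ? date('Y-m-d H:i:s', time() + LOCK_SECS) : null;
        $pdo->prepare('UPDATE users SET failed_logins = ?, locked_until = ? WHERE id = ?')
            ->execute([$fails, $lock, $u['id']]);
        return null;
    }
    // Success: clear the counter and transparently upgrade hashes made with a lower cost.
    $hash = password_needs_rehash($u['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
          ? hashPassword($plain) : $u['password_hash'];
    $pdo->prepare('UPDATE users SET failed_logins = 0, locked_until = NULL, password_hash = ? WHERE id = ?')
        ->execute([$hash, $u['id']]);
    return (int) $u['id'];
}
```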


Sessions are usually used to control whether someone is allowed to access a particular page or not; sessions are also used to store important data the website needs, so they need to be secured by paying attention to the following.

  • Sessions only use cookies (session.use_only_cookies).
  • On logout session data is destroyed.
  • Session is recreated on authorization level change.
  • Sites on the same server use different session storage dirs.
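The session points above as an added example that is not part of the original post: cookie-only sessions with a per-site save path, a new session id whenever the authorization level changes, and a logout that removes both the server-side data and the client cookie. It assumes HTTPS and a placeholder save path /var/app/sessions.

```php
<?php
// Added example (not from the original post): hardened session setup, privilege
// change on login, and logout. Assumes the site is served over HTTPS and a
// per-site save path /var/app/sessions (placeholder) not shared with other vhosts.
declare(strict_types=1);

function startSecureSession(): void
{
    ini_set('session.use_only_cookies', '1');          // ignore session ids in URLs
    ini_set('session.use_strict_mode', '1');           // reject ids the server did not issue
    ini_set('session.use_trans_sid', '0');
    ini_set('session.save_path', '/var/app/sessions'); // separate storage dir per site
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // only sent over TLS
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** Call whenever the authorization level changes (login, privilege escalation). */
function elevateSession(int $userId, string $role): void
{
    // New id and the old session file deleted, so a pre-login id cannot be reused (fixation).
    session_regenerate_id(true);
    $_SESSION = ['uid' => $userId, 'role' => $role, 'issued' => time()];
}

/** Destroy everything on logout: server-side data and the client's cookie. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
}
```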


Cross-site (third-party) issues that a PHP programmer also needs to pay attention to are the following.

  • CSRF issues are prevented with tokens/keys.
    • Referrers are not relied upon.
    • Pages that perform action use POST.
    • Important Pages (logout, etc.) are protected.
  • Your pages are not written in a way (i.e. JSON, JS-like) where they can be included and read on a remote website successfully.
  • Aware that Flash can bypass referrer checks to load images and sound files.
  • The following things will not reveal significant information if included remotely:
    • Images.
    • Pages that take a longer time to load.
    • CSS files.
    • Existence or ordering of frames.
    • Existence of a JS variable.
    • Detected visit of a URL.
  • Inclusion of your website in an inline frame with JS disabled does not reveal a threat.
  • Application uses frame bursting code and sends the X-Frame-Options header.
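The cross-site points above as an added example that is not part of the original post: a per-session CSRF token checked in constant time on every POST (the Referer header is never consulted), logout treated as a protected action rather than a plain link, and anti-framing headers. It assumes session_start() has already run.

```php
<?php
// Added example (not from the original post): per-session CSRF token for every
// state-changing request, with the logout action protected the same way, plus
// anti-framing headers. Assumes session_start() has already run.
declare(strict_types=1);

header('X-Frame-Options: DENY');                           // legacy clickjacking defence
header("Content-Security-Policy: frame-ancestors 'none'"); // modern equivalent

function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));      // CSPRNG, not rand()
    }
    return $_SESSION['csrf'];
}

/** Hidden field for every form that performs an action; GET links perform none. */
function csrfField(): string
{
    return '<input type="hidden" name="csrf" value="' . htmlspecialchars(csrfToken(), ENT_QUOTES) . '">';
}

/** True only for a POST whose token matches the session copy; the Referer is not consulted. */
function csrfCheck(): bool
{
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') return false;
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !isset($_SESSION['csrf'])) return false;
    return hash_equals($_SESSION['csrf'], $sent);           // constant-time comparison
}

// Logout is an action, so it is a POST form with a token rather than a plain link.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && ($_POST['action'] ?? '') === 'logout') {
    if (!csrfCheck()) { http_response_code(403); exit('bad token'); }
    $_SESSION = [];
    session_destroy();
    header('Location: /');
    exit;
}
echo '<form method="post"><input type="hidden" name="action" value="logout">',
     csrfField(), '<button type="submit">Log out</button></form>';
```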


Other general matters to consider when building PHP-based websites and applications.

  • A cryptographically secure PRNG is used for secret randomly-generated IDs (activation links, secret IDs, etc.).
    • Suhosin is installed or you are not using rand() for this.
  • Anything that consumes a lot of resources should be throttled and limited.
    • Pages that use third-party APIs are throttled.
  • You did not create your own encryption algorithm.
  • Arguments to external programs (i.e. exec()) are validated.
  • Generic internal and external redirect pages are secured.
  • Precautions taken against the source code of your PHP pages being shown due to misconfiguration.
  • Configuration and critical files are not in a web-accessible directory.
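Three of the general points above as an added example that is not part of the original post: secret IDs drawn from the OS CSPRNG instead of rand(), an exec() argument that is whitelisted and then quoted with escapeshellarg(), and a redirect page that accepts only same-site paths. The converter binary and the /var/app paths are placeholders.

```php
<?php
// Added example (not from the original post): CSPRNG-based activation tokens,
// validated arguments to an external program, and a redirect that only accepts
// local paths. The /var/app paths and /usr/bin/convert are placeholders.
declare(strict_types=1);

/** Activation link token: 256 bits from the OS CSPRNG, never rand()/mt_rand(). */
function activationToken(): string
{
    return bin2hex(random_bytes(32));
}

/** Run an external converter on a file; the argument is whitelisted, then quoted. */
function makeThumbnail(string $fileName): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.(png|jpg)\z/', $fileName)) {
        throw new InvalidArgumentException('bad file name');
    }
    // escapeshellarg() single-quotes the value so shell metacharacters are inert.
    $cmd = '/usr/bin/convert ' . escapeshellarg('/var/app/uploads/' . $fileName)
         . ' -resize 200x200 ' . escapeshellarg('/var/app/thumbs/' . $fileName);
    exec($cmd, $out, $rc);
    if ($rc !== 0) {
        throw new RuntimeException('convert failed');
    }
    return '/var/app/thumbs/' . $fileName;
}

/** Open-redirect guard: allow only a same-site absolute path, not "//evil" or "http:". */
function safeRedirectTarget($next, string $fallback = '/'): string
{
    if (!is_string($next) || $next === '' || strpos($next, "\0") !== false) return $fallback;
    if ($next[0] !== '/') return $fallback;                            // relative or scheme
    if (isset($next[1]) && ($next[1] === '/' || $next[1] === '\\')) return $fallback; // "//host"
    if (strpbrk($next, "\r\n") !== false) return $fallback;            // header injection
    return $next;
}

// Generic redirect page: the "next" parameter is user input and is treated as such.
header('Location: ' . safeRedirectTarget($_GET['next'] ?? null));
exit;
```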
