Common Sensitive Data Protection Issues in PHP Applications and Their Mitigation
The article outlines typical ways PHP projects mishandle sensitive data—such as storing passwords in plain text, transmitting credentials without encryption, using weak hashing algorithms, and exposing server details—and provides practical configuration and coding measures to secure data at rest and in transit.
Many PHP projects fail to properly protect sensitive data such as credit‑card numbers, user IDs, and authentication tokens, leaving them vulnerable to theft, tampering, and server compromise. The article enumerates the main shortcomings and offers concrete mitigation steps.
1. Unencrypted storage : Passwords, ID numbers, and credit‑card details are often saved in databases in clear text.
2. Plain‑text transmission : User credentials are sent from the browser to the server without any hashing or encryption.
3. Weak cryptographic algorithms : Some applications rely only on simple MD5 hashing, which is insufficient for protecting secrets.
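The three shortcomings side by side, as an added example that is not code from the article: the weak MD5 pattern kept only for comparison, password_hash()/password_verify() for credentials that never need to be read back, and libsodium's authenticated secretbox for data such as card numbers that must be recoverable. The function names and the sample values are constructed; the key is generated locally here and would come from a secret store in production.

```php
<?php
declare(strict_types=1);

// Weak pattern the article warns against: unsalted MD5 is fast to brute force and
// identical passwords produce identical digests. Kept only to show the contrast.
function hashPasswordWeak(string $password): string
{
    return md5($password);
}

// Hardened: password_hash() uses a slow, salted algorithm (bcrypt by default,
// Argon2id where the build supports it) and embeds algorithm, cost and salt in the result.
function hashPasswordStrong(string $password): string
{
    if (defined('PASSWORD_ARGON2ID')) {
        return password_hash($password, PASSWORD_ARGON2ID);
    }
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Data that must be read back later (card number, ID number) cannot be hashed, so it is
// encrypted at rest with an authenticated cipher. The key lives outside the database
// (environment variable, KMS, secrets file), never in the same table as the ciphertext.
function sealCardNumber(string $cardNumber, string $key): string
{
    $nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = sodium_crypto_secretbox($cardNumber, $nonce, $key);
    // The nonce is stored with the ciphertext; it is not secret, only unique per message.
    return base64_encode($nonce . $cipher);
}

function openCardNumber(string $sealed, string $key): ?string
{
    $raw = base64_decode($sealed, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($raw === false || strlen($raw) < $min) {
        return null;
    }
    $nonce  = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $cipher = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain  = sodium_crypto_secretbox_open($cipher, $nonce, $key);
    // A tampered record or a wrong key fails the MAC check and yields false, not garbage.
    return $plain === false ? null : $plain;
}

// Constructed values for a local run.
$key  = sodium_crypto_secretbox_keygen();   // production: load from a secret store
$hash = hashPasswordStrong('correct horse battery staple');
echo 'weak digest:      ', hashPasswordWeak('correct horse battery staple'), PHP_EOL;
echo 'strong hash:      ', $hash, PHP_EOL;
echo 'verify correct:   ', var_export(verifyPassword('correct horse battery staple', $hash), true), PHP_EOL;
echo 'verify wrong:     ', var_export(verifyPassword('wrong', $hash), true), PHP_EOL;

$sealed = sealCardNumber('4111111111111111', $key);   // constructed test card number
echo 'round trip ok:    ', var_export(openCardNumber($sealed, $key) === '4111111111111111', true), PHP_EOL;
$tampered = substr($sealed, 0, -4) . 'AAAA';
echo 'tampered record:  ', var_export(openCardNumber($tampered, $key), true), PHP_EOL;
```

The two halves answer different questions: a hash is the right tool when the application only ever needs to check a value, and authenticated encryption is the right tool when it needs the value back. Using a cipher for passwords or a hash for card numbers gets both wrong.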
Login password leakage : Without a digital digest or TLS, intercepted traffic can reveal passwords in clear text. Encrypt credentials before transmission.
Login information leakage : Absence of SSL allows attackers to capture session cookies and perform replay attacks. Use SSL/TLS and add a nonce to each authentication request.
Resource traversal leakage : Sequential numeric IDs (e.g., user ID, order ID) combined with inadequate access control enable attackers to enumerate resources. Use non‑sequential identifiers or UUIDs.
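As an added example (not the article's code) covering the three leakage cases above: session cookie flags so the cookie is not sent in the clear, a single-use nonce for the login request so a captured request cannot be replayed, and random resource identifiers combined with an ownership check in the query. issueLoginNonce(), consumeLoginNonce(), newResourceId(), findOrderForUser() and the orders table are constructed; the run uses an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Cookie flags: without Secure the session id travels in the clear, without HttpOnly
// script can read it, without SameSite it rides along on cross-site requests.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);
session_start();

// One-time nonce embedded in the login form and posted back with the credentials.
function issueLoginNonce(): string
{
    $nonce = bin2hex(random_bytes(16));
    $_SESSION['login_nonces'][$nonce] = time();
    return $nonce;
}

// A replayed request presents a nonce that was already consumed, so it is rejected
// even if the original traffic was captured.
function consumeLoginNonce(string $nonce, int $ttlSeconds = 300): bool
{
    $issued = $_SESSION['login_nonces'][$nonce] ?? null;
    unset($_SESSION['login_nonces'][$nonce]);   // single use, whether or not it validates
    return $issued !== null && (time() - $issued) <= $ttlSeconds;
}

// Identifiers 1, 2, 3 invite enumeration; a 128-bit random id cannot be guessed.
function newResourceId(): string
{
    return bin2hex(random_bytes(16));
}

// The random id is not an access-control decision on its own. The lookup is what stops
// traversal: the record is selected by id AND by the owner taken from the session.
function findOrderForUser(PDO $db, string $orderId, int $userId): ?array
{
    $stmt = $db->prepare('SELECT id, amount FROM orders WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $orderId, ':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed local run.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE orders (id TEXT PRIMARY KEY, user_id INTEGER, amount INTEGER)');
$ownId   = newResourceId();
$otherId = newResourceId();
$insert  = $db->prepare('INSERT INTO orders VALUES (?, ?, ?)');
$insert->execute([$ownId, 42, 100]);
$insert->execute([$otherId, 7, 250]);

$nonce = issueLoginNonce();
echo 'nonce first use: ', var_export(consumeLoginNonce($nonce), true), PHP_EOL;
echo 'nonce replayed:  ', var_export(consumeLoginNonce($nonce), true), PHP_EOL;
echo 'own order:       ', var_export(findOrderForUser($db, $ownId, 42) !== null, true), PHP_EOL;
echo "other user's:    ", var_export(findOrderForUser($db, $otherId, 42) !== null, true), PHP_EOL;
```

The nonce protects the login request against replay; it does not replace TLS, which is what keeps the password itself from being read in transit.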
Physical path leakage : Improper error handling can expose the server’s file system paths, facilitating local file inclusion attacks. Disable PHP error display and return generic error pages.
Example to disable error output in php.ini (php.ini uses ; for comments, not // or #):

; php.ini
error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT ; which error types to report
display_errors = Off ; never print errors into the response
display_startup_errors = Off ; the same for errors raised during PHP startup

Or disable errors at runtime (this only takes effect once the script is executing, so parse errors in the same file are still governed by php.ini):

<?php
ini_set('display_errors', '0'); // turn off error display
ini_set('error_reporting', E_ALL & ~E_NOTICE & ~E_WARNING); // bitmask of reported error types, not a log level; same as error_reporting(...)

Version disclosure : Error messages or default server headers may reveal PHP, Apache, or Nginx versions, giving attackers clues for exploits. Hide version information:

# httpd.conf (Apache)
ServerTokens Prod
ServerSignature Off

; php.ini
expose_php = Off ; drop the X-Powered-By: PHP/x.y header

# nginx.conf
server_tokens off;

JSON hijacking : Unauthenticated JSON endpoints can be abused to steal user data (e.g., QQ Mail case). Restrict cross‑origin requests, validate referer headers, and require tokens for sensitive data.
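The JSON-endpoint checks just listed, written out as an added example that is not the article's code. serveUserJson(), the ALLOWED_ORIGINS list, the X-API-Token header name and the session layout are constructed; the function returns status, headers and body instead of sending them so it can be exercised from the command line.

```php
<?php
declare(strict_types=1);

const ALLOWED_ORIGINS = ['https://app.example.com'];   // constructed allow-list

// Returns [status, headers, body] for a request described by $server and $session.
function serveUserJson(array $server, array $session, array $userRecord): array
{
    $deny = fn(int $code, string $msg): array =>
        [$code, ['Content-Type' => 'application/json'], json_encode(['error' => $msg])];

    // 1. Sensitive data only to an authenticated session.
    if (empty($session['user_id'])) {
        return $deny(401, 'login required');
    }
    // 2. Refuse GET: a <script src> tag or a cross-site navigation can only issue GET,
    //    so requiring POST removes the classic JSON-hijacking vector.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return $deny(405, 'POST required');
    }
    // 3. Origin, or Referer for clients that do not send Origin, must name a known host.
    $origin = $server['HTTP_ORIGIN'] ?? '';
    if ($origin === '' && isset($server['HTTP_REFERER'])) {
        $ref    = parse_url($server['HTTP_REFERER']);
        $origin = ($ref['scheme'] ?? '') . '://' . ($ref['host'] ?? '');
    }
    if (!in_array($origin, ALLOWED_ORIGINS, true)) {
        return $deny(403, 'bad origin');
    }
    // 4. A per-session token a cross-site caller cannot read; compared in constant time.
    $sent = $server['HTTP_X_API_TOKEN'] ?? '';
    if (!isset($session['api_token']) || !hash_equals($session['api_token'], $sent)) {
        return $deny(403, 'bad token');
    }
    $headers = [
        'Content-Type'           => 'application/json; charset=utf-8',
        'X-Content-Type-Options' => 'nosniff',   // the body must never be sniffed as script
        'Cache-Control'          => 'no-store',  // keep personal data out of shared caches
    ];
    return [200, $headers, json_encode($userRecord)];
}

// Constructed session, record and requests.
$session = ['user_id' => 42, 'api_token' => bin2hex(random_bytes(16))];
$record  = ['id' => 42, 'email' => 'user@example.com'];

$requests = [
    'cross-site GET'     => ['REQUEST_METHOD' => 'GET',  'HTTP_REFERER' => 'https://other.example/'],
    'POST, no token'     => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN'  => 'https://app.example.com'],
    'same-origin POST'   => ['REQUEST_METHOD' => 'POST', 'HTTP_ORIGIN'  => 'https://app.example.com',
                             'HTTP_X_API_TOKEN' => $session['api_token']],
];
foreach ($requests as $label => $req) {
    [$status, , $body] = serveUserJson($req, $session, $record);
    echo str_pad($label, 18), ' -> ', $status, ' ', $body, PHP_EOL;
}
```

The Origin/Referer check and the token each close a different gap: the header check stops a page on another site from even reaching the data, and the token stops a forged or replayed request that somehow carries the right headers. Keeping both is cheap.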
Source code leakage : Misconfigured file permissions or exposed backup files (.git, .svn, .bak, .zip, etc.) allow attackers to download source code. Regularly audit web‑accessible directories and remove such files.
Typical names and extensions to watch for and delete from publicly reachable paths include: .git, .svn, .bak, .rar, .zip, .7z, .tar.gz, .swp, .txt, .html.
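A read-only audit of a web root for the artefacts listed above, as an added example that is not the article's code. findExposedArtifacts() and the RISKY_* lists are constructed; the lists follow the page's entries, extend them with a few other names that commonly end up in document roots (.env, phpinfo.php, .sql dumps, editor backups), and leave out .txt and .html because those are usually legitimate content and need a manual look. The run builds a throwaway tree in the system temp directory.

```php
<?php
declare(strict_types=1);

const RISKY_DIRS       = ['.git', '.svn', '.hg'];
const RISKY_EXTENSIONS = ['bak', 'rar', 'zip', '7z', 'gz', 'swp', 'sql', 'old', 'orig'];
const RISKY_FILES      = ['.env', 'phpinfo.php'];

// Walks $webRoot and returns [['path' => ..., 'reason' => ...], ...]. Nothing is deleted;
// the list is for review, since a hit may be a file the site genuinely serves.
function findExposedArtifacts(string $webRoot): array
{
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        $name = $info->getFilename();
        if ($info->isDir()) {
            if (in_array($name, RISKY_DIRS, true)) {
                $hits[] = ['path' => $path, 'reason' => 'version-control metadata directory'];
            }
            continue;
        }
        $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (in_array($name, RISKY_FILES, true)) {
            $hits[] = ['path' => $path, 'reason' => 'configuration or diagnostic file'];
        } elseif (in_array($ext, RISKY_EXTENSIONS, true)) {
            $hits[] = ['path' => $path, 'reason' => "backup or archive extension .$ext"];
        } elseif (preg_match('/~$|^#.*#$/', $name)) {
            $hits[] = ['path' => $path, 'reason' => 'editor temporary file'];
        }
    }
    return $hits;
}

// Constructed sample tree.
$root = sys_get_temp_dir() . '/webroot_' . bin2hex(random_bytes(4));
mkdir("$root/.git", 0700, true);
mkdir("$root/uploads", 0700, true);
file_put_contents("$root/.git/config", '');
file_put_contents("$root/index.php", '<?php echo "ok";');
file_put_contents("$root/config.php.bak", '');
file_put_contents("$root/uploads/site.zip", '');
file_put_contents("$root/.index.php.swp", '');
file_put_contents("$root/.env", 'DB_PASSWORD=placeholder');

foreach (findExposedArtifacts($root) as $hit) {
    echo substr($hit['path'], strlen($root)), ' : ', $hit['reason'], PHP_EOL;
}
```

Run it from cron against the real document root and diff the output against the previous run; a new entry usually means a deploy or an editor left something behind. Pairing the audit with a web-server rule that denies dot-directories and the listed extensions means a missed file is still not downloadable.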