Security in PHP

Falcon · #21 (**permalink**) 03-21-2008, 02:41 AM

Hi Buddies

Numeric Data Validation
All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous.

Casting is a simple and very efficient way to ensure that variables contain numeric values.

Example of floating point number validation

PHP Code:

       if (!empty($_GET['price']))      {  

                $price = (float) $_GET['price'];

    }      else     $price = 0;

Regards
Falcon

Falcon · #22 (**permalink**) 03-21-2008, 03:31 AM

Hi Buddies

String Validation
PHP comes with a ctype, extension that offers a very quick mechanism for validating string content.

PHP Code:

  if (!ctype_alnum($_GET['login'])) {

        echo "Only A-Za-z0-9 are allowed.";

}

if (!ctype_alpha($_GET['captcha'])) {

        echo "Only A-Za-z are allowed.";

}

if (!ctype_xdigit($_GET['color'])) {

        echo "Only hexadecimal values are allowed";

}

Regards
Falcon

Falcon · #23 (**permalink**) 03-21-2008, 03:32 AM

Hi Buddies

Cross Site Scripting (XSS)
Cross Site Scripting (XSS) is a situation where by attacker injects HTML code, which is then displayed on the page without further validation.

Can lead to embarrassment
Session take-over
Password theft
User tracking by 3rd parties

Regards
Falcon

senraj · #24 (**permalink**) 03-21-2008, 05:04 AM

Hi,

Prevention of XSS is as simple as filtering input data via one of
the following:

htmlspecialchars()
Encodes ‘, “, <, >, &
htmlentities()
Convert anything that there is HTML entity for.
strip_tags()
Strips anything that resembles HTML tag.

Tag allowances in strip_tags() are dangerous, because attributes of those tags are not being validated in any way.

senraj · #25 (**permalink**) 03-21-2008, 05:05 AM

Hi,

Prevention of XSS

$str = strip_tags($_POST['message']);

// encode any foreign & special chars
$str = htmlentities($str);

// strip tags can be told to "keep" certain tags
$str = strip_tags($_POST['message'], '');

// tag allowance problems

Lot's of text

senraj · #26 (**permalink**) 03-21-2008, 06:31 AM

Hi,

SQL injection is similar to XSS, in the fact that not validated data
is being used. But in this case this data is passed to the database.

Arbitrary query execution
Removal of data.
Modification of existing values.
Denial of service.
Arbitrary data injection.

PHP Code:

  // consider this query, it will delete all records from users
$name = "ARUN"; 
DELETE FROM users;&#8221;;
mysql_query(&#8220;SELECT * FROM users WHERE name =’{$name}’”);

senraj · #27 (**permalink**) 03-21-2008, 06:32 AM

Hi,

If your database extension offers a specific escaping function then always use it; instead of other methods

MySQL
mysql_escape_string()
mysql_real_escape_string()
PostgreSQL
pg_escape_string()
pg_escape_bytea()
SQLite
sqlite_escape_string()

senraj · #28 (**permalink**) 03-21-2008, 06:34 AM

Hi,
Sql Escaping

PHP Code:

  // undo magic_quotes_gpc to avoid double 

    if (get_magic_quotes_gpc()) {

        $_GET['name'] = stripslashes($_GET['name'];

        $_POST['binary'] = stripslashes($_GET['binary']);

    }

 
    $name = pg_escape_string($_GET['name']);

    $binary = pg_escape_bytea($_POST['binary']);

 
    pg_query($db, "INSERT INTO tbl (name,image)

            VALUES('{$name}', '{$image}')");

senraj · #29 (**permalink**) 03-21-2008, 06:36 AM

Hi,

When un-quoted integers are passed to SQL queries, escaping functions won’t save you, since there are no special chars to escape.

http://example.com/db.php?id=0;DELETE%20FROM%20users

PHP Code:

  $id = sqlite_escape_string($_GET['id']);

// $id is still 0;DELETE FROM users

sqlite_query($db,"SELECT * FROM users WHERE id={$id}");

// Bye Bye user data...

senraj · #30 (**permalink**) 03-21-2008, 06:39 AM

Hi,

Security in PHP Prepared Statements

Prepared statements are a mechanism to secure and optimize execution of repeated queries.

Works by making SQL “compile” the query and then substitute in the changing values for each execution.
Increased performance, one compile vs one per query.
Better security, data is “type set” will never be evaluated as
separate query.
Supported by most database systems.

MySQL users will need to use version 4.1 or higher.
SQLite extension does not support this either.

senraj · #31 (**permalink**) 03-21-2008, 10:32 PM

Hi,

Security in PHP Prepared Statements

PHP Code:

  $data = "Here is some text to index";

pg_query($db, "PREPARE my_stmt (text) AS

INSERT INTO search_idx (word) VALUES($1)");

foreach (explode(" ", $data) as $word) 

{// no is escaping needed

pg_query($db, "EXECUTE my_stmt({$word})");

}

// de-allocte the prepared statement

pg_query($db, "DEALLOCATE my_stmt");

Unless explicitly removed, prepared statements “stay alive”
between persistent connections.

senraj · #32 (**permalink**) 03-21-2008, 10:34 PM

Hi,

Code Injection is the execution of arbitrary local or remote code.

The two of the most common sources of code injection are:
Dynamic paths/files used in require/include statements
eval(): A major source of code injection is the improper validation of eval().

senraj · #33 (**permalink**) 03-21-2008, 10:36 PM

Hi,

Avoid using dynamic or relative paths/files in your code. Although somewhat less convenient; always use full paths, defined by constants, which will prevent attacks like these:

PHP Code:

  //dynamic path

$_GET['path'] = ‘http://test_site.org’;

include "{$_GET['path']}/header.inc";

//dynamic file

$_GET[‘interface’] = ‘../../../../../etc/passwd’;

require‘home/mbr/profile/templates_c/interfaces/’.$_GET[‘interface’];

There are some other ways to secure include or require calls...

senraj · #34 (**permalink**) 03-21-2008, 10:37 PM

Hi,

work with a white-list of acceptable values.
//create an array of acceptable file names
$tmpl = array();

foreach(glob("templates/*.tmpl") as $v)
{
$tmpl[md5($v)] = $v;
}

if (isset($tmpl[$_GET['path']]))
{
$fp = fopen($tmpl[$_GET['path']], "r");
}

Falcon · #35 (**permalink**) 03-24-2008, 05:19 AM

Hi Buddies

Session Security

Sessions are a common tool for user tracking across a web site.
For the duration of a visit, the session is effectively the user’s identity.
If an active session can be obtained by 3rd party, it can assume the identity of the user who’s session was compromised.

Regards
Falcon

Falcon · #36 (**permalink**) 03-24-2008, 05:21 AM

Hi Buddies

Securing Session ID

To prevent session id theft, the id can be altered on every request, invalidating old values.

PHP Code:

  <?php

session_start();

if (!empty($_SESSION)) { // not a new session

session_regenerate_id(TRUE); // make new session id

}

?>

Because the session changes on every request, the “back” button in a browser will no longer work, as it will make a request with the old session id.

Regards
Falcon

Falcon · #37 (**permalink**) 03-24-2008, 05:22 AM

Hi Buddies

Session Validation

Another session security technique is to compare the browser signature headers.

PHP Code:

  session_start();

$chk = @md5(

$_SERVER['HTTP_ACCEPT_CHARSET'] .

$_SERVER['HTTP_ACCEPT_ENCODING'] .

$_SERVER['HTTP_ACCEPT_LANGUAGE'] .

$_SERVER['HTTP_USER_AGENT']);

if (empty($_SESSION))

            $_SESSION['key'] = $chk;

else if ($_SESSION['key'] != $chk)

            session_destroy();

Regards
Falcon

Falcon · #38 (**permalink**) 03-24-2008, 05:25 AM

Hi Buddies

Safer Session Storage

By default PHP sessions are stored as files inside the common /tmp directory.
This often means any user on the system could see active sessions and “acquire” them or even modify their content.
Solutions?

Separate session storage directory via

session.save_path

Database storage mechanism, mysql, pgsql, oci, sqlite.

Custom session handler allowing data storage anywhere.

Regards
Falcon

senraj · #39 (**permalink**) 03-24-2008, 08:21 AM

Hi,

Shared Hosting

Most PHP applications run in shared environments where all
users “share” the same web server instances.
This means that all files that are involved in serving content must
be accessible to the web server (world readable).
Consequently it means that any user could read the content of files of all other users.

senraj · #40 (**permalink**) 03-24-2008, 08:22 AM

Hi,

The PHP Solution

PHP’s solution to this problem are 2 php.ini directives.
open_basedir – limits file access to one or more specified directories.
1. Relatively Efficient.
2. Uncomplicated.
safe_mode – limits file access based on uid/gid of running script
and file to be accessed.
1. Slow and complex approach.
2. Can be bypassed with little effort.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post