This is a discussion on Security in PHP within the PHP Programming forums, part of the Web Development category.
Example to emulate register_globals On
PHP Code:
__________________ With, J. Jeyaseelan Everything Possible
Example to emulate register_globals Off
PHP Code:
__________________ With, J. Jeyaseelan Everything Possible
The greatest weakness in many PHP programs is not inherent in the language itself, but merely an issue of code not being written with security in mind. For this reason, you should always take the time to consider the implications of a given piece of code, to ascertain the possible damage if an unexpected variable is submitted to it.
__________________ With, J. Jeyaseelan Everything Possible
You should always carefully examine your code to make sure that any variables being submitted from a web browser are being properly checked, and ask yourself the following questions:
__________________ With, J. Jeyaseelan Everything Possible
By starting out with this mindset, you won't guarantee the security of your system, but you can help improve it. You may also want to consider turning off register_globals, magic_quotes, or other convenience settings which may confuse you as to the validity, source, or value of a given variable. Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).
__________________ With, J. Jeyaseelan Everything Possible
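The post above recommends turning register_globals off and developing with error_reporting(E_ALL). The following is an added example, not code from the thread or from either poster, that shows why: a variable that is only set on the success path, which the request could pre-populate when register_globals was on (emulated here with extract() at top level), next to the explicit-initialisation pattern that does not depend on the setting. The request data, the variable names and the whitelist pattern for page are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread: the classic register_globals bug and the
// explicit-initialisation pattern that does not depend on the setting.
declare(strict_types=1);
error_reporting(E_ALL);           // as the post recommends: notices for uninitialised variables

// Constructed request: the client added ?authorized=1&page=home to the URL.
$_GET     = ['authorized' => '1', 'page' => 'home'];
$loggedIn = false;                // the user has NOT authenticated

// --- Before: what register_globals=On did for every request, emulated here with extract() ---
extract($_GET, EXTR_SKIP);        // $authorized now exists and holds the client's value '1'
if ($loggedIn) {
    $authorized = true;           // the only place the author intended to set it
}
$before = !empty($authorized) ? 'admin page shown' : 'access denied';
echo "register_globals style: $before\n";   // admin page shown, although nobody logged in

// --- After: initialise every variable, read input from the superglobal explicitly, validate it ---
$authorized = false;              // a variable the request cannot pre-populate
if ($loggedIn) {
    $authorized = true;
}
// Input is pulled from $_GET on purpose and checked against a whitelist pattern (constructed).
$page = filter_var($_GET['page'] ?? 'home', FILTER_VALIDATE_REGEXP,
                   ['options' => ['regexp' => '/^[a-z]{1,20}$/']]);
if ($page === false) {
    $page = 'home';               // anything outside the pattern falls back to a safe default
}
$after = $authorized ? 'admin page shown' : 'access denied';
echo "explicit style: $after (page=$page)\n";   // access denied (page=home)
```

With E_ALL on, the first half also emits a notice if extract() is removed and `$authorized` is read before it is set, which is exactly the early warning the post describes.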
In general, security by obscurity is one of the weakest forms of security. But in some cases, every little bit of extra security is desirable. A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php = off in your php.ini file, you reduce the amount of information available to them.
__________________ With, J. Jeyaseelan Everything Possible
Another tactic is to configure web servers such as Apache to parse different filetypes through PHP, either with an .htaccess directive, or in the Apache configuration file itself.
__________________ With, J. Jeyaseelan Everything Possible
To hide PHP as another language
Code:
    # Make PHP code look like other code types
    AddType application/x-httpd-php .asp .py .pl
__________________ With, J. Jeyaseelan Everything Possible
Using unknown types for PHP extensions
Code:
    # Make PHP code look like unknown types
    AddType application/x-httpd-php .bop .foo .133t
__________________ With, J. Jeyaseelan Everything Possible
Hide it as HTML code, which has a slight performance hit because all HTML will be parsed through the PHP engine:
Code:
    # Make all PHP code look like HTML
    AddType application/x-httpd-php .htm .html
__________________ With, J. Jeyaseelan Everything Possible
For the above to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks.
__________________ With, J. Jeyaseelan Everything Possible
PHP, like any other large system, is under constant scrutiny and improvement. Each new version will often include both major and minor changes to enhance security and repair any flaws, configuration mishaps, and other issues that will affect the overall security and stability of your system. Like other system-level scripting languages and programs, the best approach is to update often, and maintain awareness of the latest versions and their changes.
__________________ With, J. Jeyaseelan Everything Possible
Hi,
Spoofed Form Input
It's important to remember that input sent to your script may not have been sent from the form you created. This means that, although you might have data in checkboxes, radio buttons, selects or other "read-only" elements, they might contain values that were never in the elements you created and thus need filtering just like inputs and textareas. This also means that you cannot rely solely on client-side validation. Whilst it's nice to have errors pointed out to the user without having to reload a page (and possibly lose all of their input), using client-side validation as a security measure is not sensible. Make sure you check all input server-side, in your PHP scripts, before you do anything like insert it into a database.
__________________ Regards, Senraj.A
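As an added example, not part of Senraj.A's post or of any project, here is what the server-side check described above looks like for select, checkbox and radio fields: every submitted value is compared, with strict types, against the option list the form actually rendered, and free text gets its own length check before it goes anywhere near a database. The field names, the allowed values and the two constructed submissions are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the thread: whitelist validation for form fields a client
// might assume are "read-only" (select, checkbox, radio). Field names and values are constructed.
declare(strict_types=1);

const ALLOWED_COUNTRIES  = ['de', 'fr', 'gb', 'us'];   // the <option> values we rendered
const ALLOWED_NEWSLETTER = ['daily', 'weekly'];        // the checkbox values we rendered
const ALLOWED_PLANS      = ['free', 'pro'];            // the radio values we rendered

/**
 * Validate a submitted form against the options the form actually offered.
 * Returns [cleanValues, errors]; cleanValues is empty whenever there are errors.
 */
function validateProfileForm(array $post): array
{
    $errors = [];
    $clean  = [];

    // <select name="country">: must be exactly one of the option values we rendered.
    $country = $post['country'] ?? '';
    if (!is_string($country) || !in_array($country, ALLOWED_COUNTRIES, true)) {
        $errors[] = 'country: not one of the offered options';
    } else {
        $clean['country'] = $country;
    }

    // <input type="checkbox" name="newsletter[]">: an array of strings, each an allowed value.
    $newsletter = $post['newsletter'] ?? [];
    if (!is_array($newsletter) || array_filter($newsletter, 'is_string') !== $newsletter) {
        $errors[] = 'newsletter: unexpected value shape';
    } else {
        $unknown = array_diff($newsletter, ALLOWED_NEWSLETTER);
        if ($unknown !== []) {
            $errors[] = 'newsletter: unknown option(s) ' . implode(',', $unknown);
        } else {
            $clean['newsletter'] = array_values(array_unique($newsletter));
        }
    }

    // <input type="radio" name="plan">: strict comparison, no implicit casts.
    $plan = $post['plan'] ?? '';
    if (!in_array($plan, ALLOWED_PLANS, true)) {
        $errors[] = 'plan: not one of the offered options';
    } else {
        $clean['plan'] = $plan;
    }

    // Free text still gets type and length checks; it is not trusted because it came from a textbox.
    $displayName = is_string($post['display_name'] ?? null) ? trim($post['display_name']) : '';
    if ($displayName === '' || strlen($displayName) > 40) {
        $errors[] = 'display_name: required, at most 40 bytes';
    } else {
        $clean['display_name'] = $displayName;
    }

    return $errors === [] ? [$clean, []] : [[], $errors];
}

// Constructed submissions: the second one was not produced by our form.
$genuine  = ['country' => 'de', 'newsletter' => ['weekly'], 'plan' => 'pro', 'display_name' => 'alice'];
$tampered = ['country' => 'xx', 'newsletter' => ['weekly', 'admin'], 'plan' => 'free', 'display_name' => 'bob'];

[$clean, $errors] = validateProfileForm($genuine);
echo $errors === [] ? "genuine: accepted\n" : "genuine: rejected\n";
[$clean, $errors] = validateProfileForm($tampered);
echo "tampered: " . implode('; ', $errors) . "\n";
```

The point of the strict `in_array(..., true)` calls is that the comparison is against the exact strings the form offered; any client-side validation on the same fields is a convenience for the user, not part of this check.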
Hi,
File Uploads
File uploads are potentially the biggest security risk in web development. Allowing a third-party to place files on your server could allow them to delete your files, empty your database, gain user details and much more. However, it's certainly possible to upload files safely, and such functionality can be a great feature of your site. When allowing users to upload files from their local machine to your server, there are two things that you need to check. The first is the mime-type of the uploaded file; if your script is uploading images, for example, you'll want to just accept image/png, image/jpeg, image/gif, image/x-png and image/p-jpeg. You can do so as follows:
    <?php
    $validMimes = array(
        'image/png',
        'image/x-png',
        'image/gif',
        'image/jpeg',
        'image/pjpeg'
    );
    $image = $_FILES['image'];
    // $image['type'] is the type the browser reported with the upload.
    if (!in_array($image['type'], $validMimes)) {
        die('Sorry, but the file type you tried to upload is invalid; only images are allowed.');
    }
    // Do something with the uploaded file.
__________________ Regards, Senraj.A
Hi,
File Uploads
The second thing to check is the file extension. It's certainly possible to spoof a mime-type; one vector is to take an image, insert PHP code into the sections the file format allows for meta data, give it a .php extension, and upload it. In this case, your mime-checking would think the file was an image, upload it, and allow execution of the PHP code within. To avoid this, you should manually assign files an extension based on their mime-type. We could extend our above example to take this into account:
    <?php
    $validMimes = array(
        'image/png'   => '.png',
        'image/x-png' => '.png',
        'image/gif'   => '.gif',
        'image/jpeg'  => '.jpg',
        'image/pjpeg' => '.jpg'
    );
    $image = $_FILES['image'];
    if (!array_key_exists($image['type'], $validMimes)) {
        die('Sorry, but the file type you tried to upload is invalid; only images are allowed.');
    }
    // Get the filename minus the file extension. basename() drops any directory part the
    // client put into the name, and strrpos() returns false when there is no dot at all,
    // so the whole name is kept in that case instead of being cut to an empty string.
    $name = basename($image['name']);
    $dot = strrpos($name, '.');
    $filename = ($dot === false) ? $name : substr($name, 0, $dot);
    // Append the appropriate extension
    $filename .= $validMimes[$image['type']];
    // Do something with the uploaded file
You can see how the above attack is avoided; if the image containing the PHP code was called foo.php and was a PNG, it would be renamed to foo.png and the code would not be executed.
__________________ Regards, Senraj.A
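The two posts above check the browser-reported type and then assign the extension themselves. The handler below is an added example, not the poster's code, and goes one step further than the posts: it ignores the client-supplied type and filename entirely, detects the type from the file's own bytes with PHP's finfo extension, confirms the file decodes as that type with getimagesize(), and stores it under a random name with the extension chosen from the detected type. The extension map, the size limit and the constructed 1x1 PNG "upload" are assumptions; move_uploaded_file() appears only in a comment because the demonstration file is not a real upload and that call would refuse it.

```php
<?php
// Added example, not code from the thread: an upload check that does not trust the
// client-supplied $_FILES[...]['type'] or ['name'], detects the type from the bytes, and
// assigns both the extension and the stored filename itself. The "upload" is constructed.
declare(strict_types=1);

// Detected MIME type => extension we assign. Anything else is rejected.
const IMAGE_EXTENSIONS = [
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/jpeg' => 'jpg',
];
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;   // assumed limit for the demonstration

/**
 * Validate one entry of $_FILES and return the safe target filename, or throw.
 * The client-sent name and type are not used for any decision.
 */
function checkImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with error code ' . ($file['error'] ?? 'none'));
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('rejected: file too large');
    }

    // 1. Ask the server, not the browser, what the file is (libmagic on the actual bytes).
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected === false || !isset(IMAGE_EXTENSIONS[$detected])) {
        throw new RuntimeException('rejected: detected type is not an allowed image type');
    }

    // 2. It must also decode as an image of the same type (catches truncated or mislabelled data).
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $detected) {
        throw new RuntimeException('rejected: file does not decode as the detected image type');
    }

    // 3. Never reuse the client's filename: random name plus the extension for the detected type.
    return bin2hex(random_bytes(16)) . '.' . IMAGE_EXTENSIONS[$detected];
}

// --- Constructed demonstration input: a 1x1 PNG stored under a misleading client name/type ---
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, $png);

$fakeUpload = [
    'name'     => '../foo.php',     // client-controlled; the name is never used
    'type'     => 'image/gif',      // client-controlled; the detected type wins
    'tmp_name' => $tmp,
    'error'    => UPLOAD_ERR_OK,
    'size'     => strlen($png),
];

try {
    $target = checkImageUpload($fakeUpload);
    echo "accepted, would be stored as uploads/$target\n";   // name ends in .png, not .gif or .php
    // Real handler: move_uploaded_file($fakeUpload['tmp_name'], $uploadDirOutsideWebroot . $target);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
} finally {
    unlink($tmp);
}
```

Storing the file outside the web root and serving it through a script that sets the Content-Type from the stored extension keeps the web server from ever being asked to execute an upload, whatever its bytes contain.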
Generally, the system wants to be secured from the crackers. As we have discussed in this thread, security is the most required thing for anybody. This is the drawback to the crackers.
__________________ With, J. Jeyaseelan Everything Possible
Magic Quotes is a process that automagically escapes incoming data to the PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime,
__________________ With, J. Jeyaseelan Everything Possible
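The post above prefers handling the data at runtime over relying on magic quotes. As an added example that is not part of the thread, the following does the runtime part with a PDO prepared statement, so the input never becomes part of the SQL text and no escaping step can be forgotten or applied twice; the small boundary helper undoes magic_quotes_gpc only where a legacy PHP actually applied it. The table, the in-memory SQLite database (requires the pdo_sqlite extension) and the constructed POST value are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread: runtime handling of form input with a PDO
// prepared statement instead of magic quotes. Uses an in-memory SQLite database (pdo_sqlite).
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // let the database engine bind the parameters
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    return $db;
}

/** Insert a name exactly as given; the value is bound, never concatenated into the SQL. */
function addUser(PDO $db, string $name): int
{
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $stmt->execute([':name' => $name]);
    return (int) $db->lastInsertId();
}

/** Look a user up by name with the same binding discipline on the read path. */
function findUser(PDO $db, string $name): ?string
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row['name'];
}

/** Read one form value; undo magic_quotes_gpc escaping only where a legacy PHP applied it. */
function formValue(array $post, string $key): string
{
    $value = is_string($post[$key] ?? null) ? $post[$key] : '';
    // get_magic_quotes_gpc() was removed in PHP 8 and always returned false from PHP 5.4 on.
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

$db = openDb();

// Constructed POST body containing the characters magic quotes used to backslash-escape.
$_POST = ['name' => "O'Brien \"the\" \\admin"];
$input = formValue($_POST, 'name');

$id     = addUser($db, $input);
$stored = findUser($db, $input);
echo $stored === $input ? "stored verbatim (id $id): $stored\n" : "mismatch: $stored\n";
```

Because the value travels as a bound parameter, the quote, double quote and backslash in the constructed input are stored and read back unchanged, with no escaping in the application code at all.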
When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory.
__________________ With, J. Jeyaseelan Everything Possible