Security in PHP

Jeyaseelansarc · #81 (**permalink**) 04-01-2008, 07:50 AM

The PHP safe mode is an attempt to solve the shared-server security problem. It is architecturally incorrect to try to solve this problem at the PHP level, but since the alternatives at the web server and OS levels aren't very realistic, many people, especially ISP's, use safe mode for now.

Jeyaseelansarc · #82 (**permalink**) 04-01-2008, 07:52 AM

Quote:

Originally Posted by Jeyaseelansarc

When safe_mode is on, PHP checks to see if the owner of the current script matches the owner of the file to be operated on by a file function or its directory.

For example:

Code:

-rw-rw-r--    1 rasmus   rasmus       33 Jul  1 19:20 script.php 
-rw-r--r--    1 root     root       1116 May 26 18:01 /etc/passwd

Running this script.php

PHP Code:

  <?php

 readfile('/etc/passwd'); 

?>

Jeyaseelansarc · #83 (**permalink**) 04-01-2008, 07:53 AM

results in this error when safe mode is enabled:

Code:

Warning: SAFE MODE Restriction in effect. The script whose uid is 500 is not 
allowed to access /etc/passwd owned by uid 0 in /docroot/script.php on line 2

Jeyaseelansarc · #84 (**permalink**) 04-01-2008, 07:54 AM

However, there may be environments where a strict UID check is not appropriate and a relaxed GID check is sufficient. This is supported by means of the safe_mode_gid switch. Setting it to On performs the relaxed GID checking, setting it to Off (the default) performs UID checking.

Jeyaseelansarc · #85 (**permalink**) 04-01-2008, 07:54 AM

If instead of safe_mode, you set an open_basedir directory then all file operations will be limited to files under the specified directory. For example (Apache httpd.conf example):

Code:

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>

Jeyaseelansarc · #86 (**permalink**) 04-03-2008, 02:25 AM

If you run the same script.php with this open_basedir setting then this is the result:

Code:

Warning: open_basedir restriction in effect. File is in wrong directory in 
/docroot/script.php on line 2

Jeyaseelansarc · #87 (**permalink**) 04-03-2008, 02:26 AM

You can also disable individual functions. Note that the disable_functions directive can not be used outside of the php.ini file which means that you cannot disable functions on a per-virtualhost or per-directory basis in your httpd.conf file. If we add this to our php.ini file:

Code:

disable_functions readfile,system

Jeyaseelansarc · #88 (**permalink**) 04-03-2008, 02:28 AM

Quote:

Originally Posted by Jeyaseelansarc

If instead of safe_mode, you set an open_basedir directory then all file operations will be limited to files under the specified directory. For example (Apache httpd.conf example):

Code:

<Directory /docroot>
  php_admin_value open_basedir /docroot 
</Directory>

In this open_basedir() described as

Limit the files that can be opened by PHP to the specified directory-tree, including the file itself. This directive is NOT affected by whether Safe Mode is turned On or Off.

When a script tries to open a file with, for example, fopen() or gzopen(), the location of the file is checked. When the file is outside the specified directory-tree, PHP will refuse to open it. All symbolic links are resolved, so it's not possible to avoid this restriction with a symlink.

The special value . indicates that the working directory of the script will be used as the base-directory. This is, however, a little dangerous as the working directory of the script can easily be changed with chdir().

In httpd.conf, open_basedir can be turned off (e.g. for some virtual hosts) the same way as any other configuration directive with "php_admin_value open_basedir none".

Under Windows, separate the directories with a semicolon. On all other systems, separate the directories with a colon. As an Apache module, open_basedir paths from parent directories are now automatically inherited.

The restriction specified with open_basedir is actually a prefix, not a directory name. This means that "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. When you want to restrict access to only the specified directory, end with a slash. For example: "open_basedir = /dir/incl/"

Jeyaseelansarc · #89 (**permalink**) 04-03-2008, 02:30 AM

hi,
is it good to use command-line call of PHP scripts?

Jeyaseelansarc · #90 (**permalink**) 04-03-2008, 11:41 PM

Hi,
How do i protect my pages from the crackers?

Jeyaseelansarc · #91 (**permalink**) 04-05-2008, 12:48 AM

Hi,
I think captch will help to secure from the cracker

Jeyaseelansarc · #92 (**permalink**) 04-07-2008, 07:17 AM

For more information on Captcha

go the below link
http://www.discussweb.com/php-progra...t-captcha.html
http://www.discussweb.com/php-progra...php-error.html

Jeyaseelansarc · #93 (**permalink**) 04-07-2008, 07:19 AM

Captcha which contain security codes used for protecting a form from spam bots. By encoding a 'password' inside an image and asking the user to re-enter what they see you can verify the user is a human and not automated software submitting your form. Why not try out the following form with valid and invalid codes to see how it works.

Jeyaseelansarc · #94 (**permalink**) 04-07-2008, 07:20 AM

Here is the sample script for captcha

PHP Code:

  <?

class CaptchaSecurityImages {

 

   var $font = 'monofont.ttf';

 

   function generateCode($characters) {

      /* list all possible characters, similar looking characters and vowels have been removed */

      $possible = '23456789bcdfghjkmnpqrstvwxyz';

      $code = '';

      $i = 0;

      while ($i < $characters) { 

         $code .= substr($possible, mt_rand(0, strlen($possible)-1), 1);

         $i++;

      }

      return $code;

   }

 

   function CaptchaSecurityImages($width='120',$height='40',$characters='6') {

      $code = $this->generateCode($characters);

      /* font size will be 75% of the image height */

      $font_size = $height * 0.75;

      $image = imagecreate($width, $height) or die('Cannot initialize new GD image stream');

      /* set the colours */

      $background_color = imagecolorallocate($image, 255, 255, 255);

      $text_color = imagecolorallocate($image, 20, 40, 100);

      $noise_color = imagecolorallocate($image, 100, 120, 180);

      /* generate random dots in background */

      for( $i=0; $i<($width*$height)/3; $i++ ) {

         imagefilledellipse($image, mt_rand(0,$width), mt_rand(0,$height), 1, 1, $noise_color);

      }

      /* generate random lines in background */

      for( $i=0; $i<($width*$height)/150; $i++ ) {

         imageline($image, mt_rand(0,$width), mt_rand(0,$height), mt_rand(0,$width), mt_rand(0,$height), $noise_color);

      }

      /* create textbox and add text */

      $textbox = imagettfbbox($font_size, 0, $this->font, $code) or die('Error in imagettfbbox function');

      $x = ($width - $textbox[4])/2;

      $y = ($height - $textbox[5])/2;

      imagettftext($image, $font_size, 0, $x, $y, $text_color, $this->font , $code) or die('Error in imagettftext function');

      /* output captcha image to browser */

      header('Content-Type: image/jpeg');

      imagejpeg($image);

      imagedestroy($image);

      $_SESSION['security_code'] = $code;

   }

 

}

 

$width = isset($_GET['width']) && $_GET['height'] < 600 ? $_GET['width'] : '120';

$height = isset($_GET['height']) && $_GET['height'] < 200 ? $_GET['height'] : '40';

$characters = isset($_GET['characters']) && $_GET['characters'] > 2 ? $_GET['characters'] : '6';

 

$captcha = new CaptchaSecurityImages($width,$height,$characters);

 

?>

Jeyaseelansarc · #95 (**permalink**) 04-08-2008, 07:30 AM

Data Filtering
As stated previously, data filtering is the cornerstone of web application security, and this is independent of programming language or platform. It involves the mechanism by which you determine the validity of data that is entering and exiting the application, and a good software design can help developers to:

* Ensure that data filtering cannot be bypassed,
* Ensure that invalid data cannot be mistaken for valid data, and
* Identify the origin of data.

Opinions about how to ensure that data filtering cannot be bypassed vary, but there are two general approaches that seem to be the most common, and both of these provide a sufficient level of assurance.

Jeyaseelansarc · #96 (**permalink**) 04-08-2008, 07:32 AM

The Dispatch Method

One method is to have a single PHP script available directly from the web (via URL). Everything else is a module included
with include or require as needed. This method usually requires that a GET variable be passed along with every URL,
identifying the task. This GET variable can be considered the replacement for the script name that would be used in a more
simplistic design. For example:

Code:

http://example.org/dispatch.php?task=print_form

The file dispatch.php is the only file within document root. This allows a developer to do two important things:

* Implement some global security measures at the top of dispatch.php and be assured that these measures cannot
be bypassed.
* Easily see that data filtering takes place when necessary, by focusing on the control flow of a specific task.

Jeyaseelansarc · #97 (**permalink**) 04-08-2008, 07:33 AM

To further explain this, consider the following example dispatch.php script:

PHP Code:

  <?php

/* Global security measures */

switch ($_GET['task'])

{

case 'print_form':

include '/inc/presentation/form.inc';

break;

case 'process_form':

$form_valid = false;

include '/inc/logic/process.inc';

if ($form_valid)

{

include '/inc/presentation/end.inc';

}

else

{

include '/inc/presentation/form.inc';

}

break;

default:

include '/inc/presentation/index.inc';

break;

}

?>

Jeyaseelansarc · #98 (**permalink**) 04-08-2008, 07:34 AM

If this is the only public PHP script, then it should be clear that the design of this application ensures that any global security measures taken at the top cannot be bypassed. It also lets a developer easily see the control flow for a specific task. For example, instead of glancing through a lot of code, it is easy to see that end.inc is only displayed to a user when $form_valid is true, and because it is initialized as false just before process.inc is included, it is clear that the logic within process.inc must set it to true, otherwise the form is displayed again (presumably with appropriate error messages).