Welcome! Guest

Login / Sign Up for wider access

Website
Ecommerce
SEO
Security
  • PHP Security Blunders

¤ Home » Security » PHP Security Blunders

PHP Security Blunders

PHP is the ideal programming language for developing dynamic websites and web based applications. It is an easy to learn language and has many convenient syntax rules and functions. However, like any programming language, PHP too is not free from security loopholes. Hence, while developing websites and web applications in PHP, a developer needs to take a little extra care to build secure applications. Once some important security aspects are taken care, you can build very secure applications in PHP.

This article deals with some of the common PHP programming mistakes that can result in security flaws. We will attempt to demonstrate how each flaw is exploited causing security vulnerabilities. Avoiding such mistakes can indeed help build secure applications.


Unvalidated Input Errors

A common PHP security flaw is the unvalidated input error. Data provided in online forms by users and website visitors simply cannot be trusted. There is a good number of people sitting out there on the internet who have no other job than to keep attempting to damage others work. Unvalidated or improperly validated input is one of the root causes of many of the exploits.

As an example, you might write the following code to allow a user to view a calendar that displays a specified month by calling the UNIX cal command.

$month = $_GET['month']; 
$year = $_GET['year']; 
exec("cal $month $year", $result); 
foreach($result as $r) print "$r";

This code has a gaping security hole, since the $_GET[month] and $_GET[year] variables are not validated in any way. The application works perfectly, as long as the specified month is a number between 1 and 12, and the year is provided as a proper four-digit year. However, a malicious user might append ";ls -la" to the year value and thereby see a listing of your Website's html directory. An extremely malicious user could append ";rm -rf *" to the year value and delete your entire Website.

The proper way to correct this is to ensure that the input you receive from the user is what you expect it to be. Do not use JavaScript validation for this; such validation methods are easily worked around by an exploiter who creates their own form or disables javascript. You need to add PHP code to ensure that the month and year inputs are digits and only digits, as shown below.

$month = $_GET['month']; 
$year = $_GET['year']; 
if (!preg_match("/^[0-9]{1,2}$/", $month)) die("Bad month, please re-enter."); 
if (!preg_match("/^[0-9]{4}$/", $year)) die("Bad year, please re-enter."); 
exec("cal $month $year", $result); 
foreach ($result as $r) print "$r";

This code can safely be used without concern that a user could provide input that would compromise your application, or the server running it. Regular expressions are a great tool for input validation. They can be difficult to grasp, but are extremely useful in this type of situation. You should always validate your user-provided data by rejecting anything other than the expected data. Never use the approach that you'll accept anything except data you know to be harmful -- this is a common source of security flaws. Sometimes, malicious users can get around this methodology, for example, by including bad input but obscuring it with null characters. Such input would pass your checks, but could still have a harmful effect.

You should be as restrictive as possible when you validate any input. If some characters don't need to be included, you should probably either strip them out, or reject the input completely.

A better approach would be to simply not use any of such vulnerable PHP functions. Given below is a list of vulnerable PHP functions which can be simply disabled with an entry in php.ini file.

exec, system, passthru, readfile, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, ini_alter, dl, popen, parse_ini_file, show_source

Your entry in php.ini file should be as shown below:

disable_functions="exec, system, passthru, readfile, shell_exec, escapeshellarg, escapeshellcmd, proc_close, proc_open, ini_alter, dl, popen, parse_ini_file, show_source"


Access Control Flaws

The access control vulnerability can be induced in websites developed in any programming language, not necessarily PHP alone. Any web site or web application makes use of several commonly includes files that may contain your own functions, classes, and configuration parameters. Some of the configuration files may even contain vulnerable data such as your database access password. Such commonly included files should be kept under directories that have restricted access for the world.

You can place all such vulnerable files, which are not directly accessed by URL, in a separate directory and protect this directory with a suitable .htaccess file. The .htaccess file should have an entry deny from all

Place the configuration files outside your Web-accessible directory to further strengthen your application. Use the PHP include function to include these files in your publicly accessible web page files. Always include using absolute path. Disable URL Include

The following entries in your php.ini file will disable url include:

allow_url_fopen = Off
allow_url_include = Off

Given below is a recommended directory structure. All function libraries, classes and configuration files can be kept in an includes directory. Always name these include files with a .php extension, so that even if all your protection is bypassed, the web server will parse the PHP code, and will not display it to the user. The public_html directory and all directories and sub-directories under it are the only directories whose files can be accessed directly by a URL.

/home 
 /website_base_directory 
   /public_html 
      .htaccess
      index.php 
      page1.php
      page2.php
      /images
         index.php
         img1.gif
         img2.gif
         img3.gif
  /includes 
     .htaccess 
      common_functions.php 
      config.php 
      /classes
         class1.php
         class2.php 
         class3.php
         class4.php

You should set your Apache directory indexes to index.php, and keep an index.php file in every directory that is accessible by URL. Set it to redirect to your main page if the directory should not be browse-able, such as an images directory or similar.


Accidental exposure of PHP Source Code

Developers often have a tendency to save a copy of the old PHP files with a .bak or .old or .php_old extension, every time they make some major changes to the code. This can expose your backed up code.

Never make a backup of a php file in your web-exposed directory by adding an extension to the filename other than .php. Depending on the web server you use, the PHP code in the file will not be parsed by the web server, and may be output as a source to a user who stumbles upon a URL to the backup file. If that file contained passwords or other sensitive information, that information would be readable. It could even end up being indexed by Google if the spider stumbled upon it. Renaming files to have a .bak.php extension is safer.



Copyright © ctsindia.com   All rights reserved   Disclaimer | Privacy Policy  
Home | Website Builder | Website Solution | Help Center | TOS | Payment Options | Reseller | Recommend Us | Links | Sitemap
Domain | Linux Hosting | Windows Hosting | Email Hosting | Reseller Hosting | eCommerce Hosting | Website | SSL Certs.