PHP Security

A few days ago I read an article on PHP Security on ILoveJackDaniels.com. I cannot stress enough the importance of the concepts covered there. Some of the major points made there are...

Don't give any files the extension '.inc'.

Some people give the files that are included this extension - as in...
include('./connect.inc'); // Connect to the database.
and include this line in every file of the site. The programmer must put the username and password of the database connection in this file. The problem is that if any user types the direct address of the file into the browser, like this - http://www.example.com/connect.inc - he can see the username and password. But if the extension is '.php', this big security threat can be avoided, as the server will parse the file before showing it. If you do a quick search on Google to find how many people are affected by this, you will be surprised - as I was.

SQL Injection

Please run 'addslashes()' on the data coming from the user. If you ignore this, you will be vulnerable to a hack attempt called SQL Injection. This happens when the visitor inputs a SQL query as the form data and your code executes it.

For example, consider the authentication code:

mysql_query("SELECT * FROM table WHERE username='$_REQUEST[user]' AND password='$_REQUEST[pass]'");
Any person can run an SQL query through this code. Just input the following as the username...
' OR 1=1;#
This will cause the query to be
mysql_query("SELECT * FROM table WHERE username='' OR 1=1;#' AND password=''");
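See what happens? The query gets executed! Everything after the # is treated as a comment, and OR 1=1 is true for every row, so the password check never runs. Now if this is a malicious guy, he will not stop there. He will try something like...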
'; DROP * FROM table;#
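
The same login check with the input bound as a parameter instead of pasted into the query text, fed the username quoted above. This is an added example, not code from this post or the linked article. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL; the users table, its columns, the sample account and the use of password_hash()/password_verify() are constructed for illustration.

```php
<?php
// Added example (not from the original post). Table, columns and the
// sample account are constructed; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Vulnerable pattern from the post: user input becomes part of the SQL text.
function build_query_unsafe(string $user, string $pass): string
{
    return "SELECT * FROM users WHERE username='$user' AND password='$pass'";
}

// Hardened: the SQL text is fixed and the input is bound as data, so quotes,
// semicolons and '#' inside it are never parsed as SQL.
function login(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $user]);
    $hash = $stmt->fetchColumn();
    // fetchColumn() returns false when no row matched the username.
    return $hash !== false && password_verify($pass, $hash);
}

$payload = "' OR 1=1;#"; // the username input quoted in the post

// Shows how the unsafe builder rewrites the query (printed, not executed).
echo build_query_unsafe($payload, ''), "\n";

// The same input through the parameterized path is just an unknown username.
var_dump(login($db, $payload, ''));
var_dump(login($db, 'alice', 'correct horse'));
var_dump(login($db, 'alice', 'wrong'));
```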

Many more...

There are a lot more things to watch out for - read the article to know more about them. It is a three-part article; read at least the first two sections. I would recommend that you read all three sections - if you are really serious about PHP programming.

phpInfo()

A point that the author has missed is the threat posed by the phpInfo() function. I often make a file with this function at the beginning of the project to see the server info. Sometimes I neglect to delete this file. I don't have to say what kind of damage a hacker can do with the kind of data given by the phpInfo() function. So, if you make a phpInfo() file, please don't forget to delete it.

2 Comments:

Anonymous said...

Why address a symptom instead of the root cause of the problem? Using .inc as a file extension for includes is a good practice that makes a lot of sense. The mistake is when you keep includes within document root, which is an unnecessary risk. That's a public directory. See the beginning of this section in the PHP Security Guide:

http://phpsec.org/projects/guide/3.html

Concerning SQL injection, you need to escape output, not input. Also, use an escaping function native to your database, defaulting to addslashes() only when there is no better alternative.

Anonymous said...

This doesn't even cover the basics of php security. What about topics like xsl prevention, the evils of registerglobals,...