Adam Palmer MBCS CITP, Linux, PHP Programmer, MySQL Developer, Embedded Hardware, Security Consultant

14 Jan 10 PHP Security

As a PHP programmer, there are a couple of things you can do quickly and easily to increase the security of your PHP code installation.

Look into PHP’s “safe mode” feature, ESPECIALLY if you’re running a webserver that the general public can upload scripts to. Here you’ll find a list of the functions disabled or restricted by safe mode. It is not strictly PHP’s job to restrict these types of functions; however, unless you really know what you’re doing, the list of functions restricted by safe mode is a good starting point for building secure applications. These are generally functions that allow file and directory manipulation, and socket manipulation. If it’s not possible within your environment to disable them all, disable as many of these functions as possible.

Although not that common, if I’m writing an application that heavily relies on functions that manipulate directories or sockets, I’ll prefer to create a C daemon or similar to handle this side of things and simply use PHP to communicate with it.

Within your code, never assume that input supplied by a user, or input that a user could have manipulated, is safe. Take the following example:

readfile.php?file=…
<?php
// Vulnerable: the user-supplied path is passed straight to fopen()
$fh = fopen($_GET['file'], "r");

?>

The attacker can specify ?file=/etc/passwd or, for that matter, anything else readable by the web user. Instead:

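readfile.php?file_id=1
<?php
// Map a user-supplied ID to a fixed filename; the user never supplies a path
switch ($_GET['file_id'])
{
    case "1":
        $filename = "/tmp/myfile";
        break;

    default:
        // Unknown ID: stop here rather than continue with $filename unset
        exit("Unknown file");
}
?>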

Next, make sure register_globals is turned OFF in PHP’s config file. In all newer versions of PHP this is already done. register_globals automatically creates a variable called $username from a page called with page.php?username=adam. With register_globals off, this is only accessible via $_GET['username'] or $_REQUEST['username'].

This means that I could call page.php?user_id=1&username=admin. Your code should accommodate register_globals being turned on and automatically check for this kind of variable poisoning; however, this is often overlooked.

Magic Quotes is a deprecated feature of PHP that helped beginners write more secure code. All incoming input would automatically have its quotes escaped, thus preventing SQL Injection. More advanced users who know what they’re doing can find this annoying, as it is not strictly PHP’s job to interfere with the input variables like this. Instead you should escape all input yourself with addslashes() or mysql_real_escape_string().

PHP error reporting is another important issue to consider. By default, any warnings and errors are printed out to the user. This often gives away directory paths, filenames, variables and all sorts of other information about the server and the script that should not be printed out to an anonymous user. Turn off error reporting to the screen and instead dump any errors to a log file and perhaps trigger an email to an admin.
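
One way to set this up from application code, as an added example that is not part of the original post. The log path, the admin address and the function names are placeholder assumptions, and the same directives can be set in php.ini instead.

```php
<?php
// Added example: hide errors from visitors, log them, and notify an admin.
// ERROR_LOG_FILE and ADMIN_EMAIL are assumed placeholder values.
const ERROR_LOG_FILE = '/var/log/php/app_errors.log';
const ADMIN_EMAIL    = 'admin@example.com';

error_reporting(E_ALL);                  // keep detecting everything...
ini_set('display_errors', '0');          // ...but never print it to the browser
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');              // fatal errors still reach the log
ini_set('error_log', ERROR_LOG_FILE);

// Build one log line. Control characters are replaced so that request data
// echoed inside an error message cannot forge extra log entries.
function format_error($severity, $message, $file, $line)
{
    $clean = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $message);
    return sprintf('[%s] severity=%d %s in %s:%d',
                   date('c'), $severity, $clean, $file, $line);
}

function handle_error($severity, $message, $file, $line)
{
    if (!(error_reporting() & $severity)) {
        return false;                    // respect the current reporting level
    }
    $entry = format_error($severity, $message, $file, $line);
    error_log($entry);                   // type 0: written to ERROR_LOG_FILE
    if ($severity & (E_WARNING | E_USER_ERROR | E_RECOVERABLE_ERROR)) {
        error_log($entry, 1, ADMIN_EMAIL);   // type 1: sent by email
    }
    return true;                         // skip PHP's built-in handler
}

function handle_exception($e)
{
    $entry = format_error(E_ERROR, get_class($e) . ': ' . $e->getMessage(),
                          $e->getFile(), $e->getLine());
    error_log($entry);
    error_log($entry, 1, ADMIN_EMAIL);
    http_response_code(500);
    echo 'An internal error occurred.';  // generic text: no paths, no variables
}

set_error_handler('handle_error');
set_exception_handler('handle_exception');
```

The log file should live outside the web root and be writable only by the web server user, otherwise the details hidden from the screen are simply served from another URL.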

These are just a few basic things to keep in mind to get started. User input can come in a variety of formats, and not just via the variables $_GET, $_SESSION, etc. XSS (Cross Site Scripting) is another common attack method and something that will be covered in future articles.
