PHP Security
More than 730 titles from different sources. Prepared by gotAPI.com
A Complete, Secure User Login System
When I started seeing spam messages posted to the new column annotation system, I knew I would have to create some sort of user authentication system that helps weed out the losers. I'm the type that would rather write an entire library myself than try to learn something like PHPLib or other similar libraries. The library needed to handle registration, confirmation emails, account updates (passwords, emails) among other things. It also needed to...
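The two credential-handling pieces such a registration and login library has to get right are how the password is stored and how the e-mail confirmation token is issued and checked. The code below is an added example written for this index, not the article's library, and it uses current PHP APIs (password_hash, random_bytes, hash_equals; PHP 7 or later assumed) rather than whatever the original used. The in-memory $users array is a constructed stand-in for a users table.

```php
<?php
// Added example (not the article's library): password storage and
// e-mail confirmation tokens for a registration/login flow.
// $users is a constructed stand-in for a database table: name => row.
$users = [];

function registerUser(array &$users, string $name, string $password): string
{
    // Store a hash, never the password. password_hash() picks a random salt
    // and a slow algorithm (bcrypt by default) and encodes both in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Confirmation token: 32 random bytes. Only its hash is stored, so a
    // leaked table does not also leak live tokens.
    $token = bin2hex(random_bytes(32));
    $users[$name] = [
        'hash'       => $hash,
        'confirmed'  => false,
        'token_hash' => hash('sha256', $token),
        'token_exp'  => time() + 3600,   // token valid for one hour
    ];
    return $token;   // this is what goes into the confirmation e-mail link
}

function confirmUser(array &$users, string $name, string $token): bool
{
    if (!isset($users[$name]) || time() > $users[$name]['token_exp']) {
        return false;
    }
    // Constant-time comparison of the hashed token.
    if (!hash_equals($users[$name]['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $users[$name]['confirmed']  = true;
    $users[$name]['token_hash'] = '';   // single use
    return true;
}

function loginUser(array $users, string $name, string $password): bool
{
    // Verify against a dummy hash when the user is unknown, so response
    // timing does not reveal whether the account exists.
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $row = $users[$name] ?? null;
    $ok  = password_verify($password, $row['hash'] ?? $dummy);
    return $ok && $row !== null && $row['confirmed'];
}

// Walk through the flow with constructed input.
$token = registerUser($users, 'alice', 'correct horse battery staple');
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));  // login before confirmation
var_dump(confirmUser($users, 'alice', 'wrong-token'));                  // bad token
var_dump(confirmUser($users, 'alice', $token));                         // the token from the e-mail
var_dump(loginUser($users, 'alice', 'correct horse battery staple'));  // login after confirmation
var_dump(loginUser($users, 'mallory', 'anything'));                    // unknown user
```

Account updates (password or e-mail change) should reuse confirmUser's token pattern: issue a fresh single-use token, store only its hash, and require it before the change takes effect.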
Email Address Verification with PHP
Many applications in the field of Web development need to validate email addresses. While this can be done in a variety of ways, one simple but effective way involves writing your own functions in PHP. Alejandro Gervasio explains this approach.
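A hand-written validator of the kind the article describes, as an added example for this index (not Alejandro Gervasio's code). It does not attempt full RFC 5322 syntax; it enforces the length limits and label rules that matter for a sign-up form and, importantly, rejects a trailing newline, which a naive `$` anchor in PCRE would let through and which is the classic vector for mail-header injection when the address is later echoed into a header. The sample addresses are constructed.

```php
<?php
// Added example, not the article's code: a conservative e-mail address check.
function isPlausibleEmail(string $address): bool
{
    // 254 octets is the practical maximum for an address.
    if ($address === '' || strlen($address) > 254) {
        return false;
    }
    // Split local part and domain on the last '@'.
    $at = strrpos($address, '@');
    if ($at === false) {
        return false;
    }
    $local  = substr($address, 0, $at);
    $domain = substr($address, $at + 1);

    // Local part: 1..64 octets, dot-atom characters only,
    // no leading, trailing or doubled dots.
    if ($local === '' || strlen($local) > 64) {
        return false;
    }
    // The /D modifier makes '$' match only at the very end, so a trailing
    // newline (header-injection vector) is rejected instead of ignored.
    if (!preg_match('/^[A-Za-z0-9!#$%&\'*+\/=?^_`{|}~.-]+$/D', $local)) {
        return false;
    }
    if ($local[0] === '.' || substr($local, -1) === '.' || strpos($local, '..') !== false) {
        return false;
    }

    // Domain: at least two labels, each 1..63 chars of letters, digits and
    // hyphens, not starting or ending with a hyphen; the last label alphabetic.
    $labels = explode('.', $domain);
    if (count($labels) < 2) {
        return false;
    }
    foreach ($labels as $label) {
        if ($label === '' || strlen($label) > 63) {
            return false;
        }
        if (!preg_match('/^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$/D', $label)) {
            return false;
        }
    }
    return (bool) preg_match('/^[A-Za-z]{2,}$/D', end($labels));
}

// Constructed inputs with the verdict each should get.
$samples = [
    'alice@example.com'         => true,
    'a.b+tag@sub.example.org'   => true,
    'alice@localhost'           => false,  // no dot in domain
    '.alice@example.com'        => false,  // leading dot in local part
    'alice@-example.com'        => false,  // label starts with hyphen
    'alice@example.c0m'         => false,  // non-alphabetic top-level label
    'alice example@example.com' => false,  // whitespace
    "alice@example.com\n"       => false,  // trailing newline
];
foreach ($samples as $input => $expected) {
    $got = isPlausibleEmail($input);
    printf("%-32s %s\n", json_encode($input), $got === $expected ? 'ok' : 'MISMATCH');
}
```

Syntax checking only proves the string is shaped like an address; whether the mailbox exists is settled by the confirmation e-mail, not by the validator.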
Generating pronounceable passwords
The problem: Just today (1999/04/29), someone asked in the PHPBuilder discussion boards if there was a way to generate random but pronounceable passwords. I guess something like the ubiquitous passwords you find in each of the AOL CD-ROMs that litter our mailboxes :) In this article we will show how to do just that, with the constraints that we do not want to have number-containing words in the output, and that we want to be able to specify the le...
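A generator meeting the two stated constraints (letters only, caller-chosen length), as an added example for this index rather than the article's code. It alternates consonant and vowel groups, which is what makes the result pronounceable, and draws from random_int(), the CSPRNG PHP has had since 7.0; the article predates it. The syllable pools are an assumption of this example.

```php
<?php
// Added example, not the article's code: pronounceable, letters-only passwords.
function pronounceablePassword(int $length): string
{
    if ($length < 1) {
        throw new InvalidArgumentException('length must be positive');
    }
    // Pools are assumed for this example. Digraphs keep the output from being
    // a rigid consonant-vowel pattern; 'y' is omitted as neither clearly.
    $consonants = ['b','c','d','f','g','h','j','k','l','m','n','p','r','s','t','v','w','z',
                   'ch','sh','th','st','br','tr'];
    $vowels     = ['a','e','i','o','u','ai','ou','ea'];

    $out = '';
    // Start with either class at random so the first letter is not predictable.
    $useConsonant = random_int(0, 1) === 1;
    while (strlen($out) < $length) {
        $pool  = $useConsonant ? $consonants : $vowels;
        $piece = $pool[random_int(0, count($pool) - 1)];
        // Never overshoot the requested length; trim the final piece if needed.
        $out  .= substr($piece, 0, $length - strlen($out));
        $useConsonant = !$useConsonant;
    }
    return $out;
}

for ($i = 0; $i < 5; $i++) {
    echo pronounceablePassword(10), "\n";
}
```

The caveat a practitioner should keep in mind: restricting output to pronounceable syllables removes most of the entropy a random string of the same length would have, so these passwords need to be noticeably longer than random ones to resist offline guessing, and they should be issued as temporary credentials the user replaces rather than as long-term secrets.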
HTTPS Transactions Via PHP
With more and more e-commerce sites popping up around the world, the number of transaction servers will need to grow to support them all. Many of the newer e-commerce providers have made life easier for us developers by providing a web-based environment in which to execute their transactions. Let me explain. What do they do? While some providers make you install an application on your servers to talk to their servers, many now avoid that situation by doing t...
On the Security of PHP, Part 1
PHP has achieved a stable and solid presence on the Web in the last several years, and its popularity as a server-side scripting language is only increasing. Its primary use is for providing dynamically generated interfaces between Web users and the host. As such, PHP scripts are natural prey for many Internet attacks. Despite the fact that the language is designed with security in mind, a familiarity with its more dangerous aspects and conform...
On the Security of PHP, Part 2
Review Part 1. Secure Programming Guidelines: The way to secure PHP scripts is through a carefully selected combination of configuration settings and safe programming practices. Based on the vulnerabilities that we have studied so far, we will now set forth to establish some rules that can help avoid dangerous situations. Using PHP Safe Mode: PHP can be set up so that it executes scripts in a restricted environment to decrease the amount of damage ... (Note that Safe Mode was deprecated in PHP 5.3 and removed in PHP 5.4; on current releases the isolation it attempted has to come from the operating system, for example separate process users per site.)
PHP Filtering with OWASP
This tutorial introduces the reader to PHP filters from OWASP. OWASP (Open Web Application Security Project) released a top ten list of web application security vulnerabilities in 2003 and 2004; you can find the latest information about their Top Ten Project here. Most of the top ten vulnerabilities, including (A1) Unvalidated Input, (A2) Broken Access Control, (A4) Cross Site Scripting (XSS) Flaws, and (A6) Injection Flaws, can be av...
PHP Security, Part 1
In my last two columns (Common Style Mistakes, part one and Common Style Mistakes, part two), I discussed some common bad practices to avoid when writing PHP scripts which can make them more difficult to read and more prone to bugs. In today's column I'll change gears and discuss the meat of this series: the importance of security when working with PHP.
PHP Security, Part 2
Welcome back to PHP Foundations. In my previous article, I continued my mini-series on best practices in PHP by introducing you to some of the ways that security can be compromised in your PHP scripts. This article continues that discussion with more examples of potential security holes and the tools and methods you can use to help plug them. Today I'll start by talking about one of the more critical potential security holes in PHP development ...
PHP Security, Part 3
Welcome to another installment of PHP Foundations. Last time, I discussed the potential security breaches that can occur when using system calls from PHP scripts (and some methods of protecting yourself from them). As the last part of my series focusing on the pitfalls and techniques involved when writing secure PHP applications, this article will not introduce any new potential security breaches. Rather, today I will finish my discussion of secu...
PHP Security Mistakes
The purpose of this document is to inform PHP programmers of common security mistakes that can be overlooked in PHP scripts. While many of the following concepts may appear to be common sense, they are unfortunately not always common practice. After applying the following practices to your coding, you will be able to eliminate the vast majority of security holes that plague many scripts. Many of these security holes have been found in widely-used...
PHP s Encryption Functionality
2db76afcc5c0176b2770fc2360cc1cd4! What?!? I said, 648a19754f7803769c66f871b9cd171a! Of course, I don't expect you to be able to understand the above two phrases. In fact, I'm counting on it, because I've encrypted the data to hide the true meaning of the messages. This notion of data encryption plays an increasingly important part in our lives, particularly considering the mammoth amount of transactions and activities that take pl...
Preventing Web Attacks with Apache
Pro PHP Security / Preventing SQL Injection
Chapter 12 is reprinted with permission by Apress PHP is an extremely powerful yet easy-to-learn scripting language, affording even relatively inexperienced programmers the opportunity to create complex, dynamic websites. It is, however, notoriously difficult to ensure privacy and security of internet services. In this book, we will provide you with the security background every web developer needs, along with PHP-specific knowledge and code that...
Pro PHP Security / Preventing SQL Injection, Part 2
Chapter 12 is reprinted with permission by Apress Kinds of Injection Attacks There may not be quite as many different kinds of attacks as there are motives for attacks, but once again, there is more variety than might appear at first glance. This is especially true if the malicious user has found a way to carry out multiple query execution, a subject to which we will return in a moment. If your script is executing a SELECT instruction, the attack...
Pro PHP Security / Preventing SQL Injection, Part 3
Chapter 12 is reprinted with permission by Apress Abstract to Improve Security We do not suggest that you try to apply the techniques listed earlier manually to each instance of user input. Instead, you should create an abstraction layer. A simple abstraction would incorporate your validation solutions into a function, and would call that function for each item of user input. A more complex one could step back even further, and embody the entire ...
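The three chapter excerpts above describe the vulnerable pattern, the kinds of injection it enables, and the abstraction layer that prevents it. The code below is an added example for this index, not the book's code: it puts the vulnerable query beside a small abstraction in which every query is a prepared statement with bound parameters, and runs both against the same injection payload. It assumes PHP with the pdo_sqlite extension, and uses an in-memory SQLite database with a constructed users table so it runs without a server.

```php
<?php
// Added example, not from the book: SQL injection, unsafe versus bound parameters.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed table and rows for the demonstration.
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");

// Vulnerable: user input is interpolated into the SQL text, so the input
// can change the shape of the statement, not just the value compared.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Abstraction layer: every query goes through here. The SQL text is written
// only by the programmer; all user-supplied values arrive as bound parameters
// and are sent to the database separately from the statement.
function runQuery(PDO $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findUserSafe(PDO $db, string $name): array
{
    return runQuery($db, 'SELECT id, name, role FROM users WHERE name = :name',
                    [':name' => $name]);
}

// A constructed payload that turns the WHERE clause into a tautology.
$payload = "x' OR '1'='1";

$unsafe = findUserUnsafe($db, $payload);
$safe   = findUserSafe($db, $payload);

printf("unsafe query returned %d rows (every user leaked)\n", count($unsafe));
printf("safe query returned %d rows (no user is literally named %s)\n",
       count($safe), $payload);
```

Binding covers values only. Identifiers (table and column names) and keywords such as the sort direction cannot be bound, so if those must vary, the abstraction should map user input onto a fixed whitelist rather than interpolate it.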
Secure programming with PHP
While working on this article, I received a security bulletin highlighting a critical flaw in phpBB. This is a fairly mature open source forum written in PHP, and one that's had its fair share of critical flaws. The fact that there are still more being found, and more likely to be found, shows you how difficult it is to write completely secure software, even for an experienced team of developers. Ensure your software is up to date: It seems obvio...
Security Images in PHP
Learn how to create a sign-up form for a website with a security image. The image prevents fake sign-ups and spam. In this tutorial, we will learn how to create a security image template, then put it to use.
Security Images with PHP and ImageMagick
This article is intended to provide another look at Nathan Rohler's article that was recently published (the link is provided at the end of this article). His article illustrated how to use a database and PHP's image functions based on the GD library to create random security images. This article will demonstrate how to achieve the same goal (albeit with slightly different results) by using ImageMagick. I chose not to use hidden form fields and a...
Session Management and Authentication with PHPLIB
Let's face it, web pages, served over stateless HTTP, aren't designed for interaction with users. At one time or another, you've probably found yourself needing to know what user you are dealing with, and some information about that user. But how do you do it on the web? There are many ways, but most of them are either error prone or serious security risks. Passing around form data from page to page can easily be sniffed, and even more easily forged. What is a webmaster to...
Ten Security Checks for PHP, Part 1
Web applications have become a popular way to provide global access to data, services, and products. While this global access is one of the Web's underlying advantages, any security holes in these applications are also globally exposed and frequently exploited. It is extremely easy to write applications that contain unintentional security holes. This is demonstrated by the range of common web applications, including PHPMyAdmin, PHPShop and FreeTr...
Ten Security Checks for PHP, Part 2
In the previous article, we explored five security checks for PHP code; in this article we explore five more. Use the .php extension for all script files: Many PHP programmers use .inc or .class extensions for library and configuration files that are accessed by the include function. If a malicious user fet
The Soothingly Seamless Setup of Apache, SSL, MySQL, and PHP
Our objective is to install a web server that will allow us to host sites, that would be secure for e-commerce solutions, and that could be driven via scripts to connect to a database server and extract its data.
User Authentication With Apache And PHP
A long, long time ago, during my early days with Web application development, I was asked to write an administration module for a Web site. This module was to be available only to site administrators, and so required user authentication, or login, at the entry point itself. I didn't know much about Web development at the time, but I did my best and handed the code over to the QA people for testing.
User Authentication with patUser (part 1)
Over the past couple of years, Web application development has matured to a point where building a Web application is not quite as random a process as it once was. Most developers are now familiar with what goes into building the fundamental skeleton of a Web application: a database to store content, page templates to simplify maintenance, sessions and cookies for temporary data storage, and an authentication and privilege system to manage users ...
User Authentication With patUser (part 2)
In the first part of this article, I focused almost entirely on how patUser could simplify the task of adding authentication to your site. I explained the patUser database schema, ran you through the process of initializing a patUser object instance and linking it to a database and template engine, and showed you how built-in patUser methods could simplify the task of verifying user credentials and writing login and logout scripts.
User Authentication With patUser (part 3)
In the previous segment of this article, I discussed the various library functions related to user and group management, and also showed you some examples of how they could be used in real-world Web application development.
Visual Verification in PHP
Many topics on the discussion forums deal with the verification of form data. Often it is checked to determine whether or not the submission is from a user or from a bot, whether the email address entered is a valid address, or whether all the information that is required has been entered into the form. While it's fairly easy to check to see if a form field is empty, determining if the posted information came from a real human is another task altogether...
Web App Security Testing with a Custom Proxy Server
In this article, I'll discuss some common web-application security flaws and then demonstrate how to detect them. In the process of auditing web applications for security flaws, I will also present a PHP script that will act as a web proxy server, allowing us to intercept and alter HTTP requests between the web browser and the target web server. As we will see, this PHP script will aid us tremendously in testing for security flaws. Let's start by...
Working with Permissions in PHP, Part 1
In the past few columns, I have been discussing using PHP's file I/O capabilities for manipulating both files and directories. This week, we'll take a slight detour from a strictly PHP-related subject and discuss file permissions in Unix systems. If you are using PHP in a Windows environment (or other environment without a permission system), this column may not apply to you. How Permissions Work: Bef
Working with Permissions in PHP, Part 2
In my last column, we took a step away from PHP to discuss the Unix permissions system. In today's column we return to PHP to show you how to apply what you learned last time; again, this column applies only to those who work with PHP in an environment that supports Unix-like permissions. A Note on Permissions and PHP: Before I begin to discuss t