Delicious Bookmark this on Delicious Share on Facebook SlashdotSlashdot It! Digg! Digg



PHP : Security : General considerations

Chapter 2. General considerations

A completely secure system is a virtual impossibility, so an approach often used in the security profession is one of balancing risk and usability. If every variable submitted by a user required two forms of biometric validation (such as a retinal scan and a fingerprint), you would have an extremely high level of accountability. It would also take half an hour to fill out a fairly complex form, which would tend to encourage users to find ways of bypassing the security.

The best security is often unobtrusive enough to suit the requirements without the user being prevented from accomplishing their work, or over-burdening the code author with excessive complexity. Indeed, some security attacks are merely exploits of this kind of overly built security, which tends to erode over time.

A phrase worth remembering: A system is only as good as the weakest link in a chain. If all transactions are heavily logged based on time, location, transaction type, etc. but the user is only verified based on a single cookie, the validity of tying the users to the transaction log is severely weakened.

When testing, keep in mind that you will not be able to test all possibilities for even the simplest of pages. The input you may expect will be completely unrelated to the input given by a disgruntled employee, a cracker with months of time on their hands, or a housecat walking across the keyboard. This is why it's best to look at the code from a logical perspective, to discern where unexpected data can be introduced, and then follow how it is modified, reduced, or amplified.

The Internet is filled with people trying to make a name for themselves by breaking your code, crashing your site, posting inappropriate content, and otherwise making your day interesting. It doesn't matter if you have a small or large site, you are a target by simply being online, by having a server that can be connected to. Many cracking programs do not discern by size, they simply trawl massive IP blocks looking for victims. Try not to become one.

Code Examples / Notes » security.general

abdul basit

No doubt PHP is a strong language and it gain power during its evaluation.But there are too much security risks in PHP.Most  common are :
1-Invalidated Input Errors
2-Access Control Flaws
3-Session ID Protection
4-Cross Site Scripting (XSS) Attacks
5-SQL Injection Vulnerabilities
6-Error Reporting
7-Data Handling Errors
8-PHP configuration settings
As PHP is open-sourse server-side scripting language, it is most often uses in web applications and database-driven web site which obviously have critical data.So malicious users always try to find holes in its security, in other word this open-source is in focus of attackers.Thus it becomes the responsiblity of developer to minimize the securiy risks in  product.


andreas r dot newsgroups2005

In reply to: yairl at savion dot huji dot ac dot il (Important Security Note for emacs users)
> in apache webserver you can deny access to these files with the following configure order
>  <File "*~">
> Deny  all
> </File>
If you want to use .htaccess file, it should be:
<Files "*~">
Deny from all
</Files>
But then don't forget to set AllowOverride All (for the directory in question), e.g.
<Directory /var/www/localhost/htdocs>
   AllowOverride All
</Directory>
since with the (default?) AllowOverride None the .htaccess files are ignored, see
http://issues.apache.org/bugzilla/show_bug.cgi?id=41760


lesley_b_linux

In answer to the first poster here, you shouldn't really be developing within the tree of a live Internet facing web server at all ever.
All Linux distro's I have come across have the capability of running Apache on the localhost so at it's simplest level you should :-
0.  Get the latest web site code from your version control system.
1. Do your development using the localhost web server
2.  Check in your new site code to the version control system you are running.
3. Upload only the new or updated files to the active webserver
You can use anything from ftp to sitecopy to upload your files and most advanced site copying tools allow you to ignore *.bak  *~ or even entire directories if you need to.
If you must develop on the server, then ssh in and use vi but look out for disconnects leaving vi .*.swp files aorund.  (Why use vi? Because then you aren't exposing the web server to further insecurity by running the portmap deamon for the X-server required for emacs. )
That's speaking as someone who uses both emacs and vi.


yairl

Important Security Note for emacs users
Many linux/unix developers like the emacs editor to write code. It's a great editor with many features for PHP/Perl developers. emacs by default creates a back up file ending with ~. Then when you create a file myprogram.php it creates a back up file myprogram.php~ . You can change this default behavoir  to avoid emacs creates this file but many people prefer to keep this default. The problem is that through the webserver people can load this file ending with ~ and can see your php code because the webserver doesn't parser this file as php type due to the ~. This behavoir is a strong security hole, it permits to everybody to see and hack your code. i recommend to emacs users to deny access to files ending with ~ in general to avoid this problem.
In general PHP developers must check that the editor they are using is not creating a file beside the php source file without the end file name .php necessary for the webserver to parser it as php application.
in apache webserver you can deny access to these files with the following configure order
<File "*~">
Deny  all
</File>


ms_sux_2000

Emacs doesn't require an X server to run, you can use the command line option '-nw' to start emacs in that console.  Also portmap isn't required by an X server nor emacs (except maybe for special optional packages).

henke dot andersson

A good tactic to employ is the "least privileged needed" aproatch. If a aplication is only reading from a particular table in a particular database, it should have a account that can do exactly that and no more.

Change Language


Follow Navioo On Twitter
Introduction
General considerations
Installed as CGI binary
Installed as an Apache module
Filesystem Security
Database Security
Error Reporting
Using Register Globals
User Submitted Data
Magic Quotes
Hiding PHP
Keeping Current
eXTReMe Tracker