Ensure PHP security: four security rules that cannot be violated

Source: Internet
Author: User
Tags: form, post, tainted

Rule 1: Do not trust external data or input

The first thing you must understand about Web application security is that you should not trust external data. External data is any data that is not written directly into the PHP code by the programmer. Data from any other origin (GET variables, form POST fields, a database, a configuration file, session variables, or cookies) is untrusted until you have taken steps to make it safe.

For example, the following data elements can be considered safe because they are set directly in the PHP code.

Listing 1. Safe, untainted code

<?php
$myUsername = 'tmyer';
$arrayUsers = array('tmyer', 'Tom', 'Tommy');
define("GREETING", 'Hello there ' . $myUsername);
?>

However, the following data elements are tainted.

Listing 2. Insecure, tainted code

<?php
$myUsername = $_POST['username']; // tainted!
$arrayUsers = array($myUsername, 'Tom', 'Tommy'); // tainted!
define("GREETING", 'Hello there ' . $myUsername); // tainted!
?>

Why is the first variable, $myUsername, tainted? Because it comes directly from a form POST. The user can type any string into that input field, including malicious commands intended to delete files or run a previously uploaded file. You might ask, "Can't I avoid this risk with a client-side (JavaScript) validation script that only accepts the letters A-Z?" That is always a helpful step, but as you will see later, anyone can save a form to their own machine, modify it, and resubmit whatever content they like. The client-side check never runs against that request.

The solution is simple: you must run sanitizing code on $_POST['username']. If you do not, $myUsername may spread its taint elsewhere (for example, into an array or a constant), as in Listing 2.

A simple way to sanitize user input is to apply a regular expression to it. In this example we only expect to see letters. It may also be a good idea to limit the string to a specific number of characters, or to require that all letters be lowercase.

Listing 3. Sanitizing user input

<?php
$myUsername = cleanInput($_POST['username']); // clean!
$arrayUsers = array($myUsername, 'Tom', 'Tommy'); // clean!
define("GREETING", 'Hello there ' . $myUsername); // clean!

// Lowercase the input, strip everything except a-z, and cap the length at 12.
// (PHP hoists top-level function declarations, so calling it above is fine.)
function cleanInput($input) {
    $clean = strtolower($input);
    $clean = preg_replace("/[^a-z]/", "", $clean);
    $clean = substr($clean, 0, 12);
    return $clean;
}
?>
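One caveat a practitioner would raise about Listing 3: a strip-and-truncate cleaner silently turns one string into another ("Tom!" becomes "tom", "tom<script>" becomes "tomscript"), so the program proceeds with a value the user never sent. Rejecting input that does not match the allow-list is usually the better choice. The following is an added example, not code from the original article; the function names validateUsername and postField and the sample inputs are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): allow-list validation that
// rejects bad input instead of rewriting it. Function names and the sample
// request data below are constructed for this demo.
declare(strict_types=1);

/**
 * Return the username if it is 1..12 lowercase ASCII letters, otherwise null.
 * Unlike strip-and-truncate, this never turns one string into another.
 */
function validateUsername(string $input): ?string
{
    // \A and \z anchor the whole string; with $ a trailing newline would pass.
    return preg_match('/\A[a-z]{1,12}\z/', $input) === 1 ? $input : null;
}

/**
 * Read one POST field without assuming it exists or that it is a string.
 * PHP builds an array from "username[]=x", so the type check matters.
 */
function postField(array $post, string $name): ?string
{
    $value = $post[$name] ?? null;
    return is_string($value) ? $value : null;
}

// Constructed requests standing in for a live $_POST.
$samples = [
    ['username' => 'tmyer'],                // valid
    ['username' => 'Tmyer'],                // uppercase: rejected, not lowercased
    ['username' => "tmyer\n"],              // trailing newline: rejected by \z
    ['username' => 'tom<script>alert(1)'],  // rejected, not mangled to "tomscriptalert1"
    ['username' => ['a', 'b']],             // sent as username[]=a&username[]=b: rejected
    [],                                     // field missing entirely: rejected
];

foreach ($samples as $post) {
    $raw  = postField($post, 'username');
    $user = $raw === null ? null : validateUsername($raw);

    if ($user === null) {
        echo "reject: " . json_encode($post) . "\n";
        continue;
    }

    // Only a value that passed the allow-list reaches the rest of the program.
    $arrayUsers = [$user, 'Tom', 'Tommy'];
    echo "accept: " . implode(', ', $arrayUsers) . "\n";
}
```

Run it with `php validate.php`; only the first sample is accepted. Note that passing the allow-list makes the value safe only for contexts where lowercase letters are safe; a looser allow-list would still need context-specific output encoding (for example htmlspecialchars() before echoing into HTML).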

Rule 2: Disable PHP settings that make security difficult

We already know that users cannot be trusted; we should also know that the way PHP is configured on a machine cannot be trusted either. For example, make sure that register_globals is disabled. If register_globals is enabled, you may be tempted to do careless things, such as using a plain $variable in place of a GET or POST value of the same name. With this setting disabled, PHP forces you to reference the exact variable in the exact namespace. To use a variable from a form POST, you should reference $_POST['variable']. That way the variable cannot be confused with a cookie, session, or GET variable of the same name. (register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, but the lesson still applies: never let request data populate your variables implicitly, for example via extract($_GET).)
