Seven habits to compile a secure PHP application

Source: Internet
Author: User
Tags form post ibm db2 sql injection example ibm developerworks csrf attack
Seven habits of writing a secure PHP application

Improve the security of your WEB application

Security in PHP applications includes remote security and local security. This article will reveal the habits that PHP developers should develop when implementing WEB applications with these two security types.

?

When it comes to security issues, be aware that you need to ensure that you write secure applications in addition to the actual platform and operating system security issues. When writing a PHP application, apply the following seven habits to ensure the best security for your application:

    • Validate input
    • Protect file Systems
    • protecting databases
    • Protecting session data
    • Securing Cross-Site scripting (Cross-site SCRIPTING,XSS) vulnerabilities
    • Verify Form Post
    • Protection against cross-site request forgery (Cross-site requests FORGERIES,CSRF)

?

Validate input

Validating data is the most important habit you may adopt when referring to security issues. And when it comes to input, it's very simple: don't trust the user. Your users may be excellent, and most users may use the application exactly as expected. However, as long as the opportunity to enter is provided, there is a high likelihood of very bad input. As an application developer, you must prevent the application from accepting the wrong input. Careful consideration of the user input location and the correct value will allow you to build a robust and secure application.

?

Although the following article describes the file system interaction with the database, the following is a list of general validation tips for various validations:

    • Use a value from a whitelist
    • Always re-verify limited options
    • Using the built-in escape function
    • Verify the correct data type (such as a number)

The value in the whitelist (white-listed value) is the correct value, as opposed to the invalid blacklist value (black-listed value). The difference between the two is that when validating, the list or range of possible values is less than the list or range of invalid values, many of which may be unknown values or unexpected values.

?

When validating, it is often easier to design and validate the values that your application allows to use than to prevent all unknowns. For example, to limit field values to all numbers, you need to write a routine that ensures that the inputs are all numbers. Do not write routines that are used to search for non-numeric values and are marked as invalid when a non-numeric value is found.

?

Protect file Systems

In July 2000, a Web site disclosed customer data that was stored in a file in the Web server. A visitor to the Web site uses the URL to view the files that contain the data. Although the file was misplaced, this example highlights the importance of protecting the file system against attackers.

If the PHP application handles the file arbitrarily and contains variable data that the user can enter, double-check the user input to ensure that the user cannot perform any inappropriate actions on the file system. Listing 1 shows an example of a PHP site that downloads an image with the specified name.

?

Listing 1. Download file

 
  < ");        Echo ("Title>guard your FileSystem");    Echo ("");}

?

As you can see, the more dangerous script in Listing 1 will handle all the files that the WEB server has read permissions on, including the files in the Session directory (see "Securing Session Data"), and even some system files (for example /etc/passwd ). For demonstration purposes, this example uses a text box that allows the user to type a file name, but can easily provide a file name in the query string.

?

While configuring user input and file system access is risky, it is a good idea to design your application to use the database and hide the generated file names to avoid simultaneous configuration. However, this does not always work. Listing 2 provides a sample routine to verify the file name. It will use regular expressions to ensure that only valid characters are used in the file name, and specifically check for dot characters: .. .

?

Listing 2. Check for valid file name characters

function Isvalidfilename ($file) {    /* don ' t allow: and allow any "word" character \/* *    return Preg_match ('/^ (( ?:\.) (?! \.))| \w) +$/', $file);}

?

protecting databases

In April 2008, the Prison Bureau of a certain state of the United States used SQL column names in the query string, thus disclosing confidential data. This disclosure allows a malicious user to select columns to display, submit pages, and obtain data. The leak shows how users can execute input in a way that the application developer cannot anticipate, and shows the need to defend against SQL injection attacks.

?

Listing 3 shows a sample script that runs the SQL statement. In this case, the SQL statement is a dynamic statement that allows the same attack. The owner of this form may consider the form to be safe because they have qualified the column name as the selection list. However, the code neglects the last habit of form spoofing-the code restricting the option to a drop-down box does not mean that others are not able to publish a form that contains the required content (including asterisks [ * ]).

?

Listing 3. Execute SQL statement

SQL Injection Example
 
  ' . $select. '

'; $result = mysql_query ($select) or Die ('

' . Mysql_error (). '

'); Echo ' '; while ($row = Mysql_fetch_assoc ($result)) { echo ' '; Echo ' '; Echo ' '; } Echo '
' . $row [$col]. '
'; Mysql_close ($link);}? >

?

Therefore, to form the habit of protecting your database, avoid using dynamic SQL code whenever possible. If you cannot avoid dynamic SQL code, do not use input directly on the column. Listing 4 shows that in addition to using static columns, you can also add a simple validation routine to the account number field to ensure that the input value is not a non-numeric value.

?

Listing 4. by validating and mysql_real_escape_string() providing protection

<title>SQL Injection Example</title>
 ' . $select. '

'; $result = mysql_query ($select) or Die ('

' . Mysql_error (). '

'); Echo ' '; while ($row = Mysql_fetch_assoc ($result)) {echo ' '; Echo ' '; Echo ' '; Echo ' '; Echo ' '; } Echo '
' . $row [' Account_number ']. '' . $row [' name ']. '' . $row [' Address ']. '
'; Mysql_close ($link); } else {echo '" . "Supply a valid account number!"; }}?>

?

This example also shows the mysql_real_escape_string() use of the function. This function will correctly filter your input, so it does not include invalid characters. If you have been relying on magic_quotes_gpc it, be aware that it has been deprecated and will be removed in PHP V6. You should avoid using it from now on and write a secure PHP application in this case. In addition, if you are using an ISP, it is possible that your ISP is not enabled magic_quotes_gpc .

?

Finally, in the improved example, you can see that the SQL statement and the output do not include the dynamic column option. Using this method, you can output columns if you add them to a table that later contains different information. If you want to use a framework to work with a database, your framework might have performed SQL validation for you. Ensure that the document is consulted to ensure the security of the framework, and if you are still unsure, verify to ensure that it is secure. Even if you use the framework for database interaction, you still need to perform additional validation.

?

Protect sessions

By default, session information in PHP is written to the temp directory. Consider the form in Listing 5, which will show how to store the user ID and account number in the session.

?

Listing 5. Storing data in a session

 
  Storing session information
 
  

?

Listing 6 shows the contents of the/tmp directory.

?

Listing 6. Session files in the/tmp directory

-RW-------  1 _www    wheel       20:00 sess_9e4233f2cd7cae35866cd8b61d9fa42b

?

As you can see, in the output (see listing 7), the session file contains information in a very readable format. Because the file must be read and written by the WEB server user, the session file can cause serious problems for all users on the shared server. Someone other than you can write a script to read the files, so you can try to fetch the values from the session.

?

Listing 7. Contents of the session file

Username|s:5: "Ngood"; Accountnumber|s:9: "123456789";

?

Store password

Regardless of whether it is in a database, session, file system, or any other form, the password must never be stored as plain text. The best way to process a password is to encrypt it and compare the encrypted password to each other. Nonetheless, in practice people still store passwords in plain text. Whenever you use a Web site that can send a password instead of resetting it, it means that the password is stored in plain text or you can get the code to decrypt (if encrypted). Even the latter, you can find and use the decryption code.

?

You can take two actions to protect session data. The first is to encrypt all the content that you put into the session. However, because encrypting data does not imply absolute security, it is prudent to use this approach as the only way to protect your session. The alternative is to store session data in a different location, such as a database. You must still ensure that the database is locked, but this approach will solve two problems: first, it will put the data in a more secure location than the shared file system, and second, it will make it easier for your application to span multiple Web servers while sharing sessions can span multiple hosts.

To implement your own session persistence, see functions in PHP session_set_save_handler() . With it, you can store session information in a database, or you can implement a handler for encrypting and decrypting all data. Listing 8 provides an example of the implemented function usage and function skeleton. You can also see how to use the database in the Resources section.

?

Listing 8. session_set_save_handler()Function Example

function open ($save _path, $session _name) {/    * custom code *    /Return (TRUE);} function Close () {/    * custom code *    /Return (TRUE);} function Read ($id) {/    * custom code *    /Return (TRUE);} function Write ($id, $sess _data) {/    * custom code *    /Return (TRUE);} function Destroy ($id) {/    * custom code *    /Return (TRUE);} Function GC ($maxlifetime) {/    * custom code *    /Return (TRUE);} Session_set_save_handler ("Open", "close", "read", "write", "Destroy", "GC");

?

Protection against XSS vulnerabilities

XSS vulnerabilities represent most of the vulnerabilities of all archived Web sites in 2007 (see Resources). An XSS vulnerability occurs when a user is able to inject HTML code into your Web page. HTML code can carry JavaScript code in script markup, so that JavaScript is allowed to run as long as the page is extracted. The form in Listing 9 can represent a forum, wiki, social network, or any other site where text can be entered.

?

Listing 9. form for entering text

Your chance to input XSS

?

Listing 10 shows how a form that allows XSS attacks can output results.

?

Listing 10. showresults.php

Results demonstrating XSS
 
  You typed this:

"); Echo ("

Echo ($_post[' myText '); Echo ("

");? >

?

Listing 11 provides a basic example in which a new window pops up and opens the Google home page. If your WEB application does not protect against XSS attacks, it can cause serious damage. For example, someone can add a link that mimics the site style for spoofing (phishing) purposes (see Resources).

?

Listing 11. Sample malicious input text

?

To prevent XSS attacks, as long as the value of the variable is printed to the output, the input needs to be filtered through the htmlentities() function. Remember to follow the first habit of validating the input data with the values in the whitelist in the name of the Web application, the e-mail address, the phone number, and the input to the billing information.

?

The following shows a more secure page for displaying text input.

?

Listing 12. More Secure forms

Results demonstrating XSS
 
  You typed this:

"); Echo ("

"), Echo (Htmlentities ($_post[' MyText ')), Echo ("

");? >

?

Protection against invalid post

form Spoofing refers to someone sending a post from an inappropriate location to your form. The simplest way to cheat a form is to create a Web page that delivers all the values by submitting to the form. Because the WEB application is stateless, there is no absolutely feasible way to ensure that the published data comes from the specified location. Everything can be spoofed from an IP address to a host name. Listing 13 shows a typical form that allows you to enter information.

?

Listing 13. form for working with text

Form Spoofing Example
 
  I am Processing your text: ");    Echo ($_post[' myText ');    Echo ("

");}? >

?

Listing 14 shows the form that will be published in the form shown in Listing 13. To try this, you can put the form on your Web site and save the code in Listing 14 as an HTML document on your desktop. After you save the form, open the form in the browser. You can then fill in the data and submit the form to see how the data is processed.

?

Listing 14. Forms for collecting data

Collecting Your data

?

The potential impact of form spoofing is that if you have a form with a drop-down box, radio button, check box, or other restricted input, the restrictions do not make any sense when the form is spoofed. Consider the code in Listing 15, which contains a form with invalid data.

?

Listing 15. Forms with Invalid data

Collecting Your data

?

Think about it: if you have a drop-down box or radio button that restricts user input, you might think you don't have to worry about validating the input. After all, the input form will ensure that the user can only enter some data, right? To restrict forms spoofing, validation is required to ensure that the identity of the publisher is true. You can use a one-time use tag, although this technique still does not ensure that the form is absolutely secure, but it makes form spoofing more difficult. Because the tag is changed every time the form is called, it is necessary to get an instance of the sending form, remove the tag, and put it on a fake form if you want to be an attacker. Using this technique prevents malicious users from building persistent Web tables forms to publish inappropriate requests to the application. Listing 16 provides an example of a form tag.

?

Listing 16. Use a one-time form marker

 
  SQL Injection Test
 
  '; Echo ' Token from form= '. $_post[' token '];echo '
' If ($_session[' token '] = = $_post[' token ') {/ * cool, it's all good ... create another one */} else { echo '

Go away!

';} $token = MD5 (Uniqid (rand (), true)); $_session[' token '] = $token;?>

?

Protection against CSRF

Cross-site request forgery (CSRF attack) is the result of executing an attack with user rights. In a CSRF attack, your users can easily become unexpected accomplices. Listing 17 provides an example of a page that performs a specific action. This page will look for user login information from the cookie. As long as the cookie is valid, the Web page processes the request.

?

Listing 17. CSRF Example

?

CSRF attacks are usually made in the form of tokens, because the browser will not knowingly invoke the URL to obtain an image. However, the image source can be a page URL in the same site that is processed according to the incoming parameters. When this tag is combined with an XSS attack-the most common in an archived attack-users can easily do something about their credentials without knowing it-and thus are forged.

To protect you from CSRF attacks, you need to use the one-time tagging method used when verifying a form post. Also, use an explicit $_POST variable instead of $_REQUEST . Listing 18 shows a bad example of working with the same Web page-whether by GET requesting a page or by publishing the form to a page.

?

Listing 18. $_REQUESTget data from

Processes both posts and gets
 
  I am Processing your text: ");    Echo (htmlentities ($_request[' text "));    Echo ("

");}? >

?

Listing 19 shows a POST clean page that uses only the form.

?

Listing 19. $_POSTget data only from

Processes both posts and gets
 
  I am Processing your text: ");    Echo (htmlentities ($_post[' text "));    Echo ("

");}? >

?

Conclusion

Starting with these seven habits and trying to write a more secure PHP WEB application can help you avoid being a victim of malicious attacks. Like many other habits, these habits may be difficult to adapt to at first, but it will become more and more natural to follow these habits over time.

?

Remember that the first habit is the key: Validate input. After you ensure that the input does not include an invalid value, you can continue to protect the file system, database, and session. Finally, make sure that your PHP code is resistant to XSS attacks, form spoofing, and CSRF attacks. Forming these habits can help you resist some simple attacks.

?

Resources

Learn

  • You can refer to the original English text on the DeveloperWorks global site in this article.
  • Read the DeveloperWorks tutorial "Securing PHP Applications" to learn about the four security rules that developers cannot violate.
  • Read "PHP encryption for ordinary people" to learn how to protect data in a PHP application.
  • For good information on PHP security, please refer to PHP security Consortium.
  • Visit the PHP security site at the official PHP Web site to view security tips.
  • session_set_save_handlerLearn more about implementing custom session handlers in the articles in the PHP official site.
  • Read Wikipedia's excellent XSS entries.
  • Read Chris Shiflett's Essential PHP Securityin php.org.
  • Php.net is an important resource for PHP developers.
  • Check out the recommended PHP reading list.
  • Browse all PHP content on the DeveloperWorks.
  • View the PHP project resource extension PHP tips for IBM developerWorks.
  • Listen to interesting interviews and discussions with software developers and be sure to visit the DeveloperWorks podcast.
  • Do you want to use the database in conjunction with PHP? View Zend Core for IBM, a seamless, ready-to-use, easy-to-install PHP development and production environment that supports IBM DB2 V9.
  • Stay tuned for DeveloperWorks's technical activities and webcasts.
  • Check out recent seminars, trade shows, webcasts and other events for IBM open source developers that will be held globally.
  • Visit the DeveloperWorks Open source zone for extensive how-to information, tools, and project updates to help you develop with open source technology and use it with IBM products.
  • View the free DeveloperWorks on Demand demo watch and learn about IBM and open source technology and product features.

Access to products and technologies

    • Use IBM trial software to improve your next development project, which can be downloaded or obtained from a DVD.
    • Download the IBM product evaluation version and start using DB2, Lotus, Rational, Tivoli? and WebSphere? Application development tools and middleware products.

Discuss

    • Participate in the DeveloperWorks blog and join the DeveloperWorks community.
    • Join DeveloperWorks PHP forum:developing PHP applications with IBM information Management products (DB2, IDS).

Source: http://www.ibm.com/developerworks/cn/opensource/os-php-secure-apps/

?

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.