Some Security Issues (PHP)

Never, Ever, Trust Your Users

It can never be said enough times, you should never, ever, ever trust your users to send you the data you expect. I have heard many people respond to that with something like “Oh, nobody malicious would be interested in my site”. Leaving aside that that could not be more wrong, it is not always a malicious user who can exploit a security hole – problems can just as easily arise because of a user unintentionally doing something wrong.

So the cardinal rule of all web development, and I can’t stress it enough, is: Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you’ll be off to a good start. If PHP security is important to you, this single point is the most important to learn. Personally, I have a “PHP Security” sheet next to my desk with major points on, and this is in large bold text, right at the top.

Global Variables

In many languages you must explicitly create a variable in order to use it. In PHP, there is an option, “register_globals”, that you can set in php.ini that allows you to use global variables, ones you do not need to explicitly create.

Consider the following code:
[php]
// Authentication check that relies on an uninitialised variable.
if ($password == "my_password") {
    $authorized = 1;
}

// If register_globals is on, $authorized can also arrive from the request.
if ($authorized == 1) {
    echo "Lots of important stuff.";
}
[/php]

To many that may look fine, and in fact this exact type of code is in use all over the web. However, if a server has “register_globals” set to on, then simply adding "?authorized=1" to the URL will give anyone free access to exactly what you do not want everyone to see. This is one of the most common PHP security problems.

Fortunately, this has a couple of possible simple solutions. The first, and perhaps the best, is to set “register_globals” to off. The second is to ensure that you only use variables that you have explicitly set yourself. In the above example, that would mean adding “$authorized = 0;” at the beginning of the script:

[php]
// Initialise the flag ourselves so a value supplied in the request cannot seed it.
$authorized = 0;

if ($password == "my_password") {
    $authorized = 1;
}

if ($authorized == 1) {
    echo "Lots of important stuff.";
}
[/php]
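The following is an added example, not code from the original post: it applies both fixes at once by reading the submitted password explicitly from $_POST rather than from an ambient global, initialising the flag before use, and logging a warning when the server still has register_globals enabled. The form field name "password" and the hard-coded comparison value are assumptions carried over from the snippet above; hash_equals() requires PHP 5.6 or later, and the register_globals directive itself was removed in PHP 5.4, so the ini check only matters on older servers.

```php
<?php
// Added example (not from the original post): a login check that behaves the
// same whether or not register_globals is on.

// Surface the dangerous setting instead of silently depending on it. On PHP 5.4+
// ini_get() returns false here because the directive no longer exists.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    error_log('register_globals is enabled; set it to Off in php.ini');
}

// Fail closed: this script is the only thing that ever sets $authorized, so a
// stray ?authorized=1 in the URL cannot pre-seed it even with register_globals on.
$authorized = 0;

// Read input explicitly from the request; never rely on an injected global
// named $password. The field name "password" is an assumption for this example.
$password = isset($_POST['password']) ? (string) $_POST['password'] : '';

// hash_equals() compares in constant time so the check does not leak how many
// leading characters matched.
if (hash_equals('my_password', $password)) {
    $authorized = 1;
}

// Strict comparison: only the integer 1 we assigned ourselves passes.
if ($authorized === 1) {
    echo "Lots of important stuff.";
} else {
    echo "Access denied.";
}
```

Because every variable the decision depends on is assigned in the script before it is read, the outcome no longer changes with the php.ini setting; disabling register_globals remains the right server-side fix, and this pattern simply stops the code from breaking when that cannot be guaranteed.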

Source: http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/

Comments are appreciated.
