Why is security needed in PHP?
*******************************************
PHP is a very easy language to learn, and many people without any sort of background in programming learn it as a way to add interactivity to their web sites.
Unfortunately, that often means PHP programmers, especially those newer to web development, are unaware of the potential security risks their web applications can contain.
Here are a few of the more common security problems and how to avoid them.
Common PHP problem
*****************************
<?php
// $authorized is never initialised before the check below
if (authenticate($user, $password)) {
    $authorized = 1;
}
if ($authorized == 1) {
    echo "Logged In";
}
---
With register_globals enabled, the request below sets $authorized = 1 without ever calling authenticate():
GET auth.php?authorized=1
To solve this PHP problem
************************************
1) Only rely on variables that you have explicitly set (initialise $authorized before the check).
2) Turn register_globals off.
Error reporting
*************************
An error report can disclose the directory structure of the server and even the database login information.
---
Set "error_reporting" to "0" using .htaccess or php.ini.
SQL Injection
*******************
PHP’s greatest strength is the ease with which it can communicate with databases, most notably MySQL.
$check = mysql_query("SELECT Username, Password FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
User name : ' OR 1=1#
SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
The single quote closes the string literal early, OR 1=1 makes the condition always true, and # starts a MySQL comment that discards the password check.
To prevent SQL injection
********************************
function make_safe($value) {
    // Undo magic_quotes escaping first, so the value is not escaped twice
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape quotes and other special characters for the open MySQL connection
    $value = mysql_real_escape_string($value);
    return $value;
}
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username, Password FROM Users WHERE Username = '".$username."' and Password = '".$password."'");
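The same login check written with PDO prepared statements, as an added example that is not part of the original post: the mysql_* functions and make_safe() above were removed in PHP 7, and placeholders keep user input as data regardless of quoting. The Users table and its Username/Password columns come from the post; the DSN and credentials are placeholders.

```php
<?php
// Added example (not from the original post): login with PDO prepared
// statements instead of string concatenation plus escaping.
// The table and column names come from the post; DSN and credentials
// below are placeholders to be replaced.

function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'CHANGE_ME');
    // Throw on errors instead of silently returning false.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Use real server-side prepared statements, not client-side emulation.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

function authenticate(PDO $pdo, string $user, string $password): bool
{
    // Placeholders keep user input as data: the quote in ' OR 1=1# cannot
    // terminate the string literal, so the query shape never changes.
    // (The post compares the stored Password directly; storing a hash and
    // checking it with password_verify() is the usual practice.)
    $stmt = $pdo->prepare(
        'SELECT Username FROM Users WHERE Username = ? AND Password = ?'
    );
    $stmt->execute([$user, $password]);
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

// Initialise the flag explicitly so a request variable can never pre-set it.
$authorized = false;
if (isset($_POST['username'], $_POST['password'])) {
    $authorized = authenticate(connect(), $_POST['username'], $_POST['password']);
}
if ($authorized) {
    echo "Logged In";
}
```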
File Manipulation
*****************************
index.php?page=contactus.html
index.php?page=.htpasswd (the same include now reads a file that was never meant to be served)
To overcome this:
* Set "open_basedir" in your php.ini file.
* Set "allow_url_fopen" to "off".
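One way to close the page= hole at the application level, as an added example that is not part of the original post: map the parameter through an explicit allow-list so the client never supplies a path. The page names and the pages/ directory are assumptions for the example.

```php
<?php
// Added example (not from the original post): restrict ?page= to an
// allow-list so a request such as index.php?page=.htpasswd is rejected
// before any file is touched. Page names and pages/ dir are assumed.

const PAGES_DIR = __DIR__ . '/pages';

// Only these keys are ever mapped to a file; the client never supplies a path.
const ALLOWED_PAGES = [
    'home'      => 'home.html',
    'contactus' => 'contactus.html',
    'about'     => 'about.html',
];

function resolve_page(?string $requested): ?string
{
    $key = $requested ?? 'home';
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null; // unknown key: do not guess, do not touch the disk
    }
    $path = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$key]);
    // Belt and braces: the resolved file must still live under PAGES_DIR,
    // which also catches a broken symlink or a renamed file.
    $base = realpath(PAGES_DIR) . DIRECTORY_SEPARATOR;
    if ($path === false || strpos($path, $base) !== 0) {
        return null;
    }
    return $path;
}

$path = resolve_page($_GET['page'] ?? null);
if ($path === null) {
    http_response_code(404);
    echo 'Page not found';
    exit;
}
include $path;
```

Pair this with open_basedir as the section recommends; the allow-list stops the request in code, and open_basedir limits the damage if some other include is ever reached with a raw path.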
Mysql defaults
******************
MySQL : username = root & blank password
SQL : username = sa & blank password
1) Create a text file and place the following command within it :
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('NewPass');
2) Restart the MySQL server with the special --init-file=~/mysql-init option:
shell> mysqld_safe --init-file=~/mysql-init &
File Systems
*****************
* Directory listing on the server must be prevented.
* In the include directory, configuration files must have a .php extension, not .inc.
E.g. a connect.inc file will be rendered as text and output to the browser. Instead use the extension "connect.inc.php", as that will ensure the file is processed by the PHP engine.
Login Systems
******************
* Captcha: a randomly generated series of letters and numbers shown as an image on the login page, which the user must enter along with the username and password to log in.
* Simple counter: count failed logins in a row; when the counter exceeds a limit, disable logging in to the administration area until it is reactivated by someone responsible.
* Tracking IP address: spot repeated login failures from a single IP address; you may consider blocking access from that IP address.
Database Users
******************
Give the application's database user permission to create and edit data, but withhold the delete permission.
To implement a delete function, you could have a numeric field like "item_deleted" and set it to 1 when an item is deleted.
BENEFITS:
1) No data will actually be deleted.
2) The user can be restricted to add and edit permissions.
Powerful Commands
*************************
PHP contains a variety of powerful commands with access to the operating system of the server, and that can interact with other programs. It is highly recommended that you disable them entirely.
E.g. the eval() function allows you to treat a string as PHP code and execute it.
The php.ini directive "disable_functions" takes a comma-separated list of function names, which will be completely disabled.
Commonly disabled functions include ini_set(), exec(), fopen(), popen(), passthru(), readfile(), file(), shell_exec() and system().
safe_mode - this instructs PHP to limit the use of functions and operators that can be used to cause problems.
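A small audit script that reads the php.ini directives discussed in this post through ini_get() and reports the ones still in a risky setting, as an added example that is not part of the original post. It checks display_errors (the directive that decides whether errors reach the browser) alongside error_reporting, and only expects the shell-execution functions in disable_functions, since disabling fopen()/readfile()/file() breaks most applications; those choices are the example's, not the post's.

```php
<?php
// Added example (not from the original post): report risky php.ini settings.
// Run it from the command line, or once from a protected URL and then delete
// it; it changes nothing itself.

function ini_enabled(string $name): bool
{
    // ini_get() returns false for directives this PHP build does not know
    // (register_globals and safe_mode were removed in 5.4), which reads as off.
    $v = strtolower((string) ini_get($name));
    return $v !== '' && $v !== '0' && $v !== 'off' && $v !== 'false';
}

function audit_ini(): array
{
    $findings = [];
    foreach (['register_globals', 'display_errors', 'allow_url_fopen'] as $d) {
        if (ini_enabled($d)) {
            $findings[] = "$d is On; set it to Off";
        }
    }
    if ((string) ini_get('error_reporting') !== '0' && ini_enabled('display_errors')) {
        $findings[] = 'errors are reported and displayed; they can leak paths and credentials';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is empty; restrict PHP to the web root';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    // Shell-execution functions from the post's list; the file functions are
    // left out here because disabling them breaks ordinary applications.
    $expected = ['exec', 'passthru', 'popen', 'shell_exec', 'system'];
    $missing  = array_diff($expected, $disabled);
    if ($missing) {
        $findings[] = 'disable_functions lacks: ' . implode(', ', $missing);
    }
    return $findings;
}

$findings = audit_ini();
if (!$findings) {
    echo "No risky settings found", PHP_EOL;
}
foreach ($findings as $f) {
    echo $f, PHP_EOL;
}
```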
Code Injection (Cross-Site Scripting)
***********************************************
SQL Injection relies on the use of delimiters in user-input text to take control of database queries.
Code Injection relies on mistakes in the treatment of text before it is output.
A username such as the following is stored and later echoed into the page unchanged:
Username<script type="text/javascript" src="http://www.website.com/malicious.js"></script>
To Prevent Code Injection
*****************************
* Remove the less-than and greater-than characters from the username.
* Strip out HTML tags altogether.
E.g. strip_tags - strip HTML and PHP tags from a string.
* Limit the character set that can be used in usernames.
* Use a regular expression in the signup process to restrict the username to letters and numbers.
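The username checks suggested above as two functions, as an added example that is not part of the original post: validate_username() enforces the letters-and-digits rule at signup with a regular expression, and render_username() escapes the value at output time with htmlspecialchars() so that even a stored value containing < and > is shown as text rather than parsed as a script tag. The length limits are an assumption for the example.

```php
<?php
// Added example (not from the original post): validate usernames at signup
// and escape them at output. Length limits (3-20) are assumed.

function validate_username(string $name): bool
{
    // 3 to 20 ASCII letters or digits, nothing else (no <, >, quotes, spaces).
    // \A and \z anchor to the whole string, so a trailing newline cannot slip by.
    return preg_match('/\A[A-Za-z0-9]{3,20}\z/', $name) === 1;
}

function render_username(string $name): string
{
    // Escapes & < > " ' for an HTML context. Output escaping is the guard that
    // still works when the signup check was bypassed or the value came from
    // elsewhere; strip_tags() alone leaves attribute-breaking quotes in place.
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed test values; the second is the injected username from the post.
$samples = [
    'alice42',
    'bad name!',
    'Username<script type="text/javascript" src="http://www.website.com/malicious.js"></script>',
];
foreach ($samples as $s) {
    printf("%-7s %s\n", validate_username($s) ? 'accept' : 'reject', render_username($s));
}
```

The third sample is rejected at signup, and if it had already reached the database it would render as literal text: the escaped output contains &lt;script ...&gt; rather than a tag.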
Aftermath
***********
* Assume that at some point any security measure you have in place will be compromised.
* The first report of a problem with the site may actually come from the client.
* First, find out what happened.
* Assuming this is a security problem, the next step is to reassure the client. Let them know what has happened.
* Find out how the attacker broke into your system. Check log files, if you have access to them.
Shared Hosting
*********************
* Shared hosting is much cheaper than dedicated hosting; several sites are all hosted on the same server.
* The security of your site in these circumstances is almost entirely out of your hands. It depends on the hosting company you are with.
* A badly set up server will allow any site on that server to access files like /etc/passwd and httpd.conf, often giving it access to all other sites on the same server.
* Storing information in a database is highly recommended in these cases. Also, don't store your login information in a file; an attacker could access this information.
* Better still, ensure that your host, if shared, uses safe mode, although this is still not 100% secure (nothing is).
Cascading style sheets are a new way of formatting your page layout, text, fonts, images, and almost anything you put on the page. They allow you to position things on your page down to the exact pixel. Also, if a style is declared in the head section of a page, a change to the style changes the style on the entire page.
What is CSS?
* CSS stands for Cascading Style Sheets
* Styles define how to display HTML elements
* Styles are normally stored in Style Sheets
* Styles were added to HTML 4.0 to solve a problem
* External Style Sheets can save you a lot of work
* External Style Sheets are stored in CSS files
* Multiple style definitions will cascade into one
Suppose that you created a style for a heading tag, <H1>. In your style, you set the color of your H1 tags to red. Now if you have 10 H1 tags on the page, and decide you would rather have your headings be blue, you no longer need to go back and change the font color for each heading. All you have to do is change the style of your H1 tags from the color red to blue. Changing the style once will adjust all of your H1 tags, and they will now all be blue instead of red, with a lot less work.
Syntax
A CSS rule takes the following syntax:
selector {property: value}
e.g. body {color: blue}
The same rule can be applied to a group of selectors, separated by commas:
h1, h2
{
color: #000000;
}
Adding Styles to Elements with Particular Attributes
input[type="text"] {background-color: red}
The id Selector
You can also define styles for HTML elements with the id selector. The id selector is written with a #.
The style rule below will match the element that has an id attribute with a value of "black":
#black {color: black}
The style rule below will match the p element that has an id with a value of "para1":
p#para1
{
text-align: center;
color: red;
}
Comments in CSS
/* This is a comment */
p
{
text-align: center;
}
Inline Styles
Inline styles are added directly to the element to be styled, using the style attribute:
<p style="color: red;">
Inline styles are CSS styles that are applied to one element using the style attribute.
1. Write the style properties all on one line, separating multiple properties with a semicolon:
e.g. background:#112344; color:#223555; border: solid black 1px;
2. Place that line of styles inside the style attribute of the element you want styled:
<p style="background:#112344; color:#223555; border: solid black 1px;">
Advantages and disadvantages of Inline Styles
Advantage
1) Inline styles have the highest precedence in the cascade.
Disadvantages
1) They can override things you didn't intend them to, because they are the most specific rules in the cascade.
2) It is impossible to style pseudo-elements and pseudo-classes with inline styles. For example, with external and internal style sheets you can style the visited, hover, active, and link color of an anchor tag. With an inline style all you can style is the link itself, because that is what the style is on.
External style sheets
External style sheets (CSS) allow you to use one style sheet on multiple Web pages, so when you change the look of your site, you change the CSS in one place.
Advantages and Disadvantages of External Style Sheets
Advantages
1) Since external style sheets are written in a single file, it is easy to change the style and look of a website without much trouble. You need to make changes only in a single file and to a single portion.
2) Styles can be grouped easily, which makes them easier to use effectively.
Disadvantages
* External style sheets can increase the download time, if they are extremely large.
* If you only have a small number of styles, they can increase the complexity of your site.
* Like with table rendering, you have to wait until the entire style sheet is loaded before the page can display.
* External style sheets get big very quickly as it’s hard to tell when a style is no longer in use, because it’s not deleted when the page is removed.
LINKING TO PAGE
Each page which uses CSS must link to the style sheet using the <link> tag. The <link> tag goes inside the head section.
Your style sheet should be saved with a .css extension.
Suppose that style.css is the name of the file where you put your styles:
<head>
<link rel="stylesheet" type="text/css" href="style.css" />
</head>
The browser will read the style definitions from the file style.css and format the document according to it.
body { background : #FFFFFF;}
p {margin-left: 20px}
Internal style sheets
An internal style sheet should be used when a single document has a unique style. You define internal styles in the head section by using the <style> tag, like this:
<head>
<style type="text/css">
p {margin-left: 20px}
body {background : #FFFFFF;}
</style>
</head>
Multiple Style Sheets
A group of properties can be applied to a tag:
e.g. body {
background: #FFFFFF;
border: #000000;
border-style: solid;
border-width: 0px;
padding: 10px;
vertical-align: middle;
text-align: center;
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px;
font-weight: 400;
color: #000000;
}
Inside tables, you can specify the styles for all cells (every column and row) at once:
td {
empty-cells : show;
font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 13px;
font-weight: 400 ;
color: #000000;
text-align: center;
}