Why is security needed in PHP?
*******************************************
PHP is a very easy language to learn, and many people without any sort of background in programming learn it as a way to add interactivity to their web sites.
Unfortunately, that often means PHP programmers, especially those newer to web development, are unaware of the potential security risks their web applications can contain.
Here are a few of the more common security problems and how to avoid them.
Common PHP problem: register_globals
*****************************
if ( authenticate($user, $password) ) {
    $authorized = 1;
}
// $authorized is only ever set on success and is never initialised on failure,
// so anything that pre-populates it before the script runs slips through.
if ($authorized == 1) {
    echo "Logged In";
}
With register_globals on, PHP turns every request parameter into a global variable before the script runs, so the following request sets $authorized = 1 without authenticate() ever succeeding:
GET auth.php?authorized=1
To solve this PHP problem
************************************
1) Initialise every variable before you test it (e.g. $authorized = 0; at the top of the script) and read input only from $_GET, $_POST and the other superglobals you actually mean to read.
2) Turn register_globals off (register_globals = Off in php.ini). It has been off by default since PHP 4.2 and was removed in PHP 5.4, but the initialisation habit still matters: the same bug reappears when code calls extract() on request data.
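The hardened form of the login check above, as an added example rather than code from the original notes. authenticate() is a stand-in for the page's own routine and the fixed credentials are a constructed fixture for the demo:

```php
<?php
// Added example, not from the original page. authenticate() stands in for
// the page's own routine; the single user/password pair is a demo fixture.
declare(strict_types=1);

function authenticate(string $user, string $password): bool
{
    // Demo only: verify against a fixed password hash. A real application
    // looks the hash up in its user store.
    $demoHash = password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($password, $demoHash);
}

// 1) Initialise every variable you later test. Even with register_globals=On,
//    ?authorized=1 in the URL can no longer win: this assignment runs after
//    PHP has imported the request, so it overwrites whatever was injected.
$authorized = false;

// 2) Read input only from the superglobals you intend to read, never from a
//    bare $user / $password that register_globals might have filled.
$user     = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

if (authenticate($user, $password)) {
    $authorized = true;
}

// Strict comparison against a value only this script can produce.
if ($authorized === true) {
    echo "Logged In\n";
} else {
    http_response_code(401);
    echo "Login failed\n";
}
```

Save it as auth.php and request it with ?authorized=1 in the query string: the response is 401 regardless of the register_globals setting, because the initialisation happens after PHP has processed the request.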
Error reporting
*************************
An error report can disclose the directory structure of the server and even the database login information (a failed database connection warning, for example, typically includes the host and user name).
——————————————————————————————
Turn error display off in production: set "display_errors" to "Off" in php.ini or via .htaccess (php_flag display_errors off) and send errors to a log file instead (log_errors = On). Setting "error_reporting" to "0", as is often advised, also works for the browser, but it hides the errors from your own logs as well, and those are exactly what you need when investigating an attack.
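A runtime version of that configuration, as an added example that is not part of the original notes: full detail goes to the server log while the browser sees only a generic message and a reference id. The log path and the database DSN are assumptions for the demo.

```php
<?php
// Added example, not from the original page. Full error detail goes to the
// server log; the client sees only a generic message plus a reference id it
// can quote to support. The log path and the DSN are assumptions for the demo.
declare(strict_types=1);

error_reporting(E_ALL);                       // still record everything...
ini_set('display_errors', '0');               // ...but never render it to the client
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/app.log'); // assumed path, writable by the web server user

// Turn notices and warnings into exceptions so a failing call cannot leak a
// half-rendered page containing a path, a query string or a stack trace.
set_error_handler(function (int $severity, string $message, string $file, int $line): bool {
    throw new ErrorException($message, 0, $severity, $file, $line);
});

// The one place that decides what the client may see.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));
    error_log(sprintf('[%s] %s: %s in %s:%d',
        $ref, get_class($e), $e->getMessage(), $e->getFile(), $e->getLine()));
    http_response_code(500);
    echo "Something went wrong. Reference: {$ref}\n";
});

// Demo failure: a bad database connection. With display_errors on, the
// warning would have exposed the host and user name; now only the reference
// reaches the browser while the full message lands in the log.
$pdo = new PDO('mysql:host=db.internal;dbname=app', 'app', 'wrong-password'); // assumed DSN
```

The reference id is logged together with the real message, so a support request quoting it can be matched to the log entry without the client ever seeing the detail.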
SQL Injection
*******************
PHP’s greatest strength is the ease with which it can communicate with databases, most notably MySQL.
$check = mysql_query("SELECT Username, Password FROM Users WHERE Username = '".$_POST['username']."' and Password = '".$_POST['password']."'");
Username: ' OR 1=1#
SELECT Username, Password FROM Users WHERE Username = '' OR 1=1 #' and Password = ''
The single quote closes the string literal early, OR 1=1 makes the WHERE clause true for every row, and # comments out the rest of the query, so the password check never runs.
To prevent SQL injection
********************************
function make_safe($value) {
    // Undo the automatic escaping of magic_quotes_gpc (if enabled) so the
    // value is not escaped twice.
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Escape quotes, backslashes and NUL bytes for the current connection's charset.
    $value = mysql_real_escape_string($value);
    return $value;   // the original version forgot to return the escaped value
}
$username = make_safe($_POST['username']);
$password = make_safe($_POST['password']);
$check = mysql_query("SELECT Username, Password FROM Users WHERE Username = '".$username."' and Password = '".$password."'");
Note that escaping only protects values placed inside quoted string literals; a numeric parameter used without quotes is still injectable. The mysql_* extension and magic_quotes no longer exist (magic_quotes was removed in PHP 5.4, the mysql extension in PHP 7.0), so on current PHP use prepared statements with mysqli or PDO, which keep user input out of the SQL text entirely.
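The same login query written with a PDO prepared statement, as an added example that is not part of the original notes. The DSN, the credentials, and a Users.Password column holding a password_hash() value rather than a clear-text password are assumptions for the demo:

```php
<?php
// Added example, not from the original page. The DSN, the credentials and a
// Users.Password column containing a password_hash() value are assumptions.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // let the server bind the parameters
]);

// Hash compared when the user does not exist, so an unknown account takes
// as long to reject as a wrong password (no user enumeration by timing).
$dummyHash = password_hash('placeholder', PASSWORD_DEFAULT);

function login(PDO $pdo, string $username, string $password, string $dummyHash): bool
{
    // The SQL text is fixed at prepare time. Whatever the user sends is bound
    // as a value, so "' OR 1=1#" is looked up as a literal user name and
    // matches no row; the query cannot change shape.
    $stmt = $pdo->prepare('SELECT Password FROM Users WHERE Username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $row['Password']);
}

$ok = login($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '', $dummyHash);
echo $ok ? "Logged In\n" : "Login failed\n";
```

Submitting the page's payload (' OR 1=1#) as the username now yields "Login failed": the parameter is sent to the server separately from the statement text, so there is nothing to escape and nothing to comment out.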
File Manipulation
*****************************
index.php?page=contactus.html
index.php?page=.htpasswd
If index.php passes the page parameter straight to include() or readfile(), the second request serves the password file, and ../../etc/passwd works the same way.
To overcome this:
*Set "open_basedir" in your php.ini file to the directory tree PHP may read; file access outside it fails.
*Set "allow_url_fopen" to "Off" (and "allow_url_include" to "Off") so a remote URL cannot be pulled in as a page.
*Do not pass the request parameter to include() at all: map it through a whitelist of known pages and reject anything else.
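The whitelist approach, with a realpath() containment check for cases where the set of pages is dynamic, as an added example that is not part of the original notes. The pages/ directory and its contents are assumptions:

```php
<?php
// Added example, not from the original page. Two defences against
// index.php?page=../.htpasswd style requests: an explicit whitelist
// (preferred) and a realpath() containment check for dynamic page sets.
// The pages/ directory and the file names in it are assumptions.
declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

// 1) Whitelist: the request selects a key, never a path.
const PAGES = [
    'home'      => 'home.html',
    'contactus' => 'contactus.html',
];

function resolve_page_whitelist(string $requested): ?string
{
    return isset(PAGES[$requested]) ? PAGE_DIR . '/' . PAGES[$requested] : null;
}

// 2) Containment: canonicalise and insist the result stays inside PAGE_DIR.
//    realpath() resolves ".." and symlinks and returns false for missing files.
function resolve_page_contained(string $requested): ?string
{
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested);
    if ($base === false || $path === false) {
        return null;
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // escaped the directory, e.g. ../.htpasswd
    }
    if (pathinfo($path, PATHINFO_EXTENSION) !== 'html') {
        return null;   // only static fragments may be served
    }
    return $path;
}

$page = resolve_page_whitelist($_GET['page'] ?? 'home');
if ($page === null) {
    http_response_code(404);
    exit("No such page\n");
}
readfile($page);   // readfile(), not include(): the fragment is data, not code
```

With the whitelist, page=.htpasswd never touches the filesystem at all. The containment function is the fallback when pages are added without code changes; even then open_basedir stays on as a second layer in case the check is bypassed.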
Mysql defaults
******************
MySQL : username = root & blank password
Microsoft SQL Server : username = sa & blank password
Change these before the server is reachable from anything else. For MySQL:
1) Create a text file (e.g. ~/mysql-init) and place the following command within it :
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('NewPass');
(On MySQL 5.7 and later use ALTER USER 'root'@'localhost' IDENTIFIED BY 'NewPass'; instead; the PASSWORD() function was removed in MySQL 8.0.)
2) Restart the MySQL server with the special --init-file option so the command runs at startup:
shell> mysqld_safe --init-file=~/mysql-init &
3) Delete the file afterwards; it holds the new password in clear text.
File Systems
*****************
*Directory listing on the server must be prevented (Options -Indexes in Apache).
*In the include directory, configuration files must have a .php extension and not an extension like .inc.
Eg : a connect.inc file will be served as plain text and output to the browser, exposing the database credentials inside it. Instead use the extension "connect.inc.php", as that will ensure the file is processed by the PHP engine. Better still, keep include files outside the document root so they cannot be requested at all.
Login Systems
******************
*Captcha : A randomly generated series of letters and numbers rendered as an image on the login page; the user must enter the same series along with the username and password to log in.
*Simple counter : Count failed logins in a row; when the count exceeds a threshold, disable logging in to the administration area until it is reactivated by someone responsible.
*Tracking IP address : Spot repeated login failures from a single IP address and consider blocking access from that address. Attackers can rotate addresses, and behind a proxy all users may share one, so treat this as a supplement to the per-account counter rather than a replacement.
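The counter and the IP tracking combined, as an added example that is not part of the original notes. Storage is an in-memory array so the script runs stand-alone; the thresholds and the sample address are assumptions:

```php
<?php
// Added example, not from the original page. A failed-login counter keyed
// by user name and by client IP, with a lockout that an administrator clears.
// The in-memory arrays, thresholds and sample address are assumptions; in
// production back this with the database or a shared cache.
declare(strict_types=1);

final class LoginThrottle
{
    private const MAX_PER_USER = 5;    // lock the account after 5 misses in a row
    private const MAX_PER_IP   = 20;   // block the address after 20 misses

    private array $userFails   = [];
    private array $ipFails     = [];
    private array $lockedUsers = [];
    private array $blockedIps  = [];

    public function allowed(string $user, string $ip): bool
    {
        return !isset($this->lockedUsers[$user]) && !isset($this->blockedIps[$ip]);
    }

    public function recordFailure(string $user, string $ip): void
    {
        $this->userFails[$user] = ($this->userFails[$user] ?? 0) + 1;
        $this->ipFails[$ip]     = ($this->ipFails[$ip] ?? 0) + 1;

        if ($this->userFails[$user] >= self::MAX_PER_USER) {
            $this->lockedUsers[$user] = time();
            error_log("lockout: user={$user} ip={$ip}");
        }
        if ($this->ipFails[$ip] >= self::MAX_PER_IP) {
            $this->blockedIps[$ip] = time();
            error_log("ip block: ip={$ip}");
        }
    }

    public function recordSuccess(string $user): void
    {
        unset($this->userFails[$user]);   // "in a row": a success resets the run
    }

    // Re-enable manually, as the notes suggest, rather than on a timer.
    public function unlock(string $user): void
    {
        unset($this->lockedUsers[$user], $this->userFails[$user]);
    }

    public function unblock(string $ip): void
    {
        unset($this->blockedIps[$ip], $this->ipFails[$ip]);
    }
}

// Constructed demo: six bad passwords for "admin" from one address.
$throttle = new LoginThrottle();
for ($attempt = 1; $attempt <= 6; $attempt++) {
    if (!$throttle->allowed('admin', '203.0.113.7')) {
        echo "attempt {$attempt}: locked out, not even checking the password\n";
        continue;
    }
    $throttle->recordFailure('admin', '203.0.113.7');
}
var_dump($throttle->allowed('admin', '203.0.113.7'));   // the account is locked
var_dump($throttle->allowed('bob', '203.0.113.7'));     // the address is not yet blocked
```

The sixth attempt is refused before the credentials are examined, which also removes the timing difference between a locked and an unlocked account. When the application sits behind a proxy, derive the address from the proxy's forwarded header only for proxies you trust, otherwise the per-IP counter can be fed arbitrary values.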
Database Users
******************
Grant the application's database user only the permissions it needs: typically SELECT, INSERT and UPDATE, but not DELETE (and never DROP or GRANT).
To implement a delete function without DELETE rights, add a numeric flag column such as "item_deleted" and set it to 1 when an item is deleted; every read query then filters on item_deleted = 0.
BENEFITS :
1) No data is physically removed, so a mistake or an attacker's injected query can be reversed by resetting the flag.
2) The application's account can be restricted to add and edit permissions.
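Soft delete with a restricted account, as an added example that is not part of the original notes. The DSN, the credentials, the Items table and its columns are assumptions:

```php
<?php
// Added example, not from the original page. Soft delete through an
// item_deleted flag, run under a database account that has no DELETE right.
// The DSN, credentials, table and column names are assumptions.
declare(strict_types=1);

// Run once as an administrative MySQL user:
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE ON app.* TO 'webapp'@'localhost';
// No DELETE, no DROP: even a successful injection can at worst flip flags
// that an administrator can flip back.

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'webapp', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

function soft_delete(PDO $pdo, int $itemId, int $byUserId): bool
{
    $stmt = $pdo->prepare(
        'UPDATE Items SET item_deleted = 1, deleted_at = NOW(), deleted_by = :by
          WHERE id = :id AND item_deleted = 0'
    );
    $stmt->execute([':id' => $itemId, ':by' => $byUserId]);
    return $stmt->rowCount() === 1;   // false when unknown or already deleted
}

function restore_item(PDO $pdo, int $itemId): bool
{
    $stmt = $pdo->prepare(
        'UPDATE Items SET item_deleted = 0, deleted_at = NULL, deleted_by = NULL
          WHERE id = :id AND item_deleted = 1'
    );
    $stmt->execute([':id' => $itemId]);
    return $stmt->rowCount() === 1;
}

// Every read must filter on the flag, otherwise "deleted" rows come back.
function list_items(PDO $pdo): array
{
    return $pdo->query('SELECT id, title FROM Items WHERE item_deleted = 0')
               ->fetchAll(PDO::FETCH_ASSOC);
}

// Demo: delete item 42 on behalf of user 7, then bring it back.
var_dump(soft_delete($pdo, 42, 7));
var_dump(restore_item($pdo, 42));
```

Recording who deleted an item and when turns the flag into an audit trail as well. If forgetting the filter in a read query is a concern, expose the table through a view that already applies item_deleted = 0 and grant the account access to the view only.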
Powerful Commands
*************************
PHP contains a variety of powerful functions with access to the operating system of the server that can interact with other programs. Disable the ones your application does not use.
Eg : eval() allows you to treat a string as PHP code and execute it. Note that eval is a language construct, not a function, so disable_functions cannot switch it off; unsafe uses of eval() have to be found in code review.
A directive of the php.ini file, "disable_functions", takes a comma-separated list of function names which will be completely disabled. It is read at startup and cannot be changed from a script, which is the point.
Commonly disabled functions include ini_set(), exec(), fopen(), popen(), passthru(), readfile(), file(), shell_exec() and system(). The process-spawning ones (exec, shell_exec, system, passthru, popen) are safe to disable for most web applications; fopen(), readfile() and file() are needed for ordinary file access, so test before disabling them.
safe_mode – This instructed PHP to limit the use of functions and operators that could cause problems. It was deprecated in PHP 5.3 and removed in PHP 5.4; on current versions rely on disable_functions, open_basedir and running each site as its own operating-system user instead.
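A small audit script that reports which of these functions are still callable under the current php.ini, as an added example that is not part of the original notes. The function list is the page's list; adjust it to the application:

```php
<?php
// Added example, not from the original page. Reports which OS-level functions
// are still callable under the running php.ini so a hardening change can be
// verified from the command line (php audit.php) or through the web server,
// which may use a different php.ini. The list is the page's list.
declare(strict_types=1);

const RISKY = ['ini_set', 'exec', 'fopen', 'popen', 'passthru',
               'readfile', 'file', 'shell_exec', 'system'];

function audit_disabled(): array
{
    $disabled = array_filter(array_map('trim',
        explode(',', (string) ini_get('disable_functions'))));
    $report = [];
    foreach (RISKY as $fn) {
        // function_exists() returns false for disabled functions on PHP 8;
        // the ini list covers older versions.
        $off = in_array($fn, $disabled, true) || !function_exists($fn);
        $report[$fn] = $off ? 'disabled' : 'ENABLED';
    }
    return $report;
}

foreach (audit_disabled() as $fn => $state) {
    printf("%-12s %s\n", $fn, $state);
}

// eval is a construct, not a function; disable_functions never covers it.
printf("%-12s %s\n", 'eval', function_exists('eval')
    ? 'function' : 'language construct, cannot be disabled via disable_functions');

printf("\nopen_basedir: %s\n", ini_get('open_basedir') ?: '(not set)');
```

Run it both from the command line and through the web server: php-cli and php-fpm or mod_php commonly load different php.ini files, and a hardening change applied to one is easily missed in the other.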
Code Injection (Cross-Site Scripting, XSS)
***********************************************
SQL Injection – relies on the use of delimiters in user-input text to take control of database queries.
Code Injection – relies on mistakes in the treatment of text before it is output, so that user input is interpreted by the browser as HTML or script.
Username<script type="text/javascript" src="http://www.website.com/malicious.js"></script>
If this is accepted as a username and later echoed into a page unescaped, the script runs in the browser of everyone who views that page.
To Prevent Code Injection
*****************************
*Encode the less-than and greater-than characters (htmlspecialchars()) whenever the username is output, rather than relying on the stored value being clean; this is the layer that protects every field, not just usernames.
*Or strip HTML tags altogether at input.
Eg : strip_tags – Strip HTML and PHP tags from a string. It is not an output encoder: quotes and ampersands pass through, so it does not protect values placed inside HTML attributes.
*Limit the character set that can be used in usernames.
*Use a regular expression in the signup process to validate the username to letters and numbers.
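Both layers together, as an added example that is not part of the original notes: a whitelist on the username at signup, and HTML escaping of every value at output, run against the payload from the notes:

```php
<?php
// Added example, not from the original page. Two layers: a character
// whitelist on the user name at signup, and HTML escaping at output. Escaping
// on output is the layer that stops the injection even if a bad value
// reaches the database some other way.
declare(strict_types=1);

function valid_username(string $name): bool
{
    // ASCII letters, digits and underscore only, 3 to 32 characters.
    return preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name) === 1;
}

function e(string $value): string
{
    // Escape <, >, &, " and ' for an HTML body or quoted attribute context.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed input: the payload from the notes above.
$payload = 'Username<script type="text/javascript" src="http://www.website.com/malicious.js"></script>';

var_dump(valid_username($payload));      // rejected at signup
var_dump(valid_username('alice_42'));    // accepted

// Even if the payload had been stored, rendering through e() yields inert text:
// the browser displays the tag instead of executing it.
echo '<p>Welcome, ' . e($payload) . "</p>\n";
echo '<input name="user" value="' . e($payload) . "\">\n";
```

The second echo shows why the attribute context matters: strip_tags() would leave the quotes in place, and a value containing a double quote could then close the attribute and start a new one, whereas e() turns it into &quot;.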
Aftermath
***********
*Assume that at some point any security measure you have in place will be compromised.
*The first report of a problem with the site may come from the client rather than from your own monitoring.
*First, find out what happened.
*Assuming this is a security problem, the next step is to reassure the client: let them know what has happened and what you are doing about it.
*Find out how the attacker broke into your system. Check log files, if you have access to them, and keep copies before the server is cleaned or rebuilt.
Shared Hosting
*********************
*Shared hosting is much cheaper than dedicated hosting; several sites are all hosted on the same server.
*The security of your site in these circumstances is almost entirely out of your hands and depends on the hosting company you are with.
*A badly set up server will allow any site on that server to read files like /etc/passwd and httpd.conf, and often the files of every other site on the same server.
*Storing sensitive information in a database rather than in files is recommended in these cases. Keep your database login information outside the document root and out of world-readable files, since another tenant on a badly configured server could otherwise read it.
*Better is to ensure that your host, if shared, isolates each site under its own operating-system user. safe_mode was the older mechanism hosts relied on for this, but it was removed in PHP 5.4. Even with isolation, nothing is 100% secure.