PHP Security
CS-422
(from The Linux Journal
Oct 2002
author: Nuno Lourereio)
Secure Web Applications
Most security issues have to do with:
hacker attacks
denial of service
server hijacking
common threats
compromise of data
Basic Rule
Never trust user input
Poorly or unvalidated user input constitutes the
most severe security problem with web
applications
can crash a server
can cause buffer overflows
can allow machine to be hijacked
allow hacker to have root access
Assume user input is bad until you prove its OK
Global Variable Scope
In versions of PHP earlier than 4.2.0 many external variables were
defaulted to global scope, variables couldn’t be trusted
<?php
if (authenticate_user()) {
$authenticated = true; }
if (!$authenticated) {
die (“Authorization required”) }
?>
If you set $authenticated to 1 via a GET:
http://example.com/admin.php?authenticated=1
the last test would pass, when it shouldn’t
Global Variable Scope (more)
Since PHP 4.1.0 register_globals has been deprecated; GET, POST, Cookie,
Server, Environment and Session variables are no longer in the global scope.
There are several new arrays to help developers writing applications:
$_GET, $_POST, $COOKIE, $_SERVER, $_ENV, $_REQUEST, $_SESSION
<?php
$_SESSION[‘authenticated’] = false;
if (authenticate_user( )) {$_SESSION[‘authenticated’] = true;}
….
If ($_SESSION[‘authenticated’]) { die (“Authorization required”);}
?>