php security
Results 1 to 7 of 7

Thread: php security

  1. #1
    Junior Member
    Join Date
    May 2003

    php security

    I like using php stuff on my web page but unsure of the exploitability of it. I noticed this forum itself is php and doesnt use ssl when you regiter or log in. Is it usually not that big a deal. Do hackers not waste time trying to break into php news,guestbooks and polls .etc..etc.. y only concern is not that they can get into them and mess the news up or ruin the poll results but whether they can get total control of website in some way and/or deleting databases(mysql).

    I'd also like to use one of those site builders like http://typo3.orgthat use php so others can edit the page through a browser but worried about security issues. I thought about having it run through a SSL but heard thats a hugh resource hog.

    Any ideas or comments would be appreciated

  2. #2
    Senior Member
    Join Date
    Feb 2003
    Ive been reading and learning about this issue of php security. I may only comment on what I have learned.

    There are versions of php being released with security fixes so it seems security is a problem. Global variables are now set to off by default, ive notices.

    The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.

    Knowen as Cross-Site-Scripting. php code can be injected into guestbooks, forms, addressbar

    If you use sessions for user logins and sessions do not expire a valid session id could be sniffed or gathered from links by potential hackers and used to gain unauthorised access or acountt hijack.

    Vairable poisoning and Crose site scripting atacks seem to be the most common.

    Vairable poisoning where if the actacker becomes aware that a varaible perhaps called login can log you in, might try puting this in the address bar, so useing sessions aparently solves this problem.

    Or debug=1 in the address bar may alow them controll if you leave debuging information in, you should check that the variable is not comeing from a get request and you should turn off global variables.

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Don't worry about using SSL. If there are attacks possible on your PHP application, SSL will not help in the slightest.

    If anyone can use any of the attacks described by journy101, they will be able to whether SSL is enabled or not.

    The only thing SSL protects you from is sniffing (and possibly spoofing too, but that's much harder) - so don't bother enabling it unless you have to.

  4. #4
    Senior Member
    Join Date
    Mar 2002
    The main reason why php guestbooks/polls/scripts get "hacked" is because of the bad coding. Not because of the scripting language itself. Allways make sure that you format user input, for instance with the following function:
    PHP Code:
    function form_format($string)
    $string mysql_escape_string(htmlspecialchars(trim(stripslashes($string)), ENT_QUOTES));

    Sessions shouldnt be a very big problem. If you're planning on creating something for yourself, I'd suggest you take a look at phpBB's session handling functions. They certainly helped me understand things about sessions little better....

    Hope this helped.

  5. #5
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Table of Contents
    General considerations
    Installed as CGI binary
    Installed as an Apache module
    Filesystem Security
    Database Security
    Error Reporting
    Using Register Globals
    User Submitted Data
    Hiding PHP
    Keeping Current

    PHP is a powerful language and the interpreter, whether included in a web server as a module or executed as a separate CGI binary, is able to access files, execute commands and open network connections on the server. These properties make anything run on a web server insecure by default. PHP is designed specifically to be a more secure language for writing CGI programs than Perl or C, and with correct selection of compile-time and runtime configuration options, and proper coding practices, it can give you exactly the combination of freedom and security you need...
    yeah, I\'m gonna need that by friday...

  6. #6
    Junior Member
    Join Date
    May 2003

    Thumbs up

    Great info all. Thanks for the input.

  7. #7
    dude.. go grab Programming PHP by Rasmus Lerdorf and Kevin Tatroe, the last chapter goes over php security thoroughly, and its a somewhat cheap book ...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts