php security

[At)|(ri]

I like using php stuff on my web page but unsure of the exploitability of it. I noticed this forum itself is php and doesnt use ssl when you regiter or log in. Is it usually not that big a deal. Do hackers not waste time trying to break into php news,guestbooks and polls .etc..etc.. y only concern is not that they can get into them and mess the news up or ruin the poll results but whether they can get total control of website in some way and/or deleting databases(mysql).

I'd also like to use one of those site builders like http://typo3.orgthat use php so others can edit the page through a browser but worried about security issues. I thought about having it run through a SSL but heard thats a hugh resource hog.

Any ideas or comments would be appreciated

[journy101]

Ive been reading and learning about this issue of php security. I may only comment on what I have learned.

There are versions of php being released with security fixes so it seems security is a problem. Global variables are now set to off by default, ive notices.

The PHP Group has learned of a serious security vulnerability in PHP versions 4.2.0 and 4.2.1. An intruder may be able to execute arbitrary code with the privileges of the web server. This vulnerability may be exploited to compromise the web server and, under certain conditions, to gain privileged access.

http://www.webkreator.com/php/concep...-security.html
http://www.php.net/release_4_2_2.php

Knowen as Cross-Site-Scripting. php code can be injected into guestbooks, forms, addressbar

If you use sessions for user logins and sessions do not expire a valid session id could be sniffed or gathered from links by potential hackers and used to gain unauthorised access or acountt hijack.

Vairable poisoning and Crose site scripting atacks seem to be the most common.

Vairable poisoning where if the actacker becomes aware that a varaible perhaps called login can log you in, might try puting this in the address bar, so useing sessions aparently solves this problem.

Or debug=1 in the address bar may alow them controll if you leave debuging information in, you should check that the variable is not comeing from a get request and you should turn off global variables.

[slarty]

Don't worry about using SSL. If there are attacks possible on your PHP application, SSL will not help in the slightest.

If anyone can use any of the attacks described by journy101, they will be able to whether SSL is enabled or not.

The only thing SSL protects you from is sniffing (and possibly spoofing too, but that's much harder) - so don't bother enabling it unless you have to.

[Sick Dwarf]

The main reason why php guestbooks/polls/scripts get "hacked" is because of the bad coding. Not because of the scripting language itself. Allways make sure that you format user input, for instance with the following function:

PHP Code:

function form_format($string)
{
    $string = mysql_escape_string(htmlspecialchars(trim(stripslashes($string)), ENT_QUOTES));
    return $string;
} 


Sessions shouldnt be a very big problem. If you're planning on creating something for yourself, I'd suggest you take a look at phpBB's session handling functions. They certainly helped me understand things about sessions little better....

Hope this helped.

[tampabay420]

http://www.php.net/manual/en/security.php

Table of Contents
General considerations
Installed as CGI binary
Installed as an Apache module
Filesystem Security
Database Security
Error Reporting
Using Register Globals
User Submitted Data
Hiding PHP
Keeping Current

PHP is a powerful language and the interpreter, whether included in a web server as a module or executed as a separate CGI binary, is able to access files, execute commands and open network connections on the server. These properties make anything run on a web server insecure by default. PHP is designed specifically to be a more secure language for writing CGI programs than Perl or C, and with correct selection of compile-time and runtime configuration options, and proper coding practices, it can give you exactly the combination of freedom and security you need...

[At)|(ri]

Great info all. Thanks for the input.

[er0k]

dude.. go grab Programming PHP by Rasmus Lerdorf and Kevin Tatroe, the last chapter goes over php security thoroughly, and its a somewhat cheap book ...