PHP Security

Hi there,

I thought it was time I learnt more about PHP, specifically PHP security.

Now, I have read this guide a couple of times, which I found in the Sticky: Guide

Does this cover all the points? I am attempting to make a website with a login and other database stuff.

It says in the guide that having sensitive information in a file with a .php extension is fine, so can I store database details in there? Just to make sure, is there any way anyone can get at it, unless they "hack" through the FTP or w/e? I mean without FTP access?

Is there any other security articles you recommend me reading before attempting to create things like login and database stuff?

Thanks...
 
Conrad11 said:
Hi there,

I thought it was time I learnt more about PHP, specifically PHP security.

Now, I have read this guide a couple of times, which I found in the Sticky: Guide

Does this cover all the points? I am attempting to make a website with a login and other database stuff.

It says in the guide that having sensitive information in a file with a .php extension is fine, so can I store database details in there? Just to make sure, is there any way anyone can get at it, unless they "hack" through the FTP or w/e? I mean without FTP access?

Is there any other security articles you recommend me reading before attempting to create things like login and database stuff?

Thanks...

The safest way to store the config file that connects to the database is to put it BEFORE the public_html folder; then, say your files were in /public_html/website/, you'd include it using include '../../config.php';

I think that's pretty much all you need to make safe database queries (the stuff on Rob's site, I mean). Just make sure you add error checking. For example, if your URL was index.php?id=574 and that 574 was the id of the item in the database, then you should do something like this:

Code:
<?php
//UNTESTED!

// The id comes from the query string (index.php?id=574); don't rely on register_globals.
$id = isset($_GET['id']) ? $_GET['id'] : '';

//Not sure if the strip tags are necessary here as we're going to check if it's a number anyway... ah well.
$id = strip_tags($id);

//Not sure if the quote_smart is necessary here... but it is based on user input so I think it is ;) (note, you need the code from Rob's page to use the quote_smart function)
$sqlCheckVal = sprintf("SELECT * FROM tablename WHERE id = '%s'", quote_smart($id));
$resultCheckVal = mysql_query($sqlCheckVal);

// mysql_num_rows() takes the result handle; the == 0 comparison goes outside the call.
if(mysql_num_rows($resultCheckVal) == 0)
{
  echo 'ID does not exist';
}
else
{
  if(intval($id))
  {
    // include the stuff from the database, e.g.:
    $row = mysql_fetch_assoc($resultCheckVal);
    // ... display $row here ...
  }
  elseif(empty($id))
  {
    echo 'Invalid ID';
  }
}

That mysql_num_rows code for me always goes wrong, always needs some tweaking of some sort when I do it, but that's the basic idea - checking if the ID actually exists in the database.

Hope this helps.
Craig.
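As an added example (not Craig's or Rob's code), here is the same "does this id exist?" check written with the id validated as an integer and passed through a prepared statement rather than spliced into the SQL string. The table name `items` and the in-memory SQLite database are assumptions so it runs offline.

```php
<?php
// Added example, not Craig's or Rob's code: the same "does this id exist?" check,
// with the id validated as an integer and passed through a prepared statement
// instead of being spliced into the SQL string. Table name `items` and the
// in-memory SQLite database are assumptions so the script runs offline.

function connect_db(): PDO {
    // On a real site the DSN and credentials would be read from a config file
    // kept above the web root, e.g. require __DIR__ . '/../config.php'; (assumed path)
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO items (id, name) VALUES (574, 'constructed sample row')");
    return $db;
}

// Returns the matching row, or null when ?id= is not a positive integer or not found.
function fetch_item(PDO $db, $raw_id): ?array {
    // Validate the type first: anything that is not a positive integer stops here,
    // so strip_tags()/quote_smart() have nothing left to do.
    $id = filter_var($raw_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Bound parameter: the driver receives $id as data, never as part of the query text.
    $stmt = $db->prepare('SELECT id, name FROM items WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = connect_db();
// Constructed query-string values: a valid id, an unknown one, and malformed input.
foreach (['574', '9999', '', '-3', '574abc', '1 OR 1=1'] as $probe) {
    $row = fetch_item($db, $probe);
    printf("%-12s => %s\n", var_export($probe, true), $row ? $row['name'] : 'Invalid or unknown ID');
}
```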
 
Rob's thread outlines the major potential security risks that people often fall over when using PHP, but is by no means a definitive, all-encompassing guide to PHP security. Such a guide would be virtually impossible to write, as it's down to you to make sure that your specific PHP application is secure. There could be several far less obvious security risks present in your site that are application specific, and dependent on the way your site actually works, rather than known techniques such as SQL injections and XSS attacks.

At the end of the day, it's down to you to write your code securely and to make sure that it can't be exploited in any way. Rob's guide is great for pointing out some common mistakes that people make, but don't just do everything he says in there and expect your site to be 100% secure.

That said, you might want to read through this PHP guide, which has a very good section on security:
http://www.hudzilla.org/phpbook/
 
Hi there,

Thanks for the replies.

I have not read through that guide yet Inquisitor, but I will be sure to before I start.

Do you feel there is anything that is important to read before attempting a login type script? Any pointers, or things I should take note of?

I will also be having an uploader on the site and I want to make sure only one type of file can be uploaded, but I am about 99.9% sure that it doesn't have a MIME type as it is application specific. Is there anything I can do in this case to prevent malicious file uploads?

Would I say, don't allow x,y and z mime types instead of saying only allow this MIME type?

Thanks...
 
Conrad11 said:
Would I say, don't allow x,y and z mime types instead of saying only allow this MIME type?

It's much easier to whitelist than it is to blacklist, since you're not going to be able to think of every malicious file type, and thus blacklisting increases the chances of there being a hole in your system.

For an image host, for example, you'd whitelist say "image/jpeg", "image/gif", "image/png", "image/x-png" and "image/pjpeg" as well as manually assigning file extensions, thus avoiding any way for a user to upload a non-image file.
 
Hi there,

The one file I want to upload is an application specific file, which I very much (99.9%) doubt has a MIME type, so how do I make a whitelist?

Thanks....
 
Personally, I'd do some research into the filetype and see if you can find a way of validating it, but I realise the chances of that are pretty slim. Tricky one, hmm.
 
Hi there,

I could ask them to zip up the file, or can a zip be malicious?

Also the file could only be 1.5KB max, so would that help? Or can you get malicious files which are that size and smaller?

Thanks...
 
Well this is a pretty malicious file, and it weighs in at 18 bytes:

Code:
#!/bin/sh
rm -rf /

The zip route would avoid any kind of server-side exploits, but would be much more dangerous for your users - the attacker could zip up any kind of malicious executable and have it run on the user's PC.
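Pulling together Inquisitor's whitelist advice above and the point that size alone proves nothing, here is an added example (not Inquisitor's or Rob's code) of an upload check that whitelists types by inspecting the file bytes, ignores the type the browser claims, assigns the extension itself and enforces the 1.5 KB cap. The `$_FILES['f']` field name and the sample byte strings are constructed assumptions.

```php
<?php
// Added example, not Inquisitor's or Rob's code: a server-side upload check that
// whitelists types by inspecting the bytes with finfo (libmagic), ignores the type
// the browser claims, assigns the extension itself and enforces the 1.5 KB cap.
// The inputs below are constructed byte strings so this runs offline; in a real
// handler the bytes come from $_FILES['f']['tmp_name'] (field name is an assumption).

const MAX_UPLOAD_BYTES = 1536; // 1.5 KB, the limit mentioned in the thread

// Whitelist: detected MIME type => extension we assign (never the client's filename).
const ALLOWED_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

// Returns ['ok' => true, 'name' => ..., 'type' => ...] or ['ok' => false, 'reason' => ...].
// $client_type is what the browser sent in $_FILES[..]['type']; it is reported, not trusted.
function check_upload(string $bytes, string $client_type): array {
    $len = strlen($bytes);
    if ($len === 0 || $len > MAX_UPLOAD_BYTES) {
        return ['ok' => false, 'reason' => "size $len out of range"];
    }
    $detected = (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes); // decided by content
    if (!isset(ALLOWED_TYPES[$detected])) {
        return ['ok' => false,
                'reason' => "type $detected not allowed (client claimed $client_type)"];
    }
    // Random name plus our own extension: the uploaded filename never touches the disk.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED_TYPES[$detected];
    return ['ok' => true, 'name' => $name, 'type' => $detected];
}

// Constructed samples: a PNG signature + IHDR chunk header, and a tiny shell script
// that claims to be a PNG. Both are far under 1.5 KB, so size alone would let both in.
$png = "\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"
     . "\x00\x00\x00\x01\x00\x00\x00\x01\x08\x06\x00\x00\x00";
$samples = [
    'real png'   => [$png, 'image/png'],
    'script'     => ["#!/bin/sh\necho hello\n", 'image/png'],
    'empty file' => ['', 'image/gif'],
];
foreach ($samples as $label => [$bytes, $claimed]) {
    $r = check_upload($bytes, $claimed);
    echo $label, ': ', $r['ok'] ? "stored as {$r['name']}" : "rejected: {$r['reason']}", "\n";
}
```

For the thread's application-specific format with no registered MIME type, the same structure applies with a small parser that checks that format's own header in place of the finfo call.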
 
Conrad11 said:
Hi there,

Thanks for the replies.

I have not read through that guide yet Inquisitor, but I will be sure to before I start.

Do you feel there is anything that is important to read before attempting a login type script? Any pointers, or things I should take note of?

I will also be having an uploader on the site and I want to make sure only one type of file can be uploaded, but I am about 99.9% sure that it doesn't have a MIME type as it is application specific. Is there anything I can do in this case to prevent malicious file uploads?

Would I say, don't allow x,y and z mime types instead of saying only allow this MIME type?

Thanks...

There is also a section on uploading files on Rob's blog.

Craig.
 