[PHP] Security: PHP: how to harden PHP scripts?

2002-07-03 Thread Jean-Christian Imbeault

I'm writing my first commercial site and of course I am thinking about 
security. I'm worried about someone using a flaw in my PHP script logic 
to access information they shouldn't.

I've read the PHP books I have and Googled around but can't quite find 
specific answers to my questions about PHP and security.

In general how does one go about hardening a PHP script. i.e. making it 
as hacker-proof as possible. General things like:

- verifying user inputted data
- not putting clear-text passwords in php scripts
- use safe-mode?

And specifically, what are some things one can do? Things like:

- use addslashes with user data
- use mysql_escape_string for data submitted to mysql


Thanks,

Jc


-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php




Re: [PHP] Security: PHP: how to harden PHP scripts?

2002-07-03 Thread Justin French

on 03/07/02 11:36 PM, Jean-Christian Imbeault ([EMAIL PROTECTED])
wrote:

> In general how does one go about hardening a PHP script. i.e. making it
> as hacker-proof as possible. General things like:

I think the general answer is you can't, but you can make it more secure.


> - verifying user inputted data

"verify user inputted data" means nothing... you should take a specific
example, like make sure a text box is less than 500 words, contains only
<B>, <BR>, <I> and <U> tags, and starts with a capital letter, and then let us
help you solve it.

Obviously verifying a date is different to a password, verifying that a
certain select box was selected is different from making sure that their
phone number contains only numbers, etc etc.

The string functions will do most of this for you with very little effort.

empty(), isset(), strlen(), is_int(), is_str(), strip_tags(), ereg(),
eregi() and many others will all help, but you need to approach them one at
a time.

You should also be concerned about character sets.

If you wanna get anal about it, you should be using register_globals OFF in
your php.ini file, and should be treating any $_GET var as unsafe, and same
with all other such variables (cookies, sessions, post, etc.).

> - not putting clear-text passwords in php scripts

A thread started in here about two weeks back with the subject "Keeping
Secrets in PHP Files"... you should read that end-to-end... HEAPS of
information.

> - use safe-mode?

I have no idea about safe mode.


This list really does work best (ie best results for you) if you come to us
with a specific problem, rather than something general.



Justin French






Re: [PHP] Security: PHP: how to harden PHP scripts?

2002-07-03 Thread Chris Shiflett

Jean-Christian Imbeault wrote:

> I'm writing my first commercial site and of course I am thinking about
> security. I'm worried about someone using a flaw in my PHP script
> logic to access information they shouldn't.
>
> I've read the PHP books I have and Googled around but can't quite find
> specific answers to my questions about PHP and security.
>
> In general how does one go about hardening a PHP script. i.e. making
> it as hacker-proof as possible


I'm sure you'll get a lot of responses to this including various 
opinions, so this will be short and a bit vague.

The most important thing you can do as a developer is:

1. Never, ever trust data from the client

That is the main thing you should focus on. There are many different 
methods of cleaning or filtering data from the client, and all of 
these have these key characteristics:

1. They make sure the data contains acceptable characters (rather than 
attempting to make sure it does *not* contain unacceptable characters - 
very important distinction).
2. They employ a strict naming convention that clearly identifies which 
data has/has not been filtered. For example, assign $clean_blah=$blah 
when you have found $blah to be acceptable. In order for this to be 
useful, you should never accept any data from the client that has a name 
beginning with clean_, and you should only use the clean variables in 
queries or logical statements that affect access or any other critical 
function.

Along these lines, you should never make any assumptions in your 
scripts. For example, if you have a variable that can only have three 
possible values, don't do [if, elseif, else], rather do [if, elseif, 
elseif].

Also, make sure you initialize all variables you are depending on. In 
adhering to the golden rule mentioned above (Never, ever trust data from 
the client), you need to make sure you don't accidentally accept data 
from the client and think it is something that you set. People might try 
to include rogue variables in the URL, post their own forms to various 
URLs in your application, etc.

Basically, if you code very carefully and deliberately, you will create 
a very secure application. Many people focus only on securing the 
environment, but writing secure code is often much more important.

Hope that helps give you some ideas.

Chris






Re: [PHP] Security: PHP: how to harden PHP scripts?

2002-07-03 Thread Alberto Serra

Chris Shiflett wrote:
> Jean-Christian Imbeault wrote:
>> In general how does one go about hardening a PHP script. i.e. making
>> it as hacker-proof as possible

There is no such thing as a 100% secure solution (this applies to 
everything running on a computer, PHP included). But basically you can 
make it pretty secure. Then again, quite a lot depends on what you are 
going to write. Govt/Banks need much more defense than a small/midsized 
commercial site (and are capable of paying for it). You can basically be 
happy with some care in your development, just make sure your customers 
do understand the amount of time this is going to take and are ready to 
pay for it. Then let them decide themselves, but if you see they choose 
a risky path in order to save budget money do write them a formal 
letter, in which you acknowledge the problem. Many customers do not 
think they need security until it's too late, then they get mad at you 
because they did not want to buy the extra time for secure coding. So 
make sure everyone knows what their responsibilities are and make sure 
this is stated on paper.

> 1. Never, ever trust data from the client

That's it. If you leave register_globals off you will be sure you get 
only what you need to get. Then, of course, you shall control data 
content. As I am sure you know yourself most of the trouble will come 
from incorrect data input.
You might actually write client-side javascript controls to avoid 
incorrect input and then think that your data are clean. This is where 
most of the problems come from (as Chris points out, it's not difficult 
to post a form to your script after writing it at home, or just do a 
plain command line call with altered parameters from a user browser, I 
see that stuff on our customers' logs quite often).
So, no matter what you checked on the client, check it again on the 
server (even if you are not paranoid, some users may just have disabled 
their javascript, right?)

> Basically, if you code very carefully and deliberately, you will create
> a very secure application. Many people focus only on securing the
> environment, but writing secure code is often much more important.

Words of wisdom! And actually about 75% of the code you write is 
dedicated to this very job, if you really want to get a stable application.

Alberto
Kiev
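The server-side filtering the three replies describe (Justin's per-field checks, Chris's clean_ convention and exhaustive branching, Alberto's "check it again on the server") as one added PHP example; it is not code from the thread. The form fields, the rules and the filter_signup() function are assumptions, and preg_match() is used in place of ereg(), which was removed in PHP 7.

```php
<?php
// Added example, not from the thread: field names and rules are assumptions.
// preg_match() stands in for ereg(), which was removed in PHP 7.
// Returns array('clean' => fields that passed, 'errors' => fields that failed);
// only the clean values may ever reach a query or an access decision.
function filter_signup(array $post)
{
    // Initialize everything; nothing from the request pre-sets these.
    $clean  = array();
    $errors = array();
    // Read only the fields you expect. A client-supplied "clean_phone"
    // is never looked at: nothing starting with clean_ comes from outside.
    $phone = isset($post['phone']) ? (string) $post['phone'] : '';
    $dob   = isset($post['dob'])   ? (string) $post['dob']   : '';
    $plan  = isset($post['plan'])  ? (string) $post['plan']  : '';

    // Allowlist: state what IS acceptable. Phone = 7 to 15 digits, nothing else.
    if (preg_match('/^[0-9]{7,15}$/', $phone)) {
        $clean['phone'] = $phone;
    } else {
        $errors[] = 'phone';
    }

    // Date of birth: YYYY-MM-DD shape and a real calendar date.
    if (preg_match('/^(\d{4})-(\d{2})-(\d{2})$/', $dob, $m)
            && checkdate((int) $m[2], (int) $m[3], (int) $m[1])) {
        $clean['dob'] = $dob;
    } else {
        $errors[] = 'dob';
    }

    // Three-valued select box: one branch per known value; the final
    // else rejects instead of silently accepting whatever else arrived.
    if ($plan === 'basic') {
        $clean['plan'] = 'basic';
    } elseif ($plan === 'pro') {
        $clean['plan'] = 'pro';
    } elseif ($plan === 'enterprise') {
        $clean['plan'] = 'enterprise';
    } else {
        $errors[] = 'plan';
    }
    return array('clean' => $clean, 'errors' => $errors);
}

// Constructed request as it might arrive with the browser-side checks
// bypassed: the server decides. Here only 'phone' ends up in errors.
$result = filter_signup(array('phone' => '555-1234', 'dob' => '1990-02-28',
                              'plan' => 'pro', 'clean_phone' => 'ignored'));
var_dump($result);
```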





Re: [PHP] Security: PHP: how to harden PHP scripts?

2002-07-03 Thread Jean-Christian Imbeault

Justin French wrote:

> This list really does work best (ie best results for you) if you come to us
> with a specific problem, rather than something general.


I totally agree. Sorry to have asked such a wide question but in this 
case it is a bit of a chicken-or-the-egg situation. To make your scripts 
secure you need to make sure they use no insecure programming practices. But 
how do you find out what insecure programming practices are? You only 
find out after someone exploits it.

If I knew that someone can use a PHP session to somehow run malicious 
scripts on my server then I would do a search on Google for "PHP session 
security advisory" or something like that and find out how to secure my 
scripts against this. But I'd have to know in the first place that such 
a security problem exists with sessions.

I guess what I am looking for is a kind of best practices for security 
list for PHP programming. Do's and Don'ts, or a list of common pitfalls 
and how to avoid them.

Can anyone point me to such a list or tutorial?

Jc

