Security basically falls into two categories, dealt with by either network administrators or programmers. Since this is a computer science course, we will deal with vulnerabilities that programmers can address.
In earlier versions of PHP, the language itself was susceptible to buffer overflow attacks through the use of strings. However, such vulnerabilities have been fixed and most, if not all, flaws are due to poor programming. Common programming errors can be broken down into the following categories:
As discussed in class, no user input should be trusted. User input can come to the web site in the following ways:
Therefore, when using any of these, you must be sure to validate the data. This can be done with the PHP functions addslashes(), which escapes quotes, and htmlspecialchars(), which converts potentially dangerous characters such as > to their safe equivalents.
addslashes() Example:
htmlspecialchars() example:
Note that htmlspecialchars() didn't remove the single quotes. Therefore, it becomes important to also use addslashes() after you use htmlspecialchars().
As discussed previously, validating by rejecting harmful data is, in most cases, not the best approach. Using regular expressions to only allow valid data is preferred.
In PHP, we can use ereg() or preg_match() to validate strings.
For example, if we only want to accept strings comprised of letters and numbers, we can write:
Here is an example used to validate input on a form field:
Even though a programmer may have written code to secure the software, the way in which it was written can lead to other security vulnerabilities. For example, examine the following code:
On the surface, this code looks fine: it checks to make sure that our database returned at least one row. It is much easier for a hacker to fake multiple entries than it is for him/her to fake one correct entry. Thus, it would be much better to write the IF statement as:
Cross site scripting (XSS) is a term referring to the use of scripts to perform malicious actions on a user’s computer by using known vulnerabilities in the user’s browser or host server. According to Wikipedia.org there are three types of XSS.
How to avoid XSS
Make sure that all your data is HTML encoded. Most of the time, you should check the HTML before it is displayed in a web application. This will ensure that the code will be filtered properly and no malicious code can make it through.
SQL injection is a common form of web-based attack. SQL injection consists of using text boxes to insert malicious or deceptive code into a SQL statement. After the code is "injected" through the text box, the server then runs it.
SQL Injection is an easy means to blindly attack a website. The attacker needs limited knowledge of the database in order to do malicious things to it. There are many ways to protect against SQL injection: sanitizing input data, using mysql_real_escape_string(), and using parameters and stored procedures.
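The following is an added example, not code from the course page, that ties together the allow-list validation with preg_match() described earlier, HTML encoding of output, and the parameterized-query defence named above. It assumes PHP 7.1 or later with the PDO SQLite driver, and builds a constructed in-memory users table so it runs stand-alone.

```php
<?php
// Added example (not the course's code): allow-list validation, output
// encoding with ENT_QUOTES, and a parameterized query checked for exactly
// one match. Uses a constructed in-memory SQLite database.

// 1. Validate: accept only letters and digits, reject everything else.
function is_valid_username(string $input): bool
{
    return preg_match('/^[A-Za-z0-9]{1,32}$/', $input) === 1;
}

// 2. Encode for HTML output. ENT_QUOTES also converts the single quote,
//    which htmlspecialchars() leaves alone by default.
function html_encode(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// 3. Look up a user with a prepared statement; the value is bound as data,
//    so quotes in it cannot change the SQL. Require exactly one row, not
//    merely "at least one".
function find_user(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    return count($rows) === 1 ? $rows[0] : null;
}

// Constructed sample data (hypothetical table and users).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

// Constructed inputs: one valid name, one with a quote, one with markup.
foreach (['alice', "bob' OR '1'='1", '<script>x</script>'] as $input) {
    if (!is_valid_username($input)) {
        echo 'rejected: ' . html_encode($input) . "\n";
        continue;
    }
    $user = find_user($db, $input);
    echo $user ? "found user #{$user['id']}\n" : "no single match\n";
}
```

The rejected inputs are echoed back only after html_encode(), so even the value containing a quote or a script tag is displayed as inert text.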
When injection first became an issue, early in PHP's history, a simple and sometimes frustrating solution was implemented. Magic quotes is a PHP feature that adds slashes to any quotes found in user input. Adding slashes to quotes in user input can help protect against malicious user data, but it is also frustrating for the inexperienced web developer.
For example, if the user wanted to enter "Billy Bob's First Blog" into a text field with magic quotes turned on, he would get this error message.
You can see that the magic quotes have placed a slash before the apostrophe, thus turning this innocent line of text into an unusable string.
Another downside to magic quotes is that an attacker that knows what he/she is doing can easily get past the magic quotes function by entering a correct escape string.
PHP's magic quotes feature has been deprecated and removed as of PHP 6.0.
Page last modified on May 29, 2008, at 09:12 AM