Reducing Exploits

luiz_a2web
When dealing with PHP, especially dynamic sites, it's important to always consider security. Here are some simple tips that will help you deal with the most common of those problems and exploits.

1. Disable register_globals. Disabling register_globals and using $_GET to obtain URL variables is much more secure. It prevents the visitors from changing other important variables in your code. To do this do the following:

In your .htaccess file add:
Code:
php_flag register_globals 0

In your PHP files, make sure you're using:
Code:
<?php
$_GET['var'];
?>


2. Limit the amount of text used for user input. A big problem on my sites is that they allow far too much to be controlled with text-string variables. If these strings aren't validated thoroughly, it can result in a number of big exploits occurring. Whenever possible, use numbers and convert them into an integer before actually using them.

Bad:
Code:
<?php
//$text should be "something";
//$text could be "<iframe src=\"evilscript...\"></iframe>"
echo $text;
?>

Good:
Code:
<?php
//$text has to be an integer
//$text is now much more secure
$text = (int) $text;
echo $text;
?>


3. Careful with dynamic includes. I've seen numerous sites exploited because of their handling of includes. Many will just include it regardless of where it is or without any validation. That's not the way to do it as it results in numerous errors or possibly major exploits. Here's the safest way to deal with dynamic includes.

Code:
<?php
$input = $_GET['var'];
switch ($input) {
    case "home":
        include("folder/home.php");
        break;
    case "about":
        include("folder/about.php");
        break;
    //if none of the above
    default:
        include("folder/default.php");
        break;
}
?>


It does require some manual input, but it prevents people from executing remote code or generating errors.

4. Validate ALL user input. Validating all user input is VERY important. If you're careless you could end up having some nasty code embedded in your page or even have it defaced. There are numerous things that people can do, including injecting your SQL, which you don't want to happen. Here are a couple of functions PHP has which will greatly reduce these risks.

Code:
<?php
//let's strip out the HTML tags to avoid meta-refreshes and iframe redirections
$variable = strip_tags($variable);
//let's get rid of any special HTML characters which might play with our script.
$variable = htmlspecialchars($variable);
//even with the above, you'll want to give yourself some added protection against MySQL injection. magic_quotes are great, but aren't always available.
if (!get_magic_quotes_gpc()) {
    $variable = addslashes($variable);
}
//note that you'll want to set something up so that if the slashes are added, they're also removed later on.

//let's say you're letting them fill out a form and there are quite a few $_POST variables you want to validate; to get them all easily, use array_map
$_POST = array_map('strip_tags', $_POST);
$_POST = array_map('htmlspecialchars', $_POST);
if (!get_magic_quotes_gpc()) {
    $_POST = array_map('addslashes', $_POST);
}
?>

Don't be afraid to go to great lengths to make your scripts as secure as possible. These are just a few of the things you can do to help. There's certainly more to consider, but these are important for every developer to consider.
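The following is an added example, not code from the post above, that applies tips 2, 3 and 4 together in one small request handler. The function names, the page files under pages/, the comments table and the PDO connection are assumptions for illustration. It uses a whitelist map for the include, filter_var instead of a bare (int) cast so that non-numeric input is rejected rather than silently turned into 0, and a prepared statement for the database query instead of addslashes, with htmlspecialchars applied at output time.

```php
<?php
// Added example (not from the original post). Page files under pages/, the
// comments table and the PDO handle are assumed for illustration.
declare(strict_types=1);

// Tip 3: a whitelist map from allowed page keys to files. User input is only
// ever used as an array key, never as part of a path, so "../" or a remote
// URL can never reach include().
function allowedPages(): array
{
    return [
        'home'  => 'pages/home.php',
        'about' => 'pages/about.php',
    ];
}

function resolvePage(?string $requested): string
{
    $pages = allowedPages();
    // Anything not in the map falls back to the default page.
    return $pages[$requested] ?? 'pages/default.php';
}

// Tip 2: accept an id only if it is a whole number in a sane range.
// A plain (int) cast turns "12abc" into 12 and "abc" into 0; filter_var
// rejects both, so the caller can tell "bad input" from "id 0".
function parseId($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

// Tip 4: free text is stripped and length-limited on the way in...
function cleanText(string $raw, int $maxLen = 200): string
{
    $text = trim(strip_tags($raw));
    return mb_substr($text, 0, $maxLen);
}

// ...and escaped on the way out. ENT_QUOTES covers both ' and " so the
// value is also safe inside an HTML attribute.
function escapeForHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// SQL: a prepared statement keeps the query and the data separate, so no
// addslashes()/magic_quotes handling is needed for the database.
function findComment(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Putting it together for a request like ?page=about&id=42&q=<b>hi</b>
$page = resolvePage($_GET['page'] ?? null);
$id   = parseId($_GET['id'] ?? '');
$q    = cleanText($_GET['q'] ?? '');

if ($id === null) {
    http_response_code(400);
    echo 'Invalid id';
    exit;
}

echo 'You searched for: ' . escapeForHtml($q) . "\n";
// $page is one of the whitelisted files, never the raw query value.
include $page;
```

A request with id=abc or id=-5 gets a 400 instead of being cast to 0, a page value such as ../../etc/passwd resolves to pages/default.php, and the q value is shown with its tags stripped and its remaining characters escaped; findComment() would be called with the validated $id and an open PDO connection.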
© 2005-2011 Frihost, forums powered by phpBB.