
Securing Your PHP Website

In this second part of a three-part series on secure PHP programming, you'll learn how to hide the fact that you're using PHP to drive your site, how to hide sensitive data, and more. This article is excerpted from chapter 21 of the book Beginning PHP and Oracle: From Novice to Professional, written by W. Jason Gilmore and Bob Bryla (Apress; ISBN: 1590597702).

TABLE OF CONTENTS:
  1. Securing Your PHP Website
  2. Hiding Sensitive Data
  3. Sanitizing User Data
  4. Sanitizing User Input: The Solution
By: Apress Publishing
August 19, 2010


Hiding PHP

You can also hide, or at least obscure, the fact that you're using PHP to drive your site. Use the expose_php directive to prevent PHP version details from being appended to your Web server signature. Block access to phpinfo() to prevent attackers from learning your software version numbers and other key bits of information. Change document extensions to make it less obvious that pages map to PHP scripts.

expose_php = On | Off

Scope: PHP_INI_SYSTEM ; Default value: On

When enabled, the PHP directive expose_php appends its details to the server signature. For example, if ServerSignature is enabled and ServerTokens is set to Full, and this directive is enabled, the relevant component of the server signature would look like this:

--------------------------------------------
Apache/2.0.44 (Unix) DAV/2 PHP/5.0.0b3-dev Server at www.example.com Port 80
--------------------------------------------

When expose_php is disabled, the server signature will look like this:

--------------------------------------------
Apache/2.0.44 (Unix) DAV/2 Server at www.example.com Port 80
--------------------------------------------

Remove All Instances of phpinfo() Calls

The phpinfo() function offers a great tool for viewing a summary of PHP's configuration on a given server. However, left unprotected on the server, the information it provides is a gold mine for attackers. For example, this function provides information pertinent to the operating system, the PHP and Web server versions, the configuration flags, and a detailed report regarding all available extensions and their versions. Leaving this information accessible to an attacker greatly increases the likelihood that a potential attack vector will be revealed and subsequently exploited.

Unfortunately, it appears that many developers are either unaware of or unconcerned with such disclosure because typing phpinfo.php into a search engine yields roughly 336,000 results, many of which point directly to a file executing the phpinfo() command, and therefore offering a bevy of information about the server. A quick refinement of the search criteria to include other key terms results in a subset of the initial results (old, vulnerable PHP versions) that would serve as prime candidates for attack because they use known insecure versions of PHP, Apache, IIS, and various supported extensions.

Allowing others to view the results from phpinfo() is essentially equivalent to providing the general public with a road map to many of your server's technical characteristics and shortcomings. Don't fall victim to an attack simply because you're too lazy to remove or protect this file.

Change the Document Extension

PHP-enabled documents are often easily recognized by their unique extensions, of which the most common include .php, .php3, and .phtml. Did you know that this can easily be changed to any other extension you wish, even .html, .asp, or .jsp? Just change the line in your httpd.conf file that reads

AddType application/x-httpd-php .php

by adding whatever extension you please, for example

AddType application/x-httpd-php .asp

Of course, you'll need to be sure that this does not cause a conflict with other installed server technologies.
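As an added example (not from the book or its authors), the following Python audit checks the three points this section covers: the expose_php setting in php.ini, the Apache ServerTokens/ServerSignature values and the AddType mapping in httpd.conf, and stray phpinfo() calls in PHP source. The php.ini fragment, httpd.conf fragment and source files are constructed samples; ServerTokens Prod and ServerSignature Off are the standard Apache values for a minimal signature.

```python
import re

# Constructed sample inputs standing in for real php.ini, httpd.conf and PHP sources.
PHP_INI = "; php.ini fragment\nexpose_php = On\ndisplay_errors = Off\n"
HTTPD_CONF = "ServerTokens Full\nServerSignature On\nAddType application/x-httpd-php .php .phtml\n"
SOURCES = {
    "public/index.php": "<?php echo 'hello'; ?>",
    "public/phpinfo.php": "<?php phpinfo(); ?>",
    "lib/debug.php": "<?php // phpinfo(); disabled for production",
}

def audit_php_ini(ini_text):
    """Flag expose_php unless it is explicitly Off (PHP's default is On)."""
    value = None
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop ';' comments
        m = re.match(r"expose_php\s*=\s*(\w+)", line, re.I)
        value = m.group(1).lower() if m else value    # last assignment wins
    if value in ("off", "0", "false", "no"):
        return []
    shown = "unset (default On)" if value is None else value
    return ["expose_php is %s: PHP version appears in the server signature" % shown]

def audit_httpd_conf(conf_text):
    """Flag verbose Apache signature settings and list extensions mapped to PHP."""
    findings = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()          # drop '#' comments
        if not parts:
            continue
        key, args = parts[0].lower(), parts[1:]
        if key == "servertokens" and args and args[0].lower() != "prod":
            findings.append("ServerTokens %s: use Prod to hide versions" % args[0])
        elif key == "serversignature" and args and args[0].lower() != "off":
            findings.append("ServerSignature %s: turn Off" % args[0])
        elif key == "addtype" and args and args[0] == "application/x-httpd-php":
            findings.append("PHP handled for extensions: %s" % " ".join(args[1:]))
    return findings

def find_phpinfo_calls(sources):
    """Return (path, line_no) for every live phpinfo() call; commented-out lines are skipped."""
    hits = []
    for path, code in sources.items():
        for n, line in enumerate(code.splitlines(), 1):
            body = re.sub(r"^\s*<\?php\s*", "", line)  # ignore the opening tag
            if not body.startswith(("//", "#")) and re.search(r"\bphpinfo\s*\(", body):
                hits.append((path, n))
    return hits
```

Run the three functions over your own php.ini, httpd.conf and a walk of the document root; any finding from the first two, or any hit from the third, is something to fix before the site goes live.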
