PHP Programming: Learn PHP Programming - CRUSH IT IN ONE DAY. Learn It Fast. Learn It Once. Get Coding Today, First Edition (2015)

Chapter 8. Security

PHP is a powerful language. The interpreter can execute commands, access files and can open server network connections. So by default anything which is run by these properties on any web server is considered insecure. PHP is designed to be a secure language. PHP can provide you freedom and security with the correct selection of the compile and run-time configurations. There are different configuration options which control this behaviour as there are many ways in which PHP can be utilized. These options and the server configurations combined will result in an insecure setup.

PHP's consideration flexibility is equally rivaled by PHP's code flexibility. PHP is used to build complete server applications or it can be used for other simple tasks in the server. The security of the PHP depends on the developer.

File system security

PHP has direct access to the file systems and can even execute shell commands. When tainted data is in the command line this can be very dangerous. These risks can be minimized by proper filtering and escaping. PHP was designed in such a way that it allows user level access to a file system. With that it is possible to code a script which allows you to access system files send huge printer files, modify your Internet connections etc. In this case, care should be taken and you should ensure that the files you write to and the files that you read from are the appropriate ones.

In the following example the user wishes to delete a home directory file.

Example : Poor variable checking.

<?php

// remove a file from the user's home directory

$username = $_POST['user_submitted_name'];

$userfile = $_POST['user_submitted_filename'];

$homedir  = "/home/$username";

unlink("$homedir/$userfile");

echo "The file has been deleted!";

?>

From the user form, the file name and the username are postable. With this the user can submit the username and the file name which belong to someone else and can delete it even if they are not allowed to do so. Some other form of authentication should be used in such cases.

Here is an example of a filesystem attack.

Example:

<?php

// removes a file from anywhere on the hard drive that

// the PHP user has access to. If PHP has root access:

$username = $_POST['user_submitted_name']; // "../etc"

$userfile = $_POST['user_submitted_filename']; // "passwd"

$homedir  = "/home/$username";               // "/home/../etc"

unlink("$homedir/$userfile");                             // "/home/../etc/passwd"

echo "The file has been deleted!";

?>

To prevent these issues, you can implement two important measures. They are.

·        Allowing limited permissions to the PHP web user binary.

·        Checking all the submitted variables.

Here the following script is more secure and improved.

Code:

<?php

// removes a file from the hard drive that

// the PHP user has access to.

$username = $_SERVER['REMOTE_USER']; // using an authentication mechanism

$userfile = basename($_POST['user_submitted_filename']);

$homedir  = "/home/$username";

$filepath = "$homedir/$userfile";

if (file_exists($filepath) && unlink($filepath)) {

   $logstring = "Deleted $filepath\n";

} else {

   $logstring = "Failed to delete $filepath\n";

}

$fp = fopen("/home/logging/filedelete.log", "a");

fwrite($fp, $logstring);

fclose($fp);

echo htmlentities($logstring, ENT_QUOTES);

?>

Even this code is not without flaws. Your system will once again be exposed if the authentication system allows the users accessing to create their own logins.

Here is a more secure file name checking example.

<?php

$username     = $_SERVER['REMOTE_USER']; // using an authentication mechanisim

$userfile     = $_POST['user_submitted_filename'];

$homedir      = "/home/$username";

$filepath     = "$homedir/$userfile";

if (!ctype_alnum($username) || !preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', $userfile)) {

   die("Bad username/filename");

}

//etc...

?>

Proper Error Handling for better Security

For your web application to be secure, proper error handling should be done. Errors in your application may give hackers a weak spot through which they can access your data. So it is good to know about the errors that show up while you're developing a web application.

Proper care should be taken to hide the errors when the application is given out to the end users. Showing these errors to the end users will only make your application vulnerable. So, different configurations should be used for development and production in the best approach.

One should turn off display_star_up_errors and display_errors to hide them from the end users. But log_errors and errors_reporting should always be on. Keeping this on will log the errors without the end user knowing them.

Using the try/catch blocks, exception handling should be performed. If an exception pops up in the try block, it can be handled in the catch block.

Conclusion

PHP is a simple yet very powerful tool. Even for beginners PHP isn’t so difficult to understand and implement. The concepts are simple and just like those of C and C++. By practicing the methods and concepts that are given above, one can get good knowledge on the subject of PHP.

You can start using PHP with a little practice. I hope that this book was able to help you understand the basics of PHP. I want to thank you for choosing this book and hope you have a good read.