Post #1, 02-16-2006, 04:39 AM, by luiz_itape (thread starter; New Member, Join Date: Feb 2006, Posts: 3)

Reducing Exploits

When dealing with PHP, especially dynamics, it's important to always consider security. Here are some simple tips that will help you deal with the most common of those problems and exploits.


1. Disable register_globals. Disabling register_globals and using $_GET to obtain URL variables is much more secure. It prevents the visitors from changing other important variables in your code. To do this, do the following:

Code:
# In your .htaccess file add:
php_flag register_globals 0

Code:
<?php
// In your PHP files, make sure you read request values explicitly from $_GET.
// The key must be quoted: $_GET[var] relies on an undefined constant named var.
$var = isset($_GET['var']) ? $_GET['var'] : '';
?>
2. Limit the amount of text used for user input. A big problem on my sites is that they allow far too much to be controlled with text-string variables. If these strings aren't validated thoroughly, it can result in a number of big exploits. Whenever possible, use numbers and convert them into an integer before actually using them.

Code:
Bad:
<?php
// $text should be "something";
// $text could be "<iframe src=\"evilscript...\"></iframe>"
$text = isset($_GET['text']) ? $_GET['text'] : '';
echo $text;
?>
Code:
Good:
<?php
// $text has to be an integer
// $text is now much more secure
$text = isset($_GET['text']) ? (int) $_GET['text'] : 0;
echo $text;
?>
3. Careful with dynamic includes. I've seen numerous sites exploited because of their handling of includes. Many will just include it regardless of where it is or without any validation. That's not the way to do it as it results in numerous errors or possibly major exploits. Here's the safest way to deal with dynamic includes.
Source: NamePros.com http://www.namepros.com/webmaster-tutorials/168065-reducing-exploits.html

Code:
<?php
// Read the page name explicitly; the key must be quoted.
$input = isset($_GET['var']) ? $_GET['var'] : '';
switch ($input) {
    case "home":
        include("folder/home.php");
        break;
    case "about":
        include("folder/about.php");
        break;
    // if none of the above
    default:
        include("folder/default.php");
        break;
}
?>
It does require some manual input, but it prevents people from executing remote code or generating errors.

4. Validate ALL user input. Validating all user input is VERY important. If you're careless you could end up having some nasty code embedded in your page or even have it defaced. There are numerous things that people can do, including injecting your SQL, which you don't want to happen. Here are a couple of functions PHP has which will greatly reduce these risks.

Code:
<?php
// The value to clean; read it explicitly from the request.
$variable = isset($_GET['variable']) ? $_GET['variable'] : '';
// Let's strip out the HTML tags to avoid meta-refreshes and iframe redirections.
$variable = strip_tags($variable);
// Let's get rid of any special HTML characters which might play with our script.
$variable = htmlspecialchars($variable);
// Even with the above, you'll want some added protection against MySQL injection.
// magic_quotes are great, but aren't always available.
// (get_magic_quotes_gpc() was deprecated in PHP 7.4 and removed in PHP 8.0.)
if (!get_magic_quotes_gpc()) {
    $variable = addslashes($variable);
}
// Note that if slashes are added here, you'll want to set something up so that
// they're also removed later on (stripslashes()).
// Let's say you're letting them fill out a form and there are quite a few $_POST
// variables you want to validate; to get them all easily use array_map.
$_POST = array_map('strip_tags', $_POST);
$_POST = array_map('htmlspecialchars', $_POST);
if (!get_magic_quotes_gpc()) {
    $_POST = array_map('addslashes', $_POST);
}
?>
Don't be afraid to go to great lengths to make your scripts as secure as possible. These are just a few of the things you can do to help. There's certainly more to consider, but these are important for every developer to consider.
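As an added example (not code from the post above), here is the situation tip 1 protects against, written out in full: a check whose result variable is only assigned on one branch, next to the same check written so that every variable is initialised and request data is read only from $_GET. The user list and password are constructed sample values, and the ini_get() guard is an assumption about how a script might refuse to run on a misconfigured PHP 5.3 or older host.

```php
<?php
// Added example; not from the original post. Demonstrates why tip 1 matters and
// how to write request handling that does not depend on register_globals.

// Refuse to run if register_globals is still enabled. The directive was removed in
// PHP 5.4, so on newer versions ini_get() returns false and this guard is a no-op.
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Refusing to run: set "php_flag register_globals 0" in .htaccess');
}

// Constructed sample; a real application would store password hashes, not text.
$valid_users = array('alice' => 'constructed-sample-password');

// --- Fragile: the pattern the post warns about ---------------------------------
// $authorized is only ever assigned on the success branch. With register_globals
// on, any request parameter becomes a global variable before this code runs, so
// the value of $authorized can be decided by the URL rather than by the check.
if (isset($_GET['user'], $_GET['pass'])
    && isset($valid_users[$_GET['user']])
    && $valid_users[$_GET['user']] === $_GET['pass']) {
    $authorized = true;
}
if (!empty($authorized)) {
    // ... privileged content would go here ...
}

// --- Hardened ------------------------------------------------------------------
// Every variable is initialised before use and request data is read only from
// the superglobals, so nothing in the request can set $is_authorized except the
// comparison itself; this holds whether or not register_globals is on.
$is_authorized = false;
$user = isset($_GET['user']) ? (string) $_GET['user'] : '';
$pass = isset($_GET['pass']) ? (string) $_GET['pass'] : '';
if ($user !== '' && isset($valid_users[$user]) && $valid_users[$user] === $pass) {
    $is_authorized = true;
}

if ($is_authorized) {
    // Escape for HTML at the point of output (see tip 4).
    echo 'Welcome, ', htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
} else {
    echo 'Not authorized';
}
```

The two halves differ in one habit: the hardened version never lets a later test depend on a variable that might not have been assigned. That habit costs nothing and makes the code safe to move between hosts with different php.ini settings.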
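The switch in tip 3 is the right idea; as an added example (not the post's own code) here it is generalised to a whitelist map, with a realpath() containment check so that even a mistyped whitelist entry cannot include anything outside the intended folder. The "folder/" layout and the page names are taken from the post; everything else is an assumption.

```php
<?php
// Added example; not from the original post. Whitelisted dynamic include: the
// request value is only ever used as an array key, never as part of a path.

$pages = array(
    'home'  => 'home.php',
    'about' => 'about.php',
);
$default = 'default.php';

// The only directory includes may come from. realpath() returns false if it
// does not exist, and a false base must not be allowed to satisfy the check below.
$base = realpath(__DIR__ . '/folder');
if ($base === false) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('Page directory is missing');
}

/**
 * Map a requested page name to an absolute file path, or return null.
 * Unknown names fall through to the default page, exactly as the post's switch does.
 */
function resolve_page(array $pages, $default, $base, $requested)
{
    $file = isset($pages[$requested]) ? $pages[$requested] : $default;
    $path = realpath($base . '/' . $file);
    // Belt and braces: the resolved file must exist and must live under $base.
    // A missing or misplaced file yields null instead of an include warning that
    // would leak the server's directory layout into the page.
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['var']) ? (string) $_GET['var'] : '';
$path = resolve_page($pages, $default, $base, $requested);
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('Page not found');
}
include $path;
```

Adding a page means adding one line to $pages, which keeps the "manual input" the post mentions to a minimum while preserving its guarantee: nothing the visitor sends can name a file.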
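Tips 2 and 4 both come down to validating input before use. This added example (not the post's code) refines both: it rejects malformed integers instead of silently truncating them with (int), it cleans nested $_POST arrays, which array_map() alone cannot do, and it shows escaping chosen per output context rather than the addslashes()/magic-quotes approach. The PDO part assumes the pdo_sqlite extension is available and uses an in-memory database with a constructed table; all request values are constructed samples.

```php
<?php
// Added example; not from the original post. Covers tip 2 (integers) and tip 4
// (validate everything) with the refinements described in the lead-in.

// Tip 2: (int) "12abc" quietly becomes 12. FILTER_VALIDATE_INT returns false for
// anything that is not a well-formed integer inside the allowed range, so the
// request can be rejected instead of proceeding with a guessed value.
function validate_int($value, $min, $max)
{
    $result = filter_var($value, FILTER_VALIDATE_INT,
        array('options' => array('min_range' => $min, 'max_range' => $max)));
    return $result === false ? null : $result;   // null means "reject the request"
}

// Tip 4: array_map('strip_tags', $_POST) fails on nested fields such as
// <input name="tags[]">, because strip_tags() is then handed an array.
// array_walk_recursive() visits every leaf value instead.
function sanitize_recursive(array $input)
{
    array_walk_recursive($input, function (&$leaf) {
        $leaf = strip_tags(trim((string) $leaf));
    });
    return $input;
}

// Escape for HTML at the point of output, with quotes covered and an explicit charset.
function escape_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request: a tagged name, a nested field, and a bad integer.
$sample_post = array(
    'name' => 'Ann <b onmouseover="x()">Example</b>',
    'tags' => array('php', '<script>x</script>security'),
    'page' => '12abc',
);

$clean    = sanitize_recursive($sample_post);
$page_bad = validate_int($sample_post['page'], 1, 1000);   // rejected: null
$page_ok  = validate_int('42', 1, 1000);                   // accepted

echo 'name: ', escape_html($clean['name']), "\n";
echo 'tags: ', escape_html(implode(', ', $clean['tags'])), "\n";
echo 'page: ', var_export($page_bad, true), ' / ', var_export($page_ok, true), "\n";

// SQL context: bind values instead of relying on addslashes() or magic quotes.
// The apostrophe in the name is data to the driver, never SQL syntax.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
$insert->execute(array(':name' => "O'Brien"));
$select = $db->prepare('SELECT name FROM users WHERE name = :name');
$select->execute(array(':name' => "O'Brien"));
echo 'db: ', escape_html($select->fetchColumn()), "\n";
```

The design choice worth noting is that sanitize_recursive() only removes tags; it does not HTML-encode, because encoding belongs at the moment a value is written into HTML (escape_html) and a value bound through PDO needs no encoding at all. Encoding once on input, as the post's array_map('htmlspecialchars', $_POST) does, corrupts data that later goes to the database or a plain-text email.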