Secure PHP Programming
Secure PHP Programming 101
By Michael McCann
Last Updated: Jan 10, 2008
Writing insecure code is easy. Everybody does it. Sometimes we do it accidentally because we don't know that the security issue exists, and sometimes we do it on purpose because we assume the bad guys won't notice one small vulnerability. Secure programming is often overlooked because of ignorance, time constraints, or any number of other factors. Because security isn't flashy until something goes wrong, it is often easy to put it off.
Once your application is compromised, you will find there's nothing more important. The best case scenario is that you lose days of productivity and suffer downtime while you fix what was damaged. The worst case scenario: your data is compromised and you have no idea whether it is still correct, much less what the hackers managed to write and read. Did you expose usernames and passwords to the world? Did you happen to release the credit card data of thousands into the hands of identity thieves? You'll never really be able to know. It's best to practice secure programming so you never have to ask yourself these questions.
With this in mind, let's look at three different classes of secure programming "no-noes": storage risks, process risks, and exposure risks, and discuss how we can prevent each of them. Server configuration and data transmission security are beyond the scope of this article, but the reader should be aware that they also play a large role in securing a web application.
Storage risks are those risks involved in storing data and interacting with a database server or file system. The most widely known of these is the notorious SQL injection attack. SQL injection is when you allow the user to input data into a query, and instead of a value he adds his own SQL into the query. The easiest way to prevent this type of attack is to escape every user variable that could touch your queries. Luckily, PHP has several built-in functions for handling this, such as mysql_escape_string(). Essentially, this works by escaping characters in a string that could possibly be used to terminate your query and execute a user specified query.
When should you escape user data? It all depends on who you talk to. Some programmers prefer to escape as soon as it enters the application, while others prefer to wait until right before it is placed into the query. Personally, I prefer to escape right before it is inserted into the query. I do this because I can always look at the code, see the database interaction, and see that the data was escaped before it was used. I don't need to search the entire source to make sure something was escaped.
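The injection the two paragraphs above describe, shown as an added example that is not the article's own code: the vulnerable string-built query, the article's escape-right-before-the-query approach, and a prepared statement. mysql_escape_string() and the rest of the mysql_* family were removed in PHP 7, so the escaping variant uses mysqli_real_escape_string(), which needs a live connection to know the connection's character set. The table and column names, the DSN and the credentials are assumptions.

```php
<?php
// Added example (not from the article): the SQL injection the text describes
// and two ways to stop it. Table name, column names, DSN and credentials are
// assumptions; the input below is constructed.

// Constructed input: a "username" that closes the string literal and appends
// its own condition.
$input = "admin' OR '1'='1";

// VULNERABLE: the user's value is pasted into the query text, so the quote in
// $input ends the literal and everything after it is parsed as SQL.
function vulnerableQuery(string $username): string
{
    return "SELECT id FROM users WHERE name = '" . $username . "'";
}

// The article's approach: escape right where the query is built, so the
// database interaction and the escaping are visible in the same place.
function escapedQuery(mysqli $db, string $username): string
{
    $safe = mysqli_real_escape_string($db, $username);
    return "SELECT id FROM users WHERE name = '" . $safe . "'";
}

// Preferred today: a prepared statement sends the value separately from the
// query text, so there is nothing to escape and nothing to forget.
function preparedLookup(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = :name');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (int) $row['id'] : null;
}

// The vulnerable form can be inspected without a database; the other two need
// connections (placeholder credentials, replace before use):
echo vulnerableQuery($input), "\n";
// $mysqli = new mysqli('localhost', 'app_ro', 'REPLACE_ME', 'shop');
// echo escapedQuery($mysqli, $input), "\n";
// $pdo = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app_ro', 'REPLACE_ME');
// var_dump(preparedLookup($pdo, $input));   // no user has that literal name
```

Printing vulnerableQuery($input) shows the WHERE clause the database would actually see; the prepared version matches only a user whose name is literally the injected string, which is the behaviour you want.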
The second storage risk we'll talk about is storing passwords as plain text (hereafter referred to as clear text). I know you guys do it; I've seen too many open source applications and too many in-house applications to believe that it doesn't go on. Simply put, there is never any reason to store a password in clear text. It doesn't matter if you're storing the password in a database or a flat file, always store passwords as a hash. You can do this simply enough by using PHP's md5() function to convert the password before you insert it into your storage medium. Because md5 is repeatable, you can validate a password by simply using
When should you convert the password to a hash? You should do it as soon as possible. Don't let the password variable float around your application at all. As soon as you grab the password input, convert it into a hash. I prefer to do this by setting the password variable to its own hash; this avoids the chance of using the wrong variable in subsequent code.
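The hash-as-soon-as-it-arrives pattern from the two paragraphs above, as an added example that is not the article's code. The article uses md5(); this example uses password_hash() and password_verify() (PHP 5.5 and later) because md5 is fast and unsalted, which makes a stolen table of md5 hashes cheap to crack offline. The input value is constructed and stands in for a posted form field.

```php
<?php
// Added example (not from the article): overwrite the clear-text password
// variable with its hash immediately, then verify later against the stored
// hash. Uses password_hash()/password_verify() rather than the article's
// md5(); the sample password is constructed.

// Stands in for $_POST['password'].
$password = 'correct horse battery staple';

// Replace the variable with its hash right away, as the text recommends, so
// no later code can accidentally use or log the clear text.
$password = password_hash($password, PASSWORD_DEFAULT);

// $password now holds the salted hash; store that in the database or flat
// file. Each call to password_hash() produces a different hash because of
// the salt, so verification must go through password_verify(), which reads
// the salt and algorithm back out of the stored value.
function checkLogin(string $storedHash, string $attempt): bool
{
    return password_verify($attempt, $storedHash);
}

var_dump(checkLogin($password, 'correct horse battery staple'));
var_dump(checkLogin($password, 'wrong password'));
```

Because the stored value records which algorithm and cost produced it, password_needs_rehash() can later be used to upgrade old hashes transparently at the next successful login.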
Next, let's talk about the usernames and passwords your program needs in order to interact with other applications (like database servers). You should always separate these out into a different PHP file than the rest of your code, and reference them as constants or variables. This not only makes your code easier to maintain (if you want to change a password, you know exactly where to look); in the event that your source gets released, you know that the password isn't in that file. While it's certainly true that they could grab your password file, it does lessen the risk considerably.
Before we leave usernames behind, I want to touch on the concept of separation of power. We're not talking about the government in this case, but about database users. The database user accounts your program uses should have the minimum level of access they need in order to function correctly.
If your application only reads from a database, then the database account it uses should only have Select permission on that specific database, and no access to any other database.
To take this idea a step further, I prefer to create multiple database accounts for my web applications. Typically I create one account that only has Select permissions for the particular tables the software needs to read from, and a completely separate account that only has write access. This makes sure that no write queries are accidentally performed and mitigates the possible damage done by SQL injections.
Of course, multiple accounts work best when there's a clear separation between those who can write to a database and those who can read it (such as a CMS). In theory, you could use multiple accounts in any application, but you run into problems with the number of open connections to the database. This is simply something that should be considered as an option during the design phase of your software.
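The credential-file and two-account layout from the paragraphs above, as an added example that is not the article's code: the constants live in their own file outside the web root, and the read path and write path open different accounts. The file name, database name, account names and table names are assumptions; the passwords are placeholders; the GRANT statements in the comments are the privileges that would match the two accounts.

```php
<?php
// Added example (not from the article): database credentials in a separate
// file, and two accounts with the minimum privileges each code path needs.
// File name, DSN, account and table names are assumptions; passwords are
// placeholders.

// ---- inc_db_config.php: keep this file outside the web root ----
const DB_DSN        = 'mysql:host=localhost;dbname=shop;charset=utf8mb4';
const DB_READ_USER  = 'shop_ro';         // granted only SELECT on what it reads
const DB_READ_PASS  = 'REPLACE_ME_RO';
const DB_WRITE_USER = 'shop_rw';         // granted only INSERT/UPDATE on what it writes
const DB_WRITE_PASS = 'REPLACE_ME_RW';

// Matching grants, applied once by a DBA rather than by the application:
//   GRANT SELECT ON shop.products TO 'shop_ro'@'localhost';
//   GRANT INSERT, UPDATE ON shop.orders TO 'shop_rw'@'localhost';

// ---- application code (in the real layout this would start with
// require_once __DIR__ . '/../config/inc_db_config.php';) ----

function readConnection(): PDO
{
    $pdo = new PDO(DB_DSN, DB_READ_USER, DB_READ_PASS);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

function writeConnection(): PDO
{
    $pdo = new PDO(DB_DSN, DB_WRITE_USER, DB_WRITE_PASS);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// The product listing only ever uses the read-only account, so even an
// injection in this path cannot modify or delete data.
function listProducts(): array
{
    $stmt = readConnection()->query('SELECT id, name, price FROM products');
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Placing an order is the one path that opens the write account, and it
// still uses a prepared statement.
function placeOrder(int $productId, int $quantity): void
{
    $stmt = writeConnection()->prepare(
        'INSERT INTO orders (product_id, quantity) VALUES (:pid, :qty)'
    );
    $stmt->execute([':pid' => $productId, ':qty' => $quantity]);
}
```

The connection-count concern the text raises is real: a request that both reads and writes holds two connections for its lifetime, so open the write connection only in the code path that needs it and let it close when that path finishes.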
I'm a big advocate, as are most programmers, of breaking source code down into multiple files at every logical opportunity. However, I've noticed that a lot of PHP programmers have a bad habit of naming PHP files they intend to use as libraries or other include types with the extension .inc, or .config, or some other non-.php extension. This is a bad idea because the server it's running on might not be set up to parse these extensions as PHP files, so anyone loading the file would be exposing your source code (and potentially passwords, usernames, and other protected information) to the world. I prefer to prefix filenames instead, using inc_ or class_ when needed.
While we're discussing included files, I would like to talk about two other security precautions. If you have a PHP file that you intend to use only as part of a larger PHP application, add a one-line check built from __FILE__ and $_SERVER['PHP_SELF'] to the start of the file.
This will cause the file to immediately terminate if someone tries to run it directly. A well written include or class file shouldn't do anything when loaded on its own, but you can never be too careful, especially when a one line cut and paste can potentially save you so much heartache.
The other include-related thing I'd like to talk about is the difference between include() and readfile(). Include will tell the server to parse the file as PHP, while readfile tells the server to output the file as plain text. You should never use include on a file that is publicly writable (for example, if you have an application that appends user submitted data to a file in order to simulate a graffiti wall or guest book) or on a file that you don't control (files on other servers, or that others can edit). A malicious user could easily inject his own PHP into your system, causing untold amounts of havoc. At the same time, you should never use readfile on a file that ends in .php. On a misconfigured system, this runs the risk of exposing your source code to the world. To summarize, use readfile() on html, txt, and remote files. Use include on local files with php code you want to execute.
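Both include-related precautions from the paragraphs above in one added example that is not the article's code: the direct-access guard at the top of an include-only file, and a guest book that appends visitor text to a writable file and shows it as text rather than passing it to include(). The article's guard compares __FILE__ with $_SERVER['PHP_SELF']; this example compares against $_SERVER['SCRIPT_FILENAME'] because PHP_SELF can contain extra path segments supplied by the client. The file names are assumptions.

```php
<?php
// Added example (not from the article): direct-access guard for an
// include-only file, plus a guest book that keeps user-written content as
// text. File names are assumptions.

// ---- inc_guestbook.php: meant to be required by other scripts only ----
// If the script PHP is executing *is* this file, nobody included us; stop.
// realpath() canonicalises SCRIPT_FILENAME so it compares equal to __FILE__.
if (realpath($_SERVER['SCRIPT_FILENAME']) === __FILE__) {
    exit('Direct access not permitted');
}

const GUESTBOOK_FILE = __DIR__ . '/data/guestbook.txt';

// Append the entry as text. Because visitors write to this file it must
// never be handed to include(): any "<?php" they typed would execute.
function addEntry(string $name, string $message): void
{
    // Strip newlines so one visitor cannot forge extra entries.
    $name    = str_replace(["\r", "\n"], ' ', $name);
    $message = str_replace(["\r", "\n"], ' ', $message);
    $line = date('c') . ' ' . $name . ': ' . $message . "\n";
    file_put_contents(GUESTBOOK_FILE, $line, FILE_APPEND | LOCK_EX);
}

// Output as text. readfile() would stream the raw bytes, which is fine for a
// file you control; for visitor-written content escape it first so stored
// HTML or script tags do not render in other visitors' browsers.
function showEntries(): void
{
    if (!is_file(GUESTBOOK_FILE)) {
        return;
    }
    echo '<pre>',
        htmlspecialchars(file_get_contents(GUESTBOOK_FILE), ENT_QUOTES, 'UTF-8'),
        '</pre>';
}

// The same rule applies to file names: never include() a path built from
// user input, only from a fixed list the program owns.
const PAGES = ['home' => 'inc_home.php', 'about' => 'inc_about.php'];

function showPage(string $requested): void
{
    if (!array_key_exists($requested, PAGES)) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/' . PAGES[$requested];
}
```

The last function goes one step beyond the text: the same "don't include what you don't control" rule covers the file name as well as the file contents, which is why the page name is looked up in a fixed table instead of being used directly.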
Now let's talk about process risks. I think of process risks as those matters related to the way code executes. The main process risk in any application is invalid data. You can never validate data enough. As soon as user data enters the system, you should immediately verify that it exists and that it is what you expect it to be; if not, your program should halt and prompt the user for better input.
When validating data, you should use the tightest filter possible. For example, if your program is expecting a percentage, you should not simply verify that they entered something. Your program should verify that it is numeric and between 0 and 100.
You should also validate at every level. Every time a function accepts input, verify that the data is what you expected it to be and behave accordingly if the data is bad. This will make it less likely that you will accept bad data due to a programming oversight, and it also has the added benefit of catching logic errors in your software.
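The percentage example from the paragraphs above carried through as an added example that is not the article's code: the boundary check uses the tightest filter PHP offers for the case (an integer constrained to 0..100), and the function that consumes the value checks its range again. Field names and the sample requests are constructed.

```php
<?php
// Added example (not from the article): validate a percentage with the
// tightest filter available, then re-validate inside the consuming function.
// Field name and sample inputs are constructed.

// Boundary validation: must exist, must be a whole number from 0 to 100,
// nothing else. filter_var() returns false for anything that fails.
function readPercentage(array $request, string $field): int
{
    if (!isset($request[$field])) {
        throw new InvalidArgumentException("$field is required");
    }
    $value = filter_var($request[$field], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 100],
    ]);
    if ($value === false) {
        throw new InvalidArgumentException("$field must be a whole number from 0 to 100");
    }
    return $value;
}

// Next level: the arithmetic does not assume its caller checked. If some
// other code path passes 250 here, that is a logic error worth surfacing.
function applyDiscount(float $price, int $percent): float
{
    if ($percent < 0 || $percent > 100) {
        throw new DomainException("percent out of range: $percent");
    }
    if ($price < 0) {
        throw new DomainException("price out of range: $price");
    }
    return round($price * (100 - $percent) / 100, 2);
}

// Constructed requests standing in for $_POST.
$requests = [
    ['discount' => '15'],                        // accepted
    ['discount' => '15; DROP TABLE orders'],     // not an integer: rejected
    ['discount' => '250'],                       // above max_range: rejected
    [],                                          // missing: rejected
];

foreach ($requests as $request) {
    try {
        echo applyDiscount(80.00, readPercentage($request, 'discount')), "\n";
    } catch (InvalidArgumentException $e) {
        // Halt this request and tell the user what to fix.
        echo 'Rejected: ', $e->getMessage(), "\n";
    }
}
```

The two exception types are deliberate: InvalidArgumentException from readPercentage() is user-correctable and becomes a prompt, while DomainException from applyDiscount() is not caught here because it indicates a bug in the program rather than bad input.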
Next, I'd like to talk about eval(), exec(), and their ilk (shell_exec(), system(), passthru(), and pcntl_exec()). Visit their respective php.net pages to find out more about them, but in reality there is very little reason to use them. Eval will run any php code passed to it as a variable. This is inherently dangerous because you no longer have real control over what code is executed. If you must use eval(), don't ever run it with a variable that has been derived from a user supplied value, otherwise you run the risk of a hacker injecting his code. Exec() and the like pose similar threats; allowing your script to interact with the command line is a level of capability you should rarely, if ever, need.
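The eval() misuse the paragraph warns about next to the pattern that removes it, as an added example that is not the article's code: a user-chosen sort order is first spliced into eval(), then replaced by a lookup in a table of functions the program wrote. The closing function shows the one precaution to take if a shell command truly cannot be avoided. The "sort order" feature, the command and the file naming rule are constructed.

```php
<?php
// Added example (not from the article): eval() on user-derived input beside
// a whitelist that provides the same feature without executing user text,
// and argument quoting for an unavoidable shell command. All names are
// constructed.

// DANGEROUS: $userChoice becomes PHP source. Anything other than the expected
// function name is executed as code with the application's privileges.
function sortRecordsWithEval(array $records, string $userChoice): array
{
    eval('usort($records, "' . $userChoice . '");');
    return $records;
}

// SAFE: the user selects a key; the program decides what each key means.
function byName(array $a, array $b): int
{
    return strcmp($a['name'], $b['name']);
}

function byPrice(array $a, array $b): int
{
    return $a['price'] <=> $b['price'];
}

const SORTERS = ['by_name' => 'byName', 'by_price' => 'byPrice'];

function sortRecords(array $records, string $userChoice): array
{
    if (!array_key_exists($userChoice, SORTERS)) {
        throw new InvalidArgumentException('unknown sort order');
    }
    usort($records, SORTERS[$userChoice]);   // callable name comes from our table
    return $records;
}

// If a shell command is genuinely unavoidable: validate the value against the
// tightest pattern first, then escapeshellarg() each argument separately.
// Never build the command string from raw input.
function thumbnailCommand(string $fileName): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.png\z/', $fileName)) {
        throw new InvalidArgumentException('bad file name');
    }
    $src = escapeshellarg(__DIR__ . '/uploads/' . $fileName);
    $dst = escapeshellarg(__DIR__ . '/thumbs/' . $fileName);
    return 'convert ' . $src . ' -resize 128x128 ' . $dst;
}

$records = [['name' => 'pear', 'price' => 3], ['name' => 'apple', 'price' => 5]];
print_r(sortRecords($records, 'by_name'));
echo thumbnailCommand('photo_01.png'), "\n";
```

The whitelist version also fails closed: an unexpected key raises an exception instead of being interpreted, which is the behaviour the validation section above asks for.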
Finally, let's talk about a couple of exposure risks. Usually, you don't want to display your error messages to the world. For one, they freak people out. Secondly, they give hackers a wealth of information about possible bugs in your code. On production systems, always turn your error reporting off and use PHP's error_log() function instead.
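The production error handling the paragraph calls for, as an added example that is not the article's code: display is switched off, everything is routed through error_log(), and the user sees only a generic message. The log path is an assumption, and the settings would normally live in php.ini rather than be set per script.

```php
<?php
// Added example (not from the article): keep error detail out of responses
// and send it to the log with error_log(). Log path is an assumption;
// ini_set() is used so the example is self-contained (php.ini is the usual
// place for these settings).

ini_set('display_errors', '0');                       // nothing to the browser
ini_set('log_errors', '1');                           // everything to the log
ini_set('error_log', '/var/log/php/app_errors.log');  // assumption
error_reporting(E_ALL);                               // still record it all

// Uncaught exceptions: full detail and stack trace to the log, a generic
// page and a 500 status to the user.
set_exception_handler(function (Throwable $e): void {
    error_log(sprintf(
        '[%s] %s in %s:%d%s%s',
        get_class($e), $e->getMessage(), $e->getFile(), $e->getLine(),
        PHP_EOL, $e->getTraceAsString()
    ));
    http_response_code(500);
    echo 'Something went wrong. The problem has been logged.';
});

// Warnings and notices: same destination. Returning true tells PHP its own
// handler (which might print) should not run.
set_error_handler(function (int $errno, string $errstr, string $errfile, int $errline): bool {
    error_log("PHP error $errno: $errstr in $errfile:$errline");
    return true;
});

// Constructed failure: with display_errors on, a real driver exception here
// would have printed the DSN, the query and the driver message to the page.
throw new RuntimeException('database connection refused (constructed)');
```

Check the result by requesting the page and then reading the log: the response should carry only the generic sentence, and the log line should carry the class, message, file, line and trace.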
The last risk we'll talk about is using session IDs. Simply put, try not to ever send the session id to the user. Sessions aren't secure, but if you send back the session ID you run an even greater risk of someone other than the expected user acting as a "man in the middle" (to borrow an analogy) and piggy-backing off of the valid user's session. An example of this would be using a session id to hijack someone's shopping cart and alter a delivery address, steal credit card information, or do something even more malicious depending on the system.
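The session handling that keeps the ID out of the user's hands, as an added example that is not the article's code: the ID travels only in a cookie (never in a URL or page body), the cookie is flagged so scripts cannot read it and plain HTTP cannot carry it, and a fresh ID is issued at login so an ID seen before authentication is useless afterwards. The login and logout functions are stubs for whatever the application does; session_set_cookie_params() with an array argument needs PHP 7.3 or later.

```php
<?php
// Added example (not from the article): session settings that keep the
// session ID in a protected cookie and off of URLs and pages. Login/logout
// bodies are stubs; requires PHP 7.3+ for the array form of
// session_set_cookie_params().

// Never accept or emit the ID in a URL (?PHPSESSID=...); cookies only.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
// Also refuse IDs the server never issued (otherwise an attacker can pick one).
ini_set('session.use_strict_mode', '1');

// Cookie flags: HttpOnly keeps JavaScript from reading it, Secure keeps it off
// plain HTTP, SameSite limits cross-site requests that carry it.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

function loginUser(int $userId): void
{
    // New ID at the privilege change, old one invalidated: an ID observed or
    // planted before login cannot ride along into the authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

function currentUserId(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logoutUser(): void
{
    $_SESSION = [];
    session_destroy();
}

// Never echo session_id() into links, hidden form fields or debug output;
// the browser already holds it in the cookie and nothing else needs it.
```

The use_strict_mode line goes slightly beyond the text: it closes the companion case where an attacker hands the victim a session ID in advance and waits for the victim to log in with it.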
We've discussed many security risks involved with programming in PHP, but they boil down to a few manageable concepts.
* Never trust the user: don't let them run code on your server and always validate any data they send you.
* Don't give the user, or your software, any level of access greater than the bare minimum needed to successfully accomplish their tasks.
* Don't tell the user more than they need to know: don't let them see your code, the session id, or any error messages that you didn't design specifically for them.
If you have any questions, please feel free to email me at michael@mmccann.com or visit my website (http://www.MMcCann.com).
From materials of: http://articlecity.com/articles/web_design_and_development/a~.shtml
Published: April 26, 2008