PHP Security Audit

This is a general review of ensuring security in PHP and is a background for and supplement to Drupal Handbook's writing secure code.

Filter all incoming data

Create a tree diagram for every input. Every time information is assigned to another variable, it taints that one also. Just like zombie bites.

Escape all outgoing data

Includes SQL queries and HTML.

$html = array();
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";

The content type ('UTF-8') must match that used in your HTML headers.

PHP's MySQL escaping function (mysql_real_escape_string()) takes the character set of the database connection into account automatically.
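The two rules above applied end to end, as an added example (not code from the original notes or from the screencast): input is copied into $clean only after validation, then escaped once per output context into $html and $sql. The form field name, the database connection details and the users table are assumptions.

```php
<?php
// Added example: filter-in / escape-out for a login form.
// $clean, $html and $sql follow the naming convention in the notes.

// 1. Filter: nothing from $_POST is used after this block except via $clean.
$clean = array();
if (isset($_POST['username'])
    && preg_match('/^[A-Za-z0-9_]{1,32}$/', $_POST['username'])) {
    $clean['username'] = $_POST['username'];
} else {
    // Invalid or missing input: reject it, do not try to "repair" it.
    http_response_code(400);
    exit('Invalid username.');
}

// 2. Escape for the HTML context. The charset passed to htmlentities()
//    must be the same one declared in the Content-Type header.
header('Content-Type: text/html; charset=UTF-8');
$html = array();
$html['username'] = htmlentities($clean['username'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome back, {$html['username']}.</p>";

// 3. Escape for the SQL context. real_escape_string() uses the charset of
//    the connection, so set it explicitly before escaping anything.
//    Host, database and credentials are placeholders.
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'app');
$db->set_charset('utf8mb4');
$sql = array();
$sql['username'] = $db->real_escape_string($clean['username']);
$result = $db->query("SELECT id FROM users WHERE username = '{$sql['username']}'");

// Same query as a prepared statement: the value never enters the query text,
// so there is nothing to escape. Prefer this form where the driver allows it.
$stmt = $db->prepare('SELECT id FROM users WHERE username = ?');
$stmt->bind_param('s', $clean['username']);
$stmt->execute();
```

Note that the escaping is done at the point of output and never stored back into $clean: a value escaped for HTML is wrong for SQL and vice versa, which is why each context gets its own array.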

Identifying output and tracing backward

echo $html

Step backward looking for $html:

$html = "<p>$greeting</p>";

Step back looking for $greeting:

$greeting = "Welcome back, $username";

Step back:

$username = $_COOKIE['username'];

That's a big problem. Trusting cookie data.
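The chain traced above, first exactly as it was found and then corrected, as an added example that is not part of the original notes. The session key 'username' and the theme cookie are assumptions.

```php
<?php
// Added example: the cookie-to-output chain from the trace, then two fixes.

// --- As traced: nothing between $_COOKIE and echo filters or escapes,
//     so whatever the client puts in the cookie is both trusted as an
//     identity and written into the page as-is.
function greeting_from_cookie() {
    $username = isset($_COOKIE['username']) ? $_COOKIE['username'] : '';
    $greeting = "Welcome back, $username";
    $html = "<p>$greeting</p>";
    return $html;
}

// --- Fix 1: identity comes from server-side session state that was set
//     when the user actually authenticated, not from a client-editable
//     cookie. The value is still escaped because the HTML context needs it.
function greeting_from_session() {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['username'])) {
        return '<p>Please log in.</p>';
    }
    $html = array();
    $html['username'] = htmlentities($_SESSION['username'], ENT_QUOTES, 'UTF-8');
    return "<p>Welcome back, {$html['username']}.</p>";
}

// --- Fix 2: when a cookie genuinely has to be read (a display preference,
//     not an identity), treat it as input: filter against a whitelist into
//     $clean, fall back to a default, and escape on output like any other value.
function theme_from_cookie() {
    $allowed = array('light', 'dark');
    $clean = array();
    $clean['theme'] = 'light';   // default if the cookie is absent or invalid
    if (isset($_COOKIE['theme']) && in_array($_COOKIE['theme'], $allowed, true)) {
        $clean['theme'] = $_COOKIE['theme'];
    }
    $html = array();
    $html['theme'] = htmlentities($clean['theme'], ENT_QUOTES, 'UTF-8');
    return "<body class=\"{$html['theme']}\">";
}

header('Content-Type: text/html; charset=UTF-8');
echo theme_from_session_or_default = theme_from_cookie();
echo greeting_from_session();
```

The tracing method itself is the point: start at every echo, print or query and walk each variable back until you reach either a filter (good) or a superglobal (a finding). Here the walk ends at $_COOKIE with no filter in between, which is what the notes flag.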

Common Gotchas

  • Trusting HTTP Headers:
    • Referer
  • Trust of $_SERVER
  • Trust of Client-Side Restrictions:
    • maxlength
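How each item in the list looks on the server side, as an added example that is not from the original notes. The comment field, its 500-character limit and the log destination are assumptions.

```php
<?php
// Added example: the three "gotchas" handled in one form handler.

// (a) Referer (and any other HTTP header) is supplied by the client and can
//     be absent or arbitrary. Record it for diagnostics if useful; never
//     base an access decision on it.
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
error_log('comment form referer: ' . $referer);   // informational only

// (b) $_SERVER entries that echo request data back (PHP_SELF, REQUEST_URI,
//     HTTP_HOST, ...) are outgoing data when written into a page: escape them.
$html = array();
$html['self'] = htmlentities($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');

// (c) maxlength in the form helps the user; it is not a control. Re-check
//     encoding and length here, counting characters rather than bytes.
$clean = array();
$error = '';
if (isset($_POST['comment'])) {
    $comment = $_POST['comment'];
    if (!mb_check_encoding($comment, 'UTF-8')) {
        $error = 'Comment must be valid UTF-8.';
    } elseif (mb_strlen($comment, 'UTF-8') > 500) {
        $error = 'Comment must be 500 characters or fewer.';
    } else {
        $clean['comment'] = $comment;   // only now is it safe to use
    }
}

header('Content-Type: text/html; charset=UTF-8');
echo "<form action=\"{$html['self']}\" method=\"post\">\n";
echo "  <textarea name=\"comment\" maxlength=\"500\"></textarea>\n";
echo "  <input type=\"submit\" value=\"Post\">\n";
echo "</form>\n";
if ($error !== '') {
    echo '<p>' . htmlentities($error, ENT_QUOTES, 'UTF-8') . "</p>\n";
}
```

The server-side check in (c) deliberately repeats the client-side limit: the browser attribute is convenience, the PHP check is the control.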

Resources:

PHP Security Consortium

Essential PHP Security

From BrainBulb (now bought out by OmniTI). Direct link to the screencast movie.

By Chris Shiflett.
