Unit 14: Security
Introduction
PHP is a flexible language that has hooks into just about every API offered on the machines on
which it runs. Because it was designed to be a forms-processing language for HTML pages, PHP
makes it easy to use form data sent to a script. Convenience is a double-edged sword, however.
The very features that let you quickly write programs in PHP can open doors for those who
would break into your systems.
It is important to understand that PHP itself is neither secure nor insecure. The security of your
web applications is entirely determined by the code you write. For example, take a script that
opens a file whose name was passed as a form parameter. If you do not check the filename, the
user can supply a URL, an absolute pathname, or a relative path containing ../ components that
backs out of the application data directory and into a personal or system directory.
This unit looks at several common issues that can lead to insecure scripts, such as filenames, file
uploads, and the eval() function. Some problems are solved through code (e.g., checking filenames
before opening them), while others are solved through changing PHP's configuration (e.g., to
permit access only to files in a particular directory).
14.1 Global Variables and Form Data
Variables in PHP do not have to be declared; they are automatically created the first time they
are used. Nor do they have a fixed type; they are typed automatically based on the context
in which they are used. This is an extremely convenient way to do things from a programmer's
perspective (and is obviously a useful feature in a rapid application development language).
Once a variable is created it can be referenced anywhere in the program (except inside functions,
where a global must be brought into the function's scope with the global keyword). The result
of these characteristics is that variables are rarely initialized by the programmer; after all, before
they are first assigned they are unset (NULL), which compares equal to "" and to 0.
Obviously the main function of a PHP based web application is usually to take in some client
input (form variables, uploaded files, cookies etc.), process the input and return output based on
that input. To make it as simple as possible for the PHP script to access this input, PHP with the
register_globals directive enabled provides it directly as PHP global variables. (register_globals
has been off by default since PHP 4.2 and was removed in PHP 5.4; current code reads $_GET,
$_POST, $_COOKIE and $_FILES instead. The examples that follow assume it is on, because they
show exactly why it was removed.) Take the following example HTML snippet:
<FORM METHOD="GET" ACTION="test.php">
<INPUT TYPE="TEXT" NAME="hello">
<INPUT TYPE="SUBMIT">
</FORM>
Obviously this will display a text box and a submit button. When the user presses the submit
button, the PHP script test.php will be run to process the input. When it runs (with
register_globals on), the variable $hello will contain the text the user entered into the text box.
It is important to note the implications of this: a remote attacker can create any variable they
wish and have it declared in the global namespace. If, instead of using the form above to call
test.php, an attacker calls it directly with a URL like "http://server/test.php?hello=hi&setup=no",
not only will $hello be "hi" when the script is run, but $setup will be "no" as well.
An example of how this can be a real problem might be a script that was designed to authenticate
a user before displaying some important information. For example:
if ($pass == "hello")
$auth = 1;
...
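The following is an added example, not code from the original unit. It reproduces the $auth bypass described above on a current PHP version: because register_globals was removed in PHP 5.4, the vulnerable function emulates it by calling extract() on the request array (a pattern that still appears in real code), and is placed beside a hardened version that reads only the parameter it expects and initialises $auth before use. The function names, the SECRET and PASSWORD constants and the two request arrays are my own constructions; it assumes PHP 7 or later, run from the command line.

```php
<?php
// Added example (not from the original unit): the $auth bypass with and
// without the register_globals behaviour. Names and inputs are constructed.
declare(strict_types=1);

const SECRET   = 'the important information';
const PASSWORD = 'hello';

// Vulnerable: behaves like register_globals=On. extract() turns every
// request parameter into a local variable, so the client can supply $auth,
// and $auth is never initialised before it is tested.
function checkAccessVulnerable(array $request): string
{
    extract($request);                      // emulates register_globals
    if (isset($pass) && $pass == PASSWORD) {
        $auth = 1;
    }
    // If the request carried auth=1, $auth is already set here even though
    // the password check failed; if nothing set it, it is empty (unset).
    if (!empty($auth)) {
        return SECRET;
    }
    return 'access denied';
}

// Hardened: read only the expected parameter from the explicit request
// array, and give every state variable a value before any code path tests it.
function checkAccessSafe(array $request): string
{
    $auth = false;                          // explicit initial state
    $pass = isset($request['pass']) ? (string) $request['pass'] : '';
    if (hash_equals(PASSWORD, $pass)) {     // constant-time string compare
        $auth = true;
    }
    return $auth ? SECRET : 'access denied';
}

// Constructed requests, shaped as parse_str() would produce them from
// a query string. The second is test.php?pass=wrong&auth=1 from the text.
$legit    = ['pass' => 'hello'];
$attacker = ['pass' => 'wrong', 'auth' => '1'];

foreach (['checkAccessVulnerable', 'checkAccessSafe'] as $fn) {
    printf("%-22s legit: %-28s attacker: %s\n", $fn, $fn($legit), $fn($attacker));
}
```

Run it with php on the command line. The vulnerable function hands the secret to both requests, because the attacker's auth=1 survives the failed password check, while the hardened function returns the secret only for the legitimate request. The two rules it illustrates are the ones this unit gives: never let client input decide which variables exist, and initialise every state variable before the code that tests it.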
LOVELY PROFESSIONAL UNIVERSITY 347