
Unit 14: Security



            14.1.1 Initialize Variables
            Always initialize your variables. The superuser security hole in the previous example would
            not exist if the code had been written like this:

            <?php
            $superuser = false;
            if (check_privileges()) {
                $superuser = true;
            }
            // ...
            ?>

            PHP can also warn you when your script uses a variable before it initializes it to some value.
            For example, the following script uses $a before setting it, so a warning is generated:



            <html>
            <head>
            <title>Sample</title>
            </head>
            <body>
            <?php echo $a; ?>
            </body>
            </html>

            The following php.ini directives are recommended for production systems:

            display_errors = Off
            log_errors = On
            error_log = /var/log/php_errors.log

            These directives ensure that PHP error messages are never shown directly on your web pages.
            Instead, they are logged to the specified file.

            14.1.2 Set Variables Order
            The default PHP configuration automatically creates global variables from the environment,
            cookies, server information, and GET and POST parameters. The variables_order directive
            in php.ini controls the order and presence of these variables. The default value is "EGPCS",
            meaning that first the environment is turned into global variables, then GET parameters, then
            POST parameters, then cookies, then server information.

            Allowing GET requests, POST requests, and cookies from the browser to create arbitrary global
            variables in your program is dangerous. A reasonable security precaution is to set variables_order
            to "ES":

            variables_order = "ES"

            For maximum safety, you can disable register_globals in your php.ini file to prevent any global
            variables from being created. However, changing register_globals or variables_order will break
            scripts that were written with the expectation that form parameters would be accessible as global
            variables. To fix this problem, add a section at the start of your code to copy the parameters
            into regular global variables:
            $name = $_REQUEST['name'];
            $age = $_REQUEST['age'];
            // ... and so on for all incoming form parameters
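As an added example (not the textbook's code), the privilege check from 14.1.1 and the form-parameter copying from 14.1.2 written for a system with register_globals = Off and variables_order = "ES". The import_params() helper and the check_privileges() stub are assumptions made for this example; every variable is initialized before use and only allowlisted parameter names are ever copied out of the request.

```php
<?php
// Added example, not from the textbook. Every variable the script relies on
// is initialized explicitly, and request parameters are copied in from an
// allowlist instead of appearing as global variables automatically.

// Runtime equivalents of the php.ini directives recommended above
// (log path constructed for the example; use one the web server can write).
error_reporting(E_ALL);                 // warn on any use of an uninitialized variable
ini_set('display_errors', '0');         // never echo errors into the page
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php_errors.log');

// Copy only the expected parameters out of a request array.
// $spec maps parameter name => default; the default's type decides how the
// incoming string is coerced. Names not in $spec are ignored, so a request
// cannot introduce a variable the script did not plan for.
function import_params(array $request, array $spec): array
{
    $out = [];
    foreach ($spec as $name => $default) {
        if (!isset($request[$name]) || !is_scalar($request[$name])) {
            $out[$name] = $default;     // absent or array-valued: keep the default
            continue;
        }
        $value = (string) $request[$name];
        if (is_int($default)) {
            $int = filter_var($value, FILTER_VALIDATE_INT);
            $out[$name] = ($int === false) ? $default : $int;
        } elseif (is_bool($default)) {
            $out[$name] = filter_var($value, FILTER_VALIDATE_BOOLEAN);
        } else {
            $out[$name] = trim($value);
        }
    }
    return $out;
}

// Hypothetical privilege check (assumed): the only path that can grant superuser.
function check_privileges(): bool { return false; }

$superuser = false;                     // initialized before any use
if (check_privileges()) {
    $superuser = true;
}

// Form parameters, pulled in explicitly with defaults instead of via register_globals.
$params = import_params($_REQUEST, ['name' => '', 'age' => 0]);
$name = $params['name'];
$age  = $params['age'];
```

A request that carries an extra superuser=1 parameter changes nothing here, because that name is neither in the allowlist nor turned into a global.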

            14.1.3 Data Filtering
            Data filtering is the cornerstone of web application security, and this is independent of
            programming language or platform. It involves the mechanism by which you determine the
            validity of data that is entering and exiting the application, and a good software design can
            help developers to:


                                             LOVELY PROFESSIONAL UNIVERSITY                                   349