Page 361 - Open Soource Technologies 304.indd
Unit 14: Security
    $filename = $_POST['username'];
    $vetted = basename(realpath($filename));
    if ($filename !== $vetted) {
        die("$filename is not a good username");
    }
In this case, we have resolved $filename to its full path and then extracted just the filename. If
this value does not match the original value of $filename, we have got a bad filename that we
do not want to use.
Once you have the completely bare filename, you can reconstruct what the file path ought to
be, based on where legal files should go, and add a file extension based on the actual contents
of the file:
    include("/usr/local/lib/greetings/$filename");
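One way to carry out the steps above, as an added example that is not code from the original text: it vets the bare name, rebuilds the path under the directory where legal files live, and confirms the resolved path is still inside it. The helper name resolve_in_base() and the temporary sandbox directory are assumptions made for illustration.

```php
<?php
// Added example: resolve_in_base() is a hypothetical helper, not from the text.
function resolve_in_base(string $base, string $name): ?string
{
    // Accept only a bare filename: no separators, no dot entries, no NUL byte.
    if ($name === '' || $name === '.' || $name === '..'
        || strpos($name, "\0") !== false || $name !== basename($name)) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Rebuild the path under the legal directory; realpath() returns false
    // when the file does not exist, so unknown names fail closed.
    $full = realpath($baseReal . DIRECTORY_SEPARATOR . $name);
    if ($full === false) {
        return null;
    }
    // A symlink inside the directory can resolve elsewhere, so compare against
    // the base plus a trailing separator (a bare prefix test would also accept
    // a sibling such as /usr/local/lib/greetings-old).
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Constructed sandbox so the example runs offline.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'demo_' . bin2hex(random_bytes(4));
$base = $root . DIRECTORY_SEPARATOR . 'greetings';
mkdir($base, 0700, true);
file_put_contents($base . DIRECTORY_SEPARATOR . 'alice', "Hello, Alice\n");
file_put_contents($root . DIRECTORY_SEPARATOR . 'secret', "not a greeting\n");
@symlink($root . DIRECTORY_SEPARATOR . 'secret', $base . DIRECTORY_SEPARATOR . 'link');

// Constructed inputs: one legal name, then traversal, absolute path,
// symlink escape, missing file and empty string.
foreach (['alice', '../secret', '/etc/passwd', 'link', 'nobody', ''] as $input) {
    $path = resolve_in_base($base, $input);
    printf("%-14s %s\n", var_export($input, true), $path === null ? 'rejected' : "accepted: $path");
}
```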
14.2.2 Restrict Filesystem Access to a Specific Directory
If your application must operate on the filesystem, you can set the open_basedir option to further
secure the application by restricting access to a specific directory. If open_basedir is set in
php.ini, PHP limits filesystem and I/O functions so that they can operate only within that directory
or any of its subdirectories. For example:
open_basedir = /some/path
With this configuration in effect, the following function calls succeed:
    unlink("/some/path/unwanted.exe");
    include("/some/path/less/travelled.inc");
But these generate runtime errors:
    $fp = fopen("/some/other/file.exe", "r");
    $dp = opendir("/some/path/../other/file.exe");
Of course, one web server can run many applications, and each application typically stores files
in its own directory. You can configure open_basedir on a per-virtual-host basis in your
httpd.conf file like this:
    <VirtualHost 1.2.3.4>
        ServerName domainA.com
        DocumentRoot /web/sites/domainA
        php_admin_value open_basedir /web/sites/domainA
    </VirtualHost>
Similarly, you can configure it per directory or per URL in httpd.conf:
    # by directory
    <Directory /home/httpd/html/app1>
        php_admin_value open_basedir /home/httpd/html/app1
    </Directory>

    # by URL
    <Location /app2>
        php_admin_value open_basedir /home/httpd/html/app2
    </Location>
The open_basedir directive can be set only in the httpd.conf file, not in .htaccess files, and
you must use php_admin_value to set it.
Develop a PHP program to access a specific directory from your system.
14.3 File Uploads
File uploads are potentially the biggest security risk in web development. Allowing a third
party to place files on your server could allow them to delete your files, empty your database,
gain user details and much more.
However, it is certainly possible to upload files safely, and such functionality can be a great
feature of your site.
LOVELY PROFESSIONAL UNIVERSITY 355