I’ve released part one of what I hope will be a series of PHP security articles — a PHP Script Checklist for those developing or looking to develop their own scripts. If you have any thoughts on PHP security problems that you’d like to be covered in part 2, or you’re an ‘expert’ and want to correct part of my article, feel free to comment.
On a similar note, I’m becoming more and more aware of ‘teen’ (that is, developed by teens) PHP scripts with major security holes and will hopefully be releasing a series of security reviews and suggestions on them either via my blog or via my Scribblings section.
03 Aug at 7:28 pm
:O :P
03 Aug at 7:30 pm
Be gone, foul spam. :P
03 Aug at 7:32 pm
A face is worth a thousand words! :O = Oh my, security and teen scripts! :P = A private wink about security pages. See? My madness has two methods!
03 Aug at 7:34 pm
That’s not a wink, it’s a tongue! :o
03 Aug at 7:45 pm
:P Thanks for putting this together! When I finally get my butt into gear and learn PHP, I’m sure it will be useful!
03 Aug at 7:50 pm
Just thought I’d note that if your reviews contain vulnerabilities that can be exploited, you should notify the author and give them some time to patch it before you go public. That’s the ‘ethical’ approach.
03 Aug at 7:52 pm
@Jim: Yeah, I was planning to. That’s the only reason why I’ve not got a links list of bad scripts already.
04 Aug at 1:44 am
Probably worth adding, I’ve seen a lot of “teen” PHP scripts that don’t do extension or filetype checking with their upload forms.
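Server-side validation of an upload, as an added example illustrating the point above (this is not code from the post or from any commenter). The form field name `avatar`, the `$storageDir` parameter and the 512 KB limit are this example's own assumptions; the storage directory is assumed to sit outside the web root so nothing uploaded can be requested directly.

```php
<?php
// Added example, not from the original post: validate an uploaded file
// server-side instead of trusting the browser-supplied name and type.
// Assumed: the form field is "avatar" and $storageDir is a directory that
// the web server does not serve.

declare(strict_types=1);

/**
 * Validate one entry from $_FILES and return the path it was stored at.
 * Throws RuntimeException on any rejection so the caller can report it.
 */
function storeUploadedImage(array $file, string $storageDir): string
{
    // Only accept uploads that PHP itself reports as successful.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) ($file['error'] ?? -1));
    }

    // Our own size limit, independent of php.ini and of any hidden form field.
    $maxBytes = 512 * 1024;
    if (($file['size'] ?? 0) > $maxBytes) {
        throw new RuntimeException('File too large');
    }

    // Make sure the temp path really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Allow-list of extension => MIME type we are willing to store.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    ];

    // The extension of the client-supplied name is used only to look up the
    // MIME type we expect; it is never trusted on its own.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }

    // $file['type'] is sent by the browser and can say anything, so sniff the
    // actual bytes with fileinfo and require them to match the extension.
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if ($detected !== $allowed[$ext]) {
        throw new RuntimeException("Content type $detected does not match .$ext");
    }

    // getimagesize() also rejects files that start with a plausible header
    // but are not decodable pictures.
    if (getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Not a valid image');
    }

    // Never reuse the client's filename: generate our own, so path
    // characters, extra dots and collisions in the original are irrelevant.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not store file');
    }

    return $target;
}

// Usage (assumed field name "avatar" and storage path):
// try {
//     $path = storeUploadedImage($_FILES['avatar'], '/var/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
// }
```

The extension check alone is the weak part of most upload forms; the MIME sniff, the image decode and the server-generated filename are what make the extension check sufficient.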
04 Aug at 1:52 am
Currently? I have zero plans to venture into PHP, but I can see how this will be helpful. Oh, and what happened to releasing BellaBuffs on the 1st of August? :P
04 Aug at 2:24 am
As usual, great security overview! The only thing I might add (although I admit I almost never use it) is truncating user data to an expected length. Say, if you expect a username to be no more than 20 characters, the first step would be to use substr() to ensure that it is
04 Aug at 2:28 am
Sorry about the double posts — it looks like your validation doesn’t like the less than or equal to symbol. Continuing: As to the $_SERVER variables, I know the user can manipulate the reported HTTP_USER_AGENT and HTTP_REFERER, but can they do anything to REMOTE_ADDR (other than using a proxy) or REQUEST_URI? PS — And again as usual, I love the new look!
04 Aug at 8:45 am
@Amanda: I typoed. I meant the 4th… which incidentally is today :D @Jenny: I’ll hopefully be covering things like substr() in part two when I talk about why form attributes like type=hidden and maxlength=25 don’t work. And most of the $_SERVER global array can be manipulated so it’s easier to sanitise the whole lot than try and figure out which ‘parts’ individually.
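The two points from Jenny’s comments and the reply above, as an added example (not code from the post or from the commenters): enforcing a maximum length on the server because `maxlength` is only a browser hint, and treating `$_SERVER` as request input. The function names, the 20-character username rule and the constructed `$fakeServer` array are this example’s own assumptions.

```php
<?php
// Added example, not from the original post: server-side length handling
// and $_SERVER hygiene. Names and sample values are the example's own.

declare(strict_types=1);

/**
 * The HTML maxlength attribute only limits what the browser form sends;
 * a request can carry any length. Truncating (Jenny's substr() suggestion)
 * is one option; mb_substr counts characters so multibyte text is not cut
 * in the middle of a character.
 */
function truncateField(string $value, int $maxLen): string
{
    return mb_substr($value, 0, $maxLen, 'UTF-8');
}

/**
 * Rejecting is usually better than silently truncating: an over-long or
 * oddly formed username is more likely a mistake or a probe than something
 * the application should quietly "fix". Returns null when rejected.
 */
function validateUsername(string $value): ?string
{
    return preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $value) === 1 ? $value : null;
}

/**
 * $_SERVER mixes values set by PHP or the web server with values copied
 * straight from request headers. Every HTTP_* key is the client's header,
 * and REQUEST_URI / QUERY_STRING / PATH_INFO are the request line itself.
 * REMOTE_ADDR comes from the TCP connection, so the client cannot type it
 * in, but it is the proxy's address if one sits in between. Validate the
 * format anyway before storing or logging it.
 */
function clientIp(array $server): ?string
{
    $ip = $server['REMOTE_ADDR'] ?? '';
    return filter_var($ip, FILTER_VALIDATE_IP) === false ? null : $ip;
}

/**
 * Escape any $_SERVER value before it lands in HTML, whether or not you
 * happen to know that particular key is spoofable.
 */
function safeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Demonstration with a constructed request array, not a live request.
$fakeServer = [
    'REMOTE_ADDR'     => '203.0.113.7',                  // constructed, documentation range
    'HTTP_USER_AGENT' => 'Mozilla/5.0 <b>"spoofed"</b>', // constructed client header
    'REQUEST_URI'     => '/page.php?q=%3Cb%3Ehi',        // constructed, also client-supplied
];

var_dump(truncateField(str_repeat('a', 40), 20));        // 20 characters, not 40
var_dump(validateUsername(str_repeat('a', 40)));         // NULL: rejected
var_dump(validateUsername('jem_2007'));                  // "jem_2007"
var_dump(clientIp($fakeServer));                         // "203.0.113.7"
echo safeForHtml($fakeServer['HTTP_USER_AGENT']), "\n";  // <b> becomes &lt;b&gt;
echo safeForHtml(urldecode($fakeServer['REQUEST_URI'])), "\n";
```

This matches the reply’s advice to sanitise the whole array rather than reason key by key: the only value with a meaningful trust distinction is REMOTE_ADDR, and even that is only as reliable as the network path in front of the server.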
04 Aug at 9:22 am
A useful resource – thanks for sharing, Jem. :) V xx
04 Aug at 1:19 pm
Oh… Jem. You used that excuse of ‘I typo-ed.’ It’s all cool, though. I didn’t notice at all. I’ll read the durned security list. Thing.
06 Aug at 9:34 am
Mm, the whole “teen” thing is a little bit of a generalization. I’m a teen, and I don’t write crap scripts or anything like that. Besides, people who are not teens can still write bad scripts with security holes. Still, I shall be reading that article.
06 Aug at 10:51 am
@Katie: I didn’t say that teens automatically write bad scripts, nor am I ignoring the fact that adults can write bad scripts too – I am just writing at *my* audience – generally teenagers and young adults, a large amount of whom are getting into PHP scripting. I was a teen not long ago myself, I’m not going to stick them all in the same basket.
07 Aug at 6:51 pm
Oh Jem, always and forever protecting the internet from security holes. What would the Internet do without you??