Aug 03 2006
PHP Security Article
I’ve released part one of what I hope will be a series of PHP security articles — a PHP Script Checklist for those developing or looking to develop their own scripts. If you have any thoughts on PHP security problems that you’d like to be covered in part 2, or you’re an ‘expert’ and want to correct part of my article, feel free to comment.
On a similar note, I’m becoming more and more aware of ‘teen’ (that is, developed by teens) PHP scripts with major security holes and will hopefully be releasing a series of security reviews and suggestions on them either via my blog or via my Scribblings section.
Warning
This post is over 6 months old. This means that, despite my best intentions, it may no longer be accurate. Age, motherhood, experience, loss... these things have all changed me from when this blog was started back in the heady (ha) days of my youth.
As much as I would like to go back and edit 10 years of archives to provide an insight into the 'me' of now — to update coding snippets and revise website advice — it would probably take years to do so (by which point I'd have to start again!) This would defeat the point of keeping these archives anyway.
Please take these posts for what they are: a brief look into my past, my history, my journey.
17 Responses so far
-
:O :P
-
A face is worth a thousand words! :O = Oh my, security and teen scripts! :P = A private wink about security pages. See? My madness has two methods!
-
:P Thanks for putting this together! When I finally get my butt into gear and learn PHP, I’m sure it will be useful!
-
Just thought I’d note that if your reviews contain vulnerabilities that can be exploited, you should notify the author and give them some time to patch it before you go public. That’s the ‘ethical’ approach.
-
Probably worth adding, I’ve seen a lot of “teen” PHP scripts that don’t do extension or filetype checking with their upload forms.
-
Currently? I have zero plans to venture into PHP, but I can see how this will be helpful. Oh, and what happened to releasing BellaBuffs on the 1st of August? :P
-
As usual, great security overview! The only thing I might add (although I admit I almost never use it) is truncating user data to an expected length. Say, if you expect a username to be no more than 20 characters, the first step would be to use substr() to ensure that it is
-
Sorry about the double posts — it looks like your validation doesn’t like the less than or equal to symbol. Continuing: As to the $_SERVER variables, I know the user can manipulate the reported HTTP_USER_AGENT and HTTP_REFERER, but can they do anything to REMOTE_ADDR (other than using a proxy) or REQUEST_URI? PS — And again as usual, I love the new look!
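Picking up the length-truncation suggestion and the $_SERVER question from these two comments, here is an added example in PHP (my code, not from Jem's checklist or the commenter); all function names are mine, and mb_substr() stands in for substr() so a multibyte character is not cut in half. REQUEST_URI, like every HTTP_* header, comes straight from the client's request line and headers, while REMOTE_ADDR is set by the web server from the connection itself, so only the connecting address (a proxy, for instance) changes it.

```php
<?php
// Added example, not code from Jem's checklist: bound input to an expected
// length (the substr() idea above) and handle the $_SERVER fields asked about.
// Cut a value to $max characters first; mb_substr() never splits a multibyte char.
function bound_length(string $value, int $max): string
{
    return mb_substr($value, 0, $max);
}

// Truncate a username to 20 characters, then whitelist it; failures are
// rejected (null) rather than "cleaned up".
function clean_username(string $raw): ?string
{
    $name = bound_length(trim($raw), 20);
    return preg_match('/^[A-Za-z0-9_]{3,20}$/', $name) === 1 ? $name : null;
}

// These entries are copied straight from the request, so the client chooses
// them freely: every HTTP_* header and REQUEST_URI (the request line).
const CLIENT_CONTROLLED = ['HTTP_USER_AGENT', 'HTTP_REFERER', 'REQUEST_URI'];
// Escape the client-controlled fields for HTML, e.g. before a "last visitor"
// or referer listing is written to a page.
function client_fields_for_html(array $server): array
{
    $out = [];
    foreach (CLIENT_CONTROLLED as $key) {
        $value = bound_length($server[$key] ?? '', 255);
        $out[$key] = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
    }
    return $out;
}

// REMOTE_ADDR is set by the web server from the TCP connection: the client can
// only change where it connects from (a proxy). Trusting X-Forwarded-For instead
// would hand that control straight back to the client.
function client_ip(array $server): string
{
    $ip = filter_var($server['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? '0.0.0.0' : $ip;
}
// Constructed sample request standing in for the real $_SERVER and $_POST.
$server = [
    'REMOTE_ADDR'     => '203.0.113.5',
    'HTTP_USER_AGENT' => '<script>alert(1)</script>',
    'HTTP_REFERER'    => 'http://example.com/"><b>x',
    'REQUEST_URI'     => '/guestbook.php?page=<img src=x>',
];
var_dump(clean_username(str_repeat('a', 30)), clean_username('bad name!'));
echo client_ip($server), "\n";
print_r(client_fields_for_html($server));
```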
-
A useful resource – thanks for sharing, Jem. :) V xx
-
Oh… Jem. You used that excuse of ‘I typo-ed.’ It’s all cool, though. I didn’t notice at all. I’ll read the durned security list. Thing.
-
Mm, the whole “teen” thing is a little bit of a generalization. I’m a teen, and I don’t write crap scripts or anything like that. Besides, people who are not teens can still write bad scripts with security holes. Still, I shall be reading that article.
-
Oh Jem, always and forever protecting the internet from security holes. What would the Internet do without you??