PHP Security Article
I’ve released part one of what I hope will be a series of PHP security articles — a PHP Script Checklist for those developing or looking to develop their own scripts. If you have any thoughts on PHP security problems that you’d like to be covered in part 2, or you’re an ‘expert’ and want to correct part of my article, feel free to comment.
On a similar note, I’m becoming more and more aware of ‘teen’ (that is, developed by teens) PHP scripts with major security holes and will hopefully be releasing a series of security reviews and suggestions on them either via my blog or via my Scribblings section.
Rosemarie said:
On 03 Aug at 7:28 pm
:O :P
Jem said:
On 03 Aug at 7:30 pm
Be gone, foul spam. :P
Rosemarie said:
On 03 Aug at 7:32 pm
A face is worth a thousand words! :O = Oh my, security and teen scripts! :P = A private wink about security pages. See? My madness has two methods!
Jem said:
On 03 Aug at 7:34 pm
That’s not a wink, it’s a tongue! :o
Anne said:
On 03 Aug at 7:45 pm
:P Thanks for putting this together! When I finally get my butt into gear and learn PHP, I’m sure it will be useful!
Jim said:
On 03 Aug at 7:50 pm
Just thought I’d note that if your reviews contain vulnerabilities that can be exploited, you should notify the author and give them some time to patch it before you go public. That’s the ‘ethical’ approach.
Jem said:
On 03 Aug at 7:52 pm
@Jim: Yeah, I was planning to. That’s the only reason why I’ve not got a links list of bad scripts already.
John Malloc said:
On 04 Aug at 1:44 am
Probably worth adding: I’ve seen a lot of “teen” PHP scripts that don’t do extension or filetype checking with their upload forms.
Amanda said:
On 04 Aug at 1:52 am
Currently? I have zero plans to venture into PHP, but I can see how this will be helpful. Oh, and what happened to releasing BellaBuffs on the 1st of August? :P
Jenny said:
On 04 Aug at 2:24 am
As usual, great security overview! The only thing I might add (although I admit I almost never use it) is truncating user data to an expected length. Say, if you expect a username to be no more than 20 characters, the first step would be to use substr() to ensure that it is
Jenny said:
On 04 Aug at 2:28 am
Sorry about the double posts — it looks like your validation doesn’t like the less than or equal to symbol. Continuing: As to the $_SERVER variables, I know the user can manipulate the reported HTTP_USER_AGENT and HTTP_REFERER, but can they do anything to REMOTE_ADDR (other than using a proxy) or REQUEST_URI? PS — And again as usual, I love the new look!
Jem said:
On 04 Aug at 8:45 am
@Amanda: I typoed. I meant the 4th... which incidentally is today :D @Jenny: I’ll hopefully be covering things like substr() in part two when I talk about why form attributes like type=hidden and maxlength=25 don’t work. And most of the $_SERVER global array can be manipulated, so it’s easier to sanitise the whole lot than try and figure out which ‘parts’ individually.
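As an added illustration of the two points in this reply (a length limit must be enforced on the server because maxlength is only a browser hint, and $_SERVER values that come from request headers are as untrusted as $_POST), here is example code that is not part of the original post or its comments; the USERNAME_MAX value, the helper names and the sample request are assumed.

```php
<?php
// Added example, not from the original post: server-side checks that do not
// rely on client-side form attributes such as maxlength or type=hidden.
declare(strict_types=1);

const USERNAME_MAX = 20; // assumed limit, matching Jenny's 20-character example

// Enforce the length on the server: maxlength="20" in the form is only a hint to
// the browser, and a hand-crafted request can send a value of any length.
function cleanUsername(string $raw): ?string
{
    // Truncate as Jenny suggests; mb_substr avoids cutting a multibyte char in half.
    $name = mb_substr(trim($raw), 0, USERNAME_MAX);
    // Then whitelist the characters you expect rather than stripping "bad" ones.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        return null; // reject; the caller shows a validation error
    }
    return $name;
}

// HTTP_* entries in $_SERVER are copied straight from request headers, so the
// client controls them. REMOTE_ADDR is filled in by the web server from the TCP
// connection rather than a header, but a proxy still makes it an unreliable
// identity, so validate it (filter_var with FILTER_VALIDATE_IP) before trusting it.
function safeHeaderValue(array $server, string $key, int $max = 255): string
{
    $value = (string) ($server[$key] ?? '');
    // Drop control characters; CR/LF in particular would let a header value
    // forge extra lines in a plain-text log file.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    $value = mb_substr($value, 0, $max);
    // Escape for HTML output so a header cannot inject markup into a stats page.
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed sample request standing in for the real $_POST and $_SERVER.
$post   = ['username' => str_repeat('a', 40)];
$server = [
    'HTTP_USER_AGENT' => "Mozilla/5.0 <b>bold</b>\r\nForged-Line: yes",
    'HTTP_REFERER'    => 'http://example.com/?q=<script>',
    'REMOTE_ADDR'     => '203.0.113.5',
];

$user = cleanUsername($post['username']);
echo $user === null ? "username rejected\n" : "username ok: $user\n";
echo 'agent:   ' . safeHeaderValue($server, 'HTTP_USER_AGENT') . "\n";
echo 'referer: ' . safeHeaderValue($server, 'HTTP_REFERER') . "\n";
echo 'ip valid: ' . var_export(filter_var($server['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false, true) . "\n";
```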
Vixx said:
On 04 Aug at 9:22 am
A useful resource – thanks for sharing, Jem. :) V xx
Shannon said:
On 04 Aug at 1:19 pm
Oh… Jem. You used that excuse of ‘I typo-ed.’ It’s all cool, though. I didn’t notice at all. I’ll read the durned security list. Thing.
Katie said:
On 06 Aug at 9:34 am
Mm, the whole “teen” thing is a little bit of a generalization. I’m a teen, and I don’t write crap scripts or anything like that. Besides, people who are not teens can still write bad scripts with security holes. Still, I shall be reading that article.
Jem said:
On 06 Aug at 10:51 am
@Katie: I didn’t say that teens automatically write bad scripts, nor am I ignoring the fact that adults can write bad scripts too – I am just writing at *my* audience – generally teenagers and young adults, a large amount of whom are getting into PHP scripting. I was a teen not long ago myself; I’m not going to stick them all in the same basket.
Mandolin said:
On 07 Aug at 6:51 pm
Oh Jem, always and forever protecting the internet from security holes. What would the Internet do without you??