How can I secure my scripts?

theChosen
Forum Newbie
Posts: 15
Joined: Sun Aug 18, 2002 11:00 am
Location: RO, Europe


Post by theChosen »

Hello everyone, this is my first post to this forum, so I would like to thank all the admins for doing such a great job running it. Nice work!

Now, for my question; as a matter of fact it is an 'open-for-discussion' topic. For a couple of months I've been doing PHP scripts for my personal use/website, so I didn't care much about securing them. But now things have changed, as I've got a part-time job as a PHP/MySQL coder and I can't leave any room for 'evil' crackers to break my scripts.

So, I would like to ask you to give me some general pointers on how to set up scripts, validate input, etc... you get it, tips & tricks of the PHP gurus :)

Regards,
theChosen.
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

What comes first to my mind:
  • code and test with error_reporting=E_ALL, but reduce the level on the production machine
  • never put PHP data (like db-password strings) in files with name extensions other than .php (i.e. .inc)
to be continued ;)
lc
Forum Contributor
Posts: 188
Joined: Tue Apr 23, 2002 6:45 pm
Location: Netherlands

Post by lc »

Go look here...

http://www.devnetwork.net/forums/viewtopic.php?t=1824

I got a lot of very good advice from the peoplez ;)
theChosen
Forum Newbie
Posts: 15
Joined: Sun Aug 18, 2002 11:00 am
Location: RO, Europe

Post by theChosen »

What I am most curious about are exploit examples (things people might insert into the textboxes/textareas, append to the script name and send as GET variables, etc.) and how to protect oneself from such attacks.

Here's an example from phpAdvisory.com:
A vulnerability was reported in the phpBB bulletin board software. When used with the 'Gender Mod' modification, a remote authenticated user can gain administrative privileges on the forum.

It is reported that Gender Mod contains an input validation flaw that allows remote authenticated users to inject SQL fields into the UPDATE sql command. A remote user can assign the value 'user_level = 1' to gain administrator privileges on the bulletin board.

The following demonstration exploit steps are provided:

1. Save the User Profile page into your disk to modify it offline.

2. Add the correct full post action address (http://forum.victim.com/...):
<FORM action=http://forum.victim.com/profile.php?sid ... session_id> method=post encType=multipart/form-data>

3. Modify the HTML Form so that the input field "gender" has value like:
<input type=text name=gender value="0, user_level = 1 ">

4. Load this page in the same browser window where the cookie is still available.

Then, hit 'Submit' to change the user profile.
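To show why the quoted advisory works and what closes the hole, here is an added example (not from the thread or from phpBB) that builds the profile UPDATE both ways against an in-memory SQLite table. The table layout, the user id 42 and the gender codes 0/1/2 are assumptions for the demo.

```php
<?php
// Added example, not phpBB code. Schema and sample row are constructed for the demo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_gender INTEGER, user_level INTEGER)");
$pdo->exec("INSERT INTO users VALUES (42, 0, 0)");   // ordinary user, level 0

// Vulnerable pattern (the flaw the advisory describes): the submitted form value is
// concatenated straight into the UPDATE, so anything after the number becomes SQL.
function updateGenderVulnerable(PDO $pdo, int $userId, string $gender): void {
    $pdo->exec("UPDATE users SET user_gender = $gender WHERE user_id = $userId");
}

// Hardened pattern: the value must be one of the known codes (assumed: 0, 1, 2) and is
// bound as a parameter, so the database only ever sees it as data, never as SQL.
function updateGenderSafe(PDO $pdo, int $userId, string $gender): bool {
    if (!in_array($gender, ['0', '1', '2'], true)) {
        return false;                                   // reject anything that is not a known code
    }
    $stmt = $pdo->prepare("UPDATE users SET user_gender = :gender WHERE user_id = :id");
    $stmt->execute([':gender' => (int)$gender, ':id' => $userId]);
    return true;
}

// Helper to read back the privilege level after each attempt.
function userLevel(PDO $pdo, int $userId): int {
    $stmt = $pdo->prepare("SELECT user_level FROM users WHERE user_id = ?");
    $stmt->execute([$userId]);
    return (int)$stmt->fetchColumn();
}

$payload = "0, user_level = 1";   // the form value from the quoted advisory

updateGenderVulnerable($pdo, 42, $payload);
echo "vulnerable code: user_level is now ", userLevel($pdo, 42), "\n";

$pdo->exec("UPDATE users SET user_level = 0 WHERE user_id = 42");   // reset before the second run
$accepted = updateGenderSafe($pdo, 42, $payload);
echo "hardened code: payload ", ($accepted ? "accepted" : "rejected"),
     ", user_level is ", userLevel($pdo, 42), "\n";
```

Logging the rejected value in updateGenderSafe (instead of silently returning false) is what gives you a detection signal when someone tries this against your forms.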