How can I secure my scripts?

Posted: Sun Aug 18, 2002 11:00 am
by theChosen
Hello everyone, this is my first post to this forum so I would like to thank all the admins for doing such a great job running it. Nice work!

Now, for my question; as a matter of fact it is an 'open-for-discussion' topic. For a couple of months I've been doing PHP scripts for my personal use/website, so I didn't care much about securing them. But now things have changed, as I've got a part-time job as a PHP/MySQL coder and I can't leave any room for 'evil' crackers to break my scripts.

So, I would like to ask you to give me some general pointers on how to set up scripts, validate input, etc... you get it, tips & tricks of the PHP gurus :)

Regards,
theChosen.

Posted: Sun Aug 18, 2002 12:46 pm
by volka
What comes first to my mind:
  • code and test with error_reporting=E_ALL, but reduce the level on the production machine
  • never put PHP data (like DB password strings) in files with name extensions other than .php (e.g. .inc)
to be continued ;)

Posted: Sun Aug 18, 2002 1:01 pm
by lc
go look here...

http://www.devnetwork.net/forums/viewtopic.php?t=1824

I got a lot of very good advice from the peoplez ;)

Posted: Sun Aug 18, 2002 4:05 pm
by theChosen
What I am most curious about are exploit examples (things people might insert into the textboxes/textareas, append to the script name and send as GET variables, etc.) and how to protect oneself from such attacks.

Here's an example from phpAdvisory.com:
A vulnerability was reported in the phpBB bulletin board software. When used with the 'Gender Mod' modification, a remote authenticated user can gain administrative privileges on the forum.

It is reported that Gender Mod contains an input validation flaw that allows remote authenticated users to inject SQL fields into the UPDATE SQL command. A remote user can assign the value 'user_level = 1' to gain administrator privileges on the bulletin board.

The following demonstration exploit steps are provided:

1. Save the User Profile page to your disk to modify it offline.

2. Add the correct full post action address (http://forum.victim.com/...):
<FORM action=http://forum.victim.com/profile.php?sid ... session_id> method=post encType=multipart/form-data>

3. Modify the HTML Form so that the input field "gender" has value like:
<input type=text name=gender value="0, user_level = 1 ">

4. Load this page in the same browser window where the cookie is still available.

Then, hit 'Submit' to change the user profile.
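Added illustration (not code from the thread, from phpBB or from the Gender Mod; phpBB is PHP/MySQL, this uses Python with an in-memory SQLite table so it can be run as-is): the advisory above says the submitted "gender" field is pasted into the SET clause of an UPDATE, so a value of `0, user_level = 1 ` smuggles a second assignment into the statement. The table name `users`, the columns `user_id`, `username`, `user_level`, `user_gender`, the two constructed rows and the assumption that user_level = 1 means administrator are all assumptions for this example, not the real phpBB schema. The vulnerable function reproduces the flaw; the hardened one does what the PHP equivalent would do with intval() plus a range check, and then binds the value as a query parameter.

```python
import sqlite3

# Constructed sample data (assumed schema, not phpBB's): one admin, one ordinary user.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT,"
        " user_level INTEGER, user_gender INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", 1, 0), (2, "alice", 0, 0)],
    )
    conn.commit()
    return conn


def update_gender_vulnerable(conn, user_id, gender):
    # Mirrors the flaw the advisory describes: the form field is interpolated
    # straight into the SET clause, so "0, user_level = 1" becomes a second
    # column assignment. user_id is assumed to come from the session, not the form.
    sql = "UPDATE users SET user_gender = %s WHERE user_id = %d" % (gender, user_id)
    conn.execute(sql)
    conn.commit()
    return sql


def update_gender_safe(conn, user_id, gender):
    # Hardened form: coerce to an integer (int() rejects "0, user_level = 1 "),
    # check it against the small set of legal values, then bind it as a parameter
    # so the driver never lets it alter the statement's structure.
    try:
        g = int(gender)
    except (TypeError, ValueError):
        raise ValueError("gender must be an integer")
    if g not in (0, 1, 2):
        raise ValueError("gender out of range")
    conn.execute(
        "UPDATE users SET user_gender = ? WHERE user_id = ?", (g, user_id)
    )
    conn.commit()
    return g


def user_level(conn, user_id):
    row = conn.execute(
        "SELECT user_level FROM users WHERE user_id = ?", (user_id,)
    ).fetchone()
    return row[0]


def demo():
    # The exact value from step 3 of the advisory's demonstration exploit.
    payload = "0, user_level = 1 "

    conn = make_db()
    update_gender_vulnerable(conn, 2, payload)
    vuln_level = user_level(conn, 2)  # alice is now user_level 1 (administrator)

    conn = make_db()
    try:
        update_gender_safe(conn, 2, payload)
        rejected = False
    except ValueError:
        rejected = True
    safe_level = user_level(conn, 2)  # still 0: the request was refused outright

    return vuln_level, rejected, safe_level


if __name__ == "__main__":
    print(demo())
```

The general rule the example shows: decide what each field is allowed to be (here, one of three small integers) and enforce that before the value gets anywhere near SQL; escaping quotes alone would not have helped here, because the injected text contains no quotes at all.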