Untitled

a guest
Jan 7th, 2017
Secure Your PHP Scripts

PHP security is very important: insecure PHP code can lead to an intrusion on your server. This article explains a few such vulnerabilities so that you can avoid them in your scripts, and shows how to tweak the PHP configuration file (php.ini) for maximum security.
PHP run with nobody permission
Problem:
On cPanel servers PHP runs as the 'nobody' user. This becomes a major security issue if you give a file 777 permissions: any PHP script on the server that also runs as 'nobody' can then edit the file and execute it. So always keep an eye on the permissions of your files.
Solution:
Always set PHP script permissions to 755 so that others cannot edit or change them. Enable PHPsuexec on the server. With PHPsuexec each user's scripts run under that user's own account rather than as 'nobody', scripts with 777 permissions are refused, and users cannot read another user's files. On PHPsuexec-enabled servers it is also easy to trace spam sent through PHP's mail() function back to the account that sent it. So on shared servers, always enable PHPsuexec for maximum security.
Issues with global variables
See also: What is the difference between local and global variables? (http://j.gs/8gFQ)
See also: Local and global variables (http://j.gs/8gFU)
Problem:
register_globals makes coding easier: with register_globals=On every request parameter becomes a PHP variable, so you can pass values to another PHP page without touching $_GET or $_POST. But it also makes your scripts vulnerable. PHP does not require variables to be initialized, so with register_globals a user can assign any value to any variable that your script has not yet set, and with a little creativity can reach the protected parts of the code. Here is an example.
Consider this as password.php:

if ($KEY == "XXXX") { $check = 1; }
if ($check == 1) { /* YOUR CODE GOES HERE (admin area) */ }

Requesting "password.php?check=1" sets $check to 1 before the script runs, so the "admin area" is reached whether or not the correct KEY was entered.
Solution:
The right fix is to disable register_globals and read input explicitly from $_GET, $_POST and $_COOKIE. That takes a little more code, but register_globals has been off by default since PHP 4.2, was deprecated in PHP 5.3 and was removed in PHP 5.4, so code that depends on it is already broken on current servers. If you must run with it enabled, always initialize every variable before use; in this case set $check = 0 at the top of the script, before the KEY comparison. (Source: http://q.gs/BSbkH)
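The following is an added example, not code from the original article: password.php rewritten so that it no longer depends on register_globals. It reads input only from $_GET, initializes the flag before use, and compares the key with hash_equals(). The key value and the "admin area" body are placeholders.

```php
<?php
// Added example, not code from the original article: password.php rewritten
// so it no longer depends on register_globals. The key value and the
// "admin area" body are placeholders.
declare(strict_types=1);

// Placeholder key; in a real deployment load it from a config file kept
// outside the web root rather than hard-coding it.
const ADMIN_KEY = 'XXXX';

function isAuthorized(array $query): bool
{
    // Initialize the flag before anything else, so no request parameter
    // can pre-seed it. Input is read only from the array passed in
    // (the $_GET superglobal), never from a bare variable name.
    $check = false;
    $key = (isset($query['KEY']) && is_string($query['KEY'])) ? $query['KEY'] : '';

    // hash_equals() compares in constant time and only returns true for an
    // exact string match; == would apply loose numeric comparison, so that
    // "0" == "0e1" is true.
    if (hash_equals(ADMIN_KEY, $key)) {
        $check = true;
    }
    return $check;
}

if (isAuthorized($_GET)) {
    echo "admin area\n"; // YOUR CODE GOES HERE
} else {
    http_response_code(403);
    echo "forbidden\n";
}
```

With this structure a request for password.php?check=1 has no effect, because $check is assigned inside the function and the request array is only consulted for KEY.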
Problems with functions like exec(), system() and backticks
(Source: http://j.gs/8gF9)
Problem:
exec(), system(), passthru(), shell_exec() and the backtick operator hand a string to the system shell. If any part of that string comes from the user, shell metacharacters such as ; | & $( ) let the user run commands of their own on your server.
Solution:
Disable insecure functions using disable_functions in php.ini.
See also: PHP: How To Disable Dangerous Functions (http://j.gs/8gFa)
For example:
disable_functions = system,exec,passthru,shell_exec
Disabling shell_exec also disables the backtick operator, which is implemented on top of it.
If a script genuinely needs to run a command, escape the user-supplied part before passing it to system() or exec(). escapeshellcmd() escapes the characters in a string that could be used to trick a shell into executing arbitrary commands, but it does not stop the user from appending extra arguments to the command, so it is only suitable for a whole command string. escapeshellarg() is the better choice for a single argument: it wraps the string in single quotes and escapes any single quotes it already contains, so the whole value reaches the program as one literal argument. (Source: http://j.gs/8gF9)

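As an added example (not code from the original article), here is the same user-supplied value passed to a command in the unsafe way, with escapeshellarg(), and without a shell at all. It assumes shell_exec() and proc_open() are not on the disable_functions list, and it only runs `echo`, so the injected payload does nothing worse than print a marker line.

```php
<?php
// Added example, not code from the original article: the same user-supplied
// value passed to a shell command the unsafe way and two safer ways. Only
// `echo` is run, so the injected payload merely prints an extra marker line.
declare(strict_types=1);

function runUnsafe(string $userInput): string
{
    // Vulnerable: the raw value is spliced into the command line, so a
    // payload such as "hello; echo INJECTED" ends the echo and runs a
    // second command of the attacker's choosing.
    return (string) shell_exec('echo ' . $userInput);
}

function runWithEscapeshellarg(string $userInput): string
{
    // Safer: escapeshellarg() wraps the value in single quotes and escapes
    // any single quotes inside it, so the shell sees one literal argument
    // and the ';' is just a character in it.
    return (string) shell_exec('echo ' . escapeshellarg($userInput));
}

function runWithoutShell(string $userInput): string
{
    // Safest: since PHP 7.4 proc_open() accepts an argv array and executes
    // the program directly, without any shell, so there are no
    // metacharacters to escape in the first place.
    $descriptors = [1 => ['pipe', 'w']];
    $proc = proc_open(['echo', $userInput], $descriptors, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('proc_open failed');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

$payload = 'hello; echo INJECTED';

echo "unsafe:\n"         . runUnsafe($payload);
echo "escapeshellarg:\n" . runWithEscapeshellarg($payload);
echo "no shell:\n"       . runWithoutShell($payload);
```

Run it from the command line and compare the three outputs: only the first one executes the second command hidden in the payload; the other two print the payload as a single line of text.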
Including Files
You can include one PHP script in another with 'include'.
But if the path of the page to include is taken from a request variable you are in trouble. The user can make the script include a remote file containing malicious code, and can also include other local files on the server (for example by walking up the directory tree with ../).
If our page include.php looks like this:

$page = $_GET['path'];
include $page;

then "include.php?path=http://hackingsite.com/hacking.php" includes the remote file hacking.php, so the attacker's code in hacking.php runs on your server. (Source: http://j.gs/8gFE)

Solution:
Disable the inclusion of remote files in php.ini. Remote inclusion is only possible when both allow_url_fopen and allow_url_include are On, so set allow_url_include = Off (it has been Off by default since PHP 5.2); setting allow_url_fopen = Off as well blocks every URL wrapper, but note that it also breaks legitimate uses such as file_get_contents() on a URL. This only stops remote inclusion, not inclusion of local files, so also set open_basedir correctly in php.ini: open_basedir restricts every file operation, including include, to the defined directories. Finally, never include a path taken straight from the request. Check the requested name against a fixed list of allowed pages with a 'switch', an 'if' or a lookup table, and include only the file that the list maps it to.
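As an added example (not code from the original article), include.php rewritten so that the request can only choose a key from a fixed map of page names, with a realpath() check as a second line of defence. The page names and the pages/ directory are placeholders.

```php
<?php
// Added example, not code from the original article: include.php rewritten
// so the request selects a key from a fixed map instead of supplying a path.
// Page names and the pages/ directory are placeholders.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';

// The request never supplies a path; it supplies a key into this map.
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $requested): ?string
{
    if ($requested === null || !isset(ALLOWED_PAGES[$requested])) {
        // Unknown key: anything containing ../, a URL or a NUL byte ends here.
        return null;
    }
    $target = realpath(PAGES_DIR . '/' . ALLOWED_PAGES[$requested]);
    $base   = realpath(PAGES_DIR);
    // Defence in depth: even if the map were edited carelessly, the resolved
    // file must still exist and live under PAGES_DIR. realpath() returns
    // false for URLs and for files that do not exist.
    if ($target === false || $base === false
        || strpos($target, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

$requested = (isset($_GET['path']) && is_string($_GET['path'])) ? $_GET['path'] : null;
$page = resolvePage($requested);

if ($page === null) {
    http_response_code(404);
    echo "Page not found\n";
} else {
    include $page;
}
```

With this pattern a request such as include.php?path=http://hackingsite.com/hacking.php or include.php?path=../../etc/passwd fails the map lookup before any file is touched, regardless of the allow_url_include or open_basedir settings.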
SQL injection attacks
Problem:
PHP is well packaged for use with MySQL, but with some simple techniques others can break into your database. If your script is not secured, users can execute any SQL command they like.
Let me explain with an example.

$user = $_POST['username'];
$pass = $_POST['password'];
$result = mysql_query("SELECT AcctNo FROM Users WHERE
Username = '".$user."' and Password = '".$pass."'");

Consider a user who enters the username
' OR 1=1 #
and the password XXXX.
Then our query becomes
SELECT AcctNo FROM Users WHERE Username = '' OR 1=1 #' and Password = 'XXXX'
MySQL treats everything after the '#' as a comment and ignores it. What remains selects every row, so the query returns all the account numbers, and the user gets them without knowing any valid username or password.
Giving the password as some_value' OR 'X'='X also bypasses this query: because AND binds tighter than OR, the condition becomes (Username = '...' and Password = 'some_value') OR 'X'='X', which is always true.
Remedy:
The problem comes from the ' (single quote) entered by the user, which closes the string literal and lets the rest of the input be parsed as SQL. Two ways were traditionally used to neutralize it. The first is the function addslashes(): it puts a backslash before every single quote, double quote, backslash and NUL byte, so a quote in the input no longer ends the literal. Before building the query you would write

$user = addslashes($_POST['username']);
$pass = addslashes($_POST['password']);

The second is magic_quotes_gpc: set to On in php.ini, it applied the same escaping automatically to every value arriving from a form, cookie or query string.
Treat both as historical. magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, the mysql_* functions were removed in PHP 7, and addslashes() knows nothing about the connection's character set, so in some multibyte encodings a crafted byte sequence can still smuggle a quote past it. The reliable fix is the one described under "Parameters for Protection" below: send the values separately from the SQL text with a prepared statement (PDO or mysqli), and never store passwords in clear text, so that even a successful dump does not hand out credentials.
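The following added example (not code from the original article) runs the login query above both the vulnerable way and with a prepared statement against an in-memory SQLite database, so the bypass and the fix can be reproduced offline. It assumes the pdo_sqlite extension is available; the two user rows are constructed sample data, and because the '#' comment trick is MySQL-specific it uses the database-agnostic ' OR 'X'='X payload the article also mentions. It also illustrates the "Parameters for Protection" section below.

```php
<?php
// Added example, not code from the original article: the login query above
// run both the vulnerable way and with a prepared statement against an
// in-memory SQLite database. Needs the pdo_sqlite extension; the rows are
// constructed sample data.
declare(strict_types=1);

$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$dbh->exec('CREATE TABLE Users (AcctNo INTEGER, Username TEXT, PasswordHash TEXT)');

// Constructed sample users. Passwords are stored as password_hash() output,
// not in clear text as the original example's Password column implies.
$seed = $dbh->prepare('INSERT INTO Users (AcctNo, Username, PasswordHash) VALUES (?, ?, ?)');
$seed->execute([1001, 'alice', password_hash('correct horse', PASSWORD_DEFAULT)]);
$seed->execute([1002, 'bob',   password_hash('battery staple', PASSWORD_DEFAULT)]);

// The vulnerable pattern from the article: input concatenated into SQL text.
function vulnerableLookup(PDO $dbh, string $user, string $pass): array
{
    $sql = "SELECT AcctNo FROM Users WHERE Username = '" . $user
         . "' AND PasswordHash = '" . $pass . "'";
    return $dbh->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// The fix: a prepared statement with a bound parameter. The username travels
// as data, so quotes inside it cannot change the query structure, and the
// password is verified in PHP against the stored hash, never compared in SQL.
function safeLogin(PDO $dbh, string $user, string $pass): ?int
{
    $stmt = $dbh->prepare('SELECT AcctNo, PasswordHash FROM Users WHERE Username = :user');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['PasswordHash'])) {
        return null;
    }
    return (int) $row['AcctNo'];
}

// The closing quote ends the string literal and OR 'X'='X makes the WHERE
// clause true for every row; supplying it as the password is enough because
// AND binds tighter than OR.
$injected = "some_value' OR 'X'='X";

$leaked = vulnerableLookup($dbh, 'nobody', $injected);
printf("vulnerable query leaked %d account number(s): %s\n",
       count($leaked), implode(', ', $leaked));

foreach ([['nobody', $injected], ['alice', 'correct horse'], ['alice', 'wrong']] as [$u, $p]) {
    $acct = safeLogin($dbh, $u, $p);
    printf("safeLogin(%s, %s) => %s\n", var_export($u, true), var_export($p, true),
           $acct === null ? 'rejected' : "account $acct");
}
```

The vulnerable function hands back every account number for the injected password, while safeLogin() rejects the same input as an unknown user and only returns an account number when the username exists and the password verifies against its hash.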
Up to now I have described some of the common mistakes found in PHP scripts. Next I will go through SQL injection in more detail and the way to prevent it, adapted from the W3Schools SQL injection tutorial.
(Source: SQL Injection - W3Schools, http://j.gs/8gFE)
(Source: What is SQL Injection (SQLi)? http://j.gs/8gFJ)
SQL Injection
An SQL injection can destroy your database.

SQL in Web Pages
In the previous chapters, you have learned to retrieve (and update) database data using SQL. (http://j.gs/8gFE)

When SQL is used to display data on a web page, it is common to let web users input their own search values. (http://j.gs/8gFj)

Since SQL statements are text only, it is easy, with a little piece of code, to dynamically change SQL statements to provide the user with selected data:

Server Code (pseudocode)
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
The example above creates a SELECT statement by appending a variable (txtUserId) to a SELECT string. The variable is fetched from the user input (the request) to the page.

The rest of this chapter describes the potential dangers of using user input in SQL statements. (http://j.gs/8gFk)

SQL Injection
SQL injection is a technique where malicious users inject SQL commands into an SQL statement via web page input. (http://j.gs/8gFp)

Injected SQL commands can alter the SQL statement and compromise the security of a web application. (http://j.gs/8gFx)

SQL Injection Based on 1=1 is Always True
Look at the example above one more time.

Let's say that the original purpose of the code was to create an SQL statement to select a user with a given user id. (http://j.gs/8gG0)

If there is nothing to prevent a user from entering "wrong" input, the user can enter some "smart" input like this:

UserId: 105 or 1=1

Server Result
SELECT * FROM Users WHERE UserId = 105 or 1=1;
The SQL above is valid. It will return all rows from the table Users, since WHERE 1=1 is always true.

Does the example above seem dangerous? What if the Users table contains names and passwords?

The SQL statement above is much the same as this:

SELECT UserId, Name, Password FROM Users WHERE UserId = 105 or 1=1;
A smart hacker might get access to all the user names and passwords in a database by simply inserting 105 or 1=1 into the input box. (http://j.gs/8gG4)

SQL Injection Based on ""="" is Always True
Here is a common construction, used to verify user login to a web site:

User Name: John Doe
Password: myPass

Server Code (pseudocode)
uName = getRequestString("UserName");
uPass = getRequestString("UserPass");

sql = 'SELECT * FROM Users WHERE Name ="' + uName + '" AND Pass ="' + uPass + '"'
Result
SELECT * FROM Users WHERE Name ="John Doe" AND Pass ="myPass"
A smart hacker might get access to user names and passwords in a database by simply inserting " or ""=" into the user name or password text box:

User Name: " or ""="
Password: " or ""="

The code at the server will create a valid SQL statement like this: (http://j.gs/8gFj)
Result
SELECT * FROM Users WHERE Name ="" or ""="" AND Pass ="" or ""=""
The resulting SQL is valid. It will return all rows from the table Users, since WHERE ""="" is always true.

SQL Injection Based on Batched SQL Statements
Most databases support batched SQL statements, separated by a semicolon.

Example
SELECT * FROM Users; DROP TABLE Suppliers
The SQL above will return all rows in the Users table, and then delete the table called Suppliers.

If we had the following server code:

Server Code (pseudocode)
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = " + txtUserId;
And the following input:

User id: 105; DROP TABLE Suppliers

The code at the server would create a valid SQL statement like this:

Result
SELECT * FROM Users WHERE UserId = 105; DROP TABLE Suppliers
(http://j.gs/8gG6)
Whether the second statement actually runs depends on the database driver: PHP's old mysql_query() and mysqli_query() send a single statement and reject this input, while other drivers, including PDO's MySQL driver with emulated prepared statements, do execute stacked statements. Never rely on the driver for protection; the injection is still there even when the stacking happens to fail.
Parameters for Protection
Some web developers use a "blacklist" of words or characters to search for in SQL input, to prevent SQL injection attacks.

This is not a very good idea. Many of these words (like delete or drop) and characters (like semicolons and quotation marks) are used in common language and should be allowed in many types of input.

(In fact, it should be perfectly legal to enter an SQL statement into a database field.)

The only proven way to protect a web site from SQL injection attacks is to use SQL parameters.

SQL parameters are values that are added to an SQL query at execution time, in a controlled manner. Note that parameters can only carry values; table and column names, ORDER BY targets and the like cannot be parameterized, so when those must vary they have to be checked against a fixed list of allowed names instead.

ASP.NET Razor Example
txtUserId = getRequestString("UserId");
txtSQL = "SELECT * FROM Users WHERE UserId = @0";
db.Execute(txtSQL,txtUserId);
Note that parameters are represented in the SQL statement by a @ marker.

The SQL engine checks each parameter to ensure that it is correct for its column, and parameters are treated literally, not as part of the SQL to be executed.

Another Example
txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
db.Execute(txtSQL,txtNam,txtAdd,txtCit);
You have just learned how to avoid SQL injection, one of the top website vulnerabilities.

Examples
The following examples show how to build parameterized queries in some common web languages. (http://j.gs/8gG8)

SELECT STATEMENT IN ASP.NET:

txtUserId = getRequestString("UserId");
sql = "SELECT * FROM Customers WHERE CustomerId = @0";
command = new SqlCommand(sql);
command.Parameters.AddWithValue("@0",txtUserId);
command.ExecuteReader();
INSERT INTO STATEMENT IN ASP.NET:

txtNam = getRequestString("CustomerName");
txtAdd = getRequestString("Address");
txtCit = getRequestString("City");
txtSQL = "INSERT INTO Customers (CustomerName,Address,City) Values(@0,@1,@2)";
command = new SqlCommand(txtSQL);
command.Parameters.AddWithValue("@0",txtNam);
command.Parameters.AddWithValue("@1",txtAdd);
command.Parameters.AddWithValue("@2",txtCit);
command.ExecuteNonQuery();
INSERT INTO STATEMENT IN PHP:

// $dbh is an open PDO connection; $txtNam, $txtAdd and $txtCit hold the request values
$stmt = $dbh->prepare("INSERT INTO Customers (CustomerName,Address,City)
VALUES (:nam, :add, :cit)");
$stmt->bindParam(':nam', $txtNam);
$stmt->bindParam(':add', $txtAdd);
$stmt->bindParam(':cit', $txtCit);
$stmt->execute();
(http://j.gs/8gF9)
Further reading:
Query Parameterization Cheat Sheet - OWASP: http://q.gs/BSkYX
SQL Injection Prevention Cheat Sheet: http://j.gs/8gGH
Cryptographic Solutions for Secure Online Banking and Commerce: http://j.gs/8gGM
SQL Injection Attacks and Defense: http://j.gs/8gGN
Prepared statement: http://j.gs/8gGO