PHP
stands for “PHP:
Hypertext Preprocessor”
and it is a one of the most admired Open
Source scripting language.
It is mainly expected to developing web applications and dynamic web
content. Therefore it can be easily embedded into HTML
pages.
Similar
systems are Microsoft’s
ASP.NET
and JSP from Sun Microsystems and additional competitors are like as
Macromedia ColdFusion and the application server Zope based on the
Python scripting language.
The
focus of this paper is on secure programming practices in PHP. The
secure configuration of both the web server and the PHP interpreter
are not within the main scope of this document. However, such topics
are addressed wherever they affect the programmer. For example,
administrators wish to turn off certain features of the PHP
interpreter in order to secure the system. To allow such hardening
measures it is important that these features are not utilized by the
PHP
developer.
PHP
as a programming language is effortless to learn and effortless to
utilize. This is also the reason for its popularity. Unfortunately,
PHP does not only make it effortless to write applications, it also
comes with certain features that make it effortless to write insecure
code.
This
essay gives guidelines on how to avoid precarious language constructs
and features. Moreover, it gives instructions on how to perform
proper security checks that help to defend against common attacks.
Each section deals with a specific security problem or function group
and is accompanied by a list of recommendations. These
recommendations can be utilized as a checklist during the development
phase and for security assessments.
Following steps as the general outline of the Article
- General Utilizes Input Handling: This section deals with general aspects that how to handle utilizes input, how to filter and validate it, so it does not contain any malicious data.
- File Handling covers security aspects related to file handling. For example, it gives details on how PHP handles access to files on remote systems and the associated risks.
- Include Files: The PHP include statement allows programmer to include the contents of other files into a script. This section mainly takes care of the risks that the contents of these include files is exposed to attackers and the risk that attackers exploit improper usage of the include statement for injecting their own code.
- Command Handling: This section deals with security aspects related to commands that are passed to and are executed by the system shell.
- Databases: Typical security issues of database systems like SQL injection attacks are part of this section.
- Sessions: Information about how to properly utilize the PHP session functions constitutes this section.
- General PHP Interpreter Configuration: Finally, this section adds information on general configuration options of the PHP interpreter. Especially important are the instructions on how to configure and utilize PHP’s error reporting functionality.
During
the development phase think about ways to bypass restrictions and
misutilize functionality. All users input must be mistrusted and
thoroughly checked. Utilize library function when they exist instead
of writing your counterparts. Chances are that the library functions
are reviewed by many people and that they contain less error than a
custom function that serves the same purpose. This is especially true
when it comes to encryption algorithms.
I was not aware of these points but now i got clear information about this topic. http://www.adodis.com/Client-Appreciation_Reviews.php
ReplyDelete