-->

Wednesday, July 18, 2012

Get involved in PHP: Hypertext Preprocessor


PHP stands for “PHP: Hypertext Preprocessor” and it is a one of the most admired Open Source scripting language. It is mainly expected to developing web applications and dynamic web content. Therefore it can be easily embedded into HTML pages.
Similar systems are Microsoft’s ASP.NET and JSP from Sun Microsystems and additional competitors are like as Macromedia ColdFusion and the application server Zope based on the Python scripting language.
The focus of this paper is on secure programming practices in PHP. The secure configuration of both the web server and the PHP interpreter are not within the main scope of this document. However, such topics are addressed wherever they affect the programmer. For example, administrators wish to turn off certain features of the PHP interpreter in order to secure the system. To allow such hardening measures it is important that these features are not utilized by the PHP developer.
PHP as a programming language is effortless to learn and effortless to utilize. This is also the reason for its popularity. Unfortunately, PHP does not only make it effortless to write applications, it also comes with certain features that make it effortless to write insecure code.
This essay gives guidelines on how to avoid precarious language constructs and features. Moreover, it gives instructions on how to perform proper security checks that help to defend against common attacks. Each section deals with a specific security problem or function group and is accompanied by a list of recommendations. These recommendations can be utilized as a checklist during the development phase and for security assessments.

Following steps as the general outline of the Article

  • General Utilizes Input Handling: This section deals with general aspects that how to handle utilizes input, how to filter and validate it, so it does not contain any malicious data.
  • File Handling covers security aspects related to file handling. For example, it gives details on how PHP handles access to files on remote systems and the associated risks.
  • Include Files: The PHP include statement allows programmer to include the contents of other files into a script. This section mainly takes care of the risks that the contents of these include files is exposed to attackers and the risk that attackers exploit improper usage of the include statement for injecting their own code.
  • Command Handling: This section deals with security aspects related to commands that are passed to and are executed by the system shell.
  • Databases: Typical security issues of database systems like SQL injection attacks are part of this section.
  • Sessions: Information about how to properly utilize the PHP session functions constitutes this section.
  • General PHP Interpreter Configuration: Finally, this section adds information on general configuration options of the PHP interpreter. Especially important are the instructions on how to configure and utilize PHP’s error reporting functionality.
During the development phase think about ways to bypass restrictions and misutilize functionality. All users input must be mistrusted and thoroughly checked. Utilize library function when they exist instead of writing your counterparts. Chances are that the library functions are reviewed by many people and that they contain less error than a custom function that serves the same purpose. This is especially true when it comes to encryption algorithms.

1 comment: