PHP Security Leading Practice

Revision as of 04:47, 24 October 2007 by EoinKeary (Talk | contribs)


Global Variables

One does not need to explicitly create "global variables": this is done via the php.ini file by turning the "register_globals" setting on. register_globals has been disabled by default since PHP 4.1.0.

Include directives in PHP can be vulnerable if register_globals is enabled.


include "$dir/script/dostuff.php";

With register_globals enabled the $dir variable can be passed in via the query string:


This would result in $dir being set to:


include "";


Appending global variables to the URL may be a way to circumvent authentication:




If this page was requested with register_globals enabled and the parameter ?authorised=1 in the query string, the authentication functionality assumes the user is authorised to proceed. Without register_globals enabled, the variable $authorised would not be affected by the ?authorised=1 parameter.


When reviewing PHP code, make sure you can see that the initialization value is in a "secure default" state, for example $authorised = false;
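As an added example (not code from the original page), the two register_globals cases above written defensively: the $authorised flag with a secure default, request input read explicitly from the superglobals, and the $dir include restricted to a fixed list. The credentials_valid function, the user store and the module list are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the original page: the register_globals cases above
// written so they stay safe whether or not register_globals is on.

// Secure default: the flag is initialised explicitly, so a request such as
// ?authorised=1 cannot pre-set it even if register_globals is enabled.
$authorised = false;

// Hypothetical credential check against a constructed single-user store.
function credentials_valid(string $user, string $pass): bool
{
    $users = ['alice' => password_hash('s3cret', PASSWORD_DEFAULT)]; // constructed
    return isset($users[$user]) && password_verify($pass, $users[$user]);
}

// Read input explicitly from the superglobals rather than relying on
// register_globals to turn request parameters into local variables.
$user = (string) ($_POST['user'] ?? '');
$pass = (string) ($_POST['pass'] ?? '');

if (credentials_valid($user, $pass)) {
    $authorised = true;
}

if (!$authorised) {
    http_response_code(403);
    exit('Not authorised');
}

// The $dir include: accept only names from a fixed list of modules, so a
// remote URL (via allow_url_fopen) or a "../" path cannot be injected.
$allowed_dirs = ['reports', 'admin']; // constructed list of application modules
$dir = (string) ($_GET['dir'] ?? 'reports');

if (!in_array($dir, $allowed_dirs, true)) {
    http_response_code(400);
    exit('Unknown module');
}

include __DIR__ . "/$dir/script/dostuff.php";
```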

Error handling

If possible, check whether error reporting has been turned off via php.ini and whether "error_reporting" is off.

File Manipulation

allow_url_fopen is enabled by default in php.ini. This allows URLs to be treated like local files: a URL pointing at malicious scripting may be included and treated like a local file.

HTTP request Handling

The dispatch method is used as a "funnel" through which all requests are passed. One does not access other PHP files directly but rather via dispatch.php. This is akin to a global input validation class through which all traffic passes.

With regard to security, it is leading practice to implement validation at the top of this file. All other required modules can be pulled in with include or require and may live in a different directory.

Including a method: if a dispatch.php method is not being used, look for includes at the top of each PHP file. The included file may set a state such that the request can proceed.

It may also be worth checking php.ini for the auto_prepend_file directive, which may reference a file that is automatically included before every script.

Good Things to Use

strip_tags(): Removes any HTML from a string
nl2br(): Converts new line characters to HTML break "br"
htmlspecialchars():