For many years, PHP has been a stable, inexpensive platform on which to operate web-based applications. Like most web-based platforms, PHP is vulnerable to external attacks. Developers, database architects and system administrators should take precautions before deploying PHP applications to a live server. Most of these techniques can be accomplished with a few lines of code or a slight adjustment to the application settings.
#5: Manage Setup Scripts
If the developer has installed a set of PHP scripts from a third-party application, the scripts the application uses to install the working components can also provide an access point to unscrupulous users. Most providers of third-party packages recommend removing the directory containing the setup scripts shortly after installation. For developers who wish to retain the setup scripts, they can create an .htaccess file that controls access to the administrative directories.
AuthType Basic AuthName “Administrators Only” AuthUserFile /usr/local/apache/passwd/passwords Require valid-user
Any unauthorized user who attempts to bring up a protected directory will see a prompt for a username and password. The password must match the assigned password specified in the “passwords” file.
#4: Include Files
In many instances, developers may use an individual file in several portions of an application. These scripts will contain an “include” directive that incorporates the code of the individual file into that of the originating page. When the “include” file contains sensitive information, including usernames, passwords or database access keys, the file should have a “.php” extension, rather than the typical “.inc” extension. The “.php” extension insures that the PHP engine will process the file and prevent any unauthorized views.
#3: MD5 vs. SHA
In situations where end users create their own usernames and passwords, site administrators will often include functionality to encrypt the password data before the form submits the form field entry to the database field. In past years, developers have used the md5 (Message Digest algorithm) function to encrypt passwords into a 128-bit string. Today, many developers use the SHA-1 (Secure Hash Algorithm) function to create a 160-bit string.
#2 Automatic Global Variables
The php.ini file contains a setting called “register_globals”. When the register_globals setting is on, the PHP server will create automatic global variables for many of the server’s variables and query strings. When installing third-party packages, such as content management software like Joomla and Drupal, the installation scripts will direct the user to set register_globals to “off”. Changing the setting to “off” insures that unauthorized users cannot access data by guessing the name of the variable that validates passwords.
#1 Initialize Variables and Values
Many developers have fallen into the trap of instantiating variables without defining their values, either due to time constraints, distractions, or lack of effort. Variables that validate the authentication process should have values instantiated before the login procedure begins. This simple step can prevent users from bypassing the verification routine or accessing areas of the site to which their privileges do not entitle them.
These steps can block users from starting a new session on an application, but what about protecting data during a session? Next week’s lesson will examine PHP session security.