Securing PHP
This paper covers the basics of securing PHP. It first explains how the php.ini file can be used to set secure defaults for PHP. A brief description of how to prevent SQL injection follows. The paper concludes with a description of Suhosin, a hardening patch for PHP.
PHP is a scripting language commonly used to develop websites and web-based services. It is not built into Apache but ships as a separate package. PHP reads a configuration file, php.ini, whose location depends on your operating system and PHP version. The php.ini file contains many options that can be used to secure PHP.
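The following php.ini fragment is an added example, not part of the original paper: it collects hardening directives that exist in PHP (the directive names are real; the chosen values and the file paths are this example's assumptions, and the function list in disable_functions should be trimmed to what your application can live without).

```ini
; Added example php.ini fragment. Directive names are real PHP directives;
; the values and paths below are assumptions for this example.

; Hide the PHP version from the X-Powered-By response header
expose_php = Off

; Never show error messages to the browser; log them instead
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log      ; assumed path

; Do not fetch or include code from remote URLs
allow_url_fopen = Off
allow_url_include = Off

; Refuse to run shell-spawning functions the application does not need
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; Confine file access to the web root and a temp directory (assumed paths)
open_basedir = /var/www/html:/tmp

; Session cookies: not readable from JavaScript, never passed in the URL
session.cookie_httponly = 1
session.use_only_cookies = 1
```

After editing php.ini, restart the web server (or PHP-FPM) and confirm the values took effect with phpinfo() or php -i, since a distribution may load several ini files and a later one can override yours.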
Setting some of these variables in php.ini makes things somewhat more secure, though there are still ways that PHP can be exploited. One common technique is to pass commands through a PHP input channel (GET/POST/SESSION/COOKIE) and have the application execute them. For example, a user enters ';ls -la' into a form on your website, and the value from the $_POST variable is passed directly into the exec() function. The semicolon terminates the preceding command, and ls -la then lists every file in your directory. Of course, ls -la is not the only thing that could be run; an attacker could just as easily execute 'rm -rf *', which erases everything in the current directory.
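The exec() pattern just described, shown as an added example (not code from the paper) in its unsafe and hardened forms. The script never runs the command; it only prints the string exec() would receive, so it can be executed from the command line on the constructed sample input. The file name field and the regex whitelist are assumptions for this example; escapeshellarg() is a standard PHP function.

```php
<?php
// Added example (not from the paper): a POST value reaching exec().
// Sample input is constructed inline: a normal file name and the
// ";ls -la" value from the text.
$samples = [
    'report.txt',
    'report.txt; ls -la',
];

// UNSAFE: the POST value is concatenated into the command untouched.
// A ";" ends the intended command and the remainder runs as a second one.
function unsafeShowFile(string $name): string
{
    return 'cat ' . $name;              // the string exec() would receive
}

// HARDENED: validate against a strict whitelist first (reject, do not
// "clean"), then quote the value so the shell sees a single argument.
function safeShowFile(string $name): ?string
{
    // Whitelist: letters, digits, dot, underscore, dash; 1 to 64 characters.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
        return null;
    }
    return 'cat ' . escapeshellarg($name);
}

foreach ($samples as $input) {
    echo "input:  $input\n";
    echo "unsafe: " . unsafeShowFile($input) . "\n";
    $cmd = safeShowFile($input);
    echo "safe:   " . ($cmd ?? 'REJECTED by validation') . "\n\n";
}
```

The whitelist is the real control here: escapeshellarg() alone would quote the second sample into a harmless argument, but rejecting anything outside the expected shape also catches values that are syntactically safe yet meaningless to the application. If the application does not need to spawn a shell at all, listing exec() and its relatives in disable_functions removes the problem entirely.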
SQL injection works in the same way. The best defence against these attacks is to check and validate all input before executing it or passing it into a query. Check it for unwanted characters (such as quotes, semicolons, dashes, etc.), and if the value must have a specific form, such as a day of the week, a two-digit number or a year, make sure it matches a regex (regular expression). If you are accepting input from a form into a SQL query, you definitely need to check this: unwanted characters could compromise your entire database, and possibly the server.
You should always run addslashes() on all input first, so that any quotes that might terminate and restart the query are escaped. PHP can run addslashes() on all input (GET/POST/SESSION/COOKIE) automatically if you set magic_quotes_gpc to On in your php.ini file. You may also want to install Suhosin on your server.
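An added example, not code from the paper, of the validation the two preceding paragraphs describe: regex checks for the three value shapes mentioned (day of the week, two-digit number, year), with addslashes() applied to the free-text field as the paper recommends. The field names, the table name and the sample requests are constructed for this example.

```php
<?php
// Added example (not from the paper): validate form fields with regular
// expressions before building a query; free text goes through addslashes().

// Day of the week as a three-letter abbreviation (assumed form format).
function isWeekday(string $v): bool
{
    return preg_match('/^(Mon|Tue|Wed|Thu|Fri|Sat|Sun)$/', $v) === 1;
}

// Exactly two digits.
function isTwoDigitNumber(string $v): bool
{
    return preg_match('/^[0-9]{2}$/', $v) === 1;
}

// Four digits, plus a range check so the value is plausible as well as well-formed.
function isYear(string $v): bool
{
    if (preg_match('/^[0-9]{4}$/', $v) !== 1) {
        return false;
    }
    $n = (int) $v;
    return $n >= 1900 && $n <= 2100;
}

// Build the query only from values that passed validation; return null
// (reject the request) on any failure rather than trying to repair input.
function buildQuery(array $form): ?string
{
    if (!isWeekday($form['day'] ?? '')
        || !isTwoDigitNumber($form['slot'] ?? '')
        || !isYear($form['year'] ?? '')) {
        return null;
    }
    $note = addslashes($form['note'] ?? '');   // escape quotes in free text
    return sprintf(
        "SELECT * FROM bookings WHERE day='%s' AND slot=%s AND year=%s AND note='%s'",
        $form['day'], $form['slot'], $form['year'], $note
    );
}

// Constructed sample requests: a valid one, and one with a stray quote in
// the year field, which the regex rejects before any query is built.
$requests = [
    ['day' => 'Mon', 'slot' => '07', 'year' => '2024', 'note' => "O'Brien"],
    ['day' => 'Mon', 'slot' => '07', 'year' => "2024'", 'note' => ''],
];

foreach ($requests as $r) {
    echo (buildQuery($r) ?? 'REJECTED: input failed validation') . "\n";
}
```

Two caveats for anyone applying this on a current PHP build: magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4, so the automatic addslashes() behaviour the paper mentions is no longer available, and the mechanism PHP now recommends for the query itself is a parameterized statement (for example PDO::prepare() with bound values), which keeps data out of the SQL text entirely. The regex validation above remains useful in either case.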
Suhosin is an advanced protection system for PHP installations. It is designed to protect against flaws in both the PHP core and PHP applications. It has two parts: a patch to the PHP core that prevents some buffer overflows and format string vulnerabilities, and a PHP extension that implements all the other features.
Suhosin has a large feature list: runtime and session protections, plus various input filters and logging features. Runtime features include prevention of newline (\n) attacks on mail(), prevention of infinite recursion, and the ability to disable eval() and the preg_replace() /e modifier. The session protections are transparent session data encryption, transparent session hijacking protection, protection against overlong session identifiers, and protection against malicious characters in session identifiers.
Suhosin filters input by ignoring variables (GET/POST/SESSION/COOKIE) with certain names (such as _GET, _POST, GLOBALS) and by limiting the number of REQUEST variables. Logging features include multiple log devices, collection of the IP addresses associated with alerts, logging of alert details according to the category the alert falls under, and fully configurable logs.
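An added example, not taken from the paper or the Suhosin project, of a php.ini fragment that turns on the Suhosin features listed in the two paragraphs above. The directive names are Suhosin's own; the numeric limits, the syslog bitmask value, and the placeholder crypt key are this example's assumptions and should be set for your environment.

```ini
; Added example: Suhosin settings in php.ini. Directive names are Suhosin's;
; the values below are assumptions for this example.

; Runtime: refuse eval() and the preg_replace() /e modifier
suhosin.executor.disable_eval = On
suhosin.executor.disable_emodifier = On

; Runtime: block newline injection into mail() parameters
suhosin.mail.protect = 1

; Session: transparent encryption of session data, cap on identifier length
suhosin.session.encrypt = On
suhosin.session.cryptkey = "CHANGE-ME-to-a-long-random-secret"   ; placeholder
suhosin.session.max_id_length = 128

; Filters: limit the number of request variables accepted
suhosin.request.max_vars = 200
suhosin.post.max_vars = 200
suhosin.get.max_vars = 100

; Logging: send alerts to syslog (bitmask of alert classes; 511 = all)
suhosin.log.syslog = 511
```

Enable the session encryption on every server that shares a session store, with the same cryptkey, or sessions written by one host will be unreadable on another. The request-variable caps are the ones most likely to need tuning: pick values above what your largest legitimate form submits, then watch the Suhosin log for rejections before lowering them.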
In conclusion, PHP is an extremely useful scripting language that can be very vulnerable when not properly configured. With some knowledge of the php.ini file and a quick installation of Suhosin, your PHP installation will be far more secure for both you and your clients.