Writing Secure PHP


While PHP does not have the same security concerns that you might find with CGI scripts or ASP, security concerns still exist. There are several considerations to keep in mind while programming.

The first recommendation I would make is that files which contain sensitive information, such as passwords, be placed outside of the Web document root. Every Web server application uses a folder as the default root for Web documents. Items within that folder can be accessed via a URL, but items located above the default folder cannot be. However, they can still be used within PHP with the line:

 require ("../secure.php"); 

The above line of code will include the file secure.php, which is located one folder above the current document (Figure B.2). The file cannot be directly accessed via the Web, though, as it is outside of the default Web document root.

Figure B.2. This folder is above the Web document root folder (www or dmcinsights-www) and is therefore unavailable to users via the Web browser. I can still use it to store and access sensitive documents such as secure.php, though.


My second recommendation is a two-parter involving user-submitted data from HTML forms. First, you should always remember to use the POST form method (as opposed to GET) when transferring sensitive information. This is because the GET method will append the submitted data to the URL, making it visible in the Web browser window.

Second, you should be wary of user-submitted data because it can be a common loophole through which malicious users can wreak havoc on your system. Clever people may be able to insert JavaScript or executable code into your site using an HTML form. This code could send them sensitive information, alter databases, and so forth. The easiest way to preempt this sort of malfeasance is to check all incoming data using regular expressions, as you saw in Chapter 8, Regular Expressions. Appendix C, PHP Resources, will also direct you towards sites that contain articles on this specific topic as well as sources of example regular expression code.
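Both recommendations combined into one form handler, as an added example that is not from the book: it loads a password file from outside the document root, accepts only POST submissions, and checks each field against an allow-list regular expression before echoing anything back. The file name secure.php comes from the text; the field names, the patterns and the variable $db_password are assumptions.

```php
<?php
// Added example, not from the book. Assumes this script lives in the
// Web document root and that ../secure.php (outside it) sets $db_password,
// which a database connection elsewhere in the site would use.
require('../secure.php');

// Allow-list patterns, one per expected form field (assumed fields).
// Input that does not match is rejected rather than "cleaned up".
$patterns = array(
    'username' => '/^[A-Za-z0-9_]{3,20}$/',
    'email'    => '/^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$/',
    'age'      => '/^(1[89]|[2-9][0-9]|1[01][0-9])$/', // 18 to 119
);

// Returns array($clean, $errors): validated fields and a list of problems.
function validate_form(array $input, array $patterns) {
    $clean  = array();
    $errors = array();
    foreach ($patterns as $field => $regex) {
        // A missing field, or an array where a string is expected, is an error.
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[] = "$field is missing";
        } elseif (!preg_match($regex, $input[$field])) {
            $errors[] = "$field is not in the expected format";
        } else {
            $clean[$field] = $input[$field];
        }
    }
    return array($clean, $errors);
}

// Sensitive data must arrive by POST; refuse anything else.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Allow: POST', true, 405);
    exit;
}

list($clean, $errors) = validate_form($_POST, $patterns);

// Escape everything echoed back, so a hostile value cannot become HTML or JavaScript.
if ($errors) {
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    exit;
}
echo '<p>Welcome, ' . htmlspecialchars($clean['username'], ENT_QUOTES, 'UTF-8') . '</p>';
```

Rejecting rather than repairing bad input keeps the patterns simple to audit, and escaping on output covers the case where a value passes validation but still contains characters meaningful to the browser.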



PHP for the World Wide Web (Visual QuickStart Guide)
ISBN: 0201727870
Year: 2001
Pages: 116
Authors: Larry Ullman
