Never, Ever, Trust Your Users
It can never be said enough times: you should never, ever, ever trust your users to send you the data you expect. I have heard many people respond to that with something like "Oh, nobody malicious would be interested in my site". Leaving aside that that could not be more wrong, it is not always a malicious user who can exploit a security hole; problems can just as easily arise because of a user unintentionally doing something wrong.
So the cardinal rule of all web development, and I can't stress it enough, is: Never, Ever, Trust Your Users. Assume every single piece of data your site collects from a user contains malicious code. Always. That includes data you think you have checked with client-side validation, for example using JavaScript. If you can manage that, you'll be off to a good start. If PHP security is important to you, this single point is the most important to learn. Personally, I have a "PHP Security" sheet next to my desk with the major points on, and this is in large bold text, right at the top.
Global Variables
In many languages you must explicitly create a variable in order to use it. In PHP, there is an option, "register_globals", that you can set in php.ini that allows you to use global variables, ones you do not need to explicitly create.
Consider the following code:
[php]
// Vulnerable on purpose: $authorized is never initialised, so with
// register_globals on it can arrive pre-set from the request.
if ($password == "my_password") {
    $authorized = 1;
}
if ($authorized == 1) {
    echo "Lots of important stuff.";
}
[/php]
To many that may look fine, and in fact this exact type of code is in use all over the web. However, if a server has "register_globals" set to on, then simply adding "?authorized=1" to the URL will give anyone free access to exactly what you do not want everyone to see. This is one of the most common PHP security problems.
Fortunately, this has a couple of possible simple solutions. The first, and perhaps the best, is to set "register_globals" to off. The second is to ensure that you only use variables that you have explicitly set yourself. In the above example, that would mean adding "$authorized = 0;" at the beginning of the script:
[php]
// Initialise the flag ourselves so a request parameter can never pre-set it.
$authorized = 0;
if ($password == "my_password") {
    $authorized = 1;
}
if ($authorized == 1) {
    echo "Lots of important stuff.";
}
[/php]
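Taking both fixes a step further, here is an added example (my own code, not from the article) that reads the password explicitly from $_POST instead of relying on any auto-created variable, keeps $authorized local and initialised, and refuses to run if register_globals is still on. The "password" form field and the "my_password" secret are placeholders carried over from the article; note that register_globals was removed in PHP 5.4, so on a modern interpreter ini_get() simply returns false and the explicit-input discipline is what still matters.

```php
<?php
// Added example, not part of the original article. Assumes a login form that
// POSTs a field named "password"; the secret below is a placeholder.

// 1. Fail closed if the dangerous setting is on (older PHP only; removed in 5.4).
if (ini_get('register_globals')) {
    error_log('register_globals is enabled; refusing to serve this page');
    http_response_code(500);
    exit;
}

const EXPECTED_PASSWORD = 'my_password'; // placeholder, as in the article

/**
 * Returns true only if the submitted password matches.
 * Every variable is created here, so nothing in the query string or form
 * can pre-set $authorized, whatever php.ini says.
 */
function isAuthorized(array $post): bool
{
    $authorized = false;

    // Read only the field we expect, only from the source we expect,
    // and treat anything that is not a string as an empty submission.
    $password = (isset($post['password']) && is_string($post['password']))
        ? $post['password']
        : '';

    // hash_equals() is a strict, constant-time string comparison, which also
    // avoids PHP's loose "==" type juggling used in the article's snippet.
    if (hash_equals(EXPECTED_PASSWORD, $password)) {
        $authorized = true;
    }

    return $authorized;
}

if (isAuthorized($_POST)) {
    echo "Lots of important stuff.";
} else {
    http_response_code(403);
    echo "Access denied.";
}
```

The key difference from the article's corrected snippet is that the input source is named explicitly ($_POST['password']) rather than left to whatever register_globals happens to inject, so the code behaves the same regardless of server configuration.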
Source: http://www.addedbytes.com/writing-secure-php/writing-secure-php-1/
Comments are appreciated.