
Ten rules of a spelling of a safe code on PHP

The series of articles "Ten Security Checks for PHP" briefly covers the ten mistakes PHP programmers make most often that lead to security problems in their scripts.


Avoid using variables derived from user data in file-inclusion functions (include, require) or file-access functions (readfile, fopen, file). For example: include($lib_dir . "functions.inc"); include($page); The variables $lib_dir and $page must first be checked, either for forbidden characters or against a predefined list of permitted values:



$valid_pages = array("apage.php" => "", "another.php" => "", "more.php" => "");

if (!isset($valid_pages[$page])) {
    die("Invalid request");
}

// Alternatively, restrict $page to a safe character set and reject "..".
// The original used eregi(), which was removed in PHP 7; preg_match() with
// the /i modifier is the equivalent check.
if (!(preg_match('/^[a-z_.\/]*$/i', $page) && !preg_match('/\.\./', $page))) {
    die("Invalid request");
}


Escape dangerous characters (" and ') in variables that take part in SQL queries. For example, an attacker can pass a variable such as "password=a%27+OR+1%3D%271", which ends up in the SQL query as "Password='a' OR 1='1'". Solution: enable magic_quotes_gpc in php.ini, or escape the variables yourself with addslashes();
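An added example, not from the article, running the payload above against an in-memory SQLite table three ways: concatenated, escaped with addslashes() as the article advises, and as a parameterized query. It assumes the pdo_sqlite extension; the table, row and payload string are constructed here.

```php
<?php
// Added example (not from the article): the "a' OR ..." payload from the
// text, run three ways against an in-memory SQLite table.
// Assumes the pdo_sqlite extension; table and row are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (name TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES ('admin', 's3cret')");

// The article's "1='1'" relies on MySQL's loose comparison; SQLite treats
// 1 and '1' as different types, so the quoted form '1'='1' is used here.
$password = "a' OR '1'='1";

// 1. Plain concatenation: the quote closes the literal and the OR clause
//    makes the WHERE condition always true, so the admin row is returned.
function count_concat(PDO $db, string $password): int {
    $sql = "SELECT COUNT(*) FROM users WHERE password = '" . $password . "'";
    return (int) $db->query($sql)->fetchColumn();
}

// 2. The article's fix: addslashes() turns ' into \'. That is MySQL escape
//    syntax; SQLite only understands doubled quotes ('') and rejects the
//    backslash, so the query fails rather than matching. Escaping is
//    database-specific, which is the main weakness of this approach.
function count_addslashes(PDO $db, string $password): string {
    $sql = "SELECT COUNT(*) FROM users WHERE password = '" . addslashes($password) . "'";
    try {
        return (string) $db->query($sql)->fetchColumn();
    } catch (PDOException $e) {
        return "error: " . $e->getMessage();
    }
}

// 3. Parameterized query: the value never becomes part of the SQL text, so
//    no quoting is needed and the result is the same on every database.
//    (magic_quotes_gpc was removed in PHP 5.4; use this form today.)
function count_prepared(PDO $db, string $password): int {
    $stmt = $db->prepare("SELECT COUNT(*) FROM users WHERE password = ?");
    $stmt->execute([$password]);
    return (int) $stmt->fetchColumn();
}

echo "concatenated: ", count_concat($db, $password), " row(s)\n";
echo "addslashes:   ", count_addslashes($db, $password), "\n";
echo "prepared:     ", count_prepared($db, $password), " row(s)\n";
```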


Never trust global variables: with register_globals enabled in php.ini, an attacker can change the value of any global variable. Use the associative arrays $HTTP_GET_VARS and $HTTP_POST_VARS with register_globals disabled, and explicitly initialize all global variables at the start of the script.


Determine the location of an uploaded file only through is_uploaded_file() or move_uploaded_file(); do not trust a global variable holding the path to the uploaded file, since an attacker can change its value.


Use htmlspecialchars() and htmlentities() to escape HTML tags present in data received from the user.


Protect function libraries (extensions .inc, .class) from having their source viewed by users. Solution: give libraries the .php extension, place them in a directory closed to web access, or configure a handler to parse files with your libraries' extension.


Place data files outside the file-system tree accessible through the web (one level below htdocs, the "document root"), or protect the directories with .htaccess.


Run mod_php in safe_mode.


Check for forbidden characters in variables used in eval, preg_replace, exec, passthru, system, popen and the backtick (`) operator.


When using the CGI variant (php.cgi) rather than mod_php, remember that php.cgi can be used to access any file in directories protected by .htaccess, because in that case access is restricted only for direct requests, not for requests made through the php.cgi CGI script.


