The first thing that must be realized about web application security is that external data should not be trusted. External data includes any data that is not entered directly by the programmer into the PHP code. Any data from any other source (such as GET variables, form POST, databases, configuration files, session variables, or cookies) cannot be trusted until steps are taken to ensure security.
For example, the following data elements can be considered safe because they are set directly in the PHP code.
PHP Security Protection Checklist 1. Safe and flawless code
```php
<?php
$myUsername = 'tmyer';
$arrayUsers = array('tmyer', 'tom', 'tommy');
define("GREETING", 'hello there' . $myUsername);
?>
```
However, the following data elements are all flawed.
PHP Security Protection Checklist 2. Unsafe and flawed code
```php
<?php
$myUsername = $_POST['username']; // tainted!
$arrayUsers = array($myUsername, 'tom', 'tommy'); // tainted!
define("GREETING", 'hello there' . $myUsername); // tainted!
?>
```
Why is the first variable, $myUsername, defective? Because it comes directly from the form POST. A user can enter any string into that input field, including malicious commands to delete files or execute previously uploaded files.
You may ask, "Can't you avoid this danger with a client-side (JavaScript) form validation script that only accepts the letters A-Z?" Yes, that is always a beneficial step, but as we'll see later, anyone can download any form to their own machine, modify it, and resubmit whatever they like.
The solution is simple: sanitization code must be run on $_POST['username']. If you don't do this, you risk contaminating these objects every other time you use $myUsername (such as in the array or the constant).
A simple way to sanitize user input is to process it with a regular expression. In this example only letters are expected to be accepted. It might also be a good idea to limit the string to a specific number of characters, or to require all letters to be lowercase.
PHP Security Protection Checklist 3. Make user input safe
```php
<?php
$myUsername = cleanInput($_POST['username']); // clean!
$arrayUsers = array($myUsername, 'tom', 'tommy'); // clean!
define("GREETING", 'hello there' . $myUsername); // clean!

function cleanInput($input) {
    $clean = strtolower($input);
    $clean = preg_replace("/[^a-z]/", "", $clean);
    $clean = substr($clean, 0, 12);
    return $clean;
}
?>
```
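A variant of the check above, added here as an example rather than taken from the article: cleanInput() silently rewrites whatever it receives, so "tmyer!" becomes "tmyer" and is treated as that existing user. Rejecting anything outside the expected alphabet avoids that ambiguity and, because it runs on the server, still holds when the client-side script has been removed from the form. validateUsername() and the sample inputs are hypothetical.

```php
<?php
// Added example, not part of the original article. Requires PHP 7.1+ for ?string.
// Whitelist validation that rejects instead of silently rewriting the input.

function validateUsername(string $input): ?string
{
    // Anchored whitelist: 1 to 12 lowercase letters and nothing else.
    // The D modifier makes $ match only at the very end of the string, so a
    // trailing "\n" (which a plain $ would tolerate) is rejected as well.
    if (preg_match('/^[a-z]{1,12}$/D', $input) === 1) {
        return $input;
    }
    return null; // reject: the caller must treat this as an error, not a name
}

// Constructed inputs, as they could arrive in $_POST['username'] once the
// browser-side validation has been bypassed. cleanInput() would quietly turn
// the second and third into "tmyer"; validateUsername() refuses them.
$samples = [
    'tmyer',             // valid
    'TMyer',             // uppercase: rejected (the article lowercases instead)
    'tmyer!',            // stripping would collide with the existing user tmyer
    "tommy\n",           // trailing newline: rejected thanks to the D modifier
    str_repeat('a', 13), // too long: rejected
];

foreach ($samples as $raw) {
    $checked = validateUsername($raw);
    printf("%-16s => %s\n", json_encode($raw),
           $checked === null ? 'REJECTED' : "accepted as '$checked'");
}
```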
The above is an explanation of relevant techniques for PHP security protection.