Securing PHP Web Applications

Michael J. Ross writes "The owners and the developers of typical Web sites face a quandary, one often unrecognized and unstated: They generally want their sites' contents and functionality to be accessible to everyone on the Internet, yet the more they open those sites, the more vulnerable they can become to attackers of all sorts. In their latest book, Securing PHP Web Applications, Tricia and William Ballad argue that PHP is an inherently insecure language, and they attempt to arm PHP programmers with the knowledge and techniques for making the sites they develop as secure as possible, short of disconnecting them from the Internet." Keep reading for the rest of Michael's review.

Securing PHP Web Applications
author	Tricia Ballad, William Ballad
pages	336
publisher	Addison-Wesley Professional
rating	7/10
reviewer	Michael J. Ross
ISBN	978-0321534347
summary	A wide-ranging guide to PHP security.

The book was published by Addison-Wesley on 26 December 2008, under the ISBN 978-0321534347. The publisher maintains a Web page for the book, where visitors will find a detailed description, the table of contents, and a sample chapter ("Cross-Site Scripting," Chapter 10) only three pages in length — undoubtedly a record. That is essentially all one will find on that Web page. Most technical publishers offer far more information on the Web pages for each one of their books — such as the preface and index online, updates to the book's content (including reported errata, confirmed and otherwise), descriptions of the chapters, information about and pictures of the author(s), feedback from readers and the media, and, perhaps most valuable of all, the sample code used in the given book. (However, that is less of a factor with this particular book, since it does not contain much sample code.) Many such publisher pages even have links to book- or technology-specific forums, where readers can post questions to the authors, and read other people's questions and the replies. Addison-Wesley, like all of the Pearson Education imprints, has through the years proven quite sparing with the supplementary online content, thereby no doubt reducing the number of prospective readers and other traffic to their sites.

Despite its fairly modest length (336 pages) in comparison to the average programming book being published these days, Securing PHP Web Applications tries to cover a sizable number of topics, in five parts, which encompass 17 chapters: general security issues; error handling; system calls; buffer overflows and sanitizing variables; input validation; file access; user authentication; encryption and passwords; sessions and attacks against them; cross-site scripting; securing Apache and MySQL; securing IIS and SQL Server; securing PHP; automated testing; exploit testing; designing a secure application; and hardening an existing application. The book concludes with an epilogue on professional habits to improve the security of one's applications, an appendix describing additional resources, a glossary, and an index. Throughout the book, the authors illustrate key ideas with the use of a sample application — in this case, a Web-based guest book.

The first chapter, which is the only one in the first part of the book, is rather brief, but does prime the reader for all the material that follows, because it explains the inherent security problems of Web applications, and explains the dangers of some of the inadequate measures that naive programmers can take, such as security through obscurity, and the common belief that hackers only go after major Web sites.

Chapter 2 focuses on error handling, but begins with an example of SQL injection, and how effective it can be against the first iteration of the guest book application code. The most potentially confusing part of the discussion is when the authors show an SQL injection attack that perverts an INSERT statement by injecting it with an SQL command to drop a table, and the two commands are separated by a semicolon. But then instead of discussing how multiple SQL statements can be separated by semicolons (well, depending upon one's server settings), they instead discuss separating PHP commands was semicolons, but not SQL commands. Nonetheless, readers will find some good advice on handling unexpected input and using a centralized error-handling mechanism, even if quite simple. Also, the question of whether or not to accept HTML in user input, is briefly addressed. However, the material would be more useful if the authors were to explain specifically when htmlspecialchars() should be used instead of htmlentities(). Also, the option of using standard bulletin board codes (such as [b]bold[/b]) should have been mentioned, if only briefly with references to outside resources. At the bottom of page 22, the bare regex following a !"~" is not valid PHP (or even Perl, which it much more resembles). Lastly, one should not follow the recommendation of providing absolutely no feedback to the user as to what characters were invalid in the text they entered. Hackers gain nothing from being told the obvious, that HTML tags are not allowed; but legitimate users will be incensed when told only that the system didn't understand their input, with no indication as to how to make it acceptable.

In the third chapter, the authors explain the obvious danger of using unsanitized user input within a call to the operating system, such as exec() or system(). The discussion here assumes that you are on a *nux server, not Windows. Two PHP commands are suggested for sanitizing user input, as well as the option and advantages of building a custom API that is limited to only the system calls that should ever be executed within your Web application. On page 33, their test code appears to assume that register_globals has been enabled (so the GET variables in the malicious URL are automatically instantiated and set to the values in the URL), which is disappointing for a book on PHP security, since the dangers inherent in register_globals are so severe that it is now disabled by default, is deprecated in PHP version 5.3.0, and will be completely removed in version 6.

In Chapter 4, readers get an overview of program and data storage on a computer, including buffers, stacks, and heaps, as groundwork for learning what buffer overflows are and how hackers can try to exploit them to execute database and operating system statements, including using your server as a staging point for remote exploits and denial-of-service attacks. The fifth chapter dovetails nicely with the previous one, because it discusses input validation, which is a key component of avoiding boundary condition attacks. The authors explain the importance of validating tainted data, using character length and regular expressions. One simple countermeasure to such attacks that the authors fail to mention, is simply setting a maximum input length ("maxlength") on HTML "input" tag fields. After all, most entry fields on forms are input tags — not textarea tags, for which the maxlength attribute only specifies wrapping. Using maxlength does not prevent manipulation of POST values, but does prevent the less knowledgeable attacker from overflowing input tag fields.

Chapter 6 explains the risks in working with local and remote files, and why it is critical to not allow mischievous users do such tricks as inserting a pathname in a filename, when your code is expecting only a simple filename. Unfortunately, some of the code and claims in this chapter are suspect: On page 70, the value of $path_to_uploaded_files is missing a needed trailing forward slash. The suggested method of processing malicious file paths could be made much more simple and secure with the use of basename(). The file_get_contents() attack shown on page 71 again seems to assume that register_globals is enabled; even if it were enabled, the exploit wouldn't work because $file is always set to a value in the script code. The authors seemingly believe that GET variables can override anything in a script. Nonetheless, their advice about handling user-uploaded files is spot on.

Part 4 of the book focuses on user security. The first of its chapters covers user authentication and authorization — combining the two for their sample application — and starting with usernames and passwords. Access denial due to invalid username or password is supposedly illustrated by Figure 7.2, but all that it illustrates is that a concept that needs no visual depiction is not made more clear by trying to represent it with a confusing image. The authors provide a thorough discussion of authentication purposes and methods, as well as password encryption and strength. Yet they provide no rationale for setting the default values for usernames, passwords, and e-mail addresses to " " simply because the columns are non-nullable. After all, a record would only be added to the table if those values were known. Also, in their validateUsernamePassword() function, they've mistakenly commented out the first "return FALSE;" and they create unused variables $username and $password.

Chapter 8 provides an overview of various types of encryption, particularly for passwords, and some recommendations for PHP-supported algorithms. One blemish in this discussion is the claim that the longer the key for decryption, the longer it will take for your application to load the data (presumably the encrypted text) — which doesn't make sense. Also, their password() and login() functions reference class member names of an object not yet defined or explained. Code out of context like this can be confusing to the reader.

Sessions are a key component of maintaining and securing the identity of an authenticated user as she goes from one page to another in your PHP application. In Chapter 9, the authors describe the three major categories of session attacks: fixation, hijacking, and injection. The next chapter addresses cross-site scripting (XSS), but runs only three pages, and provides no examples of an XSS attack, which would have been helpful for the reader to understand how such an attack could try to compromise his PHP code, and what sort of malicious code to look for in his site. However, references to four open source XSS filtering projects are provided, in case the reader would like to learn more about them.

The fifth part of the book is devoted to securing whichever server environment on which you choose to host your application — Apache and MySQL, or IIS and Microsoft SQL Server, as well as PHP. In the chapter on PHP, the authors present the Zend Core release of PHP, which can save developers time in installing components of the LAMP stack, and also save them from reinventing the wheel, by using the Zend Framework. Other techniques for hardening PHP are discussed. Chapters 14 and 15 explain how to use automated testing and exploit testing, to increase your application's security, using powerful exploit testing tools — free and proprietary.

The sixth and final part of the book contains two chapters, which purportedly discuss the advantages of designing security into a new application right from the start, and how to improve security in an application that has already been built. In the former chapter, the authors stress the importance of balancing no design ("Skip reading Slashdot for one day...") and too much design (i.e., stalling). But the material mostly consists of the basics of designing a Web application, with no new information on security, and concludes with a brief reiteration of security principles detailed in earlier chapters. The latter chapter offers some good advice on having separate development and test environments, in addition to the production environment. The principles expounded in each of the two chapters, do not overlap at all, and yet together they apply equally to new applications under development just as much as they do to finished applications; splitting the principles up does not make sense.

Sadly, the book does not live up to its potential. In general, much of the sample code is sloppy, as exemplified by the instances noted above. The authors and the technical reviewers should have tested the attacks, and thereby found which ones don't work. Even the HTML should not be used by any new Web developer as an example of quality code that adheres to leading standards. In the HTML that they have their sample PHP code generate, the tag attribute values are in single quotes, and not double, which means all of that code would need to be changed to make it compliant with XHTML 1.0. Moreover, by choosing to use single quotes for both the attribute values and the PHP strings, the authors end up having to escape every single attribute value quote mark, which wastes space and looks ridiculous. They repeat this at the end of Chapter 6, but this time with all double quotes. Also, some of the technical decisions are rather odd, such as their setting those default values to spaces in the user table, noted earlier. A few terms are used strangely, as well, such as their statement that IIS's footprint is the number of entry points to it; actually, a Web server software's footprint generally refers to how much memory it consumes. Every chapter ends with a summary, titled "Wrapping It Up," none of which add any value to the book. There are at least three technical errata in the book that should have been caught: spaces in "u + rwx, go + rx" (page 76), and the invalid addresses "www.blog/modsecurity.org" (page 215) and "www.ballad-nonfiction/SecuringPHP/" (page 288; adding ."com" does not fix it).

On the other hand, the book's marketing copy claims that "Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals..." and that is certainly a fair claim. Most of the explanations are straightforward and informative. As a side note, kudos to Addison-Wesley for printing this book on recycled paper; one can only hope that all publishers adopt that policy.

The primary value of Securing PHP Web Applications is that it touches upon security topics that are often glossed over or completely neglected in other PHP security books and articles. This is important, because online miscreants will be searching out every possible chink in your Web site's armor. You should do the same, before they strike — and this book shows how.

Michael J. Ross is a freelance Web developer and writer.

You can purchase Securing PHP Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Use .NET instead

[Anonymous Coward]

PHP has been bloated since 1.5, and the new .NET libraries offer improvements over all of PHP's core services. Why bother trudging through the maze of PHP gotchas, when .NET security is just a wizard away?

Re:

[MightyMartian]

Um, because some of us want to write portable apps that aren't dependent on a single vendor, and don't want to be double-screwed by the forever-not-quite-up-to-date Mono libs. There is a world beyond Microsoft, and besides that, people in glass houses shouldn't throw rocks. I wouldn't exactly go to Microsoft for security.

But I agree that PHP sucks, it's the BASIC of this decade. It's a godawful mess of a language that simply permits idiots too much capacity for getting ill-running programs up with little

Re:

[Gondola]

Anyone can pick up PHP in a few short online lessons and make something productive in an afternoon.

Yes, inexperienced web developers can throw up insecure, poorly-designed sites. Yes, PHP could have more built-in security measures.

However, it's not rocket surgery to create your own standards and libraries to help with security once you have a little knowledge and experience.

Re:

[MightyMartian]

Not really. I can get the source for PHP and do what I like with it. Mono is not in the same category, by any stretch.

Re:

[tepples]

Not really. I can get the source for PHP and do what I like with it. Mono is not in the same category, by any stretch.

What do you mean? Mono is free software [mono-project.com].

Re:

[MightyMartian]

And Mono is, to one extent or another, a reverse-engineered product. You're now not only reliant on Microsoft, but also on the Mono project's ability to get it right. Mono is not .Net, and quite frankly I think there are enough questions about legal encumbrance that I would never use it.

Re:

[Bill, Shooter of Bul]

Its adhering to a standard it does not itself control ( or really have full access to in some cases) . Changing it could cause it work in incompatible behavior compared to .NET Which may cause third party libraries/applications to not work as expected. Its like a moon of a planet, rather than a planet of its own. Its orbit, is therefore more complex than a simple two body problem.

Re:

[Bill, Shooter of Bul]

Its a matter of degrees. Planet -> moon. Mono is a second implementation of a spec. Not the first, which means that there are going to be some discrepancies from the first implementation which may cause compatible issues. Take a look at WINE. Another pseudo reverse engineering of a Microsoft product. IT still isn't compatible with everything that runs on windows, even though its free. So I guess the point is its freeness ( while good) does not mean that the thing its trying to replicate is 100% supported

Re:Use .NET instead

[NotBornYesterday]

Security from a MS wizard? Maybe they could teach Clippy to implement security in development!

Hi there! It looks like you are passing user input to an SQL statement. Would you like to:
A) Sanitize your input before going any further.
B) Sanitize, schmanitize, just code that sucker together. We'll iron out the kinks later.
C) Huh? Why would that be a problem?

That Would Be Too Distracting

[Greyfox]

Clippy is undressing me with his eyes. The sexual harassment lawsuit is ongoing. I don't think I could take security advice from someone like that.

Can you just block by country?

[tjstork]

A lot of bogus traffic comes from countries that don't offer much in commercial value. I'm wondering if you could just configure Apache to just refuse connections to certain countries, or take them to an alternative page. Like, "404, We're sorry Russia, but you have too damned many crooks."

Even still, one wonders if ISPs offer that service as well.

Re:Can you just block by country?

[myVarNamesAreTooLon]

That would work well, people from other countries would NEVER think of spoofing their address.

Re:

[Chandon Seldon]

This is a bad idea.

The only thing it might stop is automated scans, and your application shouldn't have those holes to begin with. It'll have basically no effect on targeted attacks (attackers know about proxies), and it will annoy the hell out of the - unknown number of - visitors you would have from these countries.

Re:Can you just block by country?

[InsertWittyNameHere]

Ok, but that might backfire. Take this hypothetical situation as an example:

Let's say a Nigerian prince recently became the beneficiary of a large sum of money. Now in order to access that money he needs someone to lend him some seed money in order to fund the process to facilitate the release of said money. In return for the help, he promises to reward the lender generously.

If he can't reach you with his urgent message YOU will be the one losing out!

Re:

[neoform]

Get an IP2Location database, there's a bunch of free ones on the net. Then do a lookup based on $_SERVER['REMOTE_ADDR'] at the beginning of all your scripts.. there might be an apache mod for this, but I've never used such a thing.

Re:

[clarkkent09]

A lot of bogus traffic comes from countries that don't offer much in commercial value.

Depends on what you're selling. If your products have global appeal, you might well be losing some customers from Russia. I have setup and maintained credit card processing system for a number of sites and in my experience about 95% of customers are from USA and Europe, the remaining 5% split between Australia, Japan, S. Korea, Russia, Israel, and very occasionally a South American or one of the wealthier Arab countries.

Re:

[shutdown -p now]

A lot of bogus traffic comes from countries that don't offer much in commercial value. I'm wondering if you could just configure Apache to just refuse connections to certain countries, or take them to an alternative page. Like, "404, We're sorry Russia, but you have too damned many crooks."

For one thing, if you have security vulnerabilities, does it really make much difference to you whether they'll be exploited by a guy in Russia, or a guy in USA? Because they will be exploited if they're there.

There's one more thing. Personally, if I ever stumbled onto a web site that blocked me because of my originating country, I would be very annoyed. In fact, I might actually be sufficiently annoyed to waste my precious time finding a proxy, and then thoroughly checking that site for vulnerabilities, si

Re:

[shutdown -p now]

Yeah, there is a difference. In the USA, I can call the cops and they can go after someone in the USA. Even if it were the EU as a source, I could call the cops from that nationality, or American law enforcement could look for extradition, and vice versa. But Russia has obviously no interest in enforcing any sort of law on the internet, unless its someone making fun of Putin, in which case, they will be shot.

I can assure you that it's nowhere near as bad as that. I've made fun of Putin on many occasions, and not only I wasn't shot, but they've actually let me left the country.

You only get shot if you start making fun of Putin on TV in prime time, or something like that. Even then they won't shoot you - why? they'll just grab you for tax evasion, all nice and civilized.

Anyway, if you're really willing to block entire countries, consider who are you aiding in case of Russia/China/Iran there - if blocking becomes

what no AJAX

[ianare]

AJAX is probably the biggest security hole, even in a well designed application. Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

I find it very disappointing that this book doesn't cover that. Even if not an in-depth analysis, which could well require its own volume, at least a chapter on basic concepts.

Because otherwise PHP security is actually pretty simple. There's only 3 major rules :
Never trust anything from outside : filter/validate all user input.
Don't display error messages on production servers.
Wrap system binaries in scripts rather than executing them directly.

Re:what no AJAX

[dedazo]

Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

Well yes, but usually you're doing cookie-based authentication, which flows with out of band requests as well. So it's no different than a normal POST operation. Ajax is not particularly less or more secure, unless you have an insecure app to begin with.

Re:

[fractalus]

Cookies + no XSRF protection = exploit.

Re:

[Jaime2]

A lot of people have been doing security in the presentation layer for years and some of them don't realize that AJAX gives clients an easy way to bypass the presentation layer. It doesn't matter how well designed the authentication system is if the attacker is a valid user.

Re:what no AJAX

[truthsearch]

I don't understand your point. From the server's perspective an AJAX request is identical to any other. So how does securing your server change if the request is AJAX?

Re:

[SatanicPuppy]

The number of people who don't know how to lock down a database astounds me. Whitelist IPs, use low privilege users, never re-use users between applications.

If you screw up your injection scrubbing, and someone sends in a "Drop tables" injection on a user who doesn't have those permissions, there's no issue. Likewise, lock the user down so it only has access to specific data...Never give a user the ability to touch a system table if they're used for a public app.

I don't allow deletions most times, I just ad

Re:

[MightyMartian]

This is a pretty damned good component, and goes to show you that security should be thought about like layers of onion. Due diligence at every layer means that even if worst comes to worst (say, there's a serious flaw in the interpreter itself), that there's something below that that can catch, or at least minimize the extent of the breach. Having your app access a user with privileges like "drop table" is nuts, no matter whether you think you have ironclad security on the app itself.

Re:

[ianare]

Securing the server doesn't change, and if you follow proper security guidelines you will be generally OK. It's just that AJAX does add complexity, and any time complexity increases, so do potential exploits.

For example some devs will forget that the return needs to be tested not to contain potentially dangerous information ... things like DB structures or users, info only visible to certain users, etc. Quite often this may be debug info that needs to be turned off on production, but because it's hidden und

Re:

[Tom]

sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

And if the obscurity of your URL and parameters is what you call "security", then you probably shouldn't be writing any apps, and PHP, Ajax or whatever is not where your problem is.

Can someone explain

[MyLongNickName]

Why securing a PHP application would be any different than securing an application written in any other language. I mean is PHP really the only language where you need to sanitize database inputs? Or is this just another principles of security where they inserted code snippets from [insert your language here].

Re:

[seebs]

Probably more a question of "since you're probably writing in PHP, here's some security stuff". PHP's not my favorite language for security-related things; it doesn't necessarily do much to encourage or help with sanity checks.

Re:

[nxtw]

I mean is PHP really the only language where you need to sanitize database inputs?

PHP and classic ASP are the only languages I've used that did not provide a convenient method for parameterized queries. (I no longer use either - classic ASP is dead and I avoid PHP.)

In Java or .NET, it's much easier to use paramaterized queries & has been for quite some time - it is common practice.

Get Chris Shiflett's book instead

[MattW]

What qualifies these authors to even write on these topics? Do they engage the community of PHP developers at all? Do they have the exposure to enough environments and circumstances and code to be effective authors on the topic?

Chris Shiflett is the CTO of OmniTI, arguably one of the biggest PHP development braintrusts around. Several of the Schlossnagle family work there (and it used to include George, who wrote the awesome Advanced PHP Programming. Chris wrote Essential PHP Security, and also maintains a blog that has a lot of good stuff.

If I was buying one, I'd buy Chris's book.

Re:Get Chris Shiflett's book instead

[Dirtside]

Since you're already at +5, I'll just concur with your post. I've met Shiflett, and he knows what the hell he's talking about.

Also, his book is about 1/3 the length of this one, and from what I can tell, contains more or less all the same info ;)

Re:Get Chris Shiflett's book instead

[wrballad]

I am one of the authors of this book. We had several gigs hardening PHP applications for developers who where self taught, this is what qualified us to write the book (and yes we were engaged in that PHP community). I agree with your main point, if you are a slashdot reader, buy Shifletts book, its probably the best on this topic. My book was not meant for you. If you know someone who is not a hard-core techie writing a PHP website, please point them at mine...if they can comprehend what we wrote and are hungry for more, then point them at Mr Shiflett. Honestly most security books would go over our intended audience's head, we tried to write this in a straight forward manner that a non-techie could easily grasp. This did lead the book to simplify some ares. We felt that it was better to at least try to have some security then none at all. If you look at the book you may notice that we explicitly list Chris' book as a invaluable resource for further study.

Re:

[trawg]

My mod points just vanished today, but if anyone else has some this is prolly worth modding up to clarify the differences between the books.

No language is secure

[mlwmohawk]

PHP is not inherently more or less secure. That's just marketing language to get you to buy the book.

All public access to systems via any language creates potential security holes, ESPECIALLY when terms are accepted from users and used in conjunction with database queries.

One of the biggest risks, and we are ALL GUILTY, is the use of things like printf to construct a query line. Technically, you should prepare a statement and then execute the statement using the parameters as terms. Not only is this faster,

Re:

[Qzukk]

is the use of things like printf to construct a query line.

That's just dumb. If you're going to go through the trouble of getting everything in just the right order for printf to fill in those %s placeholders, what the heck are you doing using printf?

I can understand
$sql="SELECT * FROM foo WHERE day<='$maxdate'";
because then at least you have the excuse of adding on a
if ($mindate) { $sql.=" AND day>='$mindate'"; }
which back in the bad old days of using "?" as placeholders in a prepared query would ha

Database Side

[Tablizer]

One technique for security is to limit the visible data to only what the web-app's DB login can access. For example, limit the app's login user-name to pre-defined read-only views, and stored procedures for the write stuff. Thus, if the hacker is able to inject her way into the SQL interpreter, she can only read and change what has been pre-allowed at the maximum, which is often only what the app allowed anyhow. It's a bit tedious, but that's the cost of security.

Such a load of crap

[Secret Rabbit]

I'm *really* getting sick of people saying that programming language X is inherently insecure. It's total bullshit. EVERY language has its pros and cons and unless the INTERPRETER has an issue, then it's NOT the languages fault. And since EVERY INTERPRETER has had flaws in it, that can_not_ be the criteria for whether a *language* is secure or not.

In other words, STOP BLAMING THE LANGUAGE FOR THE FOLLY OF THE PROGRAMMER. Just because PHP has been used by some idiots does _not_ make it an "inherently ins

Re:

[TheSunborn]

The problem with php is that they made the insecure feature first, and told people to use it. Then they found out it was insecure and fixed it by making an other safer way to do the same thing.

Examples include the entire way mysql is accessed. First they made mysql_query which is very very difficult to make secure, because it require the developer to manually escape all
input that need to be escaped. (Not to talk about the fuckup with both having a mysql_escape_string() and then finding out it's not good eno

backups and Vernam algorythm

[Max_W]

I would add as a security measure to be able to reinstall a web application from a recent backup immediately. Any place, any time, on a very short notice. Just have the recent backup ready to upload. Or even several of them, if one for some reason is corrupted.

I experienced an SQL attack which destroyed one of MySQL tables. I reinstalled it from backup and corrected the breach a month later. I mean a hacker most probably will not be watching your website day and night and attack it as soon as it is back

Re:God Hates Fags!

[Leafheart]

Linux Torvalds (snip.) Linux Torvalds (snip.) Linux Torvalds (snip.) 'Linux Torvalds?' (snip.) Linux Torvalds (snip.) Linux Torvalds's

Who is this Linux Torvalds you keep talking about? Is that a new distro I don't know?

Re:

[Savage-Rabbit]

Who is this Linux Torvalds you keep talking about? Is that a new distro I don't know?

Linus Torwalds' firstborn son?

Re:

[thetoadwarrior]

Purely replying to a troll does not automatically mean you've been trolled.

Re:

[Goaway]

No, but taking blatantly obvious bait like "Linux Torvalds" sure does.

Re:

[Atriqus]

Wow, that was one hell of a typo. It's spelled "First Post."

Re:Just don't

[FredFredrickson]

Things like this always surprise me when I hear them.

Making a secure PHP web app is not that hard.

-Make sure to keep globals off (or initialize all variables before using them.
-Sanitize all inputs before getting to the database.
-Always sanitize user-inputted data before displaying it on screen (strip_tags)
-Check permissions on every page. (Make sure I can't change id=17 to id=18 and see things I shouldn't.)
And so on...

Honestly, it's not some mysterious voodoo, it's very basic procedures (like these) that all programmers should get in the habit of doing, no matter what language you use.

Re:

[Zero__Kelvin]

I know what you mean. It's like heart surgery. All you do is:

1. Cut a guy open
2. Put him on bypass
3. Do a little tweaking
4. Take him off bypass
5. Sew 'em back up

I'm not really sure why people think it is so hard!

The fact that you think it is easy means you are unable to do it properly and don't know that you don't know.

Re:Just don't

[FredFredrickson]

As a programmer, I probably couldn't do what a heart surgeon would do. But as a programmer, I can do what programmers do. Part of my job is security. Some times its tedious, sometimes I miss things. But it's not magic or voodoo. And I believe the heart surgeon doesn't beleve what he does is voodoo either.

As a programmer

[NotQuiteReal]

If I had to, under certain circumstances, I would take a stab at doing what a heart surgeon would do. If it didn't go right, then I might consider reading up on the procedure.

However, if the patient survives long enough to be released, I am confident that I could simply document any lingering anomalies he might suffer as a feature, not malpractice.

Re:Just don't

[Ironica]

Let me guess... Zero_Kelvin makes his living as a software security expert. And, if ordinary programmers were to think that they could (*gasp*) write secure code all by themselves, he'd be out of a job.

Website software security is important, and not blatantly easy... but I don't know that it's soooo specialized that it needs its own entire profession.

Rather than comparing software security experts to heart surgeons, maybe we could compare them to professional babyproofers. They would have you believe that, until they get done, your home is a deathtrap to your munchkin, and there's just no way you could POSSIBLY have accounted for all the hidden dangers. Unless, of course, you spent a little time on the web, finding out about common causes of injury and death in home accidents for children in your offspring's age group, and maybe oh, I dunno, paid attention to your child to see what they are likely to hurt themselves doing.

It's not that they're useless, but they're doing something for you that, with some time and effort, you can do yourself. It just depends on whether you have more money to hire another body, or more resources on staff that can be developed to do things right in the first place.

Re:

[Ironica]

I actually specifically said it was NOT easy (well, not "blatantly easy" anyway). But heck, programming (well) is not easy. Almost anyone can write code that does something, but it takes thought, planning, skill, and training to write code that does something efficiently, securely, and with a well-designed interface. Are you also of the opinion that "programmers" should not be entrusted with interface design? A specialist should come in and tell them how the website shall work from the point of view of

Re:Just don't

[mikael_j]

The fact that you think it is easy means you are unable to do it properly and don't know that you don't know.

Or it's possible that, you know, he's an experienced developer who's got enough experience with PHP that to him it really is easy.

/Mikael

Re:

[Anubis350]

If that were true, he would have gone through all of the effort to get to the point where it was easy for him , and would know full well that it wasn't easy to get there at all.

While the OP may have had a couple flaws in the analogy (and hey, no analogy is perfect), it does account for this. I know a *lot* of doctors from most common branches of medicine, and the amount of times you hear the phrase "it was a routine..." when they talk about their day is impressive, just as I would have a routine day in research.

It may not be easy to get to that point, but that doesnt mean every single thing is prefaced with "So, I took 15 years to learn this, but..."

The OP was right, the procedure

Re:

[thetoadwarrior]

A good programmer writes secure code (otherwise what's the point of the code?) so if you need to hire a security specialist then something has gone wrong.

Sure someone should test it once it's complete but that doesn't mean the programmer doesn't know what he's doing in regards to security.

Re:

[Knara]

After reading the last 3-4 posts you put up in this thread, the only thing I've come away with is:

Man... it sure must be hard to walk around with that large of a chip on your shoulder.

Re:

[billcopc]

Heart surgery, auto repair, cooking... once you learn how it works, it's easy.

What these things are not is OBVIOUS. An untrained goon will have a hard time figuring out heart surgery without some kind of training. That same goon will also not have the slightest clue how to fix an ailing piece of shit car. Why would we somehow magically believe the goon is capable of writing secure PHP code ?

None of these jobs are unnecessarily complicated, once you learn what the hell you're supposed to be doing. The p

Re:

[Phil John]

What about protecting against CSRF?

That one's fun because even if you use tokens in forms, if you have even 1 XSS vulnerability any countermeasures are rendered useless.

Re:

[FredFredrickson]

My list wasn't exhaustive, but you can eliminate XSS by scrubbing all your inputs. If the only thing a user can post is plaintext and some bbcode, that's all they'll post.

Another cool one that I'm surprised Myspace hasn't used:
A great way to kill phishers is using the out-bound warning page. Re-code all outbound hyperlinks to a "Warning, this is no longer myspace" page, then allow them to click the url.

Re:

[aftk2]

Myspace does that.

Re:

[merreborn]

Another cool one that I'm surprised Myspace hasn't used:
A great way to kill phishers is using the out-bound warning page. Re-code all outbound hyperlinks to a "Warning, this is no longer myspace" page, then allow them to click the url.

Yeah, that's a great way to make your users more aware of potential phishing attempts, except for the fact it's fucking terrible from a usability perspective.

Sure, you might help a few mouthbreathers realize they're being phished, but frankly, they aren't going to read your wa

Re:

[thetoadwarrior]

His idea is sound and in use on numerous sites in different ways. The idea is to warn the user when they're leaving the site. That doesn't necessarily require a extra page but if you do it then you can have it automatically move onto the link after a short period and it's still only make you click once.

No he doesn't

[dblackshell]

For CSRF to work the attacker has to be able to inject his own content into your site that a victim can then come by and download.

I don't know what you are talking about, but it seems partially XSS combined with some malware...

CSRF is something else...

http://slashdot.org/my/logout [slashdot.org] - this is a CSRF link

Re:

[encoderer]

That's a good illustration: You just injected content that I downloaded. In your case, it was the link.

Sure, there are a lot of apps that have some sort of facility for this. But there are just as many that don't.

Re:

[LurkerXXX]

"Sanitize all inputs before getting to the database."

NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things)
before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

If you use a well parametrized stored procedures/prepared statements you don't have to worry about any idiots trying to do sql injection, nor how you

Re:

[kuzb]

NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things) before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

More important than sanitization is actual validation. Is it supposed to be an integer? Check that first. If the input is no good, reject the whole thing before it gets in to your query in any way,

Re:

[SgtChaireBourne]

"Sanitize all inputs before getting to the database."

NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things)
before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

If you use a well parametrized stored procedures/prepared statements you don't have to worry about any idiots trying to do sql injection, nor how you or someone else may have botched your sanitizer.

That is correct, but PHP programming is taught generally as the blind leading the blind. I usually say PHP will be fine for those that are already quite good at C. The sanitizers have often been very disappointing when looking under the hood. Quite often there is no real parsing going on, simply global search and replace which can be gamed.

Use of parametrized stored procedures and prepared statements needs to be part of the introduction to databases with any language. The APIs are there, they're docum

Re:

[thetoadwarrior]

It's always best to write your own sanitizers than to rely on what PHP provides. PHP, in general, is a bit of a shit language in the sense it feels like a hobby project. So, in my opinion, you should always write your own sanitizers.

Re:

[kuzb]

I completely agree. In a lot of cases, it's not the language which is the problem. It's the programmer. They run out and learn PHP from some outdated tutorial that had bad practices without understanding their implications. Too many people spend a week with the language and then think they are somehow experts. PHP can be made as secure as any other language out there. The trick is to actually read the manual, and learn the pitfalls.

Re:

[thetoadwarrior]

That's web development though. In a lo of instances there are programmers that are interested in making something but not making it properly so they haven't learned the finer points of programming because that'll take time and get in the way of making the next great web 2.0 app.

Re:

[Otto]

It's a conundrum indeed. Trying to convince web hosts to support PHP 5 has been an uphill battle for years and years, and major software like WordPress won't move past PHP 4 compatibility because some web hosts still don't support it.

We really need to get rid of PHP 4 everywhere. It would help a lot with this sort of thing.

Re:

[Lord Ender]

And yet I spend lots of time cleaning up after developers who think they understand security; they even list their security skills on their resumes. They just keep getting it wrong.

Re:

[FredFredrickson]

No doubt, not everybody lives up to their own hype. Some people aren't nearly as qualified as they think they are. I'm sure neither you nor I are exempt from this. It's easier to find something wrong with somebody's code, than to code it correctly in the first place. It's nice to have a second pair of eyes for that reason.

That being said, it's still not rocket science, or magic. It's just tedious, and requires forethought. Considering all the angles is important. When you get into the habit, it becomes sec

Re:

[Count Fenring]

I'm mostly with you, except that PHP does have a fantastic amount of brain damage. It is actually a problem that there are multiple escaping and sanitization functions, all of which look like the right thing, but most of which are dangerously flawed.

Sure, it's the security-conscious programmer's job to know the difference; but it's still dumb as hell of the language designers to add an unneeded potential gotcha for no good reason.

Re:

[thetoadwarrior]

I've taken courses run by security firms and take a general interest in security so yes I would feel confident enough to put it on my CV knowing I don't get it wrong.

Re:

[Goaway]

Always sanitize user-inputted data before displaying it on screen (strip_tags)

Except strip_tags will not save you in all cases. As a matter of fact, it's probably better to never use that function.

This is why PHP is viewed as insecure - it puts in tons of these pitfalls, and makes it LOOK like you're doing the right thing, while you are actually happily shooting yourself in the foot.

Re:Just don't

[Anonymous Coward]

A developer who read a book on security will get security wrong.

So I guess we have to tell Bruce Schneier that his "Secure Programming for Linux and Unix HOWTO" book is simply useless.

Re:Just don't

[PotatoFarmer]

So I guess we have to tell Bruce Schneier that his "Secure Programming for Linux and Unix HOWTO" book is simply useless.

We? Who is this 'we'? You tell him, I'm not going anywhere near Bruce while you're in the process of making him angry.

Oblig. link to Schneier Facts [geekz.co.uk]

Bruce Schneier != David A. Wheeler

[dwheeler]

Thanks for the plug for Secure Programming for Linux and Unix HOWTO [dwheeler.com]. But I wrote it, not Bruce Schneier. Schneier has written other books, such as "Applied Cryptography" and "Schneier on Security".

Re:

[Joe U]

Or at least take the time to validate all your input. Geez, if I had $1 for every time someone wrote an app that didn't properly validate.

Re:

[Zero__Kelvin]

I'd rather have a dollar for everyone who said: " all you have to do is validate your input !" when they had no idea to do so properly themselves. I am quite certain that 90% of the people saying that make an attempt at validating that they think is successful, when in fact the validation logic is thoroughly flawed. You might not be one of them; I'm just making a point.

Re:

[Joe U]

No, they think I'm insane when I design validation systems. I'm also big on using allow/deny all type filters.

Client validation. (Just for kicks, it potentially stops a roundtrip)
App Server validation. (I don't trust my users)
DB validation. (I don't trust my app coders)

Re:

[cbiltcliffe]

.....Geez, if I had $1 for every time someone wrote an app that didn't properly validate.

....then you'd be almost as rich as me, if I had $1 for every time someone wrote a web page that didn't properly validate.

And I'd be almost as rich as random_grammar_nazi, if they had $1 for every time someone wrote a sentence that didn't properly validate.

There's a running theme here, in case you hadn't noticed. People, as a general rule, suck at following rules that don't have obvious, immediate consequences for breaking them.

Re:

[Anonymous Coward]

Or at least take the time to validate all your input. Geez, if I had $1 for every time someone wrote an app that didn't properly validate.

Uh oh, I forgot to validate $1 !

Re:

[ericspinder]

A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

And specialists come from where? Are these individuals born with an innate knowledge of PHP security, or are these skills passed from father to son, mentor to apprentice? No, they get their knowledge from books, lectures, and websites; they read and learn (hopefully). I'd say the the best are likely senior developers who've developed a specialty.

Acting like security isn't in the realm of the developer is a particularly dangerous statement, and I really do hope that it's just a joke. As it's one of t

Re:

[merreborn]

A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

Any developer who doesn't qualify as a "security specialist" by your definition has no business writing code in the first place.

Write secure code, and draft secure designs from the beginning. If you're a developer, security is your job, not an afterthought for someone else to layer on after the fact.

Re:

[thetoadwarrior]

I take it you're an out of work security specialist looking to promote yourself, correct?

Re:

[Lord Ender]

No, I have a job. And forensics to clean up after the hack bills at a much higher rate than the preventative measures do, actually.

Re:

[TheSpoom]

In other words, "Give me money, there's no other way! You people can't learn my craft, it's just too complicated! Only I can secure your applications, stupid developers!"

Re:tl;dr;

[ianare]

Not a problem. It's in my own word though.

PHPisaninherentlyinsecurelanguagesousecaution

Re:

[Zwicky]

Could some summarize the review using one word or less?

I'll be honest, I'm struggling to find just the right word. When I do I'll be sure to let you know. Nonetheless until then I can meet the 'or less' requirement. Here's my summary:

!

Hope this helps.

Re:

[cbiltcliffe]

Are you for real?

No. Otherwise they wouldn't have posted AC. .....just like you.

Re:

[ianare]

It's true that using frameworks makes things a lot easier, especially for filtering and validation. But a good understanding of why certain things have to be done is more important in the long run. I've seen the best frameworks destroyed by programmers bypassing major security precautions out of laziness or for "performance tuning".

"inherently insecure" is a bad phrase

[MattW]

One might be charitable and infer they meant that PHP is inherently insecure, as in - if you don't take steps to properly write secure code, it won't be secure. But is that true of any language used in web programming? You're providing a service often trusted with secure data to a bunch of effectively anonymous clients.

PHP has a pedigree which includes a lot of poor design decisions about security, but it certainly is very much possible to write secure PHP code, and lots of places do it.

Re:inherently insecure?

[benjymouse]

1. Culture. For a long time the mysqli library did not allow the use of parameterized queries leading to the unhealthy culture of concatenating or interpolating sql queries and even "require" arguments.
2. Easy entry with little architectural guidance which leads beginners down the dangerous paths.
3. Poor design decisions such as (just examples)
   1. the ability to "require" scripts from foreign servers.
   2. stupid type coercion such as 1 == "1more" is actually true.
   3. super-weak type system, meaning that you can never trust what you expect to be an integer to be just that.
   4. stupid attempts to accomodate developers and save LOCs by introducing "magic quotes", superglobals and the ability to "automagically" map query parameters to global variables.
4. The fact that PHP is merely a glue layer, relying on binary extensions written in C with the usual buffer overflows, memory corruptions etc.
5. etc etc etc

Re:

[Terrasque]

You forgot the (IMO) most important one:

6. Much of the example code starters learn from looks like it's been coded by a retarded monkey who's just raided the LSD factory.

Re:

[TheSpoom]

Culture. For a long time the mysqli library did not allow the use of parameterized queries leading to the unhealthy culture of concatenating or interpolating sql queries and even "require" arguments.

And now it does. And there were other libraries that supported parameterized queries prior to mysqli supporting it. I agree that there are beginners who give the rest of us a bad name by not coding for security to begin with, but to say that that makes the language itself insecure is an unfounded assertion.

Easy entry with little architectural guidance which leads beginners down the dangerous paths.

The fact that the language is easy makes it insecure? So I guess we should all be programming in assembly to be completely secure? Oh, wait, that's stupid, since it's just as easy to have a buffer ove

Re:

[nxtw]

You could say the same about ASP.NET, yet it's used by huge enterprises.

Have you used .NET or Java? Quite a bit of code runs in the CLR/JVM, incluing things like text processing / XML libraries and many database drivers. For code only using .NET or Java (no native calls), buffer overflows are simply nonexistent, unless there's a problem in the CLR/JVM. Many applications only use native calls for network communication, through the (very frequently used) system libraries.

Re:

[TheSpoom]

...unless there's a problem in the CLR/JVM.

Which is effectively similar to the claim that something could be wrong in either the PHP binary or an extension. Since PHP doesn't use pointers, buffer overflows in PHP code itself is likewise practically non-existent.

Re:

[TheSpoom]

I <3 CakePHP (though I like Auth as opposed to ACL).

Re:

[Otto]

+1 for use of frameworks.

I'm not big on CakePHP though. Strikes me as confusing. I like the more minimalist Zend Framework for my day to day stuff.