How to Secure Your PHP Script (PHP SECURITY)

Discussion in 'Tech, Gadgets & Science Forum' started by Given Edward, Nov 7, 2011.

  1. Given Edward

    Given Edward Verified User

    #1
    Nov 7, 2011
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    Personally I don't know PHP very well. In fact, I'm completely a beginner. But the little I learn I share with you guys here at JF so that we can develop our skills and build a better tomorrow.

    When you offer a service that runs over the internet, security has to stay on your mind while you type your code. It may look as if many PHP scripts are not sensitive about security matters; this comes from the large number of inexperienced programmers working in the language. However, there is no reason for you to have an inconsistent security policy based on a rough guess at your code's significance. The moment you put anything financially interesting on your server, it becomes likely that someone will try to casually hack it. Create a forum program or any sort of shopping cart, and the probability of attack rises to a dead certainty.
    Here are a few general security guidelines:

    Don't trust forms

    Hacking forms is trivial. Yes, by using a silly JavaScript trick, you may be able to limit your form to allow only the numbers 1 through 5 in a rating field. But the moment someone turns JavaScript off in their browser, or posts custom form data, your client-side validation melts like ice in a frying pan.

    Users interact with your scripts primarily through form parameters, and so they are the biggest security risk. What do we learn from this? Always validate the data that passes into any PHP script.

    Don't trust users
    Assume that every piece of data your website gathers is laden with harmful code. Sanitize every piece, even if you're positive that nobody would ever try to attack your site. Paranoia pays off.

    Turn off global variables
    Make no mistake: the biggest security hole you can have is having the register_globals configuration parameter enabled. Mercifully, it's turned off by default in PHP 4.2 and later.
    Novice programmers treat registered globals as a necessity, but don't realise how dangerous this setting is. A server with global variables enabled automatically assigns global variables to any form parameters. To get some idea of how this works and why it is dangerous, let's look at this example:

    Suppose you have a script called process.php which inserts form data into your user database. The original form looks like this:

    PHP:
    <input name="username" type="text" size="15" maxlength="64">  
    When you run process.php, PHP with registered globals enabled puts the value of this parameter into the $username variable. This saves some typing over accessing it through $_POST['username'] or $_GET['username']. Unfortunately, this also leaves an opening for security problems, because PHP sets a variable for any value sent to the script via a GET or POST parameter, and that is a big problem if you didn't explicitly initialize the variable and you don't want someone to manipulate it.
    Look at the script below, for example: if the $authorized variable is true, it will show confidential data to the user. Under normal circumstances, the $authorized variable is set to true only if the user has been properly authenticated through the hypothetical authenticated_user() function. But if you have register_globals active, anyone can send a GET parameter such as authorized=1 to override this:

    PHP:
    <?php
    // Set $authorized = true only if the user is authenticated.
    // Note that $authorized is never initialised to false first; with
    // register_globals on, a request parameter can supply its value.
    if (authenticated_user()) {
        $authorized = true;
    }
    ?>

    Recommended Security Configuration Options

    There are several PHP configuration settings that affect security features. Here are the ones that I use for production servers:

    • register_globals set to off.
    • safe_mode set to off. This parameter doesn't really make anything safe.
    • error_reporting set to off. This is visible error reporting that sends a message to the user's browser if something goes wrong. For production servers, use error logging instead. Development servers can enable error logging as long as they're behind a firewall.
    • Disable these functions: system(), exec(), passthru(), shell_exec(), proc_open(), and popen().
    • open_basedir set for both the /tmp directory (so that session information can be stored) and the web root so that scripts cannot access files outside a selected area.
    • expose_php set to off. This feature adds a PHP signature that includes the version number to the Apache headers. Why would you want to do that?
    • allow_url_fopen set to off. This isn't strictly necessary if you're careful about how you access files in your code, that is, if you validate all input parameters.
    • allow_url_include set to off. There's really no sane reason for anyone to want to access include files via HTTP.
    In general, if you come across code that wants to use these features, don't trust it. Be especially careful of anything that wants to use a function such as system; it's almost certainly flawed.

    Thank you.
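    Added example (not code from the original post): a request handler written the way the post recommends. It reads the rating field from the request array instead of relying on register_globals, validates it server-side as an integer from 1 to 5, initialises the $authorized flag before use, and audits the php.ini settings listed above. All function names are hypothetical; authenticated_user() is a stand-in for the post's function and takes the session array explicitly. The post calls the browser error output "error_reporting"; the php.ini setting that controls it is display_errors, which is what the audit checks.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for the post's authenticated_user(): a user counts as
// authenticated when the session carries an integer user_id.
function authenticated_user(array $session): bool
{
    return isset($session['user_id']) && is_int($session['user_id']);
}

// Returns the rating as an int in 1..5, or null for anything else.
// The value comes from the request array passed in, never from a global that
// register_globals might have populated.
function validate_rating(array $request): ?int
{
    if (!isset($request['rating']) || !is_string($request['rating'])) {
        return null;
    }
    $rating = filter_var($request['rating'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 5],
    ]);
    return $rating === false ? null : $rating;
}

// Always initialise the flag. A request parameter named "authorized" then has
// no effect, with or without register_globals.
function is_authorized(array $session): bool
{
    $authorized = false;
    if (authenticated_user($session)) {
        $authorized = true;
    }
    return $authorized;
}

// Audit the php.ini settings from the post. Returns the names of settings whose
// live value differs from the recommended one (empty array = all as recommended).
function audit_php_config(): array
{
    $wantOff = ['register_globals', 'safe_mode', 'display_errors',
                'expose_php', 'allow_url_fopen', 'allow_url_include'];
    $bad = [];
    foreach ($wantOff as $name) {
        $value = ini_get($name);
        // ini_get() returns false for settings this PHP build no longer knows
        // (register_globals and safe_mode were removed in PHP 5.4); that is "off".
        if ($value !== false && filter_var($value, FILTER_VALIDATE_BOOLEAN)) {
            $bad[] = $name;
        }
    }
    if ((string) ini_get('open_basedir') === '') {
        $bad[] = 'open_basedir';
    }
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    foreach (['system', 'exec', 'passthru', 'shell_exec', 'proc_open', 'popen'] as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $bad[] = "disable_functions:$fn";
        }
    }
    return $bad;
}

// Constructed sample requests: a valid rating, an out-of-range one, a
// non-integer string, and a request that tries to supply "authorized" itself.
$requests = [
    ['rating' => '4'],
    ['rating' => '7'],
    ['rating' => '4 OR 1=1'],
    ['rating' => '3', 'authorized' => '1'],
];
foreach ($requests as $req) {
    $rating = validate_rating($req);
    $auth = is_authorized([]); // constructed: empty session, nobody logged in
    printf("rating=%s authorized=%s\n", var_export($rating, true), var_export($auth, true));
}
print_r(audit_php_config());
```

    Run it from the command line with php; the last line lists every setting on the machine that still differs from the post's recommendations, so it doubles as a quick check of a production php.ini.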
     
  2. Vato

    Vato JF-Expert Member

    #2
    Nov 7, 2011
    Joined: Feb 15, 2009
    Messages: 230
    Likes Received: 1
    Trophy Points: 33
    You've impressed us, master, but what is PHP? In layman's language?
     
  3. Given Edward

    Given Edward Verified User

    #3
    Nov 7, 2011
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    SQL Injection Attacks

    Because the queries that PHP passes to MySQL databases are written in the powerful SQL programming language, you run the risk of someone attempting an SQL injection attack through MySQL in the web query parameters. By inserting malicious SQL code fragments into form parameters, an attacker attempts to break into (or disable) your server.

    Suppose you have a form parameter that you eventually place into a variable named $product, and you create some SQL like this:

    If that parameter came straight from the form, use database-specific escapes together with PHP's native functions, like this:

    If you don't, someone might just decide to throw this fragment into the form parameter:

    Then the result of $sql is:


    Because the semicolon is MySQL's statement delimiter, the database processes these three statements:

    Well, there goes your table.

    Note that this syntax won't work with PHP and MySQL, because the mysql_query() function allows just one statement to be processed per request. However, a subquery will still work.

    To prevent SQL injection attacks, do two things:

    Always validate all parameters. For example, if something needs to be a number, make sure that it's a number.

    Always use the mysql_real_escape_string() function on your data to escape any quotes or double quotes in it.


    --------------------------------------------------------------------------------
    Note: To escape any form data automatically, you can turn on Magic Quotes.
    --------------------------------------------------------------------------------

    Some MySQL damage can be avoided by restricting your MySQL user privileges. Any MySQL account can be restricted to only do certain kinds of queries on selected tables. For example, you can create a MySQL user who can select rows but nothing else. However, this is not very useful for dynamic data, and, beyond that, if you have sensitive customer information, it may be possible for someone to get access to some data that you did not want to be available. For example, a user accessing account data could try to inject some code that accesses another account number instead of the one assigned to the current session.
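    Added example (not from the original post) illustrating the two rules above: the string-built query pattern the post warns about placed next to a prepared statement, plus the "if it needs to be a number, make sure it's a number" check. It uses an in-memory SQLite database through PDO so it runs without a MySQL server (the pdo_sqlite extension is assumed); the products table, its rows and the function names are constructed for the example. A legitimate value containing a single quote is enough to show why the concatenated form is unreliable, while the bound parameter handles it without any escaping.

```php
<?php
declare(strict_types=1);

// Constructed sample database: two products, one with a quote in its name.
function make_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
    $db->exec("INSERT INTO products (name, price) VALUES ('Widget', 9.99), ('O''Reilly book', 30.00)");
    return $db;
}

// The pattern the post describes: $product is dropped straight into the SQL.
// Any quote in the value becomes part of the statement text, so the query
// breaks on ordinary input and can be altered by crafted input.
function find_product_unsafe(PDO $db, string $product): array
{
    $sql = "SELECT id, name, price FROM products WHERE name = '$product'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value travels as a bound parameter and never becomes part
// of the SQL text, so the driver handles quoting and no escaping is needed.
function find_product(PDO $db, string $product): array
{
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE name = :name');
    $stmt->execute([':name' => $product]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Rule one from the post: a numeric parameter is accepted only if it really is
// a positive integer; anything else is rejected before it reaches the query.
function find_product_by_id(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, name, price FROM products WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = make_db();
$input = "O'Reilly book"; // constructed: a legitimate value containing a quote

try {
    find_product_unsafe($db, $input);
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . "\n";
}
print_r(find_product($db, $input));
print_r(find_product_by_id($db, '2'));
var_dump(find_product_by_id($db, '2 OR 1=1'));
```

    With MySQL the same code works unchanged once the DSN points at the server, since PDO prepared statements are the replacement for escaping each value by hand with mysql_real_escape_string(); the mysql_* extension itself was removed in PHP 7.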
     
  4. Mtazamaji

    Mtazamaji JF-Expert Member

    #4
    Nov 7, 2011
    Joined: Feb 29, 2008
    Messages: 5,972
    Likes Received: 27
    Trophy Points: 0
    But how do you know your website is secure, or at least not too weak for a simple attack?

    Here is the answer I got after researching on the net and doing some practical tests.

    Use any web vulnerability scanner application. A few months ago I did practical research using the Acunetix web vulnerability scanner. I found that in Tanzania
    • BOT is the high-profile Tanzanian institution with the most insecure and vulnerable website. It's astonishing when you consider the money and the brains we're told are there.
    • Most high-profile institutions are using outdated, and therefore less secure, versions of CMS scripts like Joomla. Many are still using version 5 of Joomla.
    So it's through tools like that, after a hacker identifies a weakness, that s(he) can use a ready-made tool like an SQL injector to attack and expose a vulnerable site. Firefox has some add-ons like SQL Inject Me and SQL Injection that can also be used to check for weaknesses on a website.

    NB
    Don't use knowledge to do damage. Learn the knowledge of destruction so that you know the destroyers and their methods. Hehe. Use those tools to learn ethical hacking and how to do Information Systems Auditing.
     
  5. Given Edward

    Given Edward Verified User

    #5
    Nov 7, 2011
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    The problem is that people themselves WON'T LISTEN!
     
  6. Given Edward

    Given Edward Verified User

    #6
    Nov 8, 2011
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    Still, no script is 100% secure, or so they say.
     
  7. HT

    HT JF-Expert Member

    #7
    Nov 8, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    To avoid SQL injection, use parametric queries and whitelist columns and tables when you use dynamic queries. I have written my custom framework with a secure database class. I will write an article on db security strategy.
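    Added example (not from HT's framework) of the second half of that advice. Bound parameters only cover values; a table or column name cannot be bound, so a dynamic ORDER BY or table choice has to be checked against a fixed whitelist before it is interpolated. The SORTABLE map, the tables, the rows and the function names are constructed for the example, and an in-memory SQLite database via PDO (pdo_sqlite assumed) stands in for MySQL.

```php
<?php
declare(strict_types=1);

// Whitelist: table => columns a client may sort by. Anything else is rejected.
const SORTABLE = [
    'products' => ['id', 'name', 'price'],
    'orders'   => ['id', 'created_at', 'total'],
];

// Checks the requested identifiers against the whitelist and returns an ORDER BY
// clause, or throws. Only strings that exactly equal a whitelist literal get through,
// so the interpolated text is always one of the names declared in SORTABLE.
function order_by_clause(string $table, string $column, string $direction): string
{
    if (!isset(SORTABLE[$table])) {
        throw new InvalidArgumentException("table not allowed: $table");
    }
    if (!in_array($column, SORTABLE[$table], true)) {
        throw new InvalidArgumentException("column not allowed: $column");
    }
    // Direction is normalised to one of two literals rather than interpolated.
    $dir = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY $column $dir";
}

// Dynamic query: identifiers come from the whitelist check, the row limit is
// bound as an integer parameter.
function list_rows(PDO $db, string $table, string $column, string $direction, int $limit): array
{
    $orderBy = order_by_clause($table, $column, $direction); // throws on bad identifiers
    $stmt = $db->prepare("SELECT * FROM $table $orderBy LIMIT :limit");
    $stmt->bindValue(':limit', max(1, $limit), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)');
$db->exec("INSERT INTO products (name, price) VALUES ('Widget', 9.99), ('Gadget', 19.99)");

// A request sorting products by price works; requests naming a column or table
// outside the whitelist are refused before any SQL is built.
print_r(list_rows($db, 'products', 'price', 'desc', 10));
foreach ([['products', 'secret_column', 'asc'], ['users', 'id', 'asc']] as [$t, $c, $d]) {
    try {
        list_rows($db, $t, $c, $d, 10);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";
    }
}
```

    The same approach applies to any other identifier a client can influence (a column list for SELECT, a table name for a report): keep the permitted names in code, compare the request against them with a strict check, and never quote or escape your way around it.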
     
  8. HT

    HT JF-Expert Member

    #8
    Nov 9, 2011
    Joined: Jul 29, 2011
    Messages: 1,899
    Likes Received: 3
    Trophy Points: 0
    Mh! What about a script that does not take any outside data?
     
  9. Given Edward

    Given Edward Verified User

    #9
    Nov 9, 2011
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    It's like saying a script will not have a POST method, which is impossible unless the script is all about some biography.
     
  10. Given Edward

    Given Edward Verified User

    #10
    Aug 27, 2012
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    Any other tips on PHP security?
     
  11. UncleUber

    UncleUber JF-Expert Member

    #11
    Aug 27, 2012
    Joined: Apr 25, 2011
    Messages: 4,922
    Likes Received: 54
    Trophy Points: 145
    GIVENALITY, I see that since meeting the geeks yesterday you've come back fresh.............thumbs up
     
    Last edited by a moderator: Jan 4, 2016
  12. Given Edward

    Given Edward Verified User

    #12
    Aug 27, 2012
    Joined: Jan 11, 2011
    Messages: 852
    Likes Received: 2
    Trophy Points: 35
    Well, we exchanged a lot of ideas and we're not that far apart in ability. Besides, I started this thread in November last year :)
     
  13. UncleUber

    UncleUber JF-Expert Member

    #13
    Aug 28, 2012
    Joined: Apr 25, 2011
    Messages: 4,922
    Likes Received: 54
    Trophy Points: 145
    Okay, okay.
     