Working with Files
If at any point in your Web application you are working with files, there is a possible danger. A lot of CMS (content management systems) work with URLs like this:
http://servername/renderer.php?template=whatever.xml
So far, so good, but what happens if a nonexisting filename is provided?
http://servername/renderer.php?template=does-not-exist.xml
A raw PHP warning (failed to open stream: No such file or directory) should never reach the browser: it leaks the path and tells a prober that the parameter is used as a filename. Catch the error and provide a custom error message, or maybe even an automated email to the Webmaster: either it is a dead link or it might be a cracking attempt, but both scenarios are worth noticing.
However, there is one more thing to note. Imagine the same script is called like this:
http://servername/renderer.php?template=/etc/passwd
or like this:
http://servername/renderer.php?template=../../../../etc/passwd
If you just read in a template, replace some placeholders, and then print everything to STDOUT, any file the Web server's user can read is at risk, /etc/passwd in the example. Therefore, do not only check whether the file exists, also check whether it may be opened: resolve the requested name (realpath()) and refuse it unless the result lies inside the template directory, or, better still, accept only plain names from a known list. Remember, too, that PHP's file functions accept stream wrappers (php://..., and with allow_url_fopen also http://...), so a "filename" need not even be a local file.
Note, too, that the picture changes if the filename is passed on to a shell command, say to a converter called with system() or exec(): then everything the user appends to the name (a semicolon followed by a command) is executed. If you must do that, wrap the parameter in escapeshellarg(), which puts single quotes around it and escapes any quotes inside. Plain file operations such as fopen() do not start a shell, though, so escapeshellarg() is no substitute for the path check above.
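The checks described above, as an added example that is not code from the original text: the template is opened only when the requested name resolves to a file inside the template directory, and a missing file becomes a logged, generic error instead of a PHP warning. The directory layout, file names and function names are assumptions of this example; the template files are created in a temporary directory so the script runs stand-alone.

```php
<?php
// Added example, not code from the original text. Directory, file and function
// names are this example's own; the template directory is constructed below.

function loadTemplate(string $templateDir, string $requested): string
{
    $base = realpath($templateDir);
    if ($base === false) {
        throw new RuntimeException('template directory is missing');
    }

    // Only plain names are acceptable: no slashes, no "..", no "php://" or
    // "http://" stream wrappers, nothing but letters, digits, "_" and "-".
    if (!preg_match('/\A[A-Za-z0-9_-]+\.xml\z/', $requested)) {
        throw new InvalidArgumentException('invalid template name');
    }

    // realpath() resolves symlinks and returns false for a nonexisting file.
    $path = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($path === false) {
        // Dead link or probe: log it for the Webmaster, tell the user little.
        error_log('template not found: ' . $requested);
        throw new RuntimeException('template not found');
    }

    // Belt and braces: even a symlink inside the directory must not lead out.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        error_log('template outside template directory: ' . $requested);
        throw new RuntimeException('template not found');
    }

    $content = @file_get_contents($path);
    if ($content === false) {
        error_log('template not readable: ' . $path);
        throw new RuntimeException('template not available');
    }
    return $content;
}

// --- demonstration with a constructed template directory -------------------
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'whatever.xml', "<page>{{title}}</page>\n");

$requests = [
    'whatever.xml',                        // legitimate
    'does-not-exist.xml',                  // dead link
    '/etc/passwd',                         // absolute path
    '../../../../etc/passwd',              // directory traversal
    'php://filter/resource=whatever.xml',  // stream wrapper
];
foreach ($requests as $req) {
    try {
        $out = str_replace('{{title}}', 'Hello', loadTemplate($dir, $req));
        printf("%-40s -> %s", $req, $out);
    } catch (Exception $e) {
        printf("%-40s -> rejected (%s)\n", $req, $e->getMessage());
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'whatever.xml');
rmdir($dir);
```

Only the first request yields the rendered template; the other four are rejected before any file is touched, the missing one after a log entry. The name pattern is deliberately stricter than the realpath() check needs, because it also keeps stream wrappers out. If the resolved `$path` ever has to go to a shell command, pass `escapeshellarg($path)`, never the raw request parameter.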
Working with Databases
Extremely nasty security flaws occur when databases come into play. On many pages, something like this appears:
db_query("SELECT * FROM table WHERE id=" . $_GET["id"]);
Nice try, but what if the ID parameter has the value "0; DELETE FROM table"? And even where the database driver refuses to run two statements in one call, "0 OR 1=1" still turns the query into one that returns every row. Therefore, use at least quotes:
db_query("SELECT * FROM table WHERE id='" . $_GET["id"] . "'");
But this code could be broken, as well; ID must just have this value: "'; DELETE FROM table; SELECT * FROM table WHERE id='".
It is fairly easy to guess how the parameter has to look to at least break the code. Just using an apostrophe generates error messages on far too many pages. Therefore, check user data; check SQL statements.
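The concatenated query from the text beside a checked, parameterized one, as an added example that is not code from the original text. It runs against an in-memory SQLite database so no server is needed; it assumes the pdo_sqlite extension, and the table "users" and its rows are constructed for this demonstration.

```php
<?php
// Added example, not code from the original text. Assumes pdo_sqlite; the
// table and its rows are constructed here.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob'), (3, 'carol')");
    return $db;
}

// The pattern from the text: the parameter is pasted into the SQL string, so
// the user controls part of the statement.
function findUserUnsafe(PDO $db, string $id): array
{
    $sql = 'SELECT * FROM users WHERE id=' . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Check the data first (an id must be an integer), then bind it: the SQL text
// is fixed and the value travels separately, so it can never become syntax.
function findUserSafe(PDO $db, string $id): array
{
    if (filter_var($id, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('id must be an integer');
    }
    $stmt = $db->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$inputs = ['2', '1 OR 1=1']; // the second is constructed attacker input

foreach ($inputs as $id) {
    $unsafe = findUserUnsafe($db, $id);
    printf("unsafe, id=%-10s -> %d row(s)\n", $id, count($unsafe));
    try {
        $safe = findUserSafe($db, $id);
        printf("safe,   id=%-10s -> %d row(s)\n", $id, count($safe));
    } catch (InvalidArgumentException $e) {
        printf("safe,   id=%-10s -> rejected (%s)\n", $id, $e->getMessage());
    }
}
```

With "2" both functions return the one matching row. With "1 OR 1=1" the concatenated query returns every row, while the checked version rejects the input before any query is sent; even without the integer check, the bound value would be compared as a string and match nothing, because a bound parameter cannot change the statement's structure.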
Some love it, some hate it: PHP's magic quotes. To all special characters in user data, backslashes are added; "McDonald's" becomes "McDonald\'s", and so on. If magic quotes are turned on, you do not have to worry about adding slashes by yourself; if not, use addslashes(), which does the same task for you. Bear in mind, though, that magic quotes were deprecated in PHP 5.3 and removed in PHP 5.4, and that addslashes() knows nothing about the connection's character set; on MySQL, prefer the driver's own function, mysqli_real_escape_string(), and wherever possible prepared statements with bound parameters instead of any escaping at all.
This is rather MySQL specific; other database systems, however, differ in two respects:
- Single quotes within a SQL string must not be escaped using the backslash, but by doubling them: 'McDonald's' is wrong; 'McDonald''s' is correct.
- Other special characters must be escaped as well, for instance square brackets, which some systems (Microsoft SQL Server among them) treat specially in identifiers and LIKE patterns.
For this case, use a regular expression (or, for a fixed character, simply str_replace()) to double the quotes; note that preg_replace() needs the pattern wrapped in delimiters:
$str = preg_replace("/'/", "''", $str); // every ' becomes '' for standard SQL
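The two quoting conventions side by side, as an added example that is not code from the original text: doubling the quote (standard SQL, used by SQLite, PostgreSQL and others) versus backslash escaping (MySQL's default, what addslashes() and magic quotes produced), plus the driver-aware PDO::quote(). Function names are this example's own; the in-memory SQLite connection is only there so PDO::quote() has a driver, and it assumes the pdo_sqlite extension.

```php
<?php
// Added example, not code from the original text. Function names are this
// example's own; assumes pdo_sqlite for the PDO::quote() and round-trip part.

// Standard SQL: a quote inside a literal is written as two quotes.
function quoteStandard(string $value): string
{
    return "'" . str_replace("'", "''", $value) . "'";
}

// MySQL style: backslash before ' " \ and NUL, exactly what addslashes() does.
function quoteMysqlStyle(string $value): string
{
    return "'" . addslashes($value) . "'";
}

// The payload from the text that closes the literal and appends statements.
$payload = "'; DELETE FROM table; SELECT * FROM table WHERE id='";

echo "standard : SELECT * FROM table WHERE id=" . quoteStandard($payload), "\n";
echo "mysql    : SELECT * FROM table WHERE id=" . quoteMysqlStyle($payload), "\n";

// PDO::quote() applies whichever convention the connected driver needs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
echo "PDO      : SELECT * FROM table WHERE id=" . $db->quote($payload), "\n";

// Proof that the doubled form is one literal: SQLite stores the payload as
// plain text and reads it back unchanged, no DELETE is ever parsed.
$db->exec('CREATE TABLE t (v TEXT)');
$db->exec('INSERT INTO t (v) VALUES (' . quoteStandard($payload) . ')');
$stored = $db->query('SELECT v FROM t')->fetchColumn();
echo($stored === $payload ? "round trip ok\n" : "round trip FAILED\n");
```

Under the standard convention the payload becomes one long literal beginning with three quotes; under the MySQL convention the embedded quotes carry backslashes, and using the wrong convention for the server at hand leaves the injection open. Escaping is the fallback for the rare place where a value really must be spliced into SQL text; for ordinary values, bound parameters remove the question of which convention applies.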