Table of Contents for
Essential PHP Security
Essential PHP Security
Published by
O'Reilly Media, Inc., 2005
- Cover
- Essential PHP Security
- Essential PHP Security
- Foreword
- Preface
- 1. Introduction
- 2. Forms and URLs
- 3. Databases and SQL
- 4. Sessions and Cookies
- 5. Includes
- 6. Files and Commands
- 7. Authentication and Authorization
- 8. Shared Hosting
- A. Configuration Directives
- B. Functions
- C. Cryptography
- About the Author
- Index
- About the Author
- Colophon
- Copyright
Index
A note on the digital index
A link in an index entry is displayed as the section title in which that entry appears. Because some sections have multiple index markers, it is not unusual for an entry to have several links to the same section. Clicking on any link will take you directly to the place in the text in which the marker appears.
Symbols
- $clean array, Filter Input
- $html array, Escape Output
- $_COOKIE array, Filter Input
- $_FILES array, File Upload Attacks
- $_GET array, Register Globals, Filter Input, Filter Input
- $_POST array, Register Globals
- identifying source of, Filter Input
- preventing CSRF attacks using, Cross-Site Request Forgeries, Spoofed Form Submissions
- $_PUT array, Filter Input
- $_REQUEST array, Cross-Site Request Forgeries
- $_SERVER array, Filter Input, Exposed Source Code
- $_SESSION array, Cookie Theft
- .inc file extension, Exposed Source Code
- .php file extension, Backdoor URLs
- “clean” as variable name, preventing, Filter Input
A
- access control (authorization), Command Injection
- access credentials for database
- exposed, Databases and SQL
- storing, Exposed Source Code
- addslashes() function, Escape Output
- allow_url_fopen directive, Remote File Risks, allow_url_fopen, file()
- Apache
- denying requests for includes, SQL Injection
- include file location and, Exposed Access Credentials
- Apache Security (Ristic), Exposed Source Code
- Applied Cryptography (Schneier), Storing Passwords
- arrays, superglobal, Register Globals, Filter Input
- authentication, Authentication and Authorization
- before critical actions, Principles
- brute force attacks on, Brute Force Attacks
- password sniffing, Password Sniffing
- persistent logins, Persistent Logins
- replay attacks, Replay Attacks
- requiring before sensitive transactions, Persistent Logins
- tokens for, Persistent Logins
- authentication cookie, Persistent Logins
- authorization (access control), Command Injection
- author’s web site and blog, PHP Features
B
- backdoor URLs, Backdoor URLs
- basename() function, Filter Input, Code Injection, Remote File Risks
- best practices for security, Balance Risk and Usability
- browsers
- embedded resources, requests for, Cross-Site Request Forgeries
- vulnerabilities in, causing cookie exposure, Cookie Theft
- brute force attacks, Authentication and Authorization
C
- client-side scripting
- cookies accessible with, Exposed Session Data
- hashing password with, Persistent Logins
- code injection, Code Injection
- command injection, Command Injection, exec()
- complexity, avoiding, Simple Is Beautiful
- constants, trustworthiness of data in, Forms and Data
- Cookie request header, Exposed Data
- cookies, Sessions and Cookies
- data sent in, Forms and Data
- providing access to resources, Persistent Logins
- specification for, Cookie Theft
- storing username and password in, Persistent Logins
- theft of, Cookie Theft
- credit card numbers, storing, Storing Credit Card Numbers
- critical actions, authentication before, Principles
- cross-site request forgery (CSRF), Cross-Site Request Forgeries
- cross-site scripting (XSS), Cross-Site Scripting
- cookie theft and, Cookie Theft, Exposed Session Data
- remote files and, Remote File Risks
- source of, Forms and URLs
- cryptography
- credit card numbers, Storing Credit Card Numbers
- data in database, Storing Credit Card Numbers
- mcrypt extension for, Using mcrypt
- passwords, Storing Passwords
- resources for, Storing Passwords
- role of, in securing applications, Storing Passwords
- session data, Storing Credit Card Numbers
- types of, Cryptography
- CSRF (cross-site request forgery), Cross-Site Request Forgeries
D
- data
- escaped, naming convention for, Escape Output
- escaping, Escape Output, Spoofed HTTP Requests, SQL Injection, magic_quotes_gpc
- exposure of, minimizing, Minimize Exposure, Exposed Data, Exposed Session Data
- filtered
- identifying, Forms and Data
- naming convention for, Filter Input
- filtering input of, Filter Input, Spoofed HTTP Requests, SQL Injection
- from forms, Forms and Data
- invalid, correcting, Filter Input, Traversing the Filesystem
- tainted, Filter Input, Forms and Data
- tracking, Balance Risk and Usability
- trustworthiness of, determining, Filter Input, Forms and Data
- valid characters in, allowing only, Escape Output
- valid values of, allowing only, Filter Input
- database
- access credentials for
- exposed, Databases and SQL
- storing, Exposed Source Code
- automatic escaping by, Exposed Data
- escaping output to, Escape Output, Spoofed HTTP Requests, SQL Injection
- exposure of sensitive data in, Exposed Data
- filtering input from, Filter Input, Spoofed HTTP Requests, SQL Injection
- queries sent to
- as output to be escaped, Spoofed HTTP Requests
- SQL injection and, SQL Injection
- SQL injection and, SQL Injection
- storing encrypted data in, Storing Credit Card Numbers
- storing sensitive data in, Exposed Source Code
- storing session data in, Exposed Session Data
- supported by PHP, list of, Spoofed HTTP Requests
- Defense in Depth principle, Principles
- dictionary attacks, Brute Force Attacks
- directory tree, ascending, preventing, Filter Input
- disable_functions directive, allow_url_fopen
- display_errors directive, Register Globals, display_errors
- dl() function, display_errors
- document root
- considering to be public, Backdoor URLs
- not storing databases in, SQL Injection
- not storing includes in, Exposed Access Credentials, Backdoor URLs
- dynamic includes, Filename Manipulation, Code Injection
E
- email applications, vulnerabilities in, Semantic URL Attacks
- embedded resources
- exposing session identifier, Session Fixation
- launching CSRF attack using, Cross-Site Request Forgeries
- enable_dl directive, display_errors
- enctype attribute of form, File Upload Attacks
- errors, not displaying in browser, Register Globals, display_errors
- error_log directive, Register Globals, magic_quotes_gpc
- error_reporting directive, Register Globals, Error Reporting, display_errors
- escaped output, naming convention for, Escape Output
- escaping output, Escape Output, Spoofed HTTP Requests, SQL Injection, magic_quotes_gpc
- eval() function, eval()
- exceptions, Error Reporting
- exec() function, Command Injection, exec()
- exposure, minimizing, Minimize Exposure
F
- file() function, exec()
- filenames
- manipulation of, Filename Manipulation
- tainted, Files and Commands
- files
- remote, referencing as local files, Remote File Risks, allow_url_fopen
- restricting opens to specific directory, open_basedir
- traversal, preventing, Filter Input, Traversing the Filesystem
- upload attacks, File Upload Attacks
- uploading, enabling, display_errors
- filesize() function, Cross-Site Scripting
- filesystem browsing, Filesystem Browsing
- file_get_contents() function, Remote File Risks, file_get_contents()
- file_uploads directive, display_errors
- filtered data
- identifying, Forms and Data
- naming convention for, Filter Input
- filtering data
- as input, Filter Input, Databases and SQL, SQL Injection
- for dynamic includes, Filename Manipulation, Code Injection
- fopen() function, Traversing the Filesystem, file_get_contents()
- forms
- forcing use of, to avoid CSRF attack, Cross-Site Request Forgeries
- spoofing, Spoofed Form Submissions
- tokens in, preventing CSRF attacks, Cross-Site Request Forgeries
- trustworthiness of data sent in, Forms and Data
- uploading data using, File Upload Attacks
- functions, disabling, allow_url_fopen
G
- GET data, trustworthiness of, Forms and Data
- global variables, created by register_globals directive, Register Globals
H
- hashed password, replaying, Persistent Logins
- htmlentities() function, Escape Output, Cross-Site Request Forgeries
- htmlspecialchars() function, Escape Output
- HTTP headers, data sent in, Forms and Data
- HTTP requests
- brute force attacks using, Brute Force Attacks
- spoofing, Spoofed HTTP Requests
- HTTP, as stateless protocol, Exposed Data
- httpd.conf file, Apache, Exposed Access Credentials
- https scheme, Password Sniffing
I
- images, launching CSRF attack using, Cross-Site Request Forgeries
- includes
- code injection and, file_get_contents()
- denying requests for, Backdoor URLs
- dynamic, Filename Manipulation, Code Injection
- exposed source code resulting from, Exposed Source Code
- not storing in document root, Exposed Access Credentials
- obtaining location of source code using, Safe Mode
- processing as PHP files, Backdoor URLs
- remote, referencing as local, Remote File Risks
- input
- displaying, risks associated with, Cross-Site Scripting
- filtering, Filter Input, Databases and SQL, SQL Injection
- is_uploaded_file() function, File Upload Attacks
L
- Least Privilege principle, Simple Is Beautiful
- links, obtaining session identifier using, Session Fixation
- logins, persistent, Persistent Logins
- log_errors directive, Register Globals, magic_quotes_gpc
M
- magic_quotes_gpc directive, magic_quotes_gpc
- mcrypt extension, Storing Passwords, Using mcrypt
- mcrypt_create_iv() function, Using mcrypt
- mcrypt_decrypt() function, Using mcrypt
- mcrypt_encrypt() function, Using mcrypt
- mcrypt_list_algorithms() function, Using mcrypt
- MD5 algorithm, SQL Injection
- memory_limit directive, magic_quotes_gpc
- Microsoft Passport, example of vulnerability in, File Upload Attacks
- Minimize Exposure principle, Minimize Exposure
- move_uploaded_file() function, File Upload Attacks
- multipart/form-data encoding, File Upload Attacks
- mycrypt_list_modes() function, Using mcrypt
- mysql_real_escape_string() function, Escape Output, SQL Injection
N
- naming convention
- for escaped data, Escape Output
- for filtered data, Filter Input
O
- open_basedir directive, open_basedir
- output, escaping, Escape Output
P
- Passport, example of vulnerability in, File Upload Attacks
- passthru() function, Command Injection, file_get_contents()
- passwords
- hashing, with client-side scripting, Persistent Logins
- reminders for, Using mcrypt
- sniffing, Password Sniffing
- storing in cookies, Persistent Logins
- storing in database, Using mcrypt
- PDO library, escaping performed automatically by, Exposed Data
- PEAR::DB library, escaping performed automatically by, Exposed Data
- persistent logins, Persistent Logins
- PHP manual, Safe Mode
- PHP Security Consortium, Introduction, Cookie Theft
- PHP, features of, Register Globals
- phpinfo() function, file_get_contents()
- popen() function, Command Injection, preg_replace()
- POST data, trustworthiness of, Forms and Data
- POST requests, for authentication forms, Replay Attacks
- post_max_size directive, File Upload Attacks
- practices for security, Balance Risk and Usability
- prediction, obtaining session identifer using, Exposed Session Data
- preg_replace() function, preg_replace()
- presentation attacks, Replay Attacks
- principles of security, Principles
- privileges, allowing least necessary, Simple Is Beautiful
- proc_open() function, preg_replace()
- protocol-level redirects, obtaining session identifier using, Session Fixation
- publications
- Apache Security (Ristic), Exposed Source Code
- Applied Cryptography (Schneier), Storing Passwords
Q
- queries to database
- as output to be escaped, Spoofed HTTP Requests
- SQL injection and, SQL Injection
R
- readfile() function, Safe Mode, preg_replace()
- realpath() function, Code Injection
- reauthentication before critical actions, Principles
- redundant safeguards, value of, Principles
- Referer header, not preventing spoofed forms, Spoofed HTTP Requests
- Refresh header, obtaining session identifier using, Session Fixation
- register_globals directive, Register Globals
- remote resources, reference as local files, allow_url_fopen
- remote systems
- escaping output to, Escape Output
- interactions with, Filter Input
- replay attacks, Replay Attacks
- risk, balancing with usability, Balance Risk and Usability
- Ristic, Ivan (Apache Security), Exposed Source Code
S
- safeguards, transparency of, Balance Risk and Usability
- safe_mode directive, limitations of, Safe Mode
- salting passwords, SQL Injection
- Schneier, Bruce (Applied Cryptography), Storing Passwords
- security, Introduction
- practices for, Balance Risk and Usability
- principles of, Principles
- SecurityFocus web site, Cookie Theft
- semantic URL attacks, Semantic URL Attacks
- sensitive transactions, requiring authentication for, Persistent Logins
- session data
- encrypting, Exposed Session Data, Storing Credit Card Numbers
- exposed, Exposed Session Data, Exposed Session Data
- managing, Cookie Theft
- whether to filter, Filter Input
- session fixation, Exposed Session Data
- session hijacking, Cookie Theft, Session Hijacking
- session identifier
- obtaining, Exposed Session Data
- regenerating at session initiation, Session Fixation
- regenerating for change in privilege, Session Fixation
- regenerating on every page, Session Hijacking
- session injection, Session Injection
- session_regenerate_id() function, Session Fixation
- session_set_save_handler() function, Exposed Session Data, Exposed Session Data, Session Injection, Storing Credit Card Numbers
- session_start() function, Cookie Theft
- Set-Cookie response header, Exposed Data
- SetEnv directive, Exposed Source Code
- set_error_handler() function, Error Reporting, Principles
- shared hosting
- exposed session data, Exposed Session Data
- exposed source code with, Exposed Source Code
- filesystem browsing, Filesystem Browsing
- safe_mode directive and, Safe Mode
- security level attainable with, Exposed Source Code
- session injection, Session Injection
- shell commands, command injection and, Command Injection
- shell_exec() function, Command Injection, preg_replace()
- Simple is Beautiful principle, Simple Is Beautiful
- source code, exposed, Exposed Source Code, Exposed Source Code
- spoofed form submissions, Spoofed Form Submissions
- spoofed HTTP requests, Spoofed HTTP Requests
- SQL injection, SQL Injection, Remote File Risks
- SQLite databases, not storing in document root, SQL Injection
- SSL
- minimizing exposed data, Exposed Session Data
- preventing password sniffing, Password Sniffing
- stateless protocol, disadvantages of, Exposed Data
- strings
- evaluating as PHP, eval()
- replacements using patterns, preg_replace()
- superglobal arrays, Register Globals, Track Data
- symmetric cryptography, Cryptography
- system commands, command injection and, Command Injection
- system() function, Command Injection, preg_replace()
T
- tainted data, Filter Input, Forms and Data
- telnet utility, spoofing HTTP requests using, Spoofed HTTP Requests
- throttling mechanism, Brute Force Attacks, Brute Force Attacks
- tokens
- for authentication, Persistent Logins
- in forms, Cross-Site Request Forgeries
- in URLs, Session Hijacking
- transparency of safeguards, Balance Risk and Usability
U
- uploading files
- attacks of, File Upload Attacks
- enabling, display_errors
- upload_max_filesize directive, File Upload Attacks
- URLs
- backdoor URLs, Backdoor URLs
- semantic URL attacks, Semantic URL Attacks
- tokens in, Session Hijacking
- trustworthiness of data sent in, Forms and Data
- usability, balancing with risk, Balance Risk and Usability
- user friendliness, balancing with risk, Balance Risk and Usability
- User-Agent header, Session Hijacking, Session Hijacking
V
- variables, trustworthiness of data in, Forms and Data
W
- web site resources
- author’s web site and blog, PHP Features
- cookies specification, Cookie Theft
- cryptography, Cryptography
- for this book, xi, PHP Features
- hosting service infrastructure security, Exposed Source Code
- PHP manual, Safe Mode
- PHP Security Consortium, Introduction, Cookie Theft
- SecurityFocus, Cookie Theft
- web-based email applications, vulnerabilities in, Semantic URL Attacks
- whitelist approach for filtering, Filter Input