Slashdot Mirror


PHP and SQL Security

An anonymous reader writes "PHP and SQL Security are being proven more weak every day. Uberhacker.Com is running a PHP and SQL security research project to raise awareness of secure scripting. The site hosts guides to secure PHP programming, forums, and scripting challenges to see who can create the most secure scripts."

16 of 305 comments (clear)

  1. A bad workman blames his tools by dorward · · Score: 5, Insightful

    Looks more like "Scripts people write using PHP and SQL without understanding security issues are being proven more weak every day." to me.

    1. Re:A bad workman blames his tools by quigonn · · Score: 5, Insightful

      Well, sometimes you can simply blame the tools. Or would you blame the workman who cuts off his arm with the buzz saw's totally unprotected blade?

      The same is valid for programming languages, with some it's just easier to shoot yourself in the foot when you make a mistake. One example are buffer overflows and C: it's so easy to mistakenly write code that produces one, while in other languages like Ada or Perl it's virtually impossible.

      The same goes for PHP and SQL, which is shown everyday on the usual mailing lists like Bugtraq or full-disclosure.

      --
      A monkey is doing the real work for me.
  2. No. by mfh · · Score: 5, Insightful

    PHP and MySQL are not weak; faux programmers are weak. Purification of incoming data is essential, and often ignored by novice script-writers, and that's the problem. SQL injections are common among novice coders, and they can slip past even competent coders, but a strict design engine for passing SQL vars using $_REQUEST, and turning off register_globals, will result in better results.

    Essentially, the problem is with those making insecure scripts, not the whole PHP and SQL system.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:No. by leandrod · · Score: 5, Insightful
      > Object oriented programming should prevent this

      Security comes from simplicity, not complexity. And security should start at the DBMS level, not be left to applications.

      --
      Leandro Guimarães Faria Corcete DUTRA
      DA, DBA, SysAdmin, Data Modeller
      GNU Project, Debian GNU/Lin
    2. Re:No. by mfh · · Score: 5, Informative
      > Always check user input as much as is possible. Probably at least two-thirds of my programming is input data verification.

      Good. You are off to the right start, but with better function programming, you will find yourself writing more feature code than purification code.

      Things to look for:
      • Push 99% of all expected/selectable data into tables with a record_id, so you can easily purify the incoming data:

        function npurify(&$text){
        if(!is_numeric($text)) $text = 1;
        }

        Protects against SELECT SQL injection attacks.

      • Snuff out > and < chars so that they can't contain the Script HTML tag when purifying data. Replacing these characters with their html entities usually works; ie:
        > becomes &gt;
        < becomes &lt;
      • Convert data in your database to base_64 and gzdeflate it:
        $data = base64_encode(gzdeflate($data));
        This will prevent the problems with escaping quotes and apostrophes for SQL, and it will kill any SQL injections in your data.
      • Use better logic for testing incoming data;
        if($this) {perform action}... will limit your chances of having to cope with scipt injections because you are only testing for the existence of a condition, and not the value of the data.
      • Run bitchecking against acceptable alphabets for purification of character values. Gauge to have good CPU usage of this sort of thing.

        // blanks out unaccepted characters
        $alphabet = '`ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuv wxyz01234567890~!@#$%^&*()_+=-,.<>?/|;:\'"'.chr(92 ).chr(10);
        $sizestr = strlen($text);
        $sizestr--;
        for($i = 0; $i <= $sizestr; $i++) {
        if(strstr($alphabet, $text[$i])) {
        continue;
        }else{
        $text[$i] = ' ';
        }
        }

      • Code a good link converter, so you don't have to accept HTML in posts, and you don't need to accept any HTML.
      • There are likely more, but these are the big ones.

      > Always escape text which is going into an SQL query

      I prefer to write my own SQL text, based on input values. That way you are never using data submitted for the SQL query. The only time they would really submit values would be when they are sending in a username and password, but in that case, you should be extremely stringent in purification by only accepting alphanumeric usernames and passwords (ie: run the alphabet function above, but erase all non-alphanumeric chars from the $ALPHABET var).

      > Use htmlspecialchars() on any text that's being output, to stop users putting rogue HTML

      htmlspecialchars() doesn't always work. I prefer using the example above, by limiting the characters allowed and disallowing HTML in the form of post body/subject data. Converting everything to base64 will make it nearly impossible to script attack the database, too.

      > Put database usernames, passwords, pathnames and other similarly important but site-specific data in a define()

      I disagree, because I use the $_SESSION array instead, which can not be changed by a user if the session cookie is server-side. Sessions can be scooped by sniffers, but that can be managed by your host's security, to prevent it. Certainly change the locale for session data from /tmp/, because that narrows down hack attempts, making it all the more harder to compromise the system.

      > Never include() or require() something that isn't a hard-coded string

      To me, this isn't totally required if you have suitable purification, but that extra bit of paranoia is welcomed, because it shows true fear and that is acceptable in any kind of programming. That sort of humility is welcomed because it demonstrates a compassion for the task at hand.

      > Be hugely care

      --
      The dangers of knowledge trigger emotional distress in human beings.
  3. Ease of introduction by holzp · · Score: 5, Insightful

    I think a lot of the blame for this can be traced to the ease of getting started with PHP/MySQL. Result: more people learning how to program with php will of course result in less thought about security. Add the ability to have input arguments via the http request be automagically available to the running code shares a lot of the blame too. Put them togeather and thats a disaster.

  4. "more weak"? by Junks+Jerzey · · Score: 5, Funny

    How about "weaker" :P

  5. Should I submit this one? by blcamp · · Score: 5, Funny

    This one is pretty secure...

    <?php

    // Try to break into this script!
    echo "Hello World!";

    ?>

    --
    The problem with socialism is that they always run out of other people's money. - Margaret Thatcher
  6. magic_quotes by ftzdomino · · Score: 5, Funny

    You could also enable magic_quotes in your php.ini. However, if you\'re too dumb to know the basics of sql, chances are your program won\'t work quite right.

  7. I can't take a security sight seriously that... by bbzzdd · · Score: 5, Funny

    uses MS Comic font for their articles. Sorry.

    1. Re:I can't take a security sight seriously that... by daeley · · Score: 5, Funny

      Never mind that, they're using a tag to achieve it! The horror! ;)

      --
      I watched C-beams glitter in the dark near the Tannhauser gate.
  8. Guides to Secure Programming? by JumboMessiah · · Score: 5, Informative

    Other than the scripting challenge, what's on this site? I've read the guides to hacking, but it's all a bunch of kindergarden material. Seems if you follow the guides you'll certainly have insecure PHP scripts with all kinds of SQL injection. How about posting some real articles on secure PHP scripting...

  9. Re: cutting off an arm by sczimme · · Score: 5, Interesting


    Or would you blame the workman who cuts off his arm with the buzz saw's totally unprotected blade?

    Yes, I would: he was obviously doing something with the saw that was inappropriate; what saw-oriented task [when done correctly] involves waving it at one's own arm?* The fact that the blade was unprotected is irrelevant since he should have known it was unprotected and therefore dangerous. All tools can be used stupidly, and oddly enough the results really can be the fault of the operator. It is also possible for fault to lie in more than one area.

    Yes, I know the traditional definition of 'hacking' includes making $ITEM do something it was not intended to do, but there are limits.

    * I'm guessing that 'buzz-saw' == 'circular saw'.

    --
    I want to drag this out as long as possible. Bring me my protractor.
  10. 404d! by michael+path · · Score: 5, Funny

    Maybe someone can write a PHP script to take care of the 404 error that occurs when you click on the "home" link on Uberhacker.com.

    Bad Design Überalles.

  11. SQL Injection in PHP by uss_valiant · · Score: 5, Informative

    AFAIK SQL injection can be prevented by binding the parameters to the SQL statement and not putting them within SQL.
    An example:
    It's easy to inject some malicious SQL when using the following PHP code:
    mysql_query("INSERT INTO FOO('Bar') VALUES('$some_post_param');");
    But if you prepare the SQL statement with parameters and bind the variable $some_post_param to the statement, it will be secure.
    see mysql manual for mysqli_stmt_bind_param() aka bind_param
    $stmt = $mysqli->prepare("INSERT INTO CountryLanguage VALUES (?, ?, ?, ?)"); $stmt->bind_param('sssd', $code, $language, $official, $percent);

    I know this concept from Perl DBI, but in PHP I haven't seen anyone (phpBB, ...) using bind_param. Why is this? Performance? Keeping the code short and simple?

    As for general webserver security: use PHP and perl as cgi, use suEXEC, run the webserver as nobody/www, put the users into chroot jails, but by all means, don't use PHP safe_mode On.

  12. Nope by kuzb · · Score: 5, Insightful

    This is not an issue dealing with PHP and MySQL, this is an issue with weak programmers writing bad code, and I'm sorry to say, you find it in every language. As a regular in #php on freenode, we are constantly correcting bad coding practices.

    In fact, it's not uncommon to find people using GET and POST variables straight out of the box without any kind of validation whatsoever. Many people do not learn the de-facto first rule of web programming: the user can not, and should never be trusted.

    To make matters worse, applications like PHP-Nuke spring up which are notorious for sloppy coding practices, and people tend to see them as reflect on the PHP community as a whole. That's like blaming the C language because someone, one day, wrote some bad code in it that got someone else hacked. This happens all the time, but we don't make claims like "C security is weak". Instead, we worry about the truth of it, that the programmer in question did a bad job, or just flat out missed something.

    One of the key points that seems to trip most novices up (and granted, this is one of the stupider moves presented by the PHP Core Development team) was a thing called magic_quotes_gpc, which attempts to auto-escape incoming GET, POST and COOKIE variables in an attempt to sanitize user input. This is usually a double-edge sword because newbies are typicly not aware if it is, or isn't on. In later versions, this is on by default, and does prevent many SQL injections from occuring. However, for the more experienced user, having your input auto-munged can be something of a pain. Unfortunatly, to write truely portable code one must test this value and normalize data accordingly.

    The issues don't stop there though. I've seen many a more serious faux pas committed by the newbie. Another more serious flaw that I see happen on a regular basis is the use of user data within include statements without proper path checking. This is probably one of the more disasterous errors I see occuring because it typicly exposes sensitive data. There has been more than one occasion where i've shown a user their own passwd file in a browser to make my point.

    Anyhow, to the newbies: we, the more experienced people of PHP are on our own quest to educate people, many times in a one-on-one basis on Freenode. If you're not sure about a particular issue, grab an IRC client and ASK US (irc://irc.freenode.net). We're there to help!

    --
    BeauHD. Worst editor since kdawson.