SQL & PHP Security by Andrew J. Bennieston

Whether your site is the web presence for a large multinational, a gallery showing your product range and inviting potential customers to come into the shop, or a personal site exhibiting your holiday photos, web security always matters. After the hard work you’ve put in to make your site look good and respond to your users, the last thing you’d want is for a hacker to come along and somehow ruin it.

There are a number of problems in web security, and unfortunately not all of them have definite solutions – this white paper examines some of these problems every time you set out to write a PHP script to ensure PHP security. These are the problems which, with well-designed and properly sanitized code, can be eliminated entirely.

1. Introduction - Web Security: The Big Picture

The web is the future in business; from e-commerce to Internet Banking, from art galleries to restaurant menus and opening times, the web is becoming an essential aspect of business. Where websites must be automated, or dynamic, a number of web application solutions exist, but each of these brings with it a set of security considerations.

There are a number of problems in web security, and unfortunately not all of them have definite solutions, but this looks at some of the problems that should be considered every time you set out to write a PHP script so you can ensure PHP security on your site. These are the problems which, with well-designed code, can be eliminated entirely. Before looking in detail at the solutions, though, lets take a moment to define the problems themselves.

1.1 SQL Injection

SQL Injection – Note that the quoted string is ended after the word Injection, and another quoted string begins at the end. This matches up with the quoting already present in the web application itself, otherwise the SQL would be incorrect and an error would occur.

In an SQL Injection attack, a user is able to execute SQL queries in your website's database. This attack is usually performed by entering text into a form field which causes a subsequent SQL query, generated from the PHP form processing code, to execute part of the content of the form field as though it were SQL. The effects of this attack range from the harmless (simply using SELECT to pull another data set) to the devastating (DELETE, for instance). In more subtle attacks, data could be changed, or new data added.

1.2 Directory Traversal

This attack can occur anywhere user-supplied data (from a form field or uploaded filename, for example) is used in a filesystem operation. If a user specifies “../../../../../../etc/passwd” as form data, and your script appends that to a directory name to obtain user-specific files, this string could lead to the inclusion of the password file contents, instead of the intended file. More severe cases involve file operations such as moving and deleting, which allow an attacker to make arbitrary changes to your filesystem structure.

Directory Traversal – Interpretation of the special directory names . and .. can be used to alter the interpretation of a complete path.

1.3 Authentication Issues

Authentication issues involve users gaining access to something they shouldn't, but to which other users should. An example would be a user who was able to steal (or construct) a cookie allowing them to login to your site under an Administrator session, and therefore be able to change anything they liked.

Authentication - Stolen cookies, or URL based authentication, can sometimes be used to gain access to areas of a website which should be restricted.

1.4 Remote Scripts (XSS)

XSS or Cross-Site Scripting (also sometimes referred to as CSS, but this can be confused with Cascading Style Sheets, something entirely different!) is the process of exploiting a security hole in one site to run arbitrary code on that site's server. The code is usually included into a running PHP script from a remote location. This is a serious attack which could allow any code the attacker chooses to be run on the vulnerable server, with all of the permissions of the user hosting the script, including database and filesystem access.

Download the entire  PHP Security White Paper to find out more.

Download the Free Edition of Acunetix Web Security Scanner and find out today if your PHP applications are hackable!