Chapter 2: Understanding and Avoiding Security Risks
Identifying the Sources of Risk
Minimizing User-Input Risks
Not Revealing Sensitive Information
Summary
Chapter 3: PHP Best Practices
Best Practices for Naming Variables and Functions
Best Practices for Function/Method
Best Practices for Database
Best Practices for User Interface
Best Practices for Documentation
Best Practices for Web Security
Best Practices for Source Configuration Management
Summary
Part II
Chapter 4: Architecture of an Intranet Application
Understanding Intranet Requirements
Building an Intranet Application Framework
Creating a Database Abstraction Class
Creating an Error Handler Class
Creating a Built-In Debugger Class
Creating an Abstract Application Class
Creating a Sample Application
Summary
Chapter 5: Central Authentication System
How the System Works
Creating an Authentication Class
Creating the Central Login Application
Creating the Central Logout Application
Creating the Central Authentication Database
Testing Central Login and Logout
Making Persistent Logins in Web Server Farms
Summary
Chapter 6: Central User Management System
Identifying the Functionality Requirements
Creating a User Class
User Interface Templates
Creating a User Administration Application
Creating a User Password Application
Creating a Forgotten-Password Recovery Application
Summary
Chapter 7: Intranet System
Identifying Functionality Requirements
Designing the Database
Designing and Implementing the Intranet Classes
Setting Up Application Configuration Files
Setting Up the Application Templates
Intranet Home Application
Installing Intranet Applications from the CD- ROM
Testing the Intranet Home Application
Summary
Chapter 8: Intranet Simple Document Publisher
Identifying the Functionality Requirements
The Prerequisites
Designing the Database
The Intranet Document Application Classes
Setting up Application Configuration Files
Setting Up the Application Templates
The Document Publisher Application
Installing Intranet Document Application
Testing Intranet Document Application
Summary
Chapter 9: Intranet Contact Manager
Functionality Requirements
Understanding Prerequisites
The Database
The Intranet Contact Manager Application Classes
The Application Configuration Files
The Application Templates
The Contact Category Manager Application
The Contact Manager Application
Installing Intranet Contract Manager
Testing Contract Manager
Summary
Chapter 10: Intranet Calendar Manager
Identifying Functionality Requirements
Understanding Prerequisites
Designing the Database
The Intranet Calendar Application Event Class
The Application Configuration Files
The Application Templates
The Calendar Manager Application
The Calendar Event Manager Application
Installing the Event Calendar on Your Intranet
Testing the Event Calendar
Summary
Chapter 11: Internet Resource Manager
Functionality Requirements
Understanding the Prerequisites
Designing the Database
Designing and Implementing the Internet Resource Manager Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating a Category Manager Application
Creating a Resource Manager Application
Creating a Resource Tracking Application
Creating a Search Manager Application
Installing an IRM on Your Intranet
Testing IRM
Security Concerns
Summary
Chapter 12: Online Help System
Functionality Requirements
Understanding the Prerequisites
Designing and Implementing the Help Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Help Indexing Application
Creating the Help Application
Installing Help Applications
Testing the Help System
Security Considerations
Summary
Part III
Chapter 13: Tell-a-Friend System
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Tell- a- Friend Application Classes
Creating Application Configuration Files
Creating Application Templates
Creating the Tell-a-Friend Main Menu Manager Application
Creating a Tell-a-Friend Form Manager Application
Creating a Tell-a-Friend Message Manager Application
Creating a Tell-a-Friend Form Processor Application
Creating a Tell-a-Friend Subscriber Application
Creating a Tell-a-Friend Reporter Application
Installing a Tell-a-Friend System
Testing the Tell-a-Friend System
Security Considerations
Summary
Chapter 14: E-mail Survey System
Functionality Requirements
Architecture of the Survey System
Designing the Database
Designing and Implementing the Survey Classes
Designing and Implementing the Survey Applications
Developing Survey Execution Manager
Setting Up the Central Survey Configuration File
Setting Up the Interface Template Files
Testing the Survey System
Security Considerations
Summary
Chapter 15: E-campaign System
Features of an E-campaign System
Architecting an E-campaign System
Designing an E-campaign Database
Understanding Customer Database Requirements
Designing E-campaign Classes
Creating Common Configuration and Resource Files
Creating Interface Template Files
Creating an E-campaign User Interface Application
Creating a List Manager Application
Creating a URL Manager Application
Creating a Message Manager Application
Creating a Campaign Manager Application
Creating a Campaign Execution Application
Creating a URL Tracking and Redirection Application
Creating an Unsubscription Tracking Application
Creating a Campaign Reporting Application
Testing the E-Campaign System
Security Considerations
Summary
Part IV
Chapter 16: Command-Line PHP Utilities
Working with the Command-Line Interpreter
Building a Simple Reminder Tool
Building a Geo Location Finder Tool for IP
Building a Hard Disk Usage Monitoring Utility
Building a CPU Load Monitoring Utility
Summary
Chapter 17: Apache Virtual Host Maker
Understanding an Apache Virtual Host
Defining Configuration Tasks
Creating a Configuration Script
Developing makesite
Installing makesite on Your System
Testing makesite
Summary
Chapter 18: BIND Domain Manager
Features of makezone
Creating the Configuration File
Understanding makezone
Installing makezone
Testing makezone
Summary
Part V
Chapter 19: Web Forms Manager
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Web Forms Manager Application Classes
Creating the Application Configuration Files
Creating Application Templates
Creating the Web Forms Submission Manager Application
Creating the Web Forms Reporter Application
Creating the CSV Data Exporter Application
Installing the Web Forms Manager
Testing the Web Forms Manager
Security Considerations
Summary
Chapter 20: Web Site Tools
Functionality Requirements
Understanding Prerequisites
Designing the Database
Designing and Implementing the Voting Tool Application Class
Creating the Application Configuration Files
Creating the Application Templates
Creating the Vote Application
Installing the Voting Tool
Testing the Voting Tool
Summary
Part VI
Chapter 21: Speeding Up PHP Applications
Benchmarking Your PHP Application
Buffering Your PHP Application Output
Compressing Your PHP Application Output
Caching Your PHP Applications
Summary
Chapter 22: Securing PHP Applications
Controlling Access to Your PHP Applications
Securely Uploading Files
Using Safe Database Access
Recommended php.ini Settings for a Production Environment
Limiting File System Access for PHP Scripts
Running PHP Applications in Safe Mode
Summary
Part VII
Appendix A: What's on the CD-ROM
System Requirements
What's on the CD
Troubleshooting
Appendix B: PHP Primer
Object-Oriented PHP
Appendix C: MySQL Primer
Using MySQL from the Command- Line
Using phpMyAdmin to Manage MySQL Database
Appendix D: Linux Primer
Installing and Configuring Apache 2.0
Installing and Configuring MySQL Server
Installing and Configuring PHP for Apache 2.0
Common File/Directory Commands
Index
Wiley Publishing, Inc. End-User License Agreement
Nội dung
// some code to verify coupon code echo “Check if user given coupon is valid or not.<br>”; return ($code % 1000 == 0) ? TRUE : FALSE; } function isCustomer() { // a function to determine if current user // user is a customer or not. // not implemented. echo “Check if user is a customer or not.<br>”; return FALSE; } ?> When this script is run as http://server/bad_autovars.php?couponCode=2000 it checks to see if the coupon code is valid. The is_coupon() function takes the user given coupon code and checks if the given code is completely divisible by 1000 or not. Code that are divisible by 1000 are considered valid and the function returns TRUE else it returns FALSE. If the coupon code is valid, it checks whether the current user is a customer. If the current user is a customer, it shows a message indicating that the customer is a winner. If the current user is not a customer, it shows the following: Check if user given coupon is valid or not. Check if user is a customer or not. Sorry you did not win! Because we didn’t implement the isCustomer() function, we return FALSE at all times, so there’s no way we should ever show a message stating that the current user is a winner. But alas! Look at the following request: http://server/bad_autovars.php?couponCode=1001&is_customer=1 Even with an invalid coupon, the user is able to see the following message: Check if user given coupon is valid or not. You are a lucky customer. You won big today! Chapter 2: Understanding and Avoiding Security Risks 31 04 549669 ch02.qxd 4/4/03 9:24 AM Page 31 Do you know why the user is able to see the preceding message? Because this user has supplied is_customer=1, which became an automatic variable and forced the winner message to appear. This type of trick can be done only with strong knowledge of the application being used. For example, if this was a free script widely used by many sites, a malicious hacker could force it to get what he wants. This example demonstrates that automatic variables can be tricked into doing things that are not intended by the programmers, so we need to have a better way of getting user data. Thankfully, PHP 4.2 or above by default do not create auto- matic variables. Creating automatic variables is turned off in the php.ini configu- ration file using the following configuration parameter: register_globals = Off When register_globals is off by default, PHP does not create automatic variables. So how can you get data from the user? Very easily using $_GET, $_POST, $_REQUEST, $_SERVER, $_SESSION, $_ENV, and $_COOKIE. Table 2-1 shows which of these variables correspond to what input of a request. TABLE 2-1 PHP GLOBAL-REQUEST-RELATED AUTOMATIC VARIABLES Variable Description $_GET Used for storing data passed via HTTP GET method. For example, http://server/any.php?a=1&b=2 will result in $_GET[‘a’] = 1; $_GET[‘b’] = 2; $_POST Used for storing data passed via HTTP POST method. For example: <form action=”any.php” method=”POST”> <input type=text name=”email”> <input type=hidden name=”step” value=”2”> </form> When this form is submitted, the any.php will have $_POST[‘email’] = user_supplied_email $_POST[‘step’] = 2 $_REQUEST Works for both GET and POST. This variable is the best choice because it will work with your application whether data is submitted via the GET method or the POST method. $_SESSION Stores session data. $_COOKIE Stores cookie data. 32 Part I: Designing PHP Applications 04 549669 ch02.qxd 4/4/03 9:24 AM Page 32 Variable Description $_ENV Stores environment information. $_FILES Stores uploaded file information. $GLOBALS All global variables that are stored in this associative array. Now let’s implement bad_autovars.php without the automatic field variables as shown in Listing 2-4. Listing 2-4: autovars_free.php <?php // Enable all error reporting error_reporting(E_ALL); // Initialize $is_customer = FALSE; // Get coupon code $couponCode = (! empty($_REQUEST[‘couponCode’])) ? $_REQUEST[‘couponCode’] : null; if (is_coupon($couponCode)) { $is_customer = isCustomer(); } if ($is_customer) { echo “You are a lucky customer\n”; echo “You win big today!\n”; } else { echo “Sorry you do not win!\n”; } function is_coupon($code = null) { // some code to verify coupon code echo “Check if user given coupon is valid or not <br>”; return ($code % 1000 == 0) ? TRUE : FALSE; Continued Chapter 2: Understanding and Avoiding Security Risks 33 04 549669 ch02.qxd 4/4/03 9:24 AM Page 33 Listing 2-4 (Continued) } function isCustomer() { // a function to determine if current user // user is a customer or not. // not implemented. echo “Check if user is customer <br>”; return FALSE; } ?> <?php // Enable all error reporting error_reporting(E_ALL); // Initialize $is_customer = FALSE; // Get coupon code $couponCode = (! empty($_REQUEST[‘couponCode’])) ? $_REQUEST[‘couponCode’] : null; if (is_coupon($couponCode)) { $is_customer = isCustomer(); } if ($is_customer) { echo “You are a lucky customer\n”; echo “You win big today!\n”; } else { echo “Sorry you do not win!\n”; } function is_coupon($code = null) { // some code to verify coupon code echo “Check if user given coupon is valid or not <br>”; return ($code % 1000 == 0) ? TRUE : FALSE; } function isCustomer() { // a function to determine if current user // user is a customer or not. 34 Part I: Designing PHP Applications 04 549669 ch02.qxd 4/4/03 9:24 AM Page 34 // not implemented. echo “Check if user is customer <br>”; return FALSE; } ?> Here $is_customer is first initialized to FALSE, which makes it impossible for the user to set it using the GET or POST method. Next, improvement is made by using the $_REQUEST[‘couponCode’] to get the coupon data. With this version, the user can’t force $is_customer to any value and, therefore, the code works as intended. Using validation code In addition to getting user data from $_REQUEST, you also need to validate user input, because it may contain unwanted patterns that cause security problems. Sometimes programmers confuse validation with cleanup. Earlier, in Listing 2-2 (better_whois.php), we used escapeshellcmd() to escape any user-provided shell characters. This would qualify as a cleanup or quarantine operation. A valida- tion operation checks the validity of the data and, if it’s invalid, the script rejects it instead of fixing it. For example, say you have a PHP script that expects a data field called num1. You can do a test like the following: if (!is_numeric($_REQUEST[‘num1’])) { // User supplied num1 not a number! } There are many built-in functions, such as is_numeric(), is_int(), is_float(), is_array(), and so forth, that you can use to perform validation. However, often you want to validate a number or string from a different prospec- tive. For example, e-mail addresses are strings, but not all strings are e-mail addresses. To validate e-mail addresses, you need a validation function for e-mail address. Similarly, ZIP codes are special type of numbers with nnnnn or nnnnn- nnnn formats. For validating ZIP codes, you would need to create custom validation functions. Your validation functions should return TRUE for valid data and FALSE for invalid data. The following is a simple structure of a validation function: function isValidFIELDNAME($fieldValue = null) } // Perform validation code here // You must return TRUE here if valid. // Default is false return FALSE; } Chapter 2: Understanding and Avoiding Security Risks 35 04 549669 ch02.qxd 4/4/03 9:24 AM Page 35 . associative array. Now let’s implement bad_autovars .php without the automatic field variables as shown in Listing 2-4. Listing 2-4: autovars_free .php < ?php // Enable all error reporting error_reporting(E_ALL); //. request. TABLE 2-1 PHP GLOBAL-REQUEST-RELATED AUTOMATIC VARIABLES Variable Description $_GET Used for storing data passed via HTTP GET method. For example, http://server/any .php? a=1&b=2 will. For example: <form action=”any .php method=”POST”> <input type=text name=”email”> <input type=hidden name=”step” value=”2”> </form> When this form is submitted, the any .php will have $_POST[‘email’]