Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống
1
/ 86 trang
THÔNG TIN TÀI LIỆU
Thông tin cơ bản
Định dạng
Số trang
86
Dung lượng
2,64 MB
Nội dung
if ($part[1] <= 255 && $part[2] <= 255 && $part[3] <= 255 && $part[4] <= 255) return TRUE; # Valid IP } return FALSE; # Invalid IP } Conclusion Security is a state of mind. When you develop scripts you should be thinking about what you can do to make the scripts safer. A secure web server running on a secure server gets you a long way, but you still need to be security conscious yourself. TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 21 Magic With Quotes Magic quotes can be used to automatically encode external data, so that it can be used suavely in SQL queries. However, they do not present the best solution to the problem where they are applied. This chapter explains the basics of applying magic quotes, why they are necessary, and what alternative methods exist. Defining the Problem PHP scripts usually receive data from web clients. This data cannot be trusted, because malicious clients may send malformed data. It is therefore necessary to validate input data before processing it. Magic quotes help to ensure that input data is in a correct format before using it in SQL queries. SQL defines certain characters that have a special meaning. A malicious attacker can use these special characters to insert arbitrary SQL into your queries, which can lead to security holes. How can you protect your scripts from this potential security threat? The Conversion Process Special characters include '\' (backslash), '"' (double quote), and 'NUL'. These have a special meaning and could therefore cause misinterpretation by the SQL engine. To avoid this, each instance of a special character is prefixed by an escape character. The inbuilt PHP function addslashes() is called to prepend backslash characters to a specific set of characters in order to render them escaped. The following table lists the SQL special characters and to which character sequences they are encoded. Note that we do not use C-like encoding, so "\\" is not one escaped backslash, but two backslashes. Special character Changed To TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com NULL \0 " \" \ \\ ' \' The table above is relevant for most situations, however PHP supports a special mode where an alternative escape character is used. This is necessary for Sybase databases, where this special mode is enabled by using the option magic_quotes_sybase. When this parameter is set to 0, the default conversion table (above) is used. If you enable this option by setting magic_quotes_sybase to 1 (usually done in the configuration file of PHP), addslashes() will automatically use another conversion table, shown below: Special character Changed To NULL \0 ' '' The following example demonstrates how addslashes() can be used to encode raw data. The script outputs the raw data, stored in $raw, and the encoded representation, stored in $enc. <?php $raw = '\'test "characters": back\slash\''; $enc = addslashes($raw); echo "$raw\n"; echo "$enc\n"; ?> With magic_quotes_sybase = 0 we get the following output: 'test "characters": back\slash' \'test \"characters\": back\\slash\' With magic_quotes_sybase = 1 we get the following output: 'test "characters": back\slash' ''test "characters": back\slash'' Defining the Scope Magic quotes can be applied to two different data sources. By default, magic quotes are disabled for both data sources, but you can enable them separately in your configuration file. TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Flag name Scope Applied when magic_quotes_gpc data sent by the web client once on request startup, i.e. when the execution of your script begins magic_quotes_runtime data read from a file, returned by functions like exec(), from a SQL engine every time the script accesses runtime-generated data The first option, magic_quotes_gpc, causes data sent by the web client to be encoded. This applies to all key-value pairs, i.e. URLs, cookies and data from HTML forms that are sent to the server through a POST request. If you use PHP to handle file uploads, the files will be encoded as well. GPC ("Get, Post, Cookie") data refers to the information your browser sends with the request: ❑ "Get" means the query data in the URL (for example, in "http://wrox.com/sample.php?data=text" everything behind the "?" is Get data). ❑ "Post" refers to the data that is send to the server using the POST method. This is often used in <FORM>s, for example to submit larger texts to a server or to upload files. ❑ "Cookie" data is also sent by the client, it refers to the little pieces of information that are stored persistently on the client side. The second option, magic_quotes_runtime, refers to data that is read at run time, i.e. through explicit actions of your script. This can be: reading from a file, executing an external program through exec() or querying a SQL database. Applying Magic Quotes Remember that data passed to a SQL database needs to be converted first to avoid potential security problems. We will now look at automating this process in PHP. We have shown that you can manually encode data by using the addslashes() function. The following example creates a SQL INSERT command string and the encoding is performed through addslashes(). <?php $sql = "INSERT INTO table VALUES ('".addslashes($foo)."',".time().")"; ?> Note that we create a SQL command by concatenating the single pieces together. The complete SQL command is stored in the $sql variable for later reference. The string variable $foo is passed to the script by an external entity (for example a web browser). The above code has various problems. It is not very clean, confuses the reader and is hard to maintain. We pretend that the $foo variable is passed to the script by the web browser. Once we enable the magic_quotes_gpc feature of PHP, we can reduce the size of the code and make it easier to TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com understand. <?php $sql = "INSERT INTO table VALUES ('$foo',".time().")"; ?> By automating the conversion process, we ease the whole code. PHP now applies addslashes() on the data at request startup time, so that we can use this cleaner version of our previous example. It might be the case that you do not know where your script will run and whether magic_quotes_gpc is turned on. For this case, you can use the get_magic_quotes_gpc() function which returns 1 or 0, if the option is enabled or disabled, respectively. The previous example could be rewritten in the following way to detect the status of the magic_quotes_gpc option at runtime. <?php if(!get_magic_quotes_runtime()) { $foo = addslashes($foo); } $sql = "INSERT INTO table VALUES ('$foo',".time().")"; ?> Note that this is not very practical in large programs since it adds possibly redundant functionality and introduces additional overhead, increasing run time. It is generally a good idea to define an environment for your scripts. This should also specify whether it depends on any special features. Magic quotes are turned off by default in PHP, so they can be considered a special feature. Another area where the magic quotes feature can be useful is storing the output of an external program in a SQL table. The next example executes the vmstat command, available on many UNIX and Linux machines (this program is used to gain information about the virtual memory of the computer) and stores the last line of output of the command in a variable. It uses the PHP function get_magic_quotes_runtime() which performs a similar job as get_magic_quotes_gpc(), but queries the setting for magic_quotes_runtime instead of magic_quotes_gpc. Depending on the return value of this function, it applies addslashes() to the $out variable. Then, it creates a SQL command similar to that in our previous examples. <?php $out = exec("/usr/bin/vmstat"); if(!get_magic_quotes_runtime()) { $out = addslashes($out); } $sql = "INSERT INTO table VALUES ('$out', ".time().")"; ?> TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com We have presented traditional examples for the magic quotes feature of PHP. As mentioned previously, this feature is handy in situations where you deal exclusively with SQL. If you enable magic quotes for an application and want to output the unmodified data, you need to reverse the encoding process performed by addslashes(). This can be done by the stripslashes() function. The following example does exactly the same thing as the previous example, but additionally outputs the data stored in the $out variable to the browser. Before this can happen, it needs to decode $out. <?php $out = exec("/usr/bin/vmstat"); if(!get_magic_quotes_runtime()) { $out = addslashes($out); } $sql = "INSERT INTO table VALUES ('$out', ".time().")"; $out = stripslashes($out); echo "vmstat: $out<P>\n"; ?> This might become complex in situations where you have a dozen or more variables that need to be decoded. Doing this adds complexity and overhead to your scripts. In the next section we present therefore a useful alternative to the magic quotes approach. Two Helper Functions The following two functions will help you to automate the process of encoding and decoding values which are to be used in SQL queries. They do not assume any special context, so they will work with magic_quotes_gpc enabled or disabled. <?php // the names of the variables to be considered $variables = array("foo", "bar", "baz"); // 0 means currently decoded, 1 means currently encoded $mq_state = get_magic_quotes_gpc(); // a helper-helper function function perform_action($action) { global $variables; for($i = 0; $i < count($variables); $i++) { $key = $variables[$i]; $GLOBALS[$key] = $action($GLOBALS[$key]); } TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com } // call this function, if you want encoded values function magic_quotes_encode() { global $mq_state; if(!$mq_state) { perform_action("addslashes"); $mq_state = 1; } } // call this function, if you want decoded (original, raw) values function magic_quotes_decode() { global $mq_state; if($mq_state) { perform_action("stripslashes"); $mq_state = 0; } } ?> These functions allow you to declare a number of variables as input variables. The names of the variables are stored in the $variables array. Both functions use this array to determine which variables to change. The trick here is to maintain the current state of the variables. At the beginning, the state is undefined and we assign $mq_state the value of the option magic_quotes_gpc. This automatically gives us the correct value. A key role plays the perform_action() function. It applies an $action (which is the name of another function) to the global variables whose names are stored in the $variables array. To do that, it iterates over that array and applies the $action function on the global variables specified in the array. Our main helper functions are simple. They check the current state and apply a specific function by calling perform_action, if necessary. The following table summarizes the actions and possible states: $mq_state meaning magic_quotes_encode() does magic_quotes_decode() does 0 variables are decoded encodes the variables (applies addslashes()) nothing 1 variables are encoded nothing decodes the variables (applies stripslashes()) TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com If your application depends on magic_quotes_gpc turned on/off, you call either magic_quotes_encode() or magic_quotes_decode() at the beginning of your application, respectively (i.e. in a common include file). This will automatically lead to the state your application requires. Another way to utilize these functions is to split data handling and data output into separate modules. Before you enter the data handling module, you call magic_quotes_encode() to ensure that the necessary encoding has been performed. Before you enter the output module, you call magic_quotes_decode(). The following example could be a skeleton for such an application: <? \\ include the helper functions as well as the initial $mq_state include "magic_quotes.inc"; \\ these are the names of the variables we want to use $variables = array("action", "name"); \\ we are going to enter the data module, hence we need encoded values magic_quotes_encode(); handle_data(); \\ for displaying data, we need decoded values magic_quotes_decode(); handle_output(); ?> An Alternative Approach The magic quotes feature changes data transparently without explicit action by the user (besides enabling the option). Additionally, it requires the user to perform a decoding step to use the data for anything but SQL commands. This introduces overhead that should have been avoided initially by magic quotes. Therefore we want to present an alternative to magic quotes. Our goal is to create a flexible, customizable, and maintainable version of the code we presented earlier. It should not depend on magic quotes, but should still perform the encoding process for us. To achieve this, we make use of the sprintf() function which takes a format string and various number of arguments. <?php $sql = sprintf( "INSERT INTO table VALUES ". "('%s',%d)", addslashes($foo), time()); ?> TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com The example demonstrates the approach of separating query language and data. The first argument (the format string) to sprintf() contains all query language elements. By using specifiers (i.e. "%s" for string, "%d" for integer) in the format string, we tell sprintf() to replace the n-th specifier with the n-th parameter after the format string. The advantage of this method is its clearness. You can easily adapt the whole statement to new needs, in the case that you need to add columns, change attribute names, or if you need to perform other maintenance work. It is more understandable to someone unfamiliar with the code and is easier to debug. It also does not rely on a mechanism that transparently changes data (magic_quotes_gpc changes data without your explicit action, besides activating the feature). Everything stays under your control. Summary In order to avoid security problems, input data has to be encoded before it is used in SQL queries. This can be achieved by using magic quotes or by encoding data separately using addslashes(). In this chapter, we showed how this encoding works, when magic quotes are applied, and which advantages and disadvantages magic quotes have. Additionally, we presented alternative ways to avoid the security problem. TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 22 Tem p late s Developing a whole web site can be a troublesome business. We will show how you can effectively use templates to speed up development, to reduce the amount of code, and to achieve a higher level of overall flexibility and consistency throughout the whole site. Common template techniques Templates can be used if you are administering a site that frequently reuses certain sections. In the context of PHP, templates refer to HTML. Without using templates, a complex web site is hard to structure. To produce output, various template techniques exist which can be useful in a number of circumstances. We present an overview of frequently used techniques which we will detail later in this chapter. Template techniques Name Code/ HTML mixed HTML structure defined in PHP Advantages Disadvantages Useful for Embedded PHP Yes Yes Fast and easy Leads to unreadable scripts, no reuse of existing code, hard to maintain Quick and small scripts Separating common parts Yes No (partially) Fast and easy, reuse of certain parts Leads to unreadable scripts, often hard to Web sites with LOC < TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com [...]... this idea to our embedded PHP example and split it into two files The first one contains two functions that display an HTML header and footer < ?php # prepend.inc function CommonHeader($title) { ?> < ?php echo $title ?> < ?php echo $title ?> < ?php } function CommonFooter() { ?> < ?php } ?> This file can be... TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com utility sends the SQL commands to the MySQL server, and prints the result of the SQL command in the command line Database User One database user php is created for the shopping cart application All the PHP scripts in the middle tier connect to the back-end database as user php The user php has all the privileges... this, if you use the auto_prepend feature < ?php include "prepend.inc"; ?> < ?php CommonHeader("power"); ?> i i^i < ?php for($i = 0; $i < 10; $i++) { echo "$i".pow($i,$i)."\n"; } ?> < ?php CommonFooter(); ?> You see that this technique addresses one important disadvantage of the embedded PHP method It is easy to create reusable parts,... PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com The template could be the top-level template for almost every site It contains two variables ({TITLE} and {CONTENT}), which are filled in when you tell FastTemplate to parse the toplevel template The rest is pure HTML To create output and to fill in values, some PHP action is required < ?php include "class.FastTemplate .php" ; #... scripts by using PHP' s auto_prepend feature By assigning a filename in PHP' s configuration file to the auto_prepend option, PHP will evaluate the assigned file first, before executing the individual script The CommonHeader() function takes one argument, the title of the page, and prints out the HTML TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Header CommonFooter()... result of 2^exponent {ROWS} The script that binds this together follows: < ?php require "class.FastTemplate .php" ; $tpl = new FastTemplate("."); $tpl->define(array( "row" => "row.tpl", "table" => "table.tpl" TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com )); for($i = 0; $i < 16; $i++) { $result = pow(2, $i); $tpl->assign(array( "EXPONENT"... The second function is PageFinish() The basic version of it parses the last (GLOBAL, main) template and prints it using $tpl->FastPrint() < ?php # We assume that you use PHP' s auto_prepend feature # Otherwise, you need to include prepend .php: # include "prepend .php" ; PageStart(); for($i = 0; $i < 16; $i++) { $result = pow(2, $i); $tpl->assign(array( "EXPONENT" => $i, "RESULT" => $result )); $tpl->parse("ROWS",... Embedding PHP into HTML ❑ Separating common parts into PHP functions ❑ Using FastTemplate The first one is the basic technique, which allows writing PHP scripts quickly The second one adds logic to the template approach, but still does not differentiate between HTML and code Then we introduce the reader to FastTemplate, which separates between logic and representation TEAM FLY PRESENTS Simpo PDF Merge... flow chart given below describes the complete interaction of the user with the shopping cart application TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Design of the Shopping Cart Application In this section, we will consider the database structure for our application,... column and a corresponding row in either music_shop or book_shop with the same value of item_no column TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com To create our database and tables, we can use the following SQL commands: mysql> CREATE DATABASE shop ; mysql> CONNECT . $tpl->FastPrint(). < ?php # We assume that you use PHP& apos;s auto_prepend feature. # Otherwise, you need to include prepend .php: # include "prepend .php& quot;; PageStart();. TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com understand. < ?php $sql = "INSERT INTO table VALUES ('$foo',".time().")";. TEAM FLY PRESENTS Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com We have presented traditional examples for the magic quotes feature of PHP. As mentioned previously,