TIMELY. PRACTICAL. RELIABLE. Mohammed J. Kabir Secure PHP Development Wiley Technology Publishing Timely. Practical. Reliable. Your in-depth guide to designing and developing secure PHP applications You’ll learn how to: • Implement the featured applica- tions in business environments such as intranets, Internet Web sites, and system administrations • Develop e-mail and intranet solutions using PHP • Determine the importance of cer- tain coding practices, coding styles, and coding security requirements • Follow the entire process of each PHP application life cycle from requirements, design, and develop- ment to maintenance and tuning. • Use PHP in groupware, document management, issue tracking, bug tracking, and business applications • Mature as a PHP developer by using software practices as part of your design, development, and software life cycle decisions • Improve the performance of PHP applications Programming and Software Development/Security $50.00 USA/$77.95 CAN/£34.95 UK It’s a hacker’s dream come true: over one million Web sites are now vulnerable to attack through recently discovered flaws in the PHP scripting language. So how do you protect your site? In this book, bestselling author Mohammed Kabir provides all the tools you’ll need to close this security gap. He presents a collection of 50 secure PHP applications that you can put to use immediately to solve a variety of practical problems. And he includes expert tips and techniques that show you how to write your own secure and efficient applications for your organization. Visit our Web site at www.wiley.com/compbooks/ Secure PHP Development Kabir ISBN: 0-7645-4966-9 INCLUDES CD-ROM MOHAMMED J. KABIR is the founder and CEO of Evoknow, Inc., a company specializing in customer relationship manage- ment software development. His previous books include Red Hat ® Security and Optimization, Red Hat ® Linux ® 7 Server, Red Hat ® Linux ® Administrator’s Handbook, Red Hat ® Linux ® Survival Guide, and Apache 2 Server Bible (all from Wiley). ,!7IA7G4-fejggd!:P;P;k;k;k *85555-BBDACc Building 50 Practical Applications The companion CD-ROM contains: • 50 ready-to-use PHP applications • Searchable e-version of the book • The latest versions of PHP, Apache, and MySQL ™ 549669 Cover_rb2.qxp 3/19/03 10:39 AM Page 1 Secure PHP Development: Building 50 Practical Applications 01549669 FM.qxd 4/4/03 9:23 AM Page i 01549669 FM.qxd 4/4/03 9:23 AM Page ii Secure PHP Development: Building 50 Practical Applications Mohammed J. Kabir 01549669 FM.qxd 4/4/03 9:23 AM Page iii Secure PHP Development: Building 50 Practical Applications Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 0-7645-4966-9 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 1B/SU/QU/QT/IN No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-Mail: permcoordinator@wiley.com. is a trademark of Wiley Publishing, Inc. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data Library of Congress Control Number: 2003101844 Trademarks: Wiley, the Wiley Publishing logo, and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. 01549669 FM.qxd 4/4/03 9:23 AM Page iv Credits SENIOR ACQUISITIONS EDITOR Sharon Cox ACQUISITIONS EDITOR Debra Williams Cauley PROJECT EDITOR Sharon Nash DEVELOPMENT EDITORS Rosemarie Graham Maryann Steinhart TECHNICAL EDITORS Richard Lynch Bill Patterson COPY EDITORS Elizabeth Kuball Luann Rouff EDITORIAL MANAGER Mary Beth Wakefield VICE PRESIDENT & EXECUTIVE GROUP PUBLISHER Richard Swadley VICE PRESIDENT AND EXECUTIVE PUBLISHER Bob Ipsen VICE PRESIDENT AND PUBLISHER Joseph B. Wikert EXECUTIVE EDITORIAL DIRECTOR Mary Bednarek PROJECT COORDINATOR Dale White GRAPHICS AND PRODUCTION SPECIALISTS Beth Brooks Kristin McMullan Heather Pope QUALITY CONTROL TECHNICIANS Tyler Connoley David Faust Andy Hollandbeck PROOFREADING AND INDEXING TECHBOOKS Production Services 01549669 FM.qxd 4/4/03 9:23 AM Page v About the Author Mohammed J. Kabir is CEO and founder of EVOKNOW, Inc. His company (www.evoknow.com) develops software using LAMP (Linux, Apache, MySQL, and PHP), Java, and C++. It specializes in custom software development and offers security consulting services to many companies around the globe. When he is not busy managing software projects or writing books, Kabir enjoys riding mountain bikes and watching sci-fi movies. Kabir studied computer engi- neering at California State University, Sacramento, and is also the author of Apache Server 2 Bible, Apache Server Administrator’s Handbook, and Red Hat Server 8. You can contact Kabir via e-mail at kabir@evoknow.com or visit the book’s Web site at http://www.evoknow.com/publications/books/phpbook.php. 01549669 FM.qxd 4/4/03 9:23 AM Page vi Preface Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a pow- erful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web plat- forms. In this book you will learn about how to secure PHP applications, how to develop and use an application framework to develop many useful applications for both Internet and intranet Web sites. Is This Book for You? This is not a PHP language book for use as reference. There are many good PHP language books out there. This book is designed for intermediate- to advanced- level PHP developers who can review the fifty PHP applications developed for this book and deploy them as is or customize them as needed. However, it is entirely possible for someone with very little PHP background to deploy the applications developed for this book. Therefore, even if you are not currently a PHP developer, you can make use of all the applications with very little configuration changes. If you are looking for example applications that have defined features and implementation requirements, and you want to learn how applications are devel- oped by professional developers, this book a great starting point. Here you will find numerous examples of applications that have been designed from the ground up using a central application framework, which was designed from scratch for this book. The book shows developers how PHP applications can be developed by keeping security considerations in focus and by taking advantage of an object-oriented approach to PHP programming whenever possible to develop highly maintainable, extensible applications for Web and intranet use. How This Book Is Organized The book is organized into seven parts. Part I: Designing PHP Applications Part I is all about designing practical PHP applications while understanding and avoiding security risks. In this part, you learn about practical design and imple- mentation considerations, best practices, and security risks and the techniques you can take to avoid them. vii 01549669 FM.qxd 4/4/03 9:23 AM Page vii Part II: Developing Intranet Solutions Part II introduces you to the central application framework upon which almost all the Web and intranet applications designed and developed for this book are based. The central application framework is written as a set of object-oriented PHP classes. Using this framework of classes, you are shown how to develop a set of intranet applications to provide central authentication, user management, simple document publishing, contact management, shared calendar, and online help for your intranet users. Because all of the applications in this part of the book are based on the core classes discussed in the beginning of the book, you will see how that architecture works very well for developing most common applications used in modern intranets. Part III: Developing E-mail Solutions Part III deals with e-mail applications. These chapters describe a suite of e-mail applications such as Tell-a-Friend applications, e-mail-based survey applications, and a MySQL database-driven e-mail campaign system that sends, tracks, and reports e-mail campaigns. Part IV: Using PHP for Sysadmin Tasks Part IV focuses on demonstrating how PHP can become a command-line scripting platform for managing many system administration tasks. In these chapters, you learn to work with many command-line scripts that are designed for small, specific tasks and can be run automatically via Cron or other scheduling facilities. Applications developed in this part include the Apache virtual host configuration generator, the BIND zone generator, a multi-user e-mail reminder tool, a POP3 spam filtering tool, a hard disk partition monitoring tool, a system load monitoring tool, and more. Part V: Internet Applications In Part V, you learn how to develop a generic Web form management application suite and a voting (poll) application for your Web site. Because Web form manage- ment is the most common task PHP performs, you will learn a general-purpose design that shows you how PHP can be used to centralize data collection from Web visitors, a critical purpose of most Web sites. Part VI: Tuning and Securing PHP Applications In this part, you learn ways to fine-tune your PHP applications for speed and secu- rity. You will learn how to benchmark your applications, and cache your applica- tion output and even application opcode. You will also learn to protect your applications using various security measures involving PHP development and the Apache Web server platform. viii Preface 01549669 FM.qxd 4/4/03 9:23 AM Page viii [...]... 710 Part VI Tuning and Securing PHP Applications Chapter 21 Speeding Up PHP Applications 713 Chapter 22 Benchmarking Your PHP Application 714 Benchmarking your code 714 Avoiding bad loops 718 Stress-testing your PHP applications using ApacheBench 722 Buffering Your PHP Application Output... the applications are easy to update in terms of look and feel To understand the power of external HTML user-interface templates, carefully examine the code in Listing 1- 1 and Listing 1- 2 Listing 1- 1: A PHP Script with Embedded User Interface < ?php // Turn on all error reporting error_reporting(E_ALL); Continued 5 03 549669 ch 01. qxd 6 4/4/03 9:24 AM Page 6 Part I: Designing PHP Applications Listing 1- 1... 91 Creating a Sample Application 11 3 Summary 11 9 Central Authentication System 12 1 How the System Works 12 1 Creating an Authentication Class 12 4 Creating the Central Login Application 12 7 Creating the Central Logout Application 13 8 Creating... Chapter 1 Chapter 2 Chapter 3 Features of Practical PHP Applications 3 Understanding and Avoiding Security Risks 25 PHP Best Practices 41 Part II Developing Intranet Solutions Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter Chapter 4 5 6 7 8 9 10 11 12 Architecture of an Intranet Application 65 Central Authentication System 12 1... and Avoiding Security Risks CHAPTER 3 PHP Best Practices 02 549669 PP 01. qxd 4/4/03 9:23 AM Page 2 03 549669 ch 01. qxd 4/4/03 9:24 AM Page 3 Chapter 1 Features of Practical PHP Applications IN THIS CHAPTER ◆ Exploring the features of a practical PHP application ◆ Putting the features to work in applications PHP BEGAN AS A PERSONAL home page scripting tool Today PHP is widely used in both personal and... 8 81 015 49669 FM.qxd 4/4/03 9:23 AM Page xiv 015 49669 FM.qxd 4/4/03 9:23 AM Page xv Contents Preface vii Acknowledgments xi Part I Designing PHP Applications Chapter 1 Features of Practical PHP Applications 3 Chapter 2 Chapter 3 Features of a Practical PHP Application 3 Employing the Features in Applications. .. 507 Part IV Using PHP for Sysadmin Tasks Chapter 16 Chapter 17 Chapter 18 Command-Line PHP Utilities 559 Apache Virtual Host Maker 607 BIND Domain Manager 6 41 Part V Internet Applications Chapter 19 Chapter 20 xii Developing E-mail Solutions Web Forms Manager 6 61 Web Site Tools 697 015 49669... 753 PHP Primer 757 MySQL Primer 763 Linux Primer 7 81 Index 833 Wiley Publishing, Inc End-User License Agreement 8 81 02 549669 PP 01. qxd 4/4/03 9:23 AM Page 1 Part I Designing PHP Applications CHAPTER 1 Features of Practical PHP Applications. .. cases, PHP is introduced in a corporation because of its speed, absence of license fees, and fast development cycle The last reason (fast development cycle) is often misleading There is no question that PHP development is often faster than other Web -development platforms like Java However, the reasons for PHP development s faster cycle are often questioned by serious non -PHP developers They claim that PHP. .. most PHP applications are deployed via the Web, it’s important to make the applications easy to install by making the required directory structure as portable as possible In most cases, the PHP application will run from a directory of its own inside the Web document root directory 03 549669 ch 01. qxd 4/4/03 9:24 AM Page 5 Chapter 1: Features of Practical PHP Applications Employing the Features in Applications . Cover_rb2.qxp 3 /19 /03 10 :39 AM Page 1 Secure PHP Development: Building 50 Practical Applications 015 49669 FM.qxd 4/4/03 9:23 AM Page i 015 49669 FM.qxd 4/4/03 9:23 AM Page ii Secure PHP Development: Building. PHP Development: Building 50 Practical Applications Mohammed J. Kabir 015 49669 FM.qxd 4/4/03 9:23 AM Page iii Secure PHP Development: Building 50 Practical Applications Published by Wiley Publishing, Inc. 10 475. at http://www.evoknow.com/publications/books/phpbook .php. 015 49669 FM.qxd 4/4/03 9:23 AM Page vi Preface Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since