LinuxAnswers Discussion: this forum is to discuss articles posted to LinuxAnswers.
PHP is a powerful language for developing websites. Many sites on the net use it as a core.
And, of course, any power can be used in both ways. When most beginner (and even not-so-beginner) programmers create websites with some input forms, they usually never think about security here.
Really good article, I hope a lot of people read and follow it. The number one problem I see with PHP apps that get exploited is lack of sanitized inputs for databases (injection). The only thing that scares me more than unsanitized database inputs are unsanitized inputs used in system calls... someone killing the database or injecting things you don't want is bad news, someone wiping out or rootkitting your server is worse news.
Oh yes, shell commands injection is the worst. I forgot to add it.
I've seen many of those vulnerabilities, but it actually points more to PHP security itself (configuring PHP), rather than coding. Of course, it's the same rule again: don't trust user inputs. But here you gotta be more restrictive, in case you allow shell_exec(), etc., you shall not pass anything taken from user input to the shell at all, until you know what you are doing.
I have it disabled everywhere and I suggest everyone do the same: disable all dangerous functions of PHP. If you need the shell to act in your applications, use either a standalone daemon or cron that will verify and execute pending tasks from a shared file. Be sure to apply this rule "don't trust user inputs" everywhere.
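The two failure modes raised in the replies above (unsanitized database input and user input reaching the shell) paired with the defensive patterns the posts recommend, as an added example that is not code from the article or from any poster; it assumes the pdo_sqlite extension is available and uses a constructed spool path.

```php
<?php
// Added example (not from the article or thread). Shows the two problems the
// replies describe and a defensive pattern for each.

// 1. Database input: never interpolate user data into SQL; bind it instead.
function findUserByLogin(PDO $db, string $login): ?array
{
    // Prepared statement: the query text and the bound value travel separately,
    // so the value is always treated as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, login FROM users WHERE login = :login');
    $stmt->execute([':login' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Shell input: the rule in the post is that user data never reaches the
// shell from the web process. Instead of shell_exec(), validate the value
// against a strict allowlist and append a task to a spool file; a cron job or
// daemon with its own fixed commands (and not the web server's privileges)
// reads the spool and does the work.
function queueReportTask(string $spoolFile, string $reportName): bool
{
    // Allowlist: 1-32 lowercase letters, digits or hyphens. Anything else is
    // rejected outright rather than "cleaned up".
    if (!preg_match('/\A[a-z0-9-]{1,32}\z/', $reportName)) {
        return false;
    }
    $task = json_encode(['report' => $reportName, 'queued' => time()]);
    // LOCK_EX so concurrent requests cannot interleave partial lines.
    return file_put_contents($spoolFile, $task . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Constructed demo data: an in-memory SQLite database and request-like values.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT)');
$db->exec("INSERT INTO users (login) VALUES ('alice')");

// A login containing a quote is handled as plain data by the bound parameter.
var_dump(findUserByLogin($db, 'alice'));
var_dump(findUserByLogin($db, "o'brien"));

// Placeholder spool path; the cron/daemon side would consume this file.
$spool = '/tmp/report-queue.txt';
var_dump(queueReportTask($spool, 'monthly-sales'));   // fits the allowlist
var_dump(queueReportTask($spool, 'Monthly Sales.csv')); // spaces, case, dot: rejected
```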
Really good article indeed.
For those that want to go even deeper into this subject, I suggest you take a look at OWASP (http://www.owasp.org/). Even though it is not specifically for PHP, it gives good examples of what to do and what to avoid and an excellent framework for developing secure applications.
And again, DON'T TRUST USER INPUT !