Pro PHP Security

■■■

Chris Snyder and Michael Southwell

Pro PHP Security
Copyright © 2005 by Chris Snyder and Michael Southwell
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN (pbk): 1-59059-508-4
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence
of a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademark
owner, with no intention of infringement of the trademark.
Lead Editor: Jason Gilmore
Technical Reviewer: Timothy Boronczyk
Editorial Board: Steve Anglin, Dan Appleman, Ewan Buckingham, Gary Cornell, Tony Davis, Jason Gilmore,
Jonathan Hassell, Chris Mills, Dominic Shakeshaft, Jim Sumser
Associate Publisher: Grace Wong

Project Manager: Beth Christmas
Copy Edit Manager: Nicole LeClerc
Copy Editor: Ami Knox
Assistant Production Director: Kari Brooks-Copony
Production Editor: Katie Stence
Compositors: Susan Glinert and Pat Christenson
Proofreader: April Eddy
Indexer: Michael Brinkman
Artist: Wordstop Technologies Pvt. Ltd., Chennai
Interior Designer: Van Winkle Design Group
Cover Designer: Kurt Krames
Manufacturing Director: Tom Debolski
Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor,
New York, NY 10013. Phone 1-800-SPRINGER, fax 201-348-4505, e-mail `cUVcd_j1dacZ_XVcdS^T`^, or
visit Yeea+ hhhdacZ_XVc`_]Z_VT`^.
For information on translations, please contact Apress directly at 2560 Ninth Street, Suite 219, Berkeley, CA
94710. Phone 510-549-5930, fax 510-549-5939, e-mail Z_W`1RacVddT`^, or visit Yeea+ hhhRacVddT`^.
The information in this book is distributed on an “as is” basis, without warranty. Although every precaution
has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to
any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly

by the information contained in this work.
The source code for this book is available to readers at Yeea+

hhhRacVddT`^ in the Downloads section.

Contents at a Glance
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

PART 1
CHAPTER 1

PART 2
CHAPTER 2
CHAPTER 3
CHAPTER 4
CHAPTER 5
CHAPTER 6

CHAPTER 7
CHAPTER 8
CHAPTER 9
CHAPTER 10

PART 3
CHAPTER 11
CHAPTER 12
CHAPTER 13
CHAPTER 14
CHAPTER 15
CHAPTER 16

■■■

The Importance of Security

Why Is Secure Programming a Concern? . . . . . . . . . . . . . . . . . . . . . . . 3
■■■

Maintaining a Secure Environment

Dealing with Shared Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Maintaining Separate Development and Production
Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Keeping Software Up to Date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Using Encryption I: Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
Using Encryption II: Practice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Securing Network Connections I: SSL . . . . . . . . . . . . . . . . . . . . . . . . 109
Securing Network Connections II: SSH . . . . . . . . . . . . . . . . . . . . . . . 139
Controlling Access I: Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . 175
Controlling Access II: Permissions and Restrictions . . . . . . . . . . . 209
■■■

Practicing Secure PHP Programming

Validating User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Preventing SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
Preventing Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Preventing Remote Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281

Enforcing Security for Temporary Files . . . . . . . . . . . . . . . . . . . . . . . 303
Preventing Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
iii

iv

■C O N T E N T S A T A G L A N C E

PART 4
CHAPTER 17
CHAPTER 18
CHAPTER 19
CHAPTER 20
CHAPTER 21
CHAPTER 22
CHAPTER 23
CHAPTER 24

■■■

Practicing Secure Operations

Allowing Only Human Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Verifying Your Users’ Identities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Using Roles to Authorize Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 359
Adding Accountability to Track Your Users . . . . . . . . . . . . . . . . . . . . 377
Preventing Data Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Safely Executing System Commands . . . . . . . . . . . . . . . . . . . . . . . . . 419
Handling Remote Procedure Calls Safely . . . . . . . . . . . . . . . . . . . . . 455
Taking Advantage of Peer Review . . . . . . . . . . . . . . . . . . . . . . . . . . . . 467

INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

Contents
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxiii

PART 1

■■■

■CHAPTER 1

The Importance of Security

Why Is Secure Programming a Concern?

.................3

What Is Computer Security? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Why Absolute Computer Security Is Impossible . . . . . . . . . . . . . . . . . . . . . 4
What Kinds of Attacks Are Web Applications Vulnerable To? . . . . . . . . . . 4
When Users Provide Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
When Information Is Provided to Users . . . . . . . . . . . . . . . . . . . . . . . . 8
In Other Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

PART 2

■■■

■CHAPTER 2

Maintaining a Secure Environment

Dealing with Shared Hosts

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

What Are the Dangers of Shared Hosting? . . . . . . . . . . . . . . . . . . . . . . . . 14
An Inventory of Effects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Minimizing System-level Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
A Reasonable Standard of Protection for Multiuser Hosts . . . . . . . . . . . . 18
Allow No Shells . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Set Aggressive Database Permissions . . . . . . . . . . . . . . . . . . . . . . . . 19
Practice Translucency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Compile Your Configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Keep Local Copies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Back Up Your Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Virtual Machines: A Safer Alternative to Traditional Virtual Hosting . . . . 21

v

vi

■C O N T E N T S

Shared Hosts from a System Administrator’s Point of View . . . . . . . . . . 22
Add a User for Each Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Fill Out the Filesystem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Sample Apache Virtual Host Configuration . . . . . . . . . . . . . . . . . . . . 23
Create a Secure Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Restrict Access to VFS Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

■CHAPTER 3

Maintaining Separate Development and Production

Environments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Why Separate Development and Production Servers? . . . . . . . . . . . . . . . 27
Effective Production Server Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

■CHAPTER 4

Keeping Software Up to Date

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Installing Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Packages and Ports vs. Building by Hand . . . . . . . . . . . . . . . . . . . . . 41
Compiling by Hand . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Updating Software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
Keeping Apache and PHP Easily Updatable . . . . . . . . . . . . . . . . . . . . 48
Monitoring Version Revisions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
Recompiling After Updating Libraries . . . . . . . . . . . . . . . . . . . . . . . . . 51
Using a Gold Server to Distribute Updates . . . . . . . . . . . . . . . . . . . . . 52
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54

■CHAPTER 5

Using Encryption I: Theory

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55

Encryption vs. Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Hashing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Algorithm Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
A Note on Password Strength . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Recommended Encryption Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
Symmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
Diffie-Hellman-Merkle Key Exchange . . . . . . . . . . . . . . . . . . . . . . . . . 63
Asymmetric Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Email Encryption Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

■C O N T E N T S

Recommended Hash Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
CRC32 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
MD5 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
SHA-1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
DSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
New Hashing Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Related Algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
base64 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
XOR. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Random Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Blocks, Modes, and Initialization Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Streams and Blocks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Initialization Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
US Government Restrictions on Exporting Encryption Algorithms . . . . . . 73
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

■CHAPTER 6

Using Encryption II: Practice

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Protecting Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
Protecting Sensitive Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
Symmetric Encryption in PHP: The PFU\SW Functions . . . . . . . . . . 80
Asymmetric Encryption in PHP: RSA and the
OpenSSL Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Verifying Important or At-risk Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Verification Using Digests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
Verification Using Signatures. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

■CHAPTER 7

Securing Network Connections I: SSL . . . . . . . . . . . . . . . . . . . 109
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Secure Sockets Layer. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Transport Layer Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
The SSL Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
Providing SSL on Your Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
HTTP Over SSL: Apache’s PRGBVVO . . . . . . . . . . . . . . . . . . . . . . . . 116
Obtaining a Server Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
Application-level SSL Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

vii

viii

■C O N T E N T S

Connecting to SSL Servers Using PHP . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
PHP’s Streams, Wrappers, and Transports . . . . . . . . . . . . . . . . . . . 128
The SSL and TLS Transports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
The HTTPS Wrapper . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
The FTP and FTPS Wrappers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Secure IMAP and POP Support Using TLS Transport . . . . . . . . . . . 137
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

■CHAPTER 8

Securing Network Connections II: SSH . . . . . . . . . . . . . . . . . . 139
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
The Original Secure Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
Secure Shell Protocol Versions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
Secure Shell Authentication with Pluggable
Authentication Modules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
Using OpenSSH for Secure Shell . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
Installation and Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
SSH Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Using SSH with Your PHP Applications. . . . . . . . . . . . . . . . . . . . . . . 161
The Value of Secure Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Should I Use SSL or SSH? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

■CHAPTER 9

Controlling Access I: Authentication

. . . . . . . . . . . . . . . . . . . . 175

Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
HTTP Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
HTTP Basic Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
HTTP Digest Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Two-factor Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Certificate-based Authentication Using HTTPS . . . . . . . . . . . . . . . . 187
Using One-Time Keys for Authentication . . . . . . . . . . . . . . . . . . . . . 194
Single Sign-On Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
Kerberos . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
Building Your Own Single Sign-On System . . . . . . . . . . . . . . . . . . . 195
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

■C O N T E N T S

■CHAPTER 10 Controlling Access II: Permissions and Restrictions . . . 209
Unix Filesystem Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
An Introduction to Unix Permissions . . . . . . . . . . . . . . . . . . . . . . . . . 209
Manipulating Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Shared Group Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
PHP Tools for Working with File Access Controls . . . . . . . . . . . . . . 215
Keeping Developers (and Daemons) in Their Home Directories . . 215
Protecting the System from Itself . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Resource Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Disk Quotas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
PHP’s Own Resource Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Protecting Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 218
Database Filesystem Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . 219
Controlling Database Access: Grant Tables . . . . . . . . . . . . . . . . . . . 219
Hardening a Default MySQL Installation . . . . . . . . . . . . . . . . . . . . . . 220
Grant Privileges Conservatively . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
Avoid Unsafe Networking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
REALLY Adding Undo with Regular Backups . . . . . . . . . . . . . . . . . . 222
PHP Safe Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
How Safe Mode Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
Other Safe Mode Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
Safe Mode Alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

PART 3

■■■

Practicing Secure
PHP Programming

■CHAPTER 11 Validating User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
What to Look For . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Input Containing Metacharacters . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
Wrong Type of Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Too Much Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
Abuse of Hidden Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
Input Bearing Unexpected Commands . . . . . . . . . . . . . . . . . . . . . . . 232

ix

x

■C O N T E N T S

Strategies for Validating User Input in PHP . . . . . . . . . . . . . . . . . . . . . . . 233
Secure PHP’s Inputs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
Allow Only Expected Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
Check Input Type, Length, and Format . . . . . . . . . . . . . . . . . . . . . . 236
Sanitize Values Passed to Other Systems . . . . . . . . . . . . . . . . . . . . 241
Testing Input Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247

■CHAPTER 12 Preventing SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
What SQL Injection Is . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
How SQL Injection Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 249
PHP and MySQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Kinds of User Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Kinds of Injection Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Multiple-query Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253
Preventing SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Demarcate Every Value in Your Queries . . . . . . . . . . . . . . . . . . . . . . 255
Check the Types of Users’ Submitted Values . . . . . . . . . . . . . . . . . 255
Escape Every Questionable Character in Your Queries . . . . . . . . . 256
Abstract to Improve Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
Full Abstraction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Test Your Protection Against Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

■CHAPTER 13 Preventing Cross-Site Scripting . . . . . . . . . . . . . . . . . . . . . . . . . 263
How XSS Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Scripting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
Categorizing XSS Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265
A Sampler of XSS Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
HTML and CSS Markup Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
JavaScript Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Forged Action URIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Forged Image Source URIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 270
Extra Form Baggage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Other Attacks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271

■C O N T E N T S

Preventing XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
SSL Does Not Prevent XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 271
Strategies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Test for Protection Against XSS Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 278

■CHAPTER 14 Preventing Remote Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
How Remote Execution Works . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
The Dangers of Remote Execution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Injection of PHP Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
Embedding of PHP Code in Uploaded Files . . . . . . . . . . . . . . . . . . . 283
Injection of Shell Commands or Scripts . . . . . . . . . . . . . . . . . . . . . . 285
Strategies for Preventing Remote Execution . . . . . . . . . . . . . . . . . . . . . . 287
Limit Allowable Filename Extensions for Uploads . . . . . . . . . . . . . . 288
Store Uploads Outside of Web Document Root . . . . . . . . . . . . . . . . 288
Allow Only Trusted, Human Users to Import Code . . . . . . . . . . . . . 289
Sanitize Untrusted Input to HYDO . . . . . . . . . . . . . . . . . . . . . . . . . 289
Do Not Include PHP Scripts from Remote Servers . . . . . . . . . . . . . 293
Properly Escape All Shell Commands . . . . . . . . . . . . . . . . . . . . . . . . 294
Beware of SUHJBUHSODFH Patterns with the H Modifier . . . . . 298
Testing for Remote Execution Vulnerabilities . . . . . . . . . . . . . . . . . . . . . 301
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

■CHAPTER 15 Enforcing Security for Temporary Files . . . . . . . . . . . . . . . . . 303
The Functions of Temporary Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Characteristics of Temporary Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Locations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Permanence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Risks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 304
Preventing Temporary File Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306
Make Locations Difficult . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Make Permissions Restrictive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310
Write to Known Files Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 311
Read from Known Files Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Checking Uploaded Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312
Test Your Protection Against Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . 313
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

xi

xii

■C O N T E N T S

■CHAPTER 16 Preventing Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
How Persistent Sessions Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
PHP Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315
Abuse of Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 318
Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 319
Fixation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321
Preventing Session Abuse . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Use Secure Sockets Layer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322
Use Cookies Instead of B*(7 Variables . . . . . . . . . . . . . . . . . . . . . 323
Use Session Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323
Regenerate IDs for Users with Changed Status . . . . . . . . . . . . . . . 324
Take Advantage of Code Abstraction . . . . . . . . . . . . . . . . . . . . . . . . 325
Ignore Ineffective Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325
Test for Protection Against Session Abuse . . . . . . . . . . . . . . . . . . . . . . . 326
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

PART 4

■■■

Practicing Secure Operations

■CHAPTER 17 Allowing Only Human Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 331
Kinds of Captchas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332
Text Image Captchas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Audio Captchas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334
Cognitive Captchas . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Creating an Effective Captcha Test Using PHP . . . . . . . . . . . . . . . . . . . . 336
Let an External Web Service Manage the Captcha for You . . . . . . 336
Creating Your Own Captcha Test . . . . . . . . . . . . . . . . . . . . . . . . . . . 339
Attacks on Captcha Challenges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344
Potential Problems in Using Captchas . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Hijacking Captchas Is Relatively Easy . . . . . . . . . . . . . . . . . . . . . . . 345
The More Captchas Are Used, the Better AI Attack Scripts
Get at Reading Them . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Generating Captchas Requires Time and Memory . . . . . . . . . . . . . 345
Captchas That Are Too Complex May Be Unreadable
by Humans . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
Even Relatively Straightforward Captchas May Fall Prey to
Unforeseeable User Difficulties . . . . . . . . . . . . . . . . . . . . . . . . . . 346
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 346

■C O N T E N T S

■CHAPTER 18 Verifying Your Users’ Identities . . . . . . . . . . . . . . . . . . . . . . . . . 347
Identity Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 347
Who Are the Abusers? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Spammers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348
Scammers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
Griefers and Trolls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 350
Using a Working Email Address for Identity Verification . . . . . . . . . . . . . 350
Verify the Working Mailbox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
Verifying Receipt with a Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351
When a Working Mailbox Isn’t Enough . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Requiring an Online Payment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Verifying a Physical Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
Using Short Message Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
Requiring a Verified Digital Signature . . . . . . . . . . . . . . . . . . . . . . . . 356
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 357

■CHAPTER 19 Using Roles to Authorize Actions . . . . . . . . . . . . . . . . . . . . . . . . 359
Application Access Control Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
Separate Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 360
User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
User Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Adding Content Sharing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363
Roles-based Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Authorization Based on Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
What Roles Look Like . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
The Name of the Role . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367
Location, Location, Location . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Taking Action . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Role Assignments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
Making RBAC Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Administrative Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Parts of the Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Approaches to Checking Badges . . . . . . . . . . . . . . . . . . . . . . . . . . . 374
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 375

xiii

xiv

■C O N T E N T S

■CHAPTER 20 Adding Accountability to Track Your Users . . . . . . . . . . . . . 377
A Review of System-level Accountability . . . . . . . . . . . . . . . . . . . . . . . . . 378
Basic Application Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Essential Logging Content . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
Ensuring That the Logging Succeeds . . . . . . . . . . . . . . . . . . . . . . . . 379
A Sample Application Logging Class in PHP . . . . . . . . . . . . . . . . . . 380
Specialized Application Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Business Logic Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
Database Modification Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . 388
Subrequest Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389
Response Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Full-state Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 390
Generating Usage Reports . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Important Alerts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
Periodic Summaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392
On-demand Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Displaying Log Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 398

■CHAPTER 21 Preventing Data Loss . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 399
Preventing Accidental Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 400
Adding a Locked Flag to a Table . . . . . . . . . . . . . . . . . . . . . . . . . . . . 401
Adding a Confirmation Dialog Box to an Action . . . . . . . . . . . . . . . . 401
Avoiding Record Deletion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 404
Adding a Deleted Flag to a Table . . . . . . . . . . . . . . . . . . . . . . . . . . . 405
Creating Less-privileged Database Users . . . . . . . . . . . . . . . . . . . . 405
Enforcing the Deleted Field in 6(/(&7 Queries . . . . . . . . . . . . . . . 406
Providing an Undelete Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Versioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Table Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408
Insert, Then Update . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410
Creating a Versioned Database Filestore . . . . . . . . . . . . . . . . . . . . . . . . . 411
A Realistic PHP Versioning System . . . . . . . . . . . . . . . . . . . . . . . . . . 412
Garbage Collection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 413
Other Means of Versioning Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

■C O N T E N T S

■CHAPTER 22 Safely Executing System Commands . . . . . . . . . . . . . . . . . . . 419
Dangerous Operations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419
Root-Level Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420
Resource-Intensive Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421
Making Dangerous Operations Safe . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 422
Create an API for Root-Level Operations . . . . . . . . . . . . . . . . . . . . . 422
Queue Resource-Intensive Operations . . . . . . . . . . . . . . . . . . . . . . . 423
Implementation Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433
Handling Resource-Intensive Operations with a Queue . . . . . . . . . 433
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 453

■CHAPTER 23 Handling Remote Procedure Calls Safely . . . . . . . . . . . . . . . 455
RPC and Web Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
Keeping a Web Services Interface Secure . . . . . . . . . . . . . . . . . . . . . . . . 457
Provide a Simple Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 457
Limiting Access to Web APIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458
Making Subrequests Safely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Handle Network Timeouts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459
Cache Subrequests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461
Make Sure Your HTTP Headers Are Well-Formed . . . . . . . . . . . . . . 462
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 466

■CHAPTER 24 Taking Advantage of Peer Review . . . . . . . . . . . . . . . . . . . . . . 467
The Bazaar Model for Software Development . . . . . . . . . . . . . . . . . . . . . 467
Security Benefits of Open Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . 468
Open Source Practicalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Code Sharability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Open Source Licensing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470
Open Source Repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471
Maintaining Open Source Code . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 472
Commercial and Shareware Open Source Code . . . . . . . . . . . . . . . 472

xv

xvi

■C O N T E N T S

Effective Bug Reporting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Do Not Insult the Developer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Make Sure That Your Bug Is New . . . . . . . . . . . . . . . . . . . . . . . . . . . 473
Provide Enough Information to Be Helpful . . . . . . . . . . . . . . . . . . . . 474
Propose Concise Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474
Write Your Report Clearly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Make the Effort . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Other Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475
Applying Open Source Principles to This Book . . . . . . . . . . . . . . . . . . . . 476

■INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 479

About the Authors

■CHRIS SNYDER is a software engineer at Fund for the City of New York, where he helps develop
next-generation websites and services for nonprofit organizations. He is a member of the
Executive Board of New York PHP, and has been looking for new ways to build scriptable, linked,
multimedia content since he saw his first Hypercard stack in 1988.

■MICHAEL SOUTHWELL is a retired English professor who has been developing websites for more
than ten years in the small business, nonprofit, and educational areas, with special interest in
problems of accessibility. He has authored and co-authored eight books and numerous articles
about writing, writing and computers, and writing education. He is a member of the Executive
Board of New York PHP, and a Zend Certified Engineer.

xvii

About the
Technical Reviewer

■TIMOTHY BORONCZYK is a native resident of Syracuse, NY, and works as the E-Services Coordinator for a local credit union. He has been involved in web design since 1998. He has written
several articles on PHP programming and other design topics. In his spare time, he enjoys
photography, listening to and composing music, spending time with friends, and sleeping with
his feet off the end of the bed. He’s easily distracted by shiny objects.

xix

Acknowledgments
T

his book would not be possible without the effort and encouragement of our entire production
team at Apress. We want to give special thanks to our Lead Editor, Jason Gilmore, and our
Technical Reviewer, Timothy Boronczyk, for their always thoughtful and helpful comments on
the text; to our Project Manager, Beth Christmas, for her patience and prodding as things went
slowly; to our Copy Editor, Ami Knox, for catching all those little details that slipped by; to our
Production Editor, Katie Stence, who helped us move from messy text to beautiful printed pages;
and to all the others, whose names we may not even know but for whose help we are grateful.
We hope to repay a tiny bit of our debt to the Open Source programming community with
this book, without whom few or none of our efforts would have been possible. The developers
who devoted countless hours and skill to implementing Free versions of the cryptographic
algorithms and protocols we use daily are worthy of special praise. At the end of the day, open,
auditable code is the only path to truly secure systems. And of course, we thank the many
developers of PHP itself, for building and sharing this amazing toolset with the world.
We want to single out for particular, heartfelt thanks the members of New York PHP, who
have worked so hard to promote wider, better, and safer use of PHP, and who have helped us to
better understand the many dimensions of the topics we’re writing about here. On the mailing
lists or at the meetings, it is hard to find a better company of coders so willing to give back to the
community. You have shown us that the true spirit of PHP is people helping people. Rock on.
Special thanks to Lillian, who once again has endured with grace long periods of distracted
inattention; and to Rebecca, whose strength and courage are a never-ending source of inspiration.

xxi

Introduction
T

he Internet is a dangerous place for applications. In fact, it is reasonable to say that you
couldn’t create a less secure system if you tried. It is anonymous, uncontrolled, always on,
and instantly accessible from anywhere. This is a world where every bad actor, cracker, script
kiddie, and scam artist is your neighbor, and it is stupendously difficult to deny them access to
your front door.
And those are just the human threats. Any one person can control hundreds or thousands
of distributed systems by means of scripting and techniques designed for clustered computing.
Automated systems that make network requests, sometimes called robots, can be operated
legitimately, as in the case of Google indexers or Akamai media proxies, but they can also be put
to nefarious ends. Distributed Denial of Service attacks are a crude form of this; more sophisticated
robots post advertisements on message boards, index prices across a wide range of e-commerce
sites, or hijack processing cycles and bandwidth from other systems.
Despite the protection we apply in terms of firewalls and spam filters, the Internet remains
a hostile environment. TCP/IP is insecure by design, and intentionally so. Any system between
you and a network server can read and modify the packets you send. In some cases, as with
Network Address Translation, they’re supposed to. In other cases—firewall content filtering
comes to mind—the ability to change the payload of packets lies outside of any specification or
guidelines. And the problem isn’t limited to modification by intermediaries. Packets can be
arbitrarily generated to look as though they come from somewhere else.
In a way, this inherent insecurity is a gift to the talented programmer; it forces you to leave
your assumptions behind, and invent creative methods of mitigating threats and recovering
from the misuse or abuse of your application. The wise programmer will see this as a benefit,
not a hindrance. The lack of an easy fix means that a well-written online application must be
robust, resistant to abuse, and easy to change as new threats are discovered. Secure practices
must be incorporated at every level: on the system, in the code, and throughout the interface.
In PHP, we have an amazing tool for dealing with this incredibly strange situation. Not only
is PHP an extremely flexible and powerful language, but it was written specifically for online
applications. It therefore includes a number of features that are designed to protect you from
common exploits. Unfortunately, the combination of power and ease of use embodied by the
language makes it a prime candidate for misuse, as both people who are new to programming
and seasoned coders used to working in a more structured environment make mistakes or
assumptions that expose their application, or the systems behind it, to attackers.
We present this book partially as a guide to help you understand the wide variety of ways in
which online applications, specifically client and server applications written in (or scripted
with) PHP, are vulnerable to attack and misuse. We therefore sometimes discuss secure practices
in general, without any particular reference to PHP. More important, however, we also focus on
how the PHP programming language can help your efforts at security, and so we aim to provide
PHP developers with an everyday toolset of secure coding practices and security-related
subsystems that can be used to build secure, or at least manageably secure, applications.
xxiii

xxiv

■I N T R O D U C T I O N

Who This Book Is For
You need this book if you are a programmer responsible for creating and maintaining online
applications that involve secure data. And you need this book even if you are a programmer
who is not responsible for creating and maintaining secure online applications, for security
threats are not confined to collecting what should be private information. If you are not a
programmer, but a project manager or even an end user, you may still gain valuable insight
from the concepts and practices we describe here, for they certainly will (at least we hope they
will) give you a new appreciation of the importance of building security into web transactions,
and they might even help you notice threats to the security of your own transactions. While it is
programmers who are responsible for building secure applications, it is end users who are
responsible for using them in a secure way—or deciding not to use them at all in situations
where the risk is too great.
We have tried to address programmers at every level of responsibility, from those who are
also enterprise system administrators (and thus control the servers on which the scripts run) to
individual programmers in one-person shops whose scripts run on shared hosts. Whatever
l