Web Publishing Help

Using PHP Scripts on the URI Web Server


PHP is available on the URI server to departments, faculty and staff who request it. A separate page covers the basics of PHP. Whenever PHP scripts are used, their security must be considered: a single vulnerable script can expose every site on the shared server. This document describes some simple steps that make the use of PHP scripts or web applications more secure.

Stay Current with Third-Party PHP Scripts

When using third-party PHP scripts developed by others, such as open source scripts made freely available for download from SourceForge and similar sites, follow the development of the application and stay current with its releases. If a vulnerability is announced and a patch is released, update the scripts immediately. If you are found to be running a very old version of a web application that contains known security vulnerabilities, your website may be taken offline. The security of the server shall not be compromised for any reason.

Work with Custom PHP Scripts

When developing your own PHP scripts, be aware of security issues, and review the OWASP Top 10 Security Vulnerabilities. Listed below are some things you can do to make your web application more secure. For more information, visit the links above.

  1. Always validate user input before using it to do anything in your script. Even form variables such as select boxes and hidden fields need to be validated, because the client can submit any value it likes; check that the value chosen is in the original list of values and reject anything else.
  2. Always escape characters such as single or double quotes, backslashes (\), percent symbols, and other characters that could change how a value is interpreted, and escape for the context the value is going to: htmlspecialchars() for HTML output, escapeshellarg() for shell arguments, and bound parameters in prepared statements for SQL (see the database section below).
  3. Take extra precaution when executing commands that include user input (system(), exec(), backticks and similar). An attacker can inject an additional shell command this way; avoid building commands from input where possible, and pass each argument through escapeshellarg() where you must.
  4. When dealing with secure information (such as passwords), choose a good password that is hard to guess. Generic passwords such as 'admin' should never be used, and neither should dictionary words. Secure passwords are at least 8 characters long (longer is better), contain at least one numeric digit, and do not consist of dictionary words. Never store passwords in plain text, and never store them as a plain MD5 or SHA-1 hash: those functions are fast and unsalted, so stored hashes can be reversed with precomputed tables. Use a salted, deliberately slow password hash, for example PHP's password_hash() (bcrypt by default) with password_verify() to check a login.
  5. Stay away from default filenames, such as putting administrative functionality in the admin/ folder. Generic names are easy targets for attackers scanning the server. Renaming is not a substitute for authentication, however: the administrative pages must still require a login.
  6. When opening a PHP block on a page, always use the full <?php and ?> tags. Using the short tag <? depends on the short_open_tag setting, and your script (including any passwords or database credentials in it) could be served as plain text if the server configuration is changed.
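
The following is an added example, not code from the URI help page, showing items 1 through 4 above applied in one script. The form field names, the department list, the directory-listing command and the sample input are assumptions for illustration; password_hash() requires PHP 5.5 or later.

```php
<?php
// Added example (not from the URI help page): hardened handling of form input
// covering items 1-4 above. $post below is a constructed sample standing in
// for $_POST; field names and the department list are assumptions.

declare(strict_types=1);

// Item 1: validate a select box against the original list of values.
// Anything not in the allow-list is rejected, however harmless it looks.
function validateDepartment(array $post): ?string
{
    $allowed = ['biology', 'chemistry', 'physics'];  // the options the form offered
    $value = isset($post['department']) ? $post['department'] : '';
    // strict comparison so that "0" or an array cannot match loosely
    return in_array($value, $allowed, true) ? $value : null;
}

// Item 2: escape for the context the value is going to, here HTML output.
// (Escaping for SQL is a separate problem; see the database section.)
function renderGreeting(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Item 3: never splice user input into a shell command unescaped.
// escapeshellarg() wraps the value in single quotes and escapes embedded
// quotes, so "photos; rm -rf /" stays one argument instead of two commands.
function buildListCommand(string $userSuppliedDir): string
{
    // Refuse traversal and NUL bytes before the value reaches the shell at all.
    if (strpos($userSuppliedDir, '..') !== false || strpos($userSuppliedDir, "\0") !== false) {
        throw new InvalidArgumentException('invalid directory name');
    }
    return 'ls -l ' . escapeshellarg($userSuppliedDir);
}

// Item 4: store passwords with a slow, salted, one-way hash, not MD5.
// password_hash() picks the salt and algorithm (bcrypt by default);
// password_verify() recomputes the hash and compares in constant time.
function storePassword(string $plain): string
{
    if (strlen($plain) < 8) {
        throw new InvalidArgumentException('password too short');
    }
    return password_hash($plain, PASSWORD_DEFAULT);
}

function checkPassword(string $plain, string $storedHash): bool
{
    return password_verify($plain, $storedHash);
}

// --- demonstration on constructed input ---
$post = [
    'department' => "physics' OR 1=1",           // tampered select-box value
    'name'       => '<script>alert(1)</script>', // script injection attempt
];

var_dump(validateDepartment($post));            // rejected: not in the allow-list
echo renderGreeting($post['name']), "\n";        // tags are rendered inert
echo buildListCommand('photos; rm -rf /'), "\n"; // single quoted argument

$hash = storePassword('correct horse battery');
var_dump(checkPassword('correct horse battery', $hash)); // matching password
var_dump(checkPassword('admin', $hash));                 // wrong password
```

Note that the stored hash differs on every call to storePassword() because password_hash() generates a fresh salt; that is expected, and password_verify() reads the salt back out of the stored string.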

Register Globals Setting

The URI web server has the register_globals setting turned off. This means that the source of every variable's value must be stated explicitly in the script. When the setting is on, request data is turned into ordinary PHP variables, so a script can use a variable without knowing where its value came from; it can only assume it came from the expected place. The setting specifically affects variables that come from the request, such as GET, POST and COOKIE values (among others). For example: previously, if you had a login form on your page and the textbox was named username, the PHP variable you used to reference what was submitted could simply have been $username, and its value could have come from a GET or POST request, or a cookie. Now you need to use $_POST['username'] (the older $HTTP_POST_VARS['username'] also works but is deprecated). This is better, because you know for sure the value is coming from a POST request. More importantly, with register_globals on, any variable your script forgets to initialise (an $authorized flag set only after a successful login, for instance) could be pre-set by an attacker simply by adding ?authorized=1 to the URL. With the setting off, request data can only reach the script through the $_GET, $_POST and $_COOKIE arrays, so such variables cannot be forged.

To upgrade your script to work with the new setting, the proper, secure way is to go through your code and initialise the necessary variables (at the beginning, or before first use) from the appropriate array and index, i.e. $username = $_POST['username']; and to give every other variable an explicit starting value. Alternately, for an immediate (temporary) solution, you could add the following code to the PHP files you are having problems with: import_request_variables("GPC"); This call takes the GET, POST and COOKIE arrays and declares a variable for every index in them, so $_POST['username'] becomes $username and your script behaves as it did before register_globals was turned off. Be aware that this also brings back the problem described above: every variable the client sends becomes a variable in your script, so treat it strictly as a stop-gap while you convert the code. The function was removed along with register_globals in PHP 5.4, so scripts relying on it will stop working when the server's PHP is upgraded.
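
The following is an added example, not code from the URI help page. It shows the kind of bug register_globals made possible and a narrower replacement for the import_request_variables("GPC") stop-gap that only imports the fields a script declares it needs. The field names, the $authorized flag and the sample credentials are assumptions for illustration; password_hash() requires PHP 5.5 or later.

```php
<?php
// Added example (not from the URI help page). The variable and field names
// are assumptions; the credentials and hash are constructed for the demo.

// --- Pattern that register_globals = On made exploitable ---
// Top-level code as found in an old script, kept here as a comment:
//
//   if (check_login($username, $password)) {  // values from GET, POST or COOKIE
//       $authorized = true;
//   }
//   if ($authorized) { show_admin_panel(); }   // never initialised on failure
//
// A request to script.php?authorized=1 pre-sets $authorized = "1" before the
// script runs, so the admin panel opens without a valid login. A script that
// reads only $_POST['username'] and $_POST['password'] cannot be tricked
// this way, because nothing the client sends becomes a plain variable.

// --- Replacement for import_request_variables("GPC") ---
// Copies only the named fields, from one source array, each with a default,
// instead of creating a variable for every key the client happened to send.
function importFields(array $source, array $fields): array
{
    $out = [];
    foreach ($fields as $name => $default) {
        $out[$name] = (isset($source[$name]) && is_string($source[$name]))
            ? $source[$name]
            : $default;
    }
    return $out;
}

function handleLogin(array $post, string $storedHash): bool
{
    // Only username and password may come from the request. $authorized is a
    // local that starts false regardless of what the client sent.
    $in = importFields($post, ['username' => '', 'password' => '']);
    $authorized = false;

    if ($in['username'] === 'admin' && password_verify($in['password'], $storedHash)) {
        $authorized = true;
    }
    return $authorized;
}

// --- demonstration on constructed input ---
$storedHash = password_hash('s3cret-example', PASSWORD_DEFAULT); // constructed account

// Attacker sends an extra "authorized" field together with a wrong password.
$attack = ['authorized' => '1', 'username' => 'admin', 'password' => 'wrong'];
var_dump(handleLogin($attack, $storedHash));  // the extra field is simply ignored

// Legitimate login with the right password.
$good = ['username' => 'admin', 'password' => 's3cret-example'];
var_dump(handleLogin($good, $storedHash));
```

The same importFields() call can be repeated with $_GET or $_COOKIE as the source when a script genuinely needs values from those arrays; the point is that each field is listed once, by name, with the array it is expected to come from.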

Work with Database Applications on the Web

Many web applications interface with databases for much of their content and functionality, and this brings its own security issues. Be very careful of SQL injection. SQL injection occurs when an attacker is able to modify an SQL query the application builds (usually through a form variable or URL) so that the database executes something other than what the author intended. This may be an additional query appended to the original, or simply a changed WHERE clause that makes the existing query match every row or bypass a login check. Through this, your database can be read or modified, table rows can be deleted and the security of your web application can be compromised. Never trust user input; validate all variables used in SQL queries, and, where possible, do not build queries from strings at all: use prepared statements with bound parameters (PDO or mysqli), which keep the SQL text fixed and send the values separately. There is an excellent white paper on how to protect from SQL injection (PDF) in your web application.
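
The following is an added example, not code from the URI help page or the white paper. It runs the same user lookup two ways, once by concatenating the value into the SQL text and once as a prepared statement, against a constructed in-memory SQLite table so that it can be run without a database server. It assumes the pdo_sqlite extension is loaded; the table and column names are assumptions for illustration.

```php
<?php
// Added example (not from the URI help page). Table, columns and rows are
// constructed for the demonstration; assumes the pdo_sqlite extension.

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
    $db->exec("INSERT INTO users (username, role) VALUES ('alice', 'admin'), ('bob', 'staff')");
    return $db;
}

// Vulnerable: the value is pasted into the SQL text, so a quote inside it
// ends the string literal and whatever follows is parsed as SQL.
function findUserVulnerable(PDO $db, string $username): array
{
    $sql = "SELECT username, role FROM users WHERE username = '" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time; the value travels as a
// bound parameter and is never parsed as SQL, whatever characters it holds.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT username, role FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// A normal lookup behaves the same either way.
print_r(findUserVulnerable($db, 'alice'));
print_r(findUserSafe($db, 'alice'));

// The classic payload turns the WHERE clause into a tautology:
//   SELECT ... WHERE username = '' OR '1'='1'
// No second query is needed; the vulnerable version now returns every row,
// including the admin account.
$payload = "' OR '1'='1";
print_r(findUserVulnerable($db, $payload));

// The prepared statement searches for a user literally named ' OR '1'='1
// and returns an empty result set.
print_r(findUserSafe($db, $payload));
```

When the database is MySQL rather than SQLite, also set PDO::ATTR_EMULATE_PREPARES to false so that the binding is done by the server and not by client-side string substitution, and keep the application's database account limited to the tables and statements it actually needs, so that an injection that does slip through can do less damage.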

For Further Assistance

There is also a wealth of information on PHP and database programs such as MySQL on the Web and in books. Below is a selective list of free Web-based tutorials that we identified to get you started on this subject. Please also refer to the PHP website or use a search engine such as Google for more information.

The Office of Information Services also offers group training in the form of short courses on various Web-related topics. Please check the Office of Information Services short courses listing for availability information.