Posted by Erwin Moller on 10/25/07 09:35
Daniel wrote:
> is there a way to detect if a user tries to access a php file?
>
> For instance, db.config.php is called in many php pages but should
> never actually be open directly. Is there a way to know if someone
> tried to open it directly?
>
> Also, i want to learn more about securing php/MySQL pages any good
> resources I should start with?
Hi,
Security and PHP: some concepts that may help when searching/googling:
- File permissions of the files in use on your web application.
(Extra important in most 'shared hosting' environments.)
- php.ini (and phpinfo() function)
Try to get a good general idea of the settings in here.
Be sure to have register_globals OFF.
- Database: Make a new user for each database you create.
You might consider creating a read-only user, so IF your application
has some gaping hole, the cracker cannot modify your data.
You can maybe create a full-access user for the admin part of the
application.
Most databases let you create a fine structure for users, even down to the
table level.
- Receiving form data (SQL injection, header injection for email)
SQL injection:
Scrubbing form data is very important, since it is often the easiest way
to compromise a system.
Simply expect the data posted by clients to be harmful, and take all
precautions needed.
E.g.: If you receive text, be sure you escape (or filter out) all naughty
characters before using the data in a database query.
If you expect an integer, make sure it IS an integer, e.g.:
$myPostedInt = (int)$_POST["myPostedInt"];
Header injection:
When you use stuff like 'tell-a-friend' or other email functionality,
make 100% sure all form fields contain the data you expect. It is easy
to add more headers to the email, so bad guys can use your
email functionality as a spam gateway.
- .htaccess
If you use Apache and have AllowOverride for this host (which can be
very handy), be sure you understand the implications. If more people
have access to the system, e.g. to upload images, they can also place a
possibly harmful .htaccess file in some directory together with a PHP file,
allowing them to override your php.ini settings.
- Session hijacking
Understand how sessions work. If some bad guy gets hold of a
PHPSESSID, (s)he can use the session of another person (e.g. admin rights).
Just a few pointers. I hope this covers most popular exploits.
Good luck.
Regards,
Erwin Moller
>
> Thank you,
>
> Daniel
>
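The form-data points in Erwin's reply (integer checking, escaping before a query, header injection in mail forms) worked through in one file. This is an added example, not code from the thread: the `users` table, the SQLite in-memory database standing in for MySQL, and the `tell-a-friend` field names are assumptions. One caveat the example makes visible: `(int)$_POST["x"]` as suggested in the post does stop SQL injection, but it also turns `"12abc"` into `12` and `""` into `0`, so `filter_var(..., FILTER_VALIDATE_INT)` is used here when the page really wants to reject malformed input rather than coerce it. Requires PHP 7.1 or later with PDO and pdo_sqlite.

```php
<?php
// Added example (not Erwin's or Daniel's code). Shows strict integer
// validation, a parameterised query, and CR/LF rejection for mail headers.
// Table layout, DSN and form field names are assumed for illustration.

declare(strict_types=1);

/**
 * Return the posted value as an int, or null if it is not a well-formed
 * integer >= $min. Unlike (int)$_POST[...], "12abc", "1 OR 1=1" and ""
 * are all rejected instead of being coerced to 12, 1 and 0.
 */
function postedInt(array $post, string $key, int $min = 1): ?int
{
    if (!isset($post[$key])) {
        return null;
    }
    $v = filter_var($post[$key], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min]]);
    return $v === false ? null : $v;
}

/**
 * Fetch a user with a prepared statement. The value is sent separately from
 * the SQL text, so it can never change the structure of the query; no manual
 * escaping is needed.
 */
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name, email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Header injection: mail() separates headers with CRLF, so a subject of
 *   "hello\r\nBcc: victim@example.com"
 * silently adds a Bcc header. Refuse anything containing CR, LF or NUL.
 */
function cleanHeaderValue(string $value): ?string
{
    if (preg_match('/[\r\n\0]/', $value) === 1) {
        return null;
    }
    return trim($value);
}

/** A 'tell-a-friend' handler that refuses, rather than repairs, bad input. */
function tellAFriend(array $post): bool
{
    $to      = filter_var($post['to'] ?? '', FILTER_VALIDATE_EMAIL);
    $from    = filter_var($post['from'] ?? '', FILTER_VALIDATE_EMAIL);
    $subject = cleanHeaderValue($post['subject'] ?? '');
    if ($to === false || $from === false || $subject === null) {
        return false;
    }
    // The body is not a header, but keep it plain text with a length cap.
    $body = mb_substr(strip_tags($post['message'] ?? ''), 0, 2000);
    return mail($to, $subject, $body,
        "From: $from\r\nContent-Type: text/plain; charset=UTF-8");
}

// ---- constructed demo input (assumption: SQLite stands in for MySQL) ----
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 'alice@example.com')");

foreach (['1', '12abc', '1 OR 1=1', ''] as $raw) {
    $id = postedInt(['id' => $raw], 'id');
    printf("%-12s -> %s\n", var_export($raw, true),
        $id === null ? 'rejected' : json_encode(findUser($db, $id)));
}

var_dump(cleanHeaderValue("hello\r\nBcc: spam-target@example.com")); // NULL
var_dump(tellAFriend(['to' => 'a@example.com', 'from' => 'b@example.com',
    'subject' => "x\nBcc: c@example.com", 'message' => 'hi'])); // false
```

Only the last call would actually send mail, and it is rejected before reaching `mail()`; the rest runs offline. The same pattern (validate the type you expect, bind parameters, reject control characters in anything that becomes a header) applies to `mysqli` prepared statements just as well as to PDO.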
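Daniel's opening question (noticing when someone opens `db.config.php` by URL) and the session-hijacking pointer at the end of the reply, as one added example that is not part of the thread. The `APP_ENTRY` constant, the file layout and the log destination are assumptions; the guard only detects and blocks direct requests, and the stronger fix remains keeping configuration files outside the web server's document root so they cannot be requested at all. Requires PHP 7.3 or later for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example (not from the post). Two pieces:
//  1. a guard for include-only files such as db.config.php: the entry
//     script defines APP_ENTRY before including anything; a direct request
//     for db.config.php never runs the entry script, so the constant is
//     missing, the attempt is logged and the response is 403.
//  2. session settings that make a stolen or fixed PHPSESSID less useful.
// APP_ENTRY and the file names are assumptions for illustration.

declare(strict_types=1);

/**
 * Put this at the top of db.config.php (and any other include-only file).
 * Written as a function here so the whole example is a single file.
 */
function requireIncludedViaEntryScript(string $self): void
{
    if (defined('APP_ENTRY')) {
        return;                          // normal path: included by index.php
    }
    // Direct hit: record who asked for what. Goes to the SAPI/Apache error
    // log by default. Never echo anything from the configuration itself.
    error_log(sprintf('direct access to %s from %s uri=%s ua=%s',
        basename($self),
        $_SERVER['REMOTE_ADDR'] ?? 'cli',
        $_SERVER['REQUEST_URI'] ?? '-',
        $_SERVER['HTTP_USER_AGENT'] ?? '-'));
    http_response_code(403);
    exit;
}

/**
 * Start a session so the ID travels only in an HttpOnly cookie: no
 * ?PHPSESSID= in URLs (so it does not leak via Referer or proxy logs),
 * JavaScript cannot read it, Secure when served over HTTPS, and strict mode
 * makes PHP refuse IDs it did not issue itself (blocks session fixation).
 */
function startHardenedSession(): void
{
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => !empty($_SERVER['HTTPS']),
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

/**
 * Call after a successful login and on any privilege change. Issuing a new
 * ID means an ID captured or planted before login no longer maps to the
 * authenticated session, which is the attacker's goal in hijacking.
 */
function promoteSession(int $userId): void
{
    $before = session_id();
    session_regenerate_id(true);         // true: destroy the old session data
    $_SESSION['uid']     = $userId;
    $_SESSION['auth_at'] = time();
    error_log(sprintf('session %s promoted to %s for uid %d',
        $before, session_id(), $userId));
}

// ---- index.php (entry script) -----------------------------------------
define('APP_ENTRY', true);               // must precede every include
requireIncludedViaEntryScript(__FILE__); // stands in for: require 'db.config.php';
startHardenedSession();
promoteSession(42);
echo 'authenticated session ', session_id(), ' uid=', $_SESSION['uid'], "\n";
```

Run as-is it passes the guard because `APP_ENTRY` is defined first; delete that `define()` line and the script logs the access and exits with 403 instead, which is exactly what a direct request for `db.config.php` would do. Pair the guard with a `Deny from all` (or `Require all denied`) rule for the directory if you also control the Apache configuration, so the file is blocked before PHP is even invoked.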