Well House Consultants
You are on the site of Well House Consultants who provide Open Source Training Courses and business hotel accommodation. You are welcome to browse and use our resources subject to our copyright statement and to add in links from your pages to ours.
PHP module H117
Security in PHP
Exercises, examples and other material relating to training module H117. This topic is presented on the public courses Learning to program in PHP and PHP Programming.

If you put a PHP application on a public server, you probably intend it to be used by the public. Anyone with web access can come along to your page and run your scripts, but you're not going to be there to police them all the time. This module looks at the aspects of PHP security you should be aware of to prevent malicious actions, and also suggests that you consider security against simple user error too.

Related technical and longer articles
Spotting and stopping denial of service attacks

Articles and tips on this subject (updated)
4642: A small teaching program - demonstration of principles only
Putting a program on a public facing web server is like putting a car on the driveway outside your home, then going away on holiday. You had better make sure the car is locked, and that if it's an open-decked truck there's nothing left on the deck. Or you had better make sure that the driveway is secured. ...
2016-02-08
 
3813: Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them
A delegate for tomorrow's PHP Techniques Course arrived early, and I've spent this afternoon taking a look at the fundamentals of what an "injection attack" is, and how to render attempts to attack your server using such methods harmless. When you have a web application running, you'll be providing ...
2012-08-11
 
3747: An easy way to comply with the new cookie law if your site is well designed
If your website is well structured, it shouldn't be a big problem to update it to become compliant with the new cookie law - see [here]. I've completed the changes on three sites so far today - Well House Consultants, Well House Manor and Melksham Chamber of Commerce, and I have done considerable work ...
2012-06-02
 
3698: How to stop forms on other sites submitting to your scripts
From time to time, many of us web site authors and maintainers put a form on our site which submits data to another site. It might be something as simple as a Google search box or a webmail login page. If you're developing a page / form which you do not want to be filled in remotely in this way, you ...
2012-04-21
 
3210: Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON
When you ask your program to "print out an object", you're really looking to convert a data structure into a stream of characters, and it's not really obvious what you're looking to do. If you try to print out an object in PHP:   print ($result . "\n"); where the $result variable contains ...
2011-03-22
 
2939: Protecting your images from use out of context
If you want to prevent your images from being "hotlinked" from someone else's site ... why not feed them out via a PHP script that checks the referrer? ... If you've arrived at this article via "www.wellho.net", you should see a clean image - and the image is at the url "http://www.wellho.net/demo/doggypic.php". ...
2010-08-30
 
2688: Security considerations in programming - what do we teach?
Many moons ago, I wrote and presented a security course - and ever since that time I have been acutely aware of the need to consider security in every aspect of system design, program writing and maintenance. And these days - with many of our programs "exposed" to people to run from remote places via ...
2010-03-25
 
2628: An example of an injection attack using Javascript
Delegates sometimes ask me what an "injection attack" is, and for examples. I came across a really good example this morning on (oops!) one of our own pages - it's now fixed, but I'm documenting here and showing you what was happening so that you can learn from it. Visiting one of the most popular pages ...
2010-02-11
 
2025: Injection Attack if register_globals is on - PHP
You may have heard me talk about "injection attacks" and that having register_globals set to on in PHP makes you liable to be caught by them. Well - that's a little bit dramatic as you can write perfectly safe PHP scripts with the setting on if you're careful. Here's an example of a script which is ...
2009-02-04
 
1779: Injection Attacks - avoiding them in your PHP
"Please help me debug this virus." I'm paraphrasing something that was posted, a long while ago now, on a board I look after ... and I deleted the code pretty darned fast, as I didn't (and still don't) want to form a source of information for the less scrupulous. I was looking at a few issues on one ...
2008-09-04
 
1747: Who is watching you?
How would you feel if someone sat opposite you in a train, stared hard at you throughout your journey, watched what you were doing all the time yet without engaging you at all? I suspect you would find that it made your spine tingle - it certainly would with me, and it would make me wonder what that ...
2008-08-10
 
1694: Defensive coding techniques in PHP?
I used to write CAD system software (many moons ago), and when doing so I used what I call "defensive coding techniques". Which meant that I never trusted user input, that a file would be available, that I could write correctly to a device - I tested, tested and tested again. In our environment, it ...
2008-07-02
 
1679: PHP - Sanitised application principles for security and useability
When you write a simple web based application, such as a tax calculator, it's always a good idea to echo back the values that your user filled in to the initial form as a part of the response page. That way, anyone who prints out the resulting screen will know just WHAT the question was that the page ...
2008-06-23
 
426: Robust checking of data entered by users
10 steps to testing and bullet-proofing user inputs, or how to avoid being caught by nasties when your script goes live! 1. Test it works with intended entries. It's not going to be much good if it falls over when someone entered a valid piece of data! 2. Test it works (fails correctly) with erroneous ...
2008-05-17
 
345: Spotting a denial of service attack
Our web site traffic rose from 37000 hits last Wednesday to 64000 hits on Thursday. Good sales and marketing activity on our part? No - it's a potential problem; all the extra traffic came from a single location and my immediate concerns included: * Possible denial of service, where all the bandwidth ...
2008-05-04
 
1542: Are nasty programs looking for security holes on your server?
Looking through my log file reports for the last week, I have found the following in my "failed requests" log.  546: /errors.php   52:   /errors.php?error=http://www.beautiful-america.com/admin/id.txt?   42:   /errors.php?error=http://www.ticarbon.de/phpBB2/files/i?   32:   /errors.php?error=http://test.iearn.uz/test.iearn.uz/assist.txt???   27:   /errors.php?error=http://www.dg-mitteldeutschland.de/sys_crank/i?   26:   /errors.php?error=http://hornydate.co.uk/sparky.txt??   25:   /errors.php?error=http://www.sternkinder2007.de/video/lol? So ...
2008-02-18
 
1482: A story about benchmarking PHP
I've noticed recently that the response speed of this website hasn't been as brisk as I would have liked, and thought that the cause was a steady growth in the amount of code we run behind the scenes on each page - elements I particularly felt were culprits were identifying visitors to a country by their ...
2007-12-24
 
1396: Using PHP to upload images / Store on MySQL database - security questions
Yesterday, the page on our website that shows you how to upload an image from a browser in a PHP script, store the image in a database, and later on retrieve and redisplay the image, was visited 250 times. Not bad for such a specific subject on what I'll admit is something of an obscure web site. One ...
2007-10-19
 
1387: Error logging to file not browser in PHP
When you first install PHP on your web server, any errors and warnings in your code are flagged up in the browser window. And that's ideal for development purposes - any problems are quickly indicated to you, with pointers to where the issue lies. But when you go live, there's a different story. Of ...
2007-10-16
 
1323: Easy handling of errors in PHP
How often have you written a piece of code that's a "spike solution" - it works well on good data - and then spent just as long as you took to do most of the work in fixing errors? I know I have! These days, I plan my error strategy from minute 0 of hour 0 of day 0. "How to handle errors" is a critical ...
2007-08-27
 
1086: Injection attacks - safeguard your PHP scripts
An injection attack is where information supplied within a table entry box or upload file is used for malicious purposes - for example, if a user enters his name as fred'; drop database test; etc ... and finds that the script he has contacted inserts the text entered into a database query. Possible ...
2007-02-20
 
1052: Learning to write secure, maintainable PHP
We're running a PHP course this week, and as ever I went around the room on the first day checking with the delegates what their "hot points" were, noting them on a board to the side to ensure that all the points ARE covered. Security and maintainability came up. And came up strong. Duly noted on the ...
2007-01-30
 
947: What is an SQL injection attack?
An SQL injection attack is where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended - it gets used to corrupt or destroy your database. For example, if your form returns to $_REQUEST[message] ...
2006-11-27
 
920: A lion in a cage - PHP
A lion in a cage shouldn't be a danger - but release the lion from the cage and you could be at risk. An include file that's pulled in by a PHP script shouldn't be a danger if it's used only from within that PHP script, but if it has its own URL then it could be released like the lion, and it could be ...
2006-11-12
 
Examples from our training material
inject.php   Injection attacks and preventing them
Background information
Some modules are available for download as a sample of our material or under an Open Training Notes License for free download from [here].
Topics covered in this module
From first principles.
Testing.
PHP installed as CGI binary.
Possible attacks.
Installed as an Apache module.
Filesystem Security.
Error Reporting.
Using register globals.
Hiding PHP.
Keeping Current.
Complete learning
If you are looking for a complete course and not just information on a single subject, visit our Listing and schedule page.

Well House Consultants specialise in training courses in Ruby, Lua, Python, Perl, PHP, and MySQL. We run Private Courses throughout the UK (and beyond for longer courses), and Public Courses at our training centre in Melksham, Wiltshire, England. It's surprisingly cost effective to come on our public courses - even if you live in a different country or continent to us.

We have a technical library of over 700 books on the subjects on which we teach. These books are available for reference at our training centre.



© WELL HOUSE CONSULTANTS LTD., 2018: Well House Manor • 48 Spa Road • Melksham, Wiltshire • United Kingdom • SN12 7NY
PH: 01144 1225 708225 • FAX: 01144 1225 793803 • EMAIL: info@wellho.net • WEB: http://www.wellho.net • SKYPE: wellho

PAGE: http://www.wellho.net/resources/H117.html • PAGE BUILT: Mon Feb 8 18:55:24 2016 • BUILD SYSTEM: WomanWithCat