Exercises, examples and other material relating to training module H117. This topic is presented on public courses
If you put a PHP application on a public server, you probably intend it to be used by the public. Anyone with web access can come along to your page and run your scripts, but you're not going to be there to police them all the time. This module looks at the aspects of PHP security you should be aware of to prevent malicious actions, and also suggests that you consider security against simple user error too.
Articles and tips on this subject | updated |
4642 | A small teaching program - demonstration of principles only Putting a program on a public facing web server is like putting a car on the driveway outside your home, then going away on holiday. You had better make sure the car is locked, and that if it's an open-decked truck there's nothing left on the deck. Or you had better make sure that the driveway is secured. ... | 2016-02-08 |
3813 | Injection Attacks - PHP, SQL, HTML, Javascript - and how to neutralise them A delegate for tomorrow's PHP Techniques Course arrived early, and I've spent this afternoon taking a look at the fundamentals of what an "injection attack" is, and how to render attempts to attack your server using such methods harmless.
When you have a web application running, you'll be providing ... | 2012-08-11 |
3747 | An easy way to comply with the new cookie law if your site is well designed If your website is well structured, it shouldn't be a big problem update it to become compliant with the new cookie law - see [here].
I've completed the changes on three sites so far today - Well House Consultants, Well House Manor and Melksham Chamber of Commerce, and I have done considerable work ... | 2012-06-02 |
3698 | How to stop forms on other sites submitting to your scripts From time to time, many of us web site authors and maintainers put a form on our site which submits data to another site. It might be something as simple as a Google seach box or a webmail login page.
If you're developing a page / form which you do not want to be filled in remotely in this way, you ... | 2012-04-21 |
3210 | Catchable fatal error in PHP ... How to catch, and alternative solutions such as JSON When you ask your program to "print out an object", you're really looking to convert a data structure into a stream of characters, and it's not really obvious what you're looking to do.
If you try to print out an object in PHP:
print ($result . "\n");
where the $result variable contains ... | 2011-03-22 |
2939 | Protecting your images from use out of context If you want to prevent your images from being "hotlinked" from someone else's site ... why not feed them out via a PHP script that checks the referrer? ... If you've arrived at this article via "www.wellho.net", you should see a clean image - and the image is at the url "http://www.wellho.net/demo/doggypic.php". ... | 2010-08-30 |
2688 | Security considerations in programming - what do we teach? Many moons ago, I wrote and presented a security course - and ever since that time I have been acutely aware of the need to consider security in every aspect of system design, program writing and maintenance. And these days - with many of our programs "exposed" to people to run from remote places via ... | 2010-03-25 |
2628 | An example of an injection attack using Javascript Delegates sometimes ask me what an "injection attack" is, and for examples. I came across a really good example this morning on (oops!) one of our own pages - it's now fixed, but I'm documenting here and showing you what was happening so that you can learn from it.
Visiting one of the most popular pages ... | 2010-02-11 |
2025 | Injection Attack if register_globals in on - PHP You may have heard me talk about "injection attacks" and that having register_globals set to on in PHP makes you liable to be caught by them. Well - that's a little bit dramatic as you can write perfectly safe PHP scripts with the setting on if you're careful. Here's an example of a script which is ... | 2009-02-04 |
1779 | Injection Attacks - avoiding them in your PHP "Please help me debug this virus." I'm paraphrasing something that was posted, a long while ago now, on a board I look after ... and I deleted the code pretty darned fast, as I didn't (and still don't) want to form a source of information for the less scrupulous.
I was looking at a few issues on one ... | 2008-09-04 |
1747 | Who is watching you? How would you feel if someone sat opposite you in a train, stared hard at your throughout your journey, watched what you were doing all the time yet without engaging you at all? I suspect you would find that it made your spine tingle - it certainly would with me, and it would make me wonder what that ... | 2008-08-10 |
1694 | Defensive coding techniques in PHP? I used to write CAD system software (many moons ago), and when doing so I used what I call "defensive coding techniques". Which meant that I never trusted user input, that a file would be available, that I could write correctly to a device - I tested, tested and tested again. In our environment, it ... | 2008-07-02 |
1679 | PHP - Sanitised application principles for security and useability When you write a simple web based application, such as a tax calculator, it's always a good ides to echo back the values that your user filled in to the initial form as a part of the response page. That way, anyone who prints out the resulting screen will know just WHAT the question was that the page ... | 2008-06-23 |
426 | Robust checking of data entered by users 10 steps to testing the bullet proofing user inputs or how to avoid being caught by nasties when your script goes live!
1. Test it works with intended entries. It's not going to be much good if it falls over when someone entered a valid piece of data!
2. Test it works (fails correctly) with erroneous ... | 2008-05-17 |
345 | Spotting a denial of service attack Our web site traffic rose from 37000 hits last Wednesday to 64000 hits on Thursday. Good sales and marketing activity on our part? No - it's a potential problem; all the extra traffic came from a single location and my immediate concerns included:
* Possible denial of service, where all the bandwidth ... | 2008-05-04 |
1542 | Are nasty programs looking for security holes on your server? Looking through my log file reports for the last week, I have found the following in my "failed requests" log.
546: /errors.php
52: /errors.php?error=http://www.beautiful-america.com/admin/id.txt?
42: /errors.php?error=http://www.ticarbon.de/phpBB2/files/i?
32: /errors.php?error=http://test.iearn.uz/test.iearn.uz/assist.txt???
27: /errors.php?error=http://www.dg-mitteldeutschland.de/sys_crank/i?
26: /errors.php?error=http://hornydate.co.uk/sparky.txt??
25: /errors.php?error=http://www.sternkinder2007.de/video/lol?
So ... | 2008-02-18 |
1482 | A story about benchmarking PHP I've noticed recently that the response speed of this website hasn't been as brisk as I would have liked, and thought that the cause was a steady growth in the amount of code we run behind the scenes on each page - elements I particularly felt were culprits were identifying visitors to a country by their ... | 2007-12-24 |
1396 | Using PHP to upload images / Store on MySQL database - security questions Yesterday, the page on our website that shows you how to upload an image from a browser in a PHP script, store the image in a database, and later on retreive and redisplay the image, was visited 250 times. Not bad for such a specific subjec t on what I'll admit is something of an obscure web site.
One ... | 2007-10-19 |
1387 | Error logging to file not browser in PHP When you first install PHP on your web server, any errors and warnings in you code are flagged up in the browser window. And that's ideal for development purposes - any problems are quickly indicated to you, with pointers to where the issue lies.
But when you go live, there's a different story, Of ... | 2007-10-16 |
1323 | Easy handling of errors in PHP How often have you written a piece of code that's a "spike solution" - it works well on good data - and then spent just as long as you took to do most of the work in fixing errors? I know I have!
These days, I plan my error strategy from minute 0 of hour 0 of day 0. "How to handle errors" is a critical ... | 2007-08-27 |
1086 | Injection attacks - safeguard your PHP scripts An injection attack is where information supplied within a table entry box or upload file is used for malicious purposes - for example, if a user enters his name as fred'; drop database test; etc ... and finds that the script he has contacted inserts the text entered into a database query. Possible ... | 2007-02-20 |
1052 | Learning to write secure, maintainable PHP We're running a PHP course this week, and as ever I went around the room on the first day checking with the delegates what their "hot points" were, noting them on a board to the side to ensure that all the points ARE covered.
Security and maintainabily came up. And came up strong. Duly noted on the ... | 2007-01-30 |
947 | What is an SQL injection attack? An SQL injection attack is where a user of your form enters a piece of SQL code into it, and wraps it in special characters in such a way that the data entered doesn't get used for the purpose you had intended - it gets used to corrupt or destroy your database.
For example, if your form returns to $_REQUEST[message] ... | 2006-11-27 |
920 | A lion in a cage - PHP A lion in a cage shouldn't be a danger - but release the lion from the cage and you could be at risk.
An include file that's pulled in by a PHP script shouldn't be a danger if it's used only from within that PHP script, but if it has its own URL the it could be released like the lion, and it could be ... | 2006-11-12 |
Some modules are
available for download as a sample of our material or under an
Open Training Notes License for free download from
[here].
From first principles.
Testing.
PHP installed as CGI binary.
Possible attacks.
Installed as an Apache module.
Filesystem Security.
Error Reporting.
Using register globals.
Hiding PHP.
Keeping Current.
If you are looking for a complete course and not just a information on a single subject, visit our
Listing and schedule page.
Well House Consultants specialise in training courses in
Ruby,
Lua,
Python,
Perl,
PHP, and
MySQL. We run
Private Courses throughout the UK (and beyond for longer courses), and
Public Courses at our training centre in Melksham, Wiltshire, England.
It's surprisingly cost effective to come on our public courses -
even if
you live in a different
country or continent to us.
We have a technical library of over 700 books on the subjects on which we teach.
These books are available for reference at our training centre.