Secure PHP Development- P13

Secure PHP Development- P13: Welcome to Secure PHP Development: Building 50 Practical Applications. PHPhas come a long way since its first incarnation as a Perl script. Now PHP is a powerfulWeb scripting language with object-oriented programming support. Slowlybut steadily it has entered the non-Web scripting arena often reserved for Perl andother shell scripting languages. Arguably, PHP is one of the most popular Web platforms.
Nội dung trích xuất từ tài liệu:
Secure PHP Development- P13 Chapter 2: Understanding and Avoiding Security Risks 31 // some code to verify coupon code echo “Check if user given coupon is valid or not.”; return ($code % 1000 == 0) ? TRUE : FALSE; } function isCustomer() { // a function to determine if current user // user is a customer or not. // not implemented. echo “Check if user is a customer or not.”; return FALSE; }?> When this script is run ashttp://server/bad_autovars.php?couponCode=2000 it checks to see if the coupon code is valid. The is_coupon() function takes theuser given coupon code and checks if the given code is completely divisible by1000 or not. Code that are divisible by 1000 are considered valid and the functionreturns TRUE else it returns FALSE. If the coupon code is valid, it checks whetherthe current user is a customer. If the current user is a customer, it shows a messageindicating that the customer is a winner. If the current user is not a customer, itshows the following:Check if user given coupon is valid or not.Check if user is a customer or not.Sorry you did not win! Because we didn’t implement the isCustomer() function, we return FALSE at alltimes, so there’s no way we should ever show a message stating that the currentuser is a winner. But alas! Look at the following request:http://server/bad_autovars.php?couponCode=1001&is_customer=1 Even with an invalid coupon, the user is able to see the following message:Check if user given coupon is valid or not.You are a lucky customer.You won big today!32 Part I: Designing PHP Applications Do you know why the user is able to see the preceding message? Because this user has supplied is_customer=1, which became an automatic variable and forced the winner message to appear. This type of trick can be done only with strong knowledge of the application being used. For example, if this was a free script widely used by many sites, a malicious hacker could force it to get what he wants. This example demonstrates that automatic variables can be tricked into doing things that are not intended by the programmers, so we need to have a better way of getting user data. Thankfully, PHP 4.2 or above by default do not create auto- matic variables. Creating automatic variables is turned off in the php.ini configu- ration file using the following configuration parameter: register_globals = Off When register_globals is off by default, PHP does not create automatic variables. So how can you get data from the user? Very easily using $_GET, $_POST, $_REQUEST, $_SERVER, $_SESSION, $_ENV, and $_COOKIE. Table 2-1 shows which of these variables correspond to what input of a request. TABLE 2-1 PHP GLOBAL-REQUEST-RELATED AUTOMATIC VARIABLES Variable Description $_GET Used for storing data passed via HTTP GET method. For example, http://server/any.php?a=1&b=2 will result in $_GET[‘a’] = 1; $_GET[‘b’] = 2; $_POST Used for storing data passed via HTTP POST method. For example: When this form is submitted, the any.php will have $_POST[‘email’] = user_supplied_email $_POST[‘step’] = 2 $_REQUEST Works for both GET and POST. This variable is the best choice because it will work with your application whether data is submitted via the GET method or the POST method. $_SESSION Stores session data. $_COOKIE Stores cookie data. Chapter 2: Understanding and Avoiding Security Risks 33Variable Description$_ENV Stores environment information.$_FILES Stores uploaded file information.$GLOBALS All global variables that are stored in this associative array. Now let’s implement bad_autovars.php without the automatic field variables asshown in Listing 2-4.Listing 2-4: autovars_free.php34 Part I: Designing PHP Applications Listing 2-4 (Continued) } function isCustomer() { // a function to determine if current user // user is a customer or not. // not implemented. echo “Check if user is customer ”; return FALSE; } ?> Cha ...