protecting against cracking into filesystem - Page 2



Re: protecting against cracking into filesystem

On Jan 12, 6:15 pm, wrote:

The short of it, follow the Fox Mulder approach when it comes to
handling user input and trust no one

The long of it, there are plenty of ways a PHP script could be
breached but what may happen depends on the script itself and what
it's doing.  Here are a few tips that can be applied in general:

Never trust user input.  Always check that form variables are in the
correct format and are valid for what you're attempting to do with
them.  One tip to do this quickly for integer values is to simply
apply intval() to them.  Any invalid input will evaluate to 0.

Never pass an unsanitized string to a database query.  The vast
majority of cracks in PHP apps occur this way.  A malicious user could
potentially use a script that doesn't check its input before passing
it to a database to do almost anything - Insert malicious data, expose
sensitive information, delete tables, anything.  PDO prepared
statements are one way to limit the possibility of damage, but don't
depend on them as your only line of defence.  Validate your data.

Give permission to your script to do what it has to do to work and
nothing else.  If your script writes to the filesystem, allow it to
write only to locations you condone by chmodding directories.
Directories with a chmod value of 0777 are wide open.  Create database
users for your application to use that have access only to what they

Keep as much of your application out of web-facing locations as
possible.  Of course the scripts that generate web page output must be
visible from the web but there's no reason includes have to be.

Don't use filesystem commands (rmdir, unlink, fopen etc.) in your
scripts unless you absolutely have to.  Unvalidated input passed to
commands that access or modify the filesystem can have dire
consequences. You risk exposing sensitive files like /etc/passwd or
damage to the filesystem that will prevent the machine from

Under no circumstances should you use eval(), exec() or any
and Exec are probably the most dangerous commands in the PHP command
set. I've managed in years of coding to never use either, if you think
you do need them then think very carefully about your design as it
might be a code smell that there's something fundamentally wrong with
what you're trying to do.
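The rules in this reply applied to one small download script, as an added example (not the poster's code): the upload directory, the database DSN, the table layout and the session field are assumptions.

```php
<?php
// Added example, not from the thread. Assumed layout: user files live under
// UPLOAD_DIR (hypothetical path, kept outside the web root), the request carries
// ?id=<integer>&name=<filename>, and $_SESSION['user_id'] holds the logged-in user.
declare(strict_types=1);
session_start();

const UPLOAD_DIR = '/var/www/app/uploads'; // hypothetical, not web-facing

// 1. Integer input: intval() turns anything invalid into 0, which is rejected.
$id = intval($_GET['id'] ?? '');
if ($id <= 0) {
    http_response_code(400);
    exit('invalid id');
}

// 2. Filesystem input: never let request data choose the directory.
//    basename() drops directory components, the allowlist pattern rejects
//    unexpected characters, and realpath() confirms the final path is under
//    UPLOAD_DIR (this is what stops ../ sequences from leaving the directory).
$name = basename((string) ($_GET['name'] ?? ''));
if ($name === '' || !preg_match('/^[A-Za-z0-9._-]{1,64}$/', $name)) {
    http_response_code(400);
    exit('invalid file name');
}
$base = realpath(UPLOAD_DIR);
$path = realpath(UPLOAD_DIR . '/' . $name);
if ($base === false || $path === false
    || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
    http_response_code(404);
    exit('not found');
}

// 3. Database input: a PDO prepared statement keeps the values out of the SQL
//    text, and the ownership check is made against the database row rather
//    than against anything the client sent.
$pdo = new PDO('sqlite:' . __DIR__ . '/app.db'); // hypothetical DSN
$stmt = $pdo->prepare('SELECT owner FROM uploads WHERE id = :id AND file_name = :name');
$stmt->execute([':id' => $id, ':name' => $name]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
if ($row === false || (int) $row['owner'] !== (int) ($_SESSION['user_id'] ?? 0)) {
    http_response_code(403);
    exit('forbidden');
}

// Only a validated, owned file under the condoned directory reaches readfile().
header('Content-Type: application/octet-stream');
readfile($path);
```

The script runs with only the permissions it needs if the web server user can read UPLOAD_DIR but cannot write it, and the database account used in the DSN is granted SELECT on that table alone.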

Re: protecting against cracking into filesystem

The responses to my original message have been mostly out of standard
textbook advice (I have 5 of them).  Thanks for trying, but it still
leaves my original question unanswered.  Here is the situation:

I have a set of scripts that include several forms in which users
submit information that eventually winds up on a website.  One of
those forms includes a WYSIWYG textarea editor, tinyMCE.  However,
there are plenty of input (single line) elements that present similar,
if smaller, opportunities to inject malicious code.  Add to that the
problem of tampered GET and POST data and you have the usual CMS-like
environment in which so many bad guys get their jollies.

I know all the rules about filtering input and escaping output, but I
want to focus especially on blocking attacks that could wind up giving
an intruder control of my site's command line or otherwise executing
malicious code in my filesystem's environment.  Is it possible to
actually penetrate PHP code and wind up with a blinking cursor on a
command line, logged in as the user/owner of the site?  If so, do you
do that through SQL injection, command injection via a system
command, XSS, ...?

The WYSIWYG editor presents a special problem, because filtering data
from it is so complicated, but if it does not actually give access to
the command line, I think I can figure out a way to live with
unfiltered input by other means.  I just can't live with giving
someone the opportunity to rummage around in my filesystem.

Any comments?
