Difference between revisions of "OWASP Backend Security Project PHP Security Programming"

Line 1: Line 1:
 
= Overview =
 
= Overview =
  
= Description =
 
  
== PHP preventing SQL Injection ==
+
== Example 1 ==
  
'' Examples ''
+
Here follows a tipical Login Forms to authenticate user. Such a credentials are stored on a backend Database Server whose connection parameters are stored in a ''.inc'' file.
To better understand how to secure code a PHP application some examples of
 
vulnerable code is provided in this paragraph.
 
  
''' Login Form '''
 
On this example we're going to see a tipical Login Form. On our example WEB SITE user need to supply a username/password pair in order to be authenticated.
 
                                                       
 
                                                                                                                                                   
 
Here follows the authentcation form:                               
 
  
 +
'''auth.php'''<nowiki>
  
 
Such a login page well call ''login.php'' with supplied user credentials.
 
 
  <nowiki>
 
 
<?php
 
<?php
 
include('./db.inc');
 
include('./db.inc');
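Review bot: the right-hand side labels the login handler '''auth.php''' but deletes the sentence that named it ("Such a login page well call ''login.php''"), so the revision no longer says which file renders the form and which one receives the POST; keep one file name and state it in the Example 1 lead-in. The retained lead-in also carries typos worth fixing in the same edit ("tipical Login Forms to authenticate user. Such a credentials").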
Line 45: Line 34:
 
if ($sUserName = sAuthenticateUser($_POST["username"],  
 
if ($sUserName = sAuthenticateUser($_POST["username"],  
 
  $_POST["password"])) {
 
  $_POST["password"])) {
   echo "Wellcome ".$sUserName;
+
   /* successfull authentication code goes here */
 +
  ...
 +
  ...
 
  } else {
 
  } else {
   die('Unauthorized Access');
+
   /* unsuccessfull authentication code goes here */
 +
  ...
 +
  ...
 
  }
 
  }
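Review bot: replacing `echo "Wellcome ".$sUserName;` and `die('Unauthorized Access');` with `...` placeholders leaves the block un-runnable as pasted, since `...` is not PHP; either keep a one-line statement in each branch or say in the text that the block is a fragment. Separately, `if ($sUserName = sAuthenticateUser(...))` tests the returned string for truth, and in PHP the string "0" is false, so a user named 0 always lands in the else branch; compare against the empty string (`!== ''`) instead. The comment spellings "successfull" and "unsuccessfull" should also be corrected.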
  
Line 53: Line 46:
 
</nowiki>
 
</nowiki>
  
'''db.inc:'''
+
 
  <nowiki>
+
'''db.inc'''<nowiki>
  
 
<?php
 
<?php
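Review bot: the block still keeps DB_PASSWORD in a file named db.inc; unless the web server maps .inc to the PHP handler, a request for /db.inc returns the credentials as plain text. Suggest naming it db.inc.php or placing it outside the document root, and saying so next to the '''db.inc''' label. Putting the label and the tag on one line (`'''db.inc'''<nowiki>`) also differs from the separated layout on the left-hand side; use one layout for all three code blocks.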
Line 76: Line 69:
 
?></nowiki>
 
?></nowiki>
  
== Online Catalog ==
 
 
Let take another example: an Online Book Store:
 
  
[[Image:Owasp_bsp_php_3.jpg]]
+
== Example 2 ==
  
 +
The following sample code cames from a online book catalog.
  
 +
'''getbook.php''' <nowiki>
  
  
'''catalog.php:'''
 
 
  <nowiki>
 
 
function aGetBookEntry($id) {
 
function aGetBookEntry($id) {
 
   $aBookEntry = NULL;
 
   $aBookEntry = NULL;
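Review bot: renaming the second sample from '''catalog.php''' to '''getbook.php''' while dropping the "Online Catalog" intro and the Owasp_bsp_php_3.jpg image leaves Example 2 with a single lead-in sentence, "The following sample code cames from a online book catalog." (should read "comes from an online"). The new block also opens directly with `function aGetBookEntry($id) {`, with no `<?php` tag and no `include('./db.inc');`, although it calls iMysqlConnect() from db.inc; add both so the snippet matches auth.php.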
Line 100: Line 89:
 
     }
 
     }
 
   }
 
   }
 
 
   return $aBookEntry;
 
   return $aBookEntry;
 
 
}
 
}
  
 
+
....
 
$id = $_GET['id'];
 
$id = $_GET['id'];
 
$aBookEntry = aGetBookEntry($id);
 
$aBookEntry = aGetBookEntry($id);
  
showBook($aBookEntry);
+
/* Display retrieved book information */
 +
...
 +
...
 +
 
 
</nowiki>
 
</nowiki>
  
Basicaly it retrieves ''id'' parameter on GET query string and perform the following SQL query:
 
* ''SELECT * FROM book WHERE id = $_GET['id']''
 
  
As in ''Login Form'' no input validation is performed and SQL Query can be manipulated to returns
+
= Description =
arbitrary data and DBMS stored relations/records/functions as well.
+
 
 +
== PHP preventing SQL Injection ==
 +
 
 +
=== Escaping Quotes ===
 +
 
 +
=== Prepared Statements ===
 +
 
 +
=== Data Validation ===
 +
 
 +
=== Detecting Intrusions from WEBAPP ===
  
 
== PHP preventing LDAP Injection ==
 
== PHP preventing LDAP Injection ==
 +
 +
=== Data Validation ===
 +
 +
== Defeating Automated Tools ==
  
 
= References =
 
= References =
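Review bot: this hunk deletes the only explanation of the flaw ("Basicaly it retrieves ''id'' parameter on GET query string ... no input validation is performed and SQL Query can be manipulated to returns arbitrary data") and replaces it with empty headings (Escaping Quotes, Prepared Statements, Data Validation, Detecting Intrusions from WEBAPP, PHP preventing LDAP Injection, Defeating Automated Tools). Keep that explanation under Example 2, fixing its typos and the table-name mismatch (the prose says `FROM book`, the code says `FROM books`), and mark the new sections as stubs until they have text; as committed, a reader sees two vulnerable samples and no statement of what is wrong with them.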

Revision as of 22:21, 28 May 2008

Overview

Example 1

Here follows a typical login form used to authenticate a user. The credentials are stored on a backend database server whose connection parameters are kept in a .inc file.


auth.php

<?php
include('./db.inc');

function sAuthenticateUser($username, $password){
  $authenticatedUserName="";
  if ($link = iMysqlConnect()) {

    /* Vulnerable: $username and $password are concatenated into the SQL text
       with no escaping or validation */
    $query  = "SELECT username FROM users";
    $query .= " WHERE username = '".$username."'";
    $query .= " AND   password = md5('".$password."')";
    $result = mysql_query($query);

    if ($result) {
      if ($row = mysql_fetch_row($result)) {
        $authenticatedUserName = $row[0];
      }
    }
  }

  return $authenticatedUserName;

}

if ($sUserName = sAuthenticateUser($_POST["username"],
                                   $_POST["password"])) {
  /* successful authentication code goes here */
  ...
  ...
} else {
  /* unsuccessful authentication code goes here */
  ...
  ...
}

?>


db.inc

<?php

define('DB_HOST',     "localhost");
define('DB_USERNAME', "user");
define('DB_PASSWORD', "password");
define('DB_DATABASE', "owasp");


function iMysqlConnect(){
  $link = mysql_connect(DB_HOST,
                        DB_USERNAME,
                        DB_PASSWORD);

  if ($link && mysql_select_db(DB_DATABASE))
    return $link;
  return FALSE;
}

?>


Example 2

The following sample code comes from an online book catalog.

getbook.php 


<?php
include('./db.inc');

function aGetBookEntry($id) {
  $aBookEntry = NULL;
  $link = iMysqlConnect();

  /* Vulnerable: $id is interpolated into the SQL text with no validation or quoting */
  $query = "SELECT * FROM books WHERE id = $id";
  $result = mysql_query($query);

  if ($result) {
    if ($row = mysql_fetch_array($result)) {
      $aBookEntry = $row;
    }
  }
  return $aBookEntry;
}

....
$id = $_GET['id'];
$aBookEntry = aGetBookEntry($id);

/* Display retrieved book information */
...
...
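As an added example, not code from the OWASP wiki page or its authors: the two vulnerable functions above rebuilt on PDO prepared statements, covering the login query of Example 1 and the catalog query of Example 2 in one file. It keeps the page's DB_* constants and the users/books tables and columns from the page's queries; PDO itself, filter_var, the utf8mb4 DSN option, PHP 7.1+ type declarations and the helper names pdoConnect() and requestString() are assumptions not on the page.

```php
<?php
// Added example (not from the OWASP page): the page's two queries rewritten
// with PDO prepared statements. DB_* values are the page's placeholders.
// PDO, filter_var and the helper names below are assumptions beyond the
// page's mysql_* code; requires PHP 7.1+ for the type declarations.

define('DB_HOST',     'localhost');
define('DB_USERNAME', 'user');
define('DB_PASSWORD', 'password');   // placeholder, as on the page
define('DB_DATABASE', 'owasp');

// Replacement for the page's iMysqlConnect(): returns a PDO handle or throws.
function pdoConnect(): PDO {
    $dsn = 'mysql:host=' . DB_HOST . ';dbname=' . DB_DATABASE . ';charset=utf8mb4';
    return new PDO($dsn, DB_USERNAME, DB_PASSWORD, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Native server-side prepares: bound values never enter the SQL text.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Read a request field as a string; arrays (field[]=x) collapse to ''.
function requestString(array $source, string $key): string {
    $value = $source[$key] ?? '';
    return is_string($value) ? $value : '';
}

// Hardened sAuthenticateUser(): username and password travel as bound
// parameters, so a quote in either one cannot alter the WHERE clause.
// The md5() comparison is kept only to match the page's users table;
// new schemas should store password_hash() output and use password_verify().
function sAuthenticateUser(PDO $pdo, string $username, string $password): string {
    $stmt = $pdo->prepare(
        'SELECT username FROM users WHERE username = :username AND password = md5(:password)'
    );
    $stmt->execute([':username' => $username, ':password' => $password]);
    $row = $stmt->fetch();
    return $row === false ? '' : $row['username'];
}

// Hardened aGetBookEntry(): reject anything that is not a non-negative
// integer before it reaches the database, then bind it as an integer.
// Returns null for invalid input or when no row matches.
function aGetBookEntry(PDO $pdo, string $id): ?array {
    $intId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($intId === false) {
        return null;                       // "1 OR 1=1" is refused here
    }
    $stmt = $pdo->prepare('SELECT * FROM books WHERE id = :id');
    $stmt->bindValue(':id', $intId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Request handling for both pages, using the hardened functions.
try {
    $pdo = pdoConnect();

    $sUserName = sAuthenticateUser($pdo,
                                   requestString($_POST, 'username'),
                                   requestString($_POST, 'password'));
    if ($sUserName !== '') {               // not "if ($sUserName)": "0" is falsy in PHP
        /* successful authentication code goes here */
    } else {
        /* unsuccessful authentication code goes here */
    }

    $aBookEntry = aGetBookEntry($pdo, requestString($_GET, 'id'));
    /* display $aBookEntry, or a not-found page when it is null */
} catch (PDOException $e) {
    // Keep driver messages in the server log; never echo them to the client.
    error_log($e->getMessage());
    http_response_code(500);
}
```

The integer check in aGetBookEntry() is the "Data Validation" layer and the bound parameter is the "Prepared Statements" layer; each alone would stop the injection shown in getbook.php, and together they also give a clean 404 path for junk ids instead of a database error. Comparing the login result against '' rather than testing it for truth avoids the PHP quirk where the string "0" is false.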



Description

PHP preventing SQL Injection

Escaping Quotes

Prepared Statements

Data Validation

Detecting Intrusions from WEBAPP

PHP preventing LDAP Injection

Data Validation

Defeating Automated Tools

References