This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Backend Security Project PHP Security Programming"

From OWASP
Jump to: navigation, search
(Description)
(Examples)
Line 5: Line 5:
 
== PHP preventing SQL Injection ==
 
== PHP preventing SQL Injection ==
  
= Examples =
+
'' Examples ''
 
To better understand how to secure code a PHP application some examples of
 
To better understand how to secure code a PHP application some examples of
 
vulnerable code is provided in this paragraph.   
 
vulnerable code is provided in this paragraph.   
Line 117: Line 117:
 
As in ''Login Form'' no input validation is performed and SQL Query can be manipulated to returns
 
As in ''Login Form'' no input validation is performed and SQL Query can be manipulated to returns
 
arbitrary data and DBMS stored relations/records/functions as well.
 
arbitrary data and DBMS stored relations/records/functions as well.
 +
 +
== PHP preventing LDAP Injection ==
  
 
= References =
 
= References =

Revision as of 21:12, 28 May 2008

Overview

Description

PHP preventing SQL Injection

Examples To better understand how to secure code a PHP application some examples of vulnerable code is provided in this paragraph.

Login Form

On this example we're going to see a tipical Login Form. On our example WEB SITE user need to supply a username/password pair in order to be authenticated.


Here follows the authentcation form:

Owasp bsp php 1.jpg

Such a login page well call login.php with supplied user credentials.

 
<?php
include('./db.inc');

function sAuthenticateUser($username, $password){
  $authenticatedUserName="";
  if ($link = iMysqlConnect()) {

    $query  = "SELECT username FROM users";
    $query .=                " WHERE username = '".$username."'";
    $query .=                " AND   password = md5('".$password."')";
    $result = mysql_query($query);

    if ($result) {
      if ($row = mysql_fetch_row($result)) {
	$authenticatedUserName =  $row[0];
      }
    }
  }

  return $authenticatedUserName;

}

if ($sUserName = sAuthenticateUser($_POST["username"], 
				   $_POST["password"])) {
  echo "Wellcome ".$sUserName;
 } else {
  die('Unauthorized Access');
 }

?>

db.inc:

 

<?php

define('DB_HOST',     "localhost");
define('DB_USERNAME', "user");
define('DB_PASSWORD', "password");
define('DB_DATABASE', "owasp");


function iMysqlConnect(){
  $link = mysql_connect(DB_HOST,
  	  DB_USERNAME,
			DB_PASSWORD);

  if ($link && mysql_select_db(DB_DATABASE))
    return $link;
  return FALSE;
}

?>

Online Catalog

Let take another example: an Online Book Store:

Owasp bsp php 3.jpg



catalog.php:

 
function aGetBookEntry($id) {
  $aBookEntry = NULL;
  $link = iMysqlConnect();

  $query = "SELECT * FROM books WHERE id = $id";
  $result = mysql_query($query);

  if ($result) {
    if ($row = mysql_fetch_array($result)) {
      $aBookEntry = $row;
    }
  }

  return $aBookEntry;

}


$id = $_GET['id'];
$aBookEntry = aGetBookEntry($id);

showBook($aBookEntry);

Basicaly it retrieves id parameter on GET query string and perform the following SQL query:

  • SELECT * FROM book WHERE id = $_GET['id']

As in Login Form no input validation is performed and SQL Query can be manipulated to returns arbitrary data and DBMS stored relations/records/functions as well.

PHP preventing LDAP Injection

References