
HTML

HTML, which stands for Hyper Text Markup Language, is the predominant markup language for web pages. HTML is the basic building block of web pages.

CSS

Cascading Style Sheets (CSS) is a style sheet language used to describe the presentation semantics (the look and formatting) of a document written in a markup language. Its most common application is to style web pages written in HTML and XHTML, but the language can also be applied to any kind of XML document, including plain XML, SVG and XUL.

JAVASCRIPT

JavaScript, also known as ECMAScript, is a prototype-based, object-oriented scripting language that is dynamic, weakly typed and has first-class functions. It is also considered a functional programming language like Scheme and OCaml because it has closures and supports higher-order functions.

PHP

PHP is a general-purpose scripting language originally designed for web development to produce dynamic web pages. For this purpose, PHP code is embedded into the HTML source document and interpreted by a web server with a PHP processor module, which generates the web page document.

SQL

SQL, often referred to as Structured Query Language, is a database computer language designed for managing data in relational database management systems (RDBMS), and originally based upon relational algebra and calculus.

Monday, August 22, 2011

5 Basic PHP Security Tips


Security should be a top concern throughout the development of any PHP web application. There are some very simple measures you can take to protect your application from potential abuse. This post will cover some of the basics of PHP security.

I do not consider myself a PHP security expert, but these are things that every developer should know. Also keep in mind that security is a process and not a result.

1. Input Filtering

Assume everything is dirty until proven clean. Filtering all data from external sources is probably the most important security measure you can take. This can be as easy as running some simple built-in functions on your variables.

When it comes to accepting user input, never directly use anything in $_GET or $_POST. Check each value to make sure it is something expected and assign it to a local variable for use.

// input filtering examples

// Make sure it is an integer
$integer = intval($_POST['variable_name']);

// Make it safe to use in a URL
$url_string = urlencode($_POST['variable_name']);

You can also check a value against a list of acceptable values. Here are two methods of doing this:

// input filtering examples
$page = 'home'; // initialize the variable

// Check input against a white-list of known options
$valid_options = array();
$valid_options[] = 'home';
$valid_options[] = 'downloads';
$valid_options[] = 'about';

// isset() avoids a notice when the parameter is missing;
// the third argument makes in_array() compare strictly
if(isset($_GET['page']) && in_array($_GET['page'], $valid_options, true))
{
    $page = $_GET['page'];
}

// OR this also works
switch($_GET['page'])
{
    case 'home':
    case 'downloads':
    case 'about':
        $page = $_GET['page'];
        break;
}

PHP as of version 5.2 provides a set of filtering functions designed just for the purpose of filtering user data. The filter_input() function is used to access a filtered version of input variables. This way you never have to touch the raw input via the $_GET or $_POST arrays.

// filter_input examples

// Make sure it is an integer
$integer = filter_input(INPUT_POST, 'variable_name', FILTER_SANITIZE_NUMBER_INT);

// Make it safe to use in a URL
$url_string = filter_input(INPUT_POST, 'variable_name', FILTER_SANITIZE_ENCODED);

// Make sure it is a valid URL
$url = filter_input(INPUT_POST, 'variable_name', FILTER_VALIDATE_URL);

2. Output Filtering


It is also important to filter what comes out of your applications. You want to avoid outputting the wrong characters and breaking the page rendering. This is also important in order to block certain attacks involving JavaScript injected by malicious users. There are a few functions to know for cleaning up text to display to the user:


  • htmlspecialchars(): Converts special HTML characters to entities
  • htmlentities(): Converts all possible characters to HTML entities
  • strip_tags(): Removes all HTML tags from a string (you can also selectively allow tags using the second optional parameter)

$text = '<a href="test">Test</a>';
echo htmlspecialchars($text); // &lt;a href=&quot;test&quot;&gt;Test&lt;/a&gt;
echo strip_tags($text); // Test

3. Database Queries

If your application uses a database to store data, this is another source of potential vulnerabilities. SQL Injection is a very common attack that involves maliciously crafted user input designed to change the logic of a query. This potentially allows the user to run any kind of query or bypass security measures. Stopping it is usually as easy as properly escaping data, or using prepared statements.

Escape functions:



  • mysql_real_escape_string(): For use with the mysql_* functions
  • mysqli::escape_string(): For use with the MySQLi extension/class
  • pg_escape_string(): For use with PostgreSQL
  • addslashes(): This is a generic escape function to use only if your database engine does not have a specific function


Here is an example using each function:

// $db refers to database connection resource/object
$name = "O'reilly"; // Contains a quote that will break the query

// MySQL via mysql_* (this extension was removed in PHP 7)
$safe = mysql_real_escape_string($name, $db);

// MySQL via MySQLi
$safe = $db->escape_string($name); // OOP Style
$safe = mysqli_real_escape_string($db, $name); // Procedural Style

// PostgreSQL
$safe = pg_escape_string($db, $name);

// Generic (last resort)
$safe = addslashes($name);
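
The section mentions prepared statements without showing one. The following is an added example, not code from the original post: it runs the same lookup with string concatenation and with a bound parameter. It assumes the PDO SQLite driver is available; the table, rows and function names are constructed for the illustration.

```php
<?php
// In-memory SQLite database so the example runs offline (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users (name) VALUES ('alice')");
$db->exec("INSERT INTO users (name) VALUES ('bob')");

// BEFORE: the input is concatenated into the SQL text, so quotes in the
// input become part of the query and can change its logic.
function find_unsafe(PDO $db, string $name): array
{
    $sql = "SELECT name FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER: the SQL text is fixed when the statement is prepared; the value is
// sent separately as a bound parameter and is never parsed as SQL.
function find_safe(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal name, a name containing a quote, and input
// crafted to change the WHERE clause.
$inputs = ["alice", "O'reilly", "x' OR '1'='1"];

foreach ($inputs as $input) {
    try {
        $unsafe = implode(',', find_unsafe($db, $input));
    } catch (PDOException $e) {
        $unsafe = 'SQL error'; // the stray quote broke the query text
    }
    $safe = implode(',', find_safe($db, $input));
    printf("%-16s unsafe=[%s] safe=[%s]\n", $input, $unsafe, $safe);
}
```

With the bound parameter, the quote in "O'reilly" needs no escaping at all, and the crafted input is treated as a literal name that matches no row.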

4. Hide Your Errors

It's never a good idea to show the world your errors. Not only does it make you look bad, it also might give malicious users another clue to help them break your site. You should always have display_errors disabled in a production environment, but continue logging errors with log_errors for your own information.

These PHP configuration directives are suitable for a production server:
display_errors = 0
log_errors = 1

5. Use Post For Dangerous Actions

There are two common methods used to send data to a PHP application, GET and POST. GET works by adding variables to the end of URLs (e.g. http://www.example.com/process.php?action=delete&id=123). POST works by sending variables in the body of the request (normal users will not see them). It is important to carefully consider which method to use for a certain task.

You should generally stick to POST when you are performing a potentially dangerous action (like deleting something). The reason is that it is much easier to trick a user into accessing a URL with GET parameters than it is to trick them into sending a POST request. Take this example:

If a user with an active session on your site visits another web page with the above image tag, the user's browser will quietly send a request to your site telling it to delete record 123.

Keep in mind that other precautions should also be taken to ensure requests are legitimate under a secure session. It is also easily possible to create a form that does the same as above using a POST request, so don't assume that method is "safe" either. See sections 2 and 4 of the PHP Security Guide for more information on form and session security.
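
One common precaution of the kind referred to above is a per-session anti-forgery token that every state-changing form must echo back. This is an added example, not code from the original post; it assumes PHP 7.1 or later, and the function names and the csrf_token field name are hypothetical. The session is passed in as an array so the logic also runs from the command line; in a web application pass $_SESSION after session_start().

```php
<?php
// Create the session's token once and reuse it for every form.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 64 hex chars
    }
    return $session['csrf_token'];
}

// Hidden field to embed in every form that changes state.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

// Accept the request only if it is a POST that carries the session's token.
function is_legitimate_request(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // dangerous actions are never performed on GET
    }
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';

    // hash_equals() compares in constant time; reject arrays and empty tokens
    return is_string($sent) && $expected !== '' && hash_equals($expected, $sent);
}

// --- Constructed requests for the demonstration ---
$session = [];
$form    = csrf_field($session);        // what our own page would render
$token   = $session['csrf_token'];

$cases = [
    'GET triggered by another page'  => ['GET',  []],
    'forged POST without a token'    => ['POST', ['id' => '123']],
    'forged POST with a wrong token' => ['POST', ['id' => '123', 'csrf_token' => str_repeat('0', 64)]],
    'POST from our own form'         => ['POST', ['id' => '123', 'csrf_token' => $token]],
];

foreach ($cases as $label => [$method, $post]) {
    $verdict = is_legitimate_request($method, $post, $session) ? 'accepted' : 'rejected';
    printf("%-32s %s\n", $label, $verdict);
}
```

Only the last request is accepted: a page on another site can make the browser send the session cookie, but it cannot read the token stored in the session.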

Conclusion


This article is just a general overview of PHP security practices. For more detailed explanations of the topics covered here as well as some not covered, see the PHP Security Guide by the PHP Security Consortium. There are also many other articles and books on the topic that you may be interested in.

Of course there may be some that disagree with some of the details in this post. Don't hesitate to post a comment if you have any corrections, improvements, or additions!

Saturday, May 14, 2011

HTML List

HTML provides a simple way to show unordered lists (bullet lists) or ordered lists (numbered lists).

Unordered Lists
An unordered list is a list of items marked with bullets (typically small black circles). An unordered list starts with the <ul> tag. Each list item starts with the <li> tag.


Ordered Lists
An ordered list is also a list of items. The list items are marked with numbers. An ordered list starts with the <ol> tag. Each list item starts with the <li> tag.







Inside a definition-list definition (the <dd> tag) you can put paragraphs, line breaks, images, links, other lists, etc.

Try It Out
Open your text editor and type the following:

<html>
<head>
<title>My First Webpage</title>
</head>
<body bgcolor="#EDDD9E">
<h1 align="center">My First Webpage</h1>
<p>Welcome to my <strong>first</strong> webpage. I am writing this page using a text editor and plain old html.</p>
<p>By learning html, I'll be able to create web pages like a pro....<br>
which I am of course.</p>
Here's what I've learned:
<ul>
<li>How to use HTML tags</li>
<li>How to use HTML colors</li>
<li>How to create Lists</li>
</ul>
</body>
</html>
Save your page as mypage4.html and view it in your browser. To see how your page should look visit this web page: http://profdevtrain.austincc.edu/html/mypage4.html

Wednesday, May 11, 2011

HTML Colors

Color Values
Colors are defined using a hexadecimal notation for the combination of red, green and blue color values (RGB). The lowest value that can be given to one light source is 0 (hex #00). The highest value is 255 (hex #FF). This table shows the result of combining red, green, and blue:













Color Names
A collection of color names is supported by most browsers. To view a table of color names that are supported by most browsers visit this web page :
http://profdevtrain.austincc.edu/html/color_names.htm


Note: Only 16 color names are supported by the W3C HTML 4.0 standard (aqua, black, blue, fuchsia, gray, green, lime, maroon, navy, olive, purple, red, silver, teal, white, and yellow). For all other colors you should use the Color HEX value.














Web Safe Colors
A few years ago, when most computers supported only 256 different colors, a list of 216 Web Safe Colors was suggested as a Web standard. The reason for this was that the Microsoft and Mac operating systems used 40 different "reserved" fixed system colors (about 20 each). This 216 cross platform web safe color palette was originally created to ensure that all computers would display all colors correctly when running a 256 color palette. To view the 216 Cross Platform Colors visit this web page: http://profdevtrain.austincc.edu/html/216.html


16 Million Different Colors
The combination of Red, Green and Blue values from 0 to 255 gives a total of more than 16 million different colors to play with (256 x 256 x 256). Most modern monitors are capable of displaying at least 16,384 different colors. To assist you in using color schemes, check out http://wellstyled.com/tools/colorscheme2/index-en.html. This site lets you test different color schemes for page backgrounds, text and links.

Tuesday, May 10, 2011

HTML Fonts and Backgrounds



HTML Fonts

The <font> tag in HTML is deprecated. The World Wide Web Consortium (W3C) has removed the tag from its recommendations. In future versions of HTML, style sheets (CSS) will be used to define the layout and display properties of HTML elements.

The <font> Tag Should NOT be used.

Backgrounds
The <body> tag has two attributes where you can specify backgrounds. The background can be a color or an image.

Bgcolor
The bgcolor attribute specifies a background-color for an HTML page. The value of this attribute can be a hexadecimal number, an RGB value, or a color name:

<body bgcolor="#000000">
<body bgcolor="rgb(0,0,0)">
<body bgcolor="black">

The lines above all set the background-color to black.

Background
The background attribute can also specify a background-image for an HTML page. The value of this attribute is the URL of the image you want to use. If the image is smaller than the browser window, the image will repeat itself until it fills the entire browser window.

<body background="clouds.gif">
<body background="http://profdevtrain.austincc.edu/html/graphics/clouds.gif">
The URL can be relative (as in the first line above) or absolute (as in the second line above).
If you want to use a background image, you should keep in mind:
  • Will the background image increase the loading time too much?
  • Will the background image look good with other images on the page?
  • Will the background image look good with the text colors on the page?
  • Will the background image look good when it is repeated on the page?
  • Will the background image take away the focus from the text?
Note: The bgcolor, background, and the text attributes in the <body> tag are deprecated in the latest versions of HTML (HTML 4 and XHTML). The World Wide Web Consortium (W3C) has removed these attributes from its recommendations. Style sheets (CSS) should be used instead (to define the layout and display properties of HTML elements).

Try It Out!
Open your text editor and type the following text :

<html>
<head>
<title>My First Webpage</title>
</head>
<body background="http://profdevtrain.austincc.edu/html/graphics/clouds.gif" bgcolor="#EDDD9E">
<h1 align="center">My First Webpage</h1>
<p>Welcome to my <strong>first</strong> webpage. I am writing this page using a text editor and plain old html.</p>
<p>By learning html, I'll be able to create webpages like a <del>beginner</del> pro....<br>
which I am of course.</p>
</body>
</html>
Save your page as mypage3.html and view it in your browser. To view how the page should look, visit this web page: http://profdevtrain.austincc.edu/html/mypage3.html
Notice we gave our page a background color as well as a background image. If for some reason the web page is unable to find the picture, it will display our background color.

Microsoft agrees to buy Skype for $8.5B

By PETER SVENSSON
NEW YORK – Microsoft Corp. said Tuesday that it has agreed to buy the popular Internet telephone service Skype SA for $8.5 billion in the biggest deal in the software maker's 36-year history.
Buying Skype would give Microsoft a potentially valuable communications tool as it tries to become a bigger force on the Internet and in the increasingly important smartphone market.
Microsoft said it will marry Skype's functions to its Xbox game console, Outlook email program and Windows smartphones. The company said it will continue to support Skype on other software platforms.
The sellers include eBay Inc. and private equity firms Silver Lake and Andreessen Horowitz.
About 170 million people log in to Skype's services every month, though not all of them make calls. Skype users made 207 billion minutes of voice and video calls last year.
Most people use Skype's free calling services, which has made it difficult for the service to make money since entrepreneurs Niklas Zennstrom and Janus Friis started the company in 2003. An average of about 8.8 million customers per month, or just over 1 percent of the user base, pay to use Skype services.
Skype lost $7 million on revenue of $860 million last year, according to papers that the company has filed since announcing its intentions last summer to launch an initial public offering of stock. The IPO was later put on hold. Skype's long-term debt, net of cash, was $543,883 at the end of 2010.
The Skype takeover tops Microsoft's biggest previous acquisition — a $6 billion purchase of the online ad service aQuantive in 2007.
Microsoft said Skype will become a new business division headed by Skype CEO Tony Bates, who will report directly to Ballmer.
Although it makes billions from its computer software, Microsoft has been accustomed to losing money on the Internet in a mostly futile attempt to catch up to Google Inc. in the lucrative online search market. Microsoft got so desperate that it made a $47.5 billion bid to buy Yahoo Inc. three years ago, but withdrew the offer after Yahoo balked. Yahoo is now worth about half of what Microsoft offered.
Microsoft would be Skype's second large-company owner. EBay bought Skype for $2.6 billion in 2005, but its attempt to unite the phone service with its online shopping bazaar never worked out. It wound up selling a 70 percent stake in Skype to a group of investors led by private equity firms Silver Lake and Andreessen Horowitz for $2 billion 18 months ago.
Besides eBay, Silver Lake and Andreessen Horowitz, Skype's other major shareholders are Joltid and Canada Pension Plan Investment Board.

Sony to restore PlayStation Network by end of May

TOKYO – Sony said Tuesday it aims to fully restore its PlayStation Network, shut down after a massive security breach affecting over 100 million online accounts, by the end of May.
Sony also confirmed that personal data from 24.6 million user accounts was stolen in the hacker attack last month. Personal data, including credit card numbers, might have been stolen from another 77 million PlayStation accounts, said Sony Computer Entertainment Inc. spokesman Satoshi Fukuoka.
He said Sony has not received any reports of illegal uses of stolen information, and the company is continuing its probe into the hacker attack. He declined to give details on the investigation.
Sony shut down the PlayStation network, a system that links gamers worldwide in live play, on April 20 after discovering the security breach. The network also allows users to upgrade and download games and other content.
Sony was under heavy criticism over its handling of the network intrusion. The company did not notify consumers of the breach until April 26 even though it began investigating unusual activity on the network since April 19.
Last month, U.S. lawyers filed a lawsuit against Sony on behalf of lead plaintiff Kristopher Johns for negligent protection of personal data and failure to inform players in a timely fashion that their credit card information may have been stolen. The lawsuit seeks class-action status.
Fukuoka declined to comment on the lawsuit.

Obama heads to Texas to push immigration overhaul

By ERICA WERNER
WASHINGTON – President Barack Obama is making his first trip as president to the U.S.-Mexico border, using the setting to sharpen his call for a remake of the nation's immigration laws and try to cast the GOP as the obstacle standing in its way.
The president's speech in El Paso, Texas, on Tuesday, and his visit to a border crossing there, are the latest high-profile immigration events by Obama, who has also hosted meetings at the White House recently with Latino lawmakers, movie stars and others.
It all comes despite an unfavorable climate on Capitol Hill, where Republicans who control the House have shown no interest in legislation that offers a pathway to citizenship for the nation's 11 million illegal immigrants.
That's led to criticism that Obama's efforts are little more than politics in pursuit of the ever-growing Hispanic electorate ahead of the 2012 election. White House officials dispute that. They acknowledge the difficulties in getting a bill but say it's likelier to happen if the president creates public support for immigration legislation, leading to pressure on Republican lawmakers.
"We already know from the first two years, the last Congress, that there was political opposition to comprehensive immigration reform, including from some places where there used to be political support," said presidential spokesman Jay Carney. "We are endeavoring to change that dynamic by rallying public support, by raising public awareness about the need for comprehensive immigration reform."
At the same time, the strategy allows Obama to highlight that Republicans are standing in the way of an immigration bill — shifting responsibility away from himself at a time when many Latino activists say he never made good on his campaign promise of prioritizing immigration legislation early on.
Obama's spotty immigration record in the eyes of Latino voters makes it all the more politically imperative for him to shore up their support with his re-election campaign approaching.
"What's different from 2008 is that there are more Hispanics and more millennials in the electorate overall. Latinos are even a bigger share than they were in 2008," said Simon Rosenberg, a former Clinton White House strategist who follows immigration policy as head of the left-of-center NDN think tank. "Millennials" is a term for people born after 1980.
More Latinos than ever voted in the 2010 midterm elections, according to the Pew Hispanic Center, accounting for almost 7 percent of those voting. Still, turnout among Hispanic voters is far lower than among other groups, giving Obama a reason to want to try to motivate them. He's picked hostile political territory to make his pitch, visiting a state he lost by more than 10 percentage points in 2008. But the trip does have one overtly political upside: Obama plans a side trip to the relatively liberal bastion of Austin to raise money for the Democratic National Committee at two fundraisers Tuesday night.
At the same time, Obama is pitching his immigration argument to the larger public, and he's refining it in a way that goes to Americans' pocketbook concerns. White House officials say Obama will emphasize the economic value of reforming immigration laws, noting that immigrants account for a substantial share of business start-ups and patent applications, among other things — activities that create jobs for everyone.
It's a different approach than talking about immigration as a security issue or a moral one, and also provides a counter to the Republican argument that illegal immigrants drain U.S. resources.
The president will also argue that his administration has made great strides on border security. Administration officials boast of increasing the number of agents on the border, seizing more contraband and nearing completion of a border fence, and say they plan to extend the deployment of National Guard troops Obama sent to the border. To Republicans who say that immigration overhaul legislation shouldn't happen until the border is secure, the White House now says it's as secure as it's ever been and the conversation on legislation needs to happen.
Republicans aren't buying it.
"It seems President Obama has once again put on his campaigner-in-chief hat. The president's push to legalize millions of illegal immigrants is purely political," said Rep. Lamar Smith, R-Texas, chairman of the House Judiciary Committee. "And even though administration officials like to pretend the border is secure, the reality is that it isn't."
Brendan Buck, spokesman for House Speaker John Boehner, R-Ohio, said that House Republicans had no plans to take up immigration legislation and argued that if Obama were serious about immigration reform he would have reached out to Boehner on the issue, which Buck said he hasn't.
The White House says Obama will push Tuesday for legislation and release a blueprint on his approach to reform, but without setting out any timeline. Indeed, getting immigration reform done any time soon is not realistic. Obama wasn't even able to get legislation through Congress last year that would have provided a route to legal status for college students and others who were brought to the country as children. The so-called DREAM Act passed the House, then controlled by Democrats, but was blocked by Senate Republicans.
The Senate is now even more heavily Republican, and Republicans control the House. That means immigration reform can't happen unless they cooperate.
But for Obama, if the public's aware of that, it's a political win — even if Republicans don't budge.
Associated Press writers Suzanne Gamboa and Jim Kuhnhenn contributed to this story.
