Menu
Community /Pin to ProfileBookmark
@NogDogSep 26.2007 — #Can you define what you mean by "PHP injection"? Are you talking about user-uploaded files that contain PHP code, or what? @NogDogSep 26.2007 — #As far as I know, the only way a hacker could get a PHP script to run on your site would be to actually put a PHP file on your site. This would mean that either they cracked your site's login and/or FTP user-name and password, or that they were able to upload a file via some existing script on your site. The former must be dealt with by using strong passwords and keeping them private, and possibly also by other site security measures such as restricting what IP address(es) can log in to your site, disabling login accounts after X number of failed login attempts, etc.
As far as files being uploaded via file upload pages on your site, you need to ensure that no uploaded file can be executed as a PHP page (or other server-side script or CGI page). One way would be to always save uploaded files to a directory outside of your web document root directory hierarchy, then providing a PHP script to serve that file. Alternatively, you could save it to a web directory and make sure that it does not have any file suffix that would cause the web server to send it to the PHP parser (ie: not ".php", ".php3", or any other suffix your site treats as a PHP file). @NogDogSep 26.2007 — #
Good point.
What I normally do is use the basename() function to just get the filename with no directory info:
Then I can use the value of $file with the desired directory path with confidence that it will only look for that file name in the directory I specify in my script.@NogDogSep 26.2007 — #$_REQUEST is just an ambiguous way of accessing user-supplied data. It is a super-set of $_GET, $_POST, and $_COOKIE super-global arrays, with duplicate indexes amongst those sources being resolved according to the [url=http://www.php.net/manual/en/ini.core.php#ini.variables-order]variables_order[/url] configuration parameter. Your scripts will be more robust if you use the specific super-global array based on the expected data source rather than the general $_REQUEST array.
But in any case, you can use [b]basename($_REQUEST['page'])[/b] to get just the name without any path info just as you could with $_GET.
Preventing PHP injection
Does anyone know what the best way is to prevent php injection on a website? I’ve seen a few possibilities, such as using a validation token, using a regular expression in a while loop, but not sure which one to go with. Any help would be much appreciated and possibly some sample code to go with it so i can get a better idea
Sign in
to post a comment14 Comments(s) ↴
0
@NogDogSep 26.2007 — #0
@NogDogSep 26.2007 — #As far as files being uploaded via file upload pages on your site, you need to ensure that no uploaded file can be executed as a PHP page (or other server-side script or CGI page). One way would be to always save uploaded files to a directory outside of your web document root directory hierarchy, then providing a PHP script to serve that file. Alternatively, you could save it to a web directory and make sure that it does not have any file suffix that would cause the web server to send it to the PHP parser (ie: not ".php", ".php3", or any other suffix your site treats as a PHP file).
0
@NogDogSep 26.2007 — #Ah, I think you mean by changing GET variables in the URL, right? Specifically those that are used in includes? So for example, you have $_GET['page'], and later on in the script, you run something like include($_GET['page'].'.php');, and theoretically, a user could enter a URL in the GET variable, to make it include something possibly malicious.
Well, to prevent this, I'd do something like this for your variable:
[code=php]$_GET['page'] = str_replace(array('.', '/'), '', $_GET['page']);[/code]
Of course, you will need to change $_GET['page'] to whatever your variable is.
Or, if you want to do it for all GET variables, do the following:
[code=php]
foreach($_GET as $var => $val) {
$_GET[$var] = str_replace(array('.', '/'), '', $_GET[$var]);
}
[/code]
This will remove any dots or slashes from the variable, meaning that no URLs will work as the 'hacker' would want them to.[/QUOTE]
Good point.
What I normally do is use the basename() function to just get the filename with no directory info:
[code=php]
$file = basename($_GET['file']);
[/code]Then I can use the value of $file with the desired directory path with confidence that it will only look for that file name in the directory I specify in my script.
0
@NogDogSep 26.2007 — #$_REQUEST is just an ambiguous way of accessing user-supplied data. It is a super-set of $_GET, $_POST, and $_COOKIE super-global arrays, with duplicate indexes amongst those sources being resolved according to the But in any case, you can use [b]basename($_REQUEST['page'])[/b] to get just the name without any path info just as you could with $_GET.