144 Chapter 4 Web Application Concepts

Bringing data
the cookie information and send it to the attacker's Web site, where he or she waits for incoming session IDs, takes over the other users' sessions, and buys some nice gifts for the folks at phpWizard.net. While we're good at making up stories, this could have really happened: Amazon's product search engine didn't properly encode tags until two days after a related security advisory from CERT was released, which can be found at www.cert.org/advisories/CA-2000-02.html.

Even if you keep all this advice in mind and check all user-supplied variables, it's very easy to make the wrong checks. For some applications, for example, it's desirable to allow certain HTML tags in data. One of these tags is the <p> tag, which allows formatting text in paragraphs. It can take an align attribute, which specifies the paragraph's alignment. To match this opening tag, on a first try you could use the regular expression ]>. But many browsers support general scripting behavior on a wide series of tags; a user could submit any JavaScript embedded in the onClick or onMouseOver event of the <p> tag and execute malicious code again.

The first step is to understand that all these threats taken together result in a very ugly picture. You have to be really careful if you want to avoid all traps. This is also the main reason we recommend having dedicated security consultants in an application-development team.

Some very general hints and guidelines to minimize these risks:

- Use sessions instead of passing data from page to page on the client.
- Validate all data from user space; this may include encoding or replacing the less-than sign (<), the greater-than sign (>), and the ampersand (&), and paying special attention to double quotes ("), single quotes ('), and whitespace, at least in tag attributes and attribute values.
- Make sure that your application operates in a trusted environment.
- Pay special attention to PHP's variable order (see the next section).

PHP's Variable Order

You know that PHP automatically makes available all GET and POST variables in the global namespace. Did you know that you can turn off this feature in PHP 4.0? Although the automatic introduction of all variables is one of the features that make PHP so easy for novice users, it can be problematic in larger and more complex applications. If you access user-passed variables from the global namespace, you can't be sure where they really come from: Is it GET, POST, or cookies? If you don't care about variable order, you accept that any user can call your script using either GET or POST. If not a security issue, this is at least bad style: you should be able to choose how the data is delivered to your application. Of course, PHP provides a method to access variables from a specific namespace: If track_vars is enabled in
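The following PHP script is an added example, not code from the book. It reads a value only from the POST namespace ($HTTP_POST_VARS under PHP 4 with track_vars, $_POST on later versions; the version fallback and the parameter name "comment" are assumptions of the example), encodes all special characters, and then re-enables only the <p> tag with a whitelisted align attribute, so an onClick or onMouseOver attribute never reaches the browser as markup.

```php
<?php
// Added example (not from the book): fetch input from one explicit namespace
// and whitelist the single tag the application wants to allow.

// PHP 4 with track_vars provides $HTTP_POST_VARS; PHP 4.1 and later provide
// the $_POST superglobal. Checking both is an assumption of this example so
// the script runs on either generation. Nothing falls back to GET or cookies.
function post_var($name)
{
    if (isset($_POST) && isset($_POST[$name])) {
        return $_POST[$name];
    }
    global $HTTP_POST_VARS;
    if (isset($HTTP_POST_VARS[$name])) {
        return $HTTP_POST_VARS[$name];
    }
    return null;   // not delivered via POST: the caller must refuse it
}

// Encode everything first (< > & " ' become entities), then turn back only
// <p>, </p> and <p align="left|center|right">. A permissive pattern that
// accepts any attribute (e.g. <p[^>]*>) would also let <p onClick="..."> or
// <p onMouseOver="..."> through; here such a tag stays encoded text.
function allow_paragraphs($text)
{
    $safe = htmlspecialchars($text, ENT_QUOTES);
    $safe = preg_replace('/&lt;p&gt;/i', '<p>', $safe);
    $safe = preg_replace('/&lt;p align=&quot;(left|center|right)&quot;&gt;/i',
                         '<p align="$1">', $safe);
    $safe = preg_replace('/&lt;\/p&gt;/i', '</p>', $safe);
    return $safe;
}

$comment = post_var('comment');
if ($comment === null) {
    // Data did not arrive the way this form expects: refuse it instead of
    // silently accepting the same name from the query string or a cookie.
    echo 'The comment must be submitted with POST.';
    exit;
}
echo allow_paragraphs($comment);
?>
```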