PHP Security: Growth Inhibitor?

PHP security is like manure: if you only put it in one spot it stinks, but if you spread it around, it will grow wonderful things.

When I used to hear about different PHP packages being compromised (see netcraft.com regarding phpBB, for instance), I would immediately brush it off as a fluke or the work of some nerd with WAY too much time on his/her hands who was instigating trouble. Sometimes that profile fits. Sometimes not. Sometimes the hacker doesn’t do any harm; they are just using the exploit as a jumping-off point to do damage to other sites. Sometimes they have truly malicious intent.

I also thought that the only things being hacked were extremely high-profile open source products or Microsoft products. Bear with me, my naivety worsens. Then I thought it might only happen to eCommerce sites.

Dead Wrong.

Someone hacked my personal website (a few years ago; it is no longer running) just because I had cool movie quotes on it. Seriously, when you look at the server logs, it was simply an attack on a PHP page that I wrote in my early days of learning PHP, and they completely overloaded the server. They exploited one little page to bring down an entire shared hosting environment. And all because of one little security bug I overlooked to make life easier while I was writing the code…in this case: register_globals on.

The moral of the story, if there is one, is: don’t think your scripts are safe just because they are only used on one little page of a site that hasn’t peaked at 1000 hits a year. You are vulnerable. You may luck out, and the bad guys may never find it…but what if they do…

Be secure in all your form processing, variable loading and SQL usage, and watch your website grow.

PHP Quickie

So you want to validate inputs, eh? If you said “No”, think again. Well, here is a little tip for you. If you are passing in any kind of number that you use as an index in a table, you had better do something like this:

$val = strval(intval($_GET['val'])); // intval() keeps only a leading integer, so "1;DELETE FROM table" becomes 1

“Why?” you ask?

The reason is simple (and I don’t think I am giving away any hacking secrets here). If you are going to use this number to retrieve a value in a query, i.e. "SELECT something FROM table WHERE ref = " . $_GET['val'], someone could easily, and I mean EASILY, do a bait and switch like this…

If you are expecting $_GET['val'] = "1", they could send $_GET['val'] = "1; DELETE FROM table;" instead.

Unclear? All it takes is a change to the query string:

http://www.yoursite.com/index.php?val=1

VS.

http://www.yoursite.com/index.php?val=1;DELETE FROM table

(The browser sends the spaces as %20; PHP decodes them again before your script ever sees $_GET['val'].)

Do you see how easy that was? They just cleared out your table and you didn’t even have a chance: they terminated your query and ran another one right under your nose. You will have no record of it except the Apache logs showing the GET string (and nothing at all if the value came in a POST body). If they couldn’t figure out the table’s name it might take a while, and you might catch them, but why take the chance? One caveat: whether the stacked DELETE actually executes depends on the database layer (PHP’s old mysql_query() refuses a second statement; mysqli_multi_query() and some PDO configurations do not), but the hole is just as real without it. The same unvalidated value can become 1 OR 1=1 to read every row, or a UNION SELECT to pull data out of other tables.
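Putting the tip into working form, as an added example that is not code from the original post: a validator that rejects anything but a plain positive integer, the concatenation pattern from the post kept only to show how “1 OR 1=1” widens the WHERE clause, and the hardened lookup using a PDO prepared statement. It assumes PHP 7.4+ with the pdo_sqlite extension, an in-memory SQLite database, and a made-up quotes(ref, quote) table whose rows are constructed inline so it runs offline.

```php
<?php
// Added example, not code from the original post. Assumes PHP 7.4+
// with the pdo_sqlite extension; the quotes(ref, quote) table and
// its rows are constructed here so the script runs offline.
declare(strict_types=1);

/**
 * Return the value as an int if it is a plain positive decimal
 * integer, otherwise null. intval() would quietly turn
 * "1;DELETE FROM table" into 1; rejecting instead lets you log the
 * attempt rather than silently serving row 1 to the attacker.
 */
function validateId($raw): ?int
{
    if (!is_string($raw)) {          // $_GET can also hand you an array
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE quotes (ref INTEGER PRIMARY KEY, quote TEXT NOT NULL)');
    $db->exec("INSERT INTO quotes (ref, quote) VALUES (1, 'I''ll be back.'), (2, 'Here''s looking at you, kid.')");
    return $db;
}

/** The pattern from the post, kept only to show the failure: raw input pasted into SQL. */
function fetchQuotesUnsafe(PDO $db, string $raw): array
{
    $sql = 'SELECT quote FROM quotes WHERE ref = ' . $raw;   // DO NOT DO THIS
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

/** Hardened lookup: validate first, then bind the value as a typed parameter. */
function fetchQuote(PDO $db, $raw): ?string
{
    $id = validateId($raw);
    if ($id === null) {
        return null;   // in a real app, log $raw here: it is an attack indicator
    }
    $stmt = $db->prepare('SELECT quote FROM quotes WHERE ref = :ref');
    $stmt->bindValue(':ref', $id, PDO::PARAM_INT);
    $stmt->execute();
    $quote = $stmt->fetchColumn();
    return $quote === false ? null : $quote;
}

$db = setupDb();

// Constructed stand-ins for $_GET['val'].
echo "unsafe, '1 OR 1=1' returns every row:\n";
print_r(fetchQuotesUnsafe($db, '1 OR 1=1'));

echo "\nvalidated + bound:\n";
foreach (['1', '2', '1;DELETE FROM quotes', '1 OR 1=1', '7x', '-1'] as $raw) {
    printf("%-24s => %s\n", var_export($raw, true), fetchQuote($db, $raw) ?? 'REJECTED');
}

printf("\nrows still in table: %d\n", $db->query('SELECT COUNT(*) FROM quotes')->fetchColumn());
```

The unsafe function is only exercised with the WHERE-clause rewrite, because whether a stacked “;DELETE” also runs depends on the driver (PDO’s SQLite driver compiles just the first statement), while “1 OR 1=1” works against every database. The hardened path does two independent things: filter_var() with FILTER_VALIDATE_INT rejects anything that is not a whole positive integer, and bindValue() with PDO::PARAM_INT keeps the value out of the statement text entirely, so even if validation were later loosened the query could not be rewritten.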