ggrot - 8:00 am on Dec 9, 2002 (gmt 0)

I don't think I've seen this here before, so I thought I'd drop a short list of common PHP security mistakes made frequently:

1) The include function works with remote urls. If for any reason you have an include function with a variable parameter, be confident that no user can get that variable to become a url. If they can, they can run arbitrary code on your server with whatever permissions your PHP script has.
2) Confirm your variable inputs. Remember that a malicious user can change any input to anything (number, string, etc). Many sites have some type of user login (username password) and they check it against a database of usernames and passwords with a mysql query like this:
"SELECT COUNT(*) FROM USERLIST WHERE USER='$user' AND PASS='$password'";
If the result is 0, the login fails; if the result is 1, the login passes. What would happen if $user contained "admin';#"? The query would now read
"SELECT COUNT(*) FROM USERLIST WHERE USER='admin';# AND PASS='$password'";
The semicolon denotes the end of a query, and the # means the rest of the line is a comment. Thus, it doesn't matter what password was entered, the query returns 1 row - access granted. Worse yet, what if user contained the string "';DROP DATABASE db" (all data deleted). The easy way to prevent this is to use the addslashes function to prevent strings from breaking out of the query and doing damage.
3) Check numbers too. Especially in queries, since they are not generally placed within quote marks, addslashes won't work. You can check numbers with the is_numeric function.
4) File uploads. When a user uploads a file in PHP, it places a copy of the file in a temporary location and gives you a variable that stores the path to that file. Unfortunately, a malicious user can simply send that path variable as part of the input set and not upload a file at all. The path to this file could be the path to the unix password file or some other sensitive information. Depending on what you do with these files (i.e. allow the user to view them), there is a major security risk. You can protect against this by checking the path with the function is_uploaded_file.
5) As always, if you run the server, keep up to date with the latest patches for PHP.
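The login check from point 2, as an added example that is not part of ggrot's post: Python with sqlite3 standing in for PHP/MySQL, showing how the spliced-string query is built, what an addslashes equivalent does to the "admin';#" input, and the parameterised form that treats the input purely as data. The USERLIST table and the admin/secret credentials are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's USERLIST table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERLIST (USER TEXT, PASS TEXT)")
    conn.execute("INSERT INTO USERLIST VALUES ('admin', 'secret')")
    conn.commit()
    return conn


def vulnerable_query(user, password):
    """The post's pattern: user input spliced straight into the SQL text.

    Only builds the string (it is never executed here); with the input
    "admin';#" the password clause ends up after the comment marker.
    """
    return f"SELECT COUNT(*) FROM USERLIST WHERE USER='{user}' AND PASS='{password}'"


def addslashes(s):
    """Python equivalent of PHP's addslashes(): backslash-escape ' \" \\ and NUL."""
    out = []
    for ch in s:
        if ch in "'\"\\":
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def check_login(conn, user, password):
    """Hardened form: placeholders, so the driver never parses the input as SQL."""
    row = conn.execute(
        "SELECT COUNT(*) FROM USERLIST WHERE USER=? AND PASS=?", (user, password)
    ).fetchone()
    return row[0] == 1


def is_numeric_id(value):
    """Stricter cousin of the post's is_numeric check for unquoted numeric
    parameters (point 3): accept only a plain run of digits."""
    return value.isdigit()
```

Parameterised queries did not exist in the PHP of 2002; they are the modern replacement for the addslashes approach the post recommends.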