• One of two fundamental security rules: (1) filter and validate all input; (2) escape output
• Always escape outside data unless previously filtered
• Typical output formats that require escaping when containing user data: html, json, sql
• Never rely on client side (javascript) filtering
• Functions used to escape data before outputting within html: htmlspecialchars() htmlentities() strip_tags()
The PHP option allow_url_include normally allows a programmer to include() a remote file (as PHP code) using a URL rather than a local file path. For security reasons, this feature should be disabled. If a script claims to require this feature, you should look into alternative software, as the use of this feature indicates serious design flaws.
There are a number of reasons why URL includes should always be avoided:
It’s insecure – if your application can be tricked into including content from a URL outside itself (and there are a number of common ways this can happen), an attacker can force your application to start running code from their own web site.
It’s inefficient – if your PHP script includes content from a URL, then the web server must make HTTP requests to generate the page. This makes your page load much slower than necessary, especially if the site you’re loading content from is responding slowly.
It’s unreliable, for the same reasons – if the web server you are loading content from occasionally fails to respond, your web site also sometimes fails to load properly.
It’s usually unnecessary – in most cases, allow_url_include can be avoided either by including the content directly (if it is being loaded from a domain you host) or by loading and printing the content without evaluating it as PHP.
Remote code injections attempt to run the attacker’s code on a server, often by exploiting the functionality of the include or require functions.
The eval(), exec(), system(), and shell_exec() functions are vulnerable to remote code injections.
Include / Require attacks occur when including and executing files (possible from remote servers and includes remote code execution)
Counter Measures
• Check data against a whitelist
• Remove paths using basename()
• Set allow_url_include = off in php.ini that helps somewhat but not sufficient, as some attack vectors remain open
The mysqli_real_escape_string() function escapes special characters in a string for use in an SQL statement
SQL injection is a technique often used to attack databases through a website. This is done by including portions of SQL statements in a web form entry field in an attempt to get the website to pass a newly formed rogue SQL command to the database (e.g. dump the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website’s software. The vulnerability happens when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and unexpectedly executed. SQL commands are thus injected from the web form into the database of an application (like queries) to change the database content or dump the database information like credit card or passwords to the attacker. SQL injection is mostly known as an attack vector for websites but can be used to attack any type of SQL database.
• SQL code is injected into the sql query
• Allows attacker to do almost anything the database user is permitted
• Example sql statement will return all the data from the ‘users’ table:
$sql = "SELECT * FROM users WHERE username='$user' AND password='$pass'"; $user and $pass contain the value ' OR 1=1"
• Further attack possibilities: insert data, delete data, read data, denial of service…
Counter Measures
• Use prepared statements when supported by the database
• Use database-specific escaping functions when creating the sql statement ex: mysqli_real_escape_string()
• Addslashes() is not a sufficient approach