Category Archives: PHP

Cross Site Request Forgeries

• A request generated from a user’s browser without the user’s knowledge

• Relies on web site trust of logged-in users

• An attack involves tricking a user into loading ‘bad’ HTML that sends a request on the user’s behalf, which then returns sensitive data to the attacker

• Executed via iframes, XMLHttpRequest calls, or embedded in tags such as <script>, <object>, <embed>, <img>, …

Example

<form name="myForm">
<input type="hidden" name="item_id" value="123" />
<input type="hidden" name="quantity" value="1" />
</form>
<script>document.forms['myForm'].submit();</script>

Counter Measures

• Use a unique form token in a hidden input field to verify the request

• Require re-login before sensitive operations (ex: financial)
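The first counter measure, as an added example that is not part of the original notes: the synchronizer-token pattern applied to the purchase form above. The token is generated once per session, emitted in a hidden field, and checked with a constant-time comparison before the request is honoured. The form action /buy.php and the hidden field name csrf_token are this example's own assumptions; it needs PHP 7.0 or newer for random_bytes().

```php
<?php
// Added example (not from the original notes): CSRF protection with a per-session
// token carried in a hidden form field. A page on another origin cannot read this
// token, so a forged auto-submitting form cannot include a valid one.
session_start();

// Create the token on first use and keep it for the life of the session.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits, PHP >= 7.0
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to drop into every state-changing form.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '" />';
}

// Verify the submitted token against the session copy.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so a timing side channel
    // cannot be used to guess the token byte by byte.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // ... perform the purchase for the logged-in user here (application code) ...
    echo 'Order placed';
    exit;
}
?>
<!-- /buy.php is a hypothetical endpoint for this example -->
<form name="myForm" method="post" action="/buy.php">
  <input type="hidden" name="item_id" value="123" />
  <input type="hidden" name="quantity" value="1" />
  <?= csrf_field() ?>
  <button type="submit">Buy</button>
</form>
```

The check rejects a request that lacks the field, carries a non-string value, or carries a token from a different session; state-changing actions should also be restricted to POST, since the token is only verified on that path.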

Session Security

Counter Measures

• Regenerate the session ID upon login, before authentication, using session_regenerate_id(true). Passing boolean true removes the old session and is critical as a counter measure

• Also regenerate the session ID prior to “critical” operations

• Use SSL encryption for the login, or assign a hidden key (not as good)

• Check that the IP address remains the same (although not always reliable)

• Use a short session timeout

• Provide user logout

• Destroy an old and create a new session with: session_regenerate_id(true)

• Set the PHP configuration directive session.use_only_cookies = 1

• Prevent JavaScript access to the session cookie with the PHP configuration directive session.cookie_httponly = 1
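The counter measures above combined into one login flow, as an added example that is not part of the original notes: cookie-only sessions with an HttpOnly cookie, session_regenerate_id(true) at login and again before a critical operation, a short idle timeout, an IP check, and an explicit logout. verify_credentials() and its inline user record are constructed for the example; the Secure cookie flag assumes the site is served over TLS, and the code assumes PHP 7.1 or newer for the type declarations.

```php
<?php
// Added example (not from the original notes): session hardening around login.

// Cookie-only sessions, HttpOnly cookie, Secure flag (assumes HTTPS deployment),
// strict mode so an uninitialised ID handed to us by the client is not accepted.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_strict_mode', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');   // PHP >= 7.3
ini_set('session.gc_maxlifetime', '900');     // 15-minute server-side lifetime

session_start();

const SESSION_IDLE_TIMEOUT = 900; // seconds of inactivity before forced re-login (constructed value)

// Hypothetical credential check with a constructed user record; a real
// application looks the user up and verifies a stored password hash.
function verify_credentials(string $user, string $password): ?int
{
    $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    if (isset($users[$user]) && password_verify($password, $users[$user]['hash'])) {
        return $users[$user]['id'];
    }
    return null;
}

function login(string $user, string $password): bool
{
    $userId = verify_credentials($user, $password);
    if ($userId === null) {
        return false;
    }
    // Replace the pre-authentication ID and delete the old session, so an ID
    // planted in the browser before login never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['login_time']    = time();
    $_SESSION['last_activity'] = time();
    $_SESSION['ip']            = $_SERVER['REMOTE_ADDR'] ?? ''; // advisory check, see the caveat above
    return true;
}

// Call at the top of every authenticated page.
function require_login(): void
{
    $now = time();
    if (!isset($_SESSION['user_id'])
        || $now - $_SESSION['last_activity'] > SESSION_IDLE_TIMEOUT
        || ($_SESSION['ip'] ?? null) !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        logout();
        http_response_code(401);
        exit('Please log in again.');
    }
    $_SESSION['last_activity'] = $now;
}

// Before a "critical" operation: demand a recent login and rotate the ID again.
function require_recent_login(int $maxAge = 300): void
{
    if (time() - ($_SESSION['login_time'] ?? 0) > $maxAge) {
        http_response_code(401);
        exit('Please re-enter your password to continue.');
    }
    session_regenerate_id(true);
}

// Clear server-side data, expire the cookie, and destroy the session.
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_POST['user'], $_POST['password'])) {
    echo login((string) $_POST['user'], (string) $_POST['password']) ? 'Logged in' : 'Login failed';
}
```

The ini_set() calls must run before session_start(), otherwise the cookie is already sent with the old flags. The IP comparison is kept strict here; behind proxies or mobile carriers it will log users out unexpectedly, which is the unreliability the note above refers to.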

cgi.force_redirect

The configuration directive cgi.force_redirect prevents anyone from calling PHP directly with a URL like http://my.host/cgi-bin/php/secretdir/script.php. Instead, PHP will only parse in this mode if it has gone through a web server redirect rule. PHP older than 4.2.0 used the --enable-force-cgi-redirect compile-time option for this.

Usually the redirection in the Apache configuration is done with the following directives:

Action php-script /cgi-bin/php
AddHandler php-script .php

This option has only been tested with the Apache web server, and relies on Apache to set the non-standard CGI environment variable REDIRECT_STATUS on redirected requests. If your web server does not support any way of telling if the request is direct or redirected, you cannot use this option and you must use one of the other ways of running the CGI version.

session_regenerate_id

session_regenerate_id — Update the current session id with a newly generated one

session_regenerate_id() will replace the current session id with a new one, and keep the current session information.

When session.use_trans_sid is enabled, output must be started after the session_regenerate_id() call. Otherwise, the old session ID is used.

Example

<?php
session_start();

// A session that was flagged 'destroyed' more than 5 minutes ago is still being
// used: treat it as possibly stolen, revoke authentication everywhere, and refuse
// access. remove_all_authentication_flag_from_active_sessions() and
// DestroyedSessionAccessException are application-defined in the manual's example.
if (isset($_SESSION['destroyed'])
    && $_SESSION['destroyed'] < time() - 300) {
    remove_all_authentication_flag_from_active_sessions($_SESSION['userid']);
    throw new DestroyedSessionAccessException();
}

$old_sessionid = session_id();
// Mark the current session, then switch to a new ID; without the 'true' argument
// the old session data is kept, so a late request with the old ID can be detected.
$_SESSION['destroyed'] = time();
session_regenerate_id();
unset($_SESSION['destroyed']);   // the new session must not carry the flag
$new_sessionid = session_id();
echo "Old Session: $old_sessionid<br />";
echo "New Session: $new_sessionid<br />";

print_r($_SESSION);
?>

Object Cloning

Creating a copy of an object with fully replicated properties is not always the wanted behavior. A good example of the need for copy constructors, is if you have an object which represents a GTK window and the object holds the resource of this GTK window, when you create a duplicate you might want to create a new window with the same properties and have the new object hold the resource of the new window. Another example is if your object holds a reference to another object which it uses and when you replicate the parent object you want to create a new instance of this other object so that the replica has its own separate copy.

An object copy is created by using the clone keyword (which calls the object’s __clone() method if possible). An object’s __clone() method cannot be called directly.

$copy_of_object = clone $object;

When an object is cloned, PHP 5 will perform a shallow copy of all of the object’s properties. Any properties that are references to other variables will remain references.
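The second case described above (an object that holds a reference to another object), as an added example that is not part of the manual text: a __clone() method that gives the copy its own nested object, shown beside a class without one so the shallow-copy behaviour is visible. Window and Handle are hypothetical stand-ins for the GTK window and its resource.

```php
<?php
// Added example (not from the PHP manual): turning PHP's shallow clone into a
// deep copy for a property that holds another object.

class Handle
{
    public $name;
    public function __construct($name) { $this->name = $name; }
}

class Window
{
    public $title;
    public $handle;   // object property: the shallow copy shares this object
    public $tags;     // array property: copied by value, no special handling needed

    public function __construct($title)
    {
        $this->title  = $title;
        $this->handle = new Handle("handle-for-$title");
        $this->tags   = [];
    }

    // Runs on the copy, after PHP has already shallow-copied every property.
    public function __clone()
    {
        // Give the copy its own Handle so changes to one window do not leak into the other.
        $this->handle = clone $this->handle;
        $this->handle->name .= ' (copy)';
    }
}

// A class without __clone(): both objects keep pointing at the same Handle.
class NaiveWindow
{
    public $handle;
    public function __construct() { $this->handle = new Handle('shared'); }
}

// Returns true when the clone has its own Handle object, false when it is shared.
function clone_has_own_handle($window)
{
    $copy = clone $window;
    $copy->handle->name = 'changed on the copy';
    return $window->handle->name !== $copy->handle->name;
}

var_dump(clone_has_own_handle(new Window('main')));  // bool(true)
var_dump(clone_has_own_handle(new NaiveWindow()));   // bool(false)
```

The same rule applies to properties that hold arrays of objects: the array itself is copied, but every element still points at the original objects until __clone() replaces them.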

__toString

The __toString() method allows a class to decide how it will react when it is treated like a string. For example, what echo $obj; will print. This method must return a string, as otherwise a fatal E_RECOVERABLE_ERROR level error is emitted.

Converting objects to strings

The magic method __tostring() is called, if available o

Includes print, string interpolation, operations with strings, calling functions that expect strings, …

Example

<?php
class TestClass
{
    public $foo;

    public function __construct($foo)
    {
        $this->foo = $foo;
    }

    // Called whenever the object is used where a string is expected
    public function __toString()
    {
        return $this->foo;
    }
}

$class = new TestClass('Hello');
echo $class;   // echo converts the object via __toString()
?>

Closures

Anonymous functions, implemented in PHP 5.3, yield objects of this type. This fact used to be considered an implementation detail, but it can now be relied upon. Starting with PHP 5.4, this class has methods that allow further control of the anonymous function after it has been created.

• Enable creation of functions without specifying a name

• Implemented using the Closure class

• Commonly used as the parameter value for callback functions, or alternatively as variable values

• To inherit variables from the parent scope (the function in which the closure was declared), these variables must be declared in the function header with the “use” keyword, or passed as parameters in the call line

• New: Closure can be used as a type hint
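The points above in one script, as an added example that is not part of the original notes: an anonymous function as a callback parameter, inheriting a parent-scope variable with use (by value and by reference), the Closure type hint, and Closure::bindTo() from the PHP 5.4 methods the text mentions. The Counter and makeMultiplier names are this example's own.

```php
<?php
// Added example (not from the original notes): closures in PHP >= 5.4.

// 1. Callback parameter: the anonymous function is passed straight to array_map().
function prices_with_tax(array $prices)
{
    return array_map(function ($p) { return $p * 1.2; }, $prices);
}

// 2. `use ($factor)` copies the parent-scope variable into the closure at
//    definition time; later changes to $factor in the parent are not seen.
function makeMultiplier($factor)
{
    return function ($n) use ($factor) { return $n * $factor; };
}

// 3. `use (&$count)` captures by reference: the closure both reads and writes
//    the parent's variable.
function counter_demo()
{
    $count = 0;
    $increment = function () use (&$count) { $count++; };
    $increment();
    $increment();
    return $count;   // 2
}

// 4. Closure type hint: only a Closure object is accepted, a string function
//    name or an array callable is rejected with a type error.
function runTwice(Closure $fn)
{
    $fn();
    $fn();
}

// 5. Closure::bindTo() rebinds $this and the class scope after creation, so the
//    closure can reach a private property.
class Counter
{
    private $n = 10;
}

function peek_private()
{
    $peek  = function () { return $this->n; };
    $bound = $peek->bindTo(new Counter(), 'Counter');
    return $bound();   // 10
}

var_dump(prices_with_tax([10, 20, 30]));   // 12, 24, 36
$triple = makeMultiplier(3);
var_dump($triple(5));                       // 15
var_dump(counter_demo());                   // 2

$hits = 0;
runTwice(function () use (&$hits) { $hits++; });
var_dump($hits);                            // 2
var_dump(peek_private());                   // 10
```

Because bindTo() lets a closure take on any class scope, treat closures built from untrusted input the same way as any other code that can reach private state; in normal application code the rebinding is done once, at a known point, as in peek_private() above.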

File Wrappers

o Provide information on protocols and encodings

  - can be any file wrapper

  - allow for two pipelines at most: one for reading and one for writing

o Prefix in front of a file path

  - file://, http://, https://, ftp://, ftps://

  - php://, compress.zlib://, compress.bzip2://

o Custom Wrappers

stream_wrapper_register(protocol, classname)

Registers a protocol; the implementation is part of the class.

  - the class implements standard functionality like reading, writing, or changing the file position

  - php_user_filter is a predefined class in PHP and is used in conjunction with user-defined filters
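A custom wrapper registered with stream_wrapper_register(), as an added example that is not part of the original notes: the class implements the reading, writing, and position-changing methods PHP calls on a user wrapper, backed by an in-memory array. The scheme name mem:// and the class name MemStream are this example's own; it assumes PHP 7.0 or newer for the ?? operator.

```php
<?php
// Added example (not from the original notes): an in-memory stream wrapper.
// Each mem://host/path URL maps to one string in a static array.

class MemStream
{
    private static $store = [];   // key => contents
    private $key;
    private $pos = 0;
    public $context;              // populated by PHP when a context is supplied

    public function stream_open($path, $mode, $options, &$opened_path)
    {
        $url = parse_url($path);
        $this->key = ($url['host'] ?? '') . ($url['path'] ?? '');
        if (strpbrk($mode, 'wx') !== false) {
            self::$store[$this->key] = '';            // create or truncate
        } elseif (!isset(self::$store[$this->key])) {
            if ($mode[0] === 'r') {
                return false;                          // reading a missing key fails
            }
            self::$store[$this->key] = '';
        }
        $this->pos = ($mode[0] === 'a') ? strlen(self::$store[$this->key]) : 0;
        return true;
    }

    public function stream_read($count)
    {
        $chunk = (string) substr(self::$store[$this->key], $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_write($data)
    {
        $buf = &self::$store[$this->key];
        $buf = (string) substr($buf, 0, $this->pos) . $data
             . (string) substr($buf, $this->pos + strlen($data));
        $this->pos += strlen($data);
        return strlen($data);
    }

    public function stream_eof()  { return $this->pos >= strlen(self::$store[$this->key]); }
    public function stream_tell() { return $this->pos; }

    // fseek() calls this, then stream_tell() to confirm the new position.
    public function stream_seek($offset, $whence)
    {
        $len = strlen(self::$store[$this->key]);
        switch ($whence) {
            case SEEK_SET: $new = $offset;              break;
            case SEEK_CUR: $new = $this->pos + $offset; break;
            case SEEK_END: $new = $len + $offset;       break;
            default:       return false;
        }
        if ($new < 0 || $new > $len) {
            return false;
        }
        $this->pos = $new;
        return true;
    }

    public function stream_flush() { return true; }
    public function stream_close() { }
    public function stream_stat()  { return ['size' => strlen(self::$store[$this->key])]; }
}

stream_wrapper_register('mem', 'MemStream') or die('could not register mem://');

// Ordinary file functions now work on the new scheme.
file_put_contents('mem://scratch/notes.txt', "line one\nline two\n");
$fp = fopen('mem://scratch/notes.txt', 'r+');
fseek($fp, 0, SEEK_END);
fwrite($fp, "line three\n");
rewind($fp);
while (($line = fgets($fp)) !== false) {
    echo $line;
}
fclose($fp);
```

Because the scheme prefix alone selects which wrapper handles a path, any code that passes user-supplied strings to fopen(), file_get_contents() or include should check the scheme against an allowlist before the call; a custom wrapper like this one extends the set of prefixes that are accepted.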