_GET and getenv security

AndrewPHP

I have a small PhP script at my site that performs services for another (remote) program. It is important that this Php script operate securely, and it's my first PhP progarm, so I have some questions. These are probably basic but I could not find information in the PhP documents about this so I'd appreciate some help.

The PhP script uses GET (say, GET['myvar']). Is it possible for someone to construct a value of myvar that could cause security problems unless I specifically guard against these problems? If so, how do I guard against them -- is using htmlspecialchars sufficient?

Also, I am using getenv('REMOTE_ADDR') to verify that the remote program comes from the place I think it does. (This is just one of many security steps -- I am not relying on this alone, of course.) Does using getenv in this way introduce any security problems?

Finally, is this an appropriate place to post the script itself, in order to get feedback from experts?

Andrew

mcrbids

"Secure" isn't a yes or no proposition. It's relative. Just like your house - you lock the door, but really - COULD somebody with a crowbar get in fairly easily through the window?

There are numerous articles written on how to use PHP. Given its open nature and its power, PHP is notoriously difficult to run truly securely.

Typically, it's slightly better to use POST rather than GET since a GET style form can be copied off the URL bar, saved as a bookmark, or emailed with little inconvenience.

Also, if it really must be secure, don't hesitate to set up SSL. Certs can be had for $50 and most ISPs will only charge about that much to set you up.

Then too, what about security of the server? Are there other users on the system that have the right permissions to read your scripts, logins, password files, etc? Are all relevant security patches applied routinely to your server?

Who can connect to your database? Are your passwords in plaintext, or are they encrypted with MD5 or something similar?

REMOTE_ADDR can be spoofed, though , circumstances depending, it can be difficult. Depends on how rigid you are about its use and your network topology.

If you want to secure your stuff, be careful not to pidgeonhole yourself in a certain way of thinking - the nature and breadth of attacks and compromises can be nothing short of stunning.

It's up to you to evaluate how much security is secure enough and plan accordingly. Remember that security is about restricting, and too much security renders a product useless.

AndrewPHP

I know that. I am interested in the specific things I asked about.

laserlight

Well, on the line of what mcrbids wrote, you probably should pick up a book on web/internet security.

As for the specifics:

Is it possible for someone to construct a value of myvar that could cause security problems unless I specifically guard against these problems? If so, how do I guard against them -- is using htmlspecialchars sufficient?

Yes, e.g. if this variable is used in an SQL query, it might be possible to perform SQL injection.
If magic_quotes_gpc is not set to 1, you might have to use addslashes() on such incoming variables.
htmlspecialchars() can help prevent cross site scripting, or malicious code injection, so yes you should use it where appropriate.

Other forms of data validation, e.g. type checking, size limitation etc, can also be performed.

I am using getenv('REMOTE_ADDR') to verify that the remote program comes from the place I think it does.

If well implemented, it probably doesnt introduce security problems by itself.
However, the result of $_SERVER['REMOTE_ADDR'] (which should be what you get) cannot be entirely trusted since it may be spoofed, as mentioned by mcrbids.

AndrewPHP

Thanks laserlight, that is helpful.

Yes, e.g. if this variable is used in an SQL query, it might be possible to perform SQL injection. If magic_quotes_gpc is not set to 1, you might have to use addslashes() on such incoming variables. htmlspecialchars() can help prevent cross site scripting, or malicious code injection, so yes you should use it where appropriate.

Other forms of data validation, e.g. type checking, size limitation etc, can also be performed.

Is using htmlspecialchars() sufficient to prevent html injection attacks? The only input (that I know of) is from the $_GET['myvar'] and possibly the getenv('REMOTE_ADDR'). I am doing some validation to prevent some SQL injection attacks. I don't know if it prevents them all.

If well implemented, it probably doesnt introduce security problems by itself.
However, the result of $_SERVER['REMOTE_ADDR'] (which should be what you get) cannot be entirely trusted since it may be spoofed, as mentioned by mcrbids.

1. I had not been planning to validate information returned from getenv() but based on these comments I will do validation now.

The wording in your reply is a bit ambiguous -- are you saying that it is better to use $_SERVER['REMOTE_ADDR'] than getenv('REMOTE_ADDR')?

laserlight

they should be the same.

I am not sure exactly how you would validate against spoofed IPs though.

superwormy

You should always check your variable for type or cast them as well.

If you're expecting and integer, cast it to an integer ( $GET['myvar'] = ( integer ) $GET['myvar']; ) or check if is_numeric() or something similar. Make sure that the variables are always there too, check to see if isset ($_GET['myvar']);

$_SERVER['REMOTE_ADDR'] and getenv ('REMOTE_ADDR'] should return the same thing.

You can validate the IP address is at least in a valid form by using regular expressions.