PHP and security

postitnote100

I have several questions regarding PHP and security. If you have knowledge of or a link to an article that addresses one or more of my questions below, please post. I'm sure I'm not the only one on this forum that could benefit from answers to these questions

Thanks.

I know that when someone is browsing my site and they access a file with php code, the code is not visible when they look at the source. However, is it possible for someone to download files (via mass file downloading software or by other means) in their entirety and then open them and look at the code?
What is the difference in security between a file in the cgi-bin and one in another folder?
Should I have mysql login information contained in the php code of any old php script, or should I keep it in one file (maybe located in the cgi-bin?) and then include it in my other files?
I pass my variables between scripts like so: www.example.com/script.php?user=tommy
This makes me nervous because the information is visible to the person browsing. Should this make me nervous? Is there a more secure/better way to pass data? Should I be encrypting the data before I pass it like this?
I'm creating a website that has a login system that will allow different users to access different personalized sections of the website. To do this, I'm using session variables and mysql. How secure are session variables? Are there any good practice rules I should follow? Is there a better way to implement this than session variables and mysql? .htaccess is no good - it would require users to login several times and they wouldn't be able to change their passwords.
How secure is md5()? I understand that it is not encryption per se, but for authentification. Is it robust enough for security or should I just look at it as a tool of convenience. For example, I currently store the md5() output of users passwords in a mysql table instead of their passwords. This is convenient because I can browse the table without learning their passwords. However, can I rely on md5() to protect the passwords from a hacker or someone with more knowledge than I have?
Is there an built-in encryption function in php that lets me set the seed? Are there other commands/functions in php that are useful for security?
What are common exploits in php and how do I protect against them?
Is there anything else I should know about php and security?

drew010

1. I know that when someone is browsing my site and they access a file with php code, the code is not visible when they look at the source. However, is it possible for someone to download files (via mass file downloading software or by other means) in their entirety and then open them and look at the code?

the reason they cant see the php code, is because it is parsed by the server and then the output is sent from the webserver back to the client. the only way they would be able to get the actual php code would be if they gained ftp or shell access to your website, or if your server became misconfigured for some reason and .php files were no longer parsed as php. (in apache see httpd.conf, you'll find a link AddType application/x-httpd-php .php)
Basically any http request made for a .php file no matter if its from a browser or a custom program, the php code is parsed server side, and unattainable by the remote user.

2. What is the difference in security between a file in the cgi-bin and one in another folder?

these days there really isnt too much of a difference between the cgi-bin and any other folder. years ago, if you wanted to execute a program on a webserver from the browser, usually a perl or compiled c program, it could only be executed if inside the cgi-bin due to security. now most configurations allow these kinds of scripts to be identified by their extensions, i.e. script.cgi is identified as a cgi script and is executed by the server. before this, it couldnt be run unless in the cgi-bin. so to answer this, there is really no difference in security now.
also a note with php. one of the nice things about it, is that its run by the webserver, and not as an external program like perl scripts were. this is why php scripts dont need a permission level of something like 755. so php scripts wouldnt have to be located in the cgi-bin, even all those years ago when files couldnt be executed outside of it.

3. Should I have mysql login information contained in the php code of any old php script, or should I keep it in one file (maybe located in the cgi-bin?) and then include it in my other files?

depending on how many places its used, it may be easiest to keep it in one config type file and include it. if you have the username and password hardcoded into 15 files, changing the details becomes a hassle.

4. I pass my variables between scripts like so: www.example.com/script.php?user=tommy
This makes me nervous because the information is visible to the person browsing. Should this make me nervous? Is there a more secure/better way to pass data? Should I be encrypting the data before I pass it like this?

passing values via the query string is common, even notice the forum does it for the thread id. just be careful what you are passing, and always extensively check the value you are getting since its so easy for a user to mess with it. one common thing to read about on this topic is sql injections and xss attacks.

5. I'm creating a website that has a login system that will allow different users to access different personalized sections of the website. To do this, I'm using session variables and mysql. How secure are session variables? Are there any good practice rules I should follow? Is there a better way to implement this than session variables and mysql? .htaccess is no good - it would require users to login several times and they wouldn't be able to change their passwords.

sessions are very secure, at least in the fact that the values of the variables are stored on the server and not on the users computer. the one downside of sessions, is that if anyone gets a hold of another persons session id, they can easily take over the session. the session id is either passed via get/post, or if the client uses cookies, and session cookies are enabled, the session id is sent in a cookie.

6. How secure is md5()? I understand that it is not encryption per se, but for authentification. Is it robust enough for security or should I just look at it as a tool of convenience. For example, I currently store the md5() output of users passwords in a mysql table instead of their passwords. This is convenient because I can browse the table without learning their passwords. However, can I rely on md5() to protect the passwords from a hacker or someone with more knowledge than I have?

you are right, md5 is not encryption, it is a one way hash algorithm that will always result in the same output given the same input. this makes it handy for storing passwords in a database which you can just hash the input password and compare to whats stored.
recently faster ways to acheive collisions were discovered in the algorithm, but for any person to be able to do anything with that, would require they be very very advanced in math and have powerful computers, as now i beleive the new time they can generate a collision at is like 2⁶⁹ which is still extremely large and unfeasable, just faster than was previously known. you will want to make sure your users are using secure passwords however. they should be at least 8 characters long consisting of letters AND numbers. there are sites that store databases of md5 hashes. (see http://passcracking.com/) <-- they have all hashes of a-z0-9 from length 1-8. for this reason, the php function sha1 is better.

7. Is there an built-in encryption function in php that lets me set the seed? Are there other commands/functions in php that are useful for security?

php has a popular extension called mcrypt which is an encryption library supporting many algorithms where you can use your own encryption key in ecb mode. www.php.net/mcrypt

8. What are common exploits in php and how do I protect against them?

id say most exploits come from insecure coding, rather than existing in php itself, however you should always keep php up to date and keep track of what they fix in the new releases.
but in my experience, the most common exploit in php would be remotely including files via the url. lots of sites do things like index.php?page=about and in the php code they take that value, unchecked and include a file. this allows me to do index.php?page=http://mysite.com/badscript and badscript is included and executed on their page, allowing me to view the source of the files and get database passwords and things, even have the potential to make new files and delete existing ones.

9. Is there anything else I should know about php and security?

some good reading at http://phpsec.org/

hope i provided some good answers. let me know if i can expand on anything

postitnote100

Thanks Drew! Very helpful.

justsomeone

postitnote100 wrote:
4. I pass my variables between scripts like so: www.example.com/script.php?user=tommy
This makes me nervous because the information is visible to the person browsing. Should this make me nervous? Is there a more secure/better way to pass data? Should I be encrypting the data before I pass it like this?

Just a little extra to add to drew101's detailed answers.

You're generally safe enough to pass information like this, but you should only ever pass as much info as you need to.

If you really want to go mad on the security there are some more complicated things you can do with your name value pairs. It takes a good bit more design, but will help you out.

Let's say you have a login form. You could just send the username and password (let's say "justsomeone" and "mypassword") in plain text. Anyone sniffing the line could intercept them.

Alternatively, you could use javascript to md5() the username and/or password before you send it. This will prevent a hacker from discovering your username and password, but doesn't push the security a whole lot further, as they could now just use the md5'd values instead. ie the values of md5("justsomeone") and md5("mypassword").

But what's much more secure is to use PHP to insert a key value into the javascript. This key value could then be prepended to the username and password before md5ing them and sending them to the form. If we take an example key value of "16tg7", then the values passed by the login form are m5d("16tg7justsomeone") and md5("16tg7mypassword").

If you generate a different key value for every instance of the form, and keep track of which instance is which, then anyone who intercepts the values will be unable to use them later. It's all very safe, and controlled by the server.

I've tinkered with this idea in the past and have been very happy with it. I may offer it to the public domain at some point, if I ever get it polished enough.

All of these things come at a performance cost, take longer to develop and can be more complicated to maintain. Ultimately for every application, you have to decide how secure you want it to be.

I don't have the same level of security on my garden shed as I do on my house. And the security in my house isn't much compared to what you'd see in a bank. It's all down to finding the most appropriate solution for each application.

Weedpacket

I thought I'd just chunk in a couple more links
http://www.owasp.org/
http://www.sklar.com/page/article/owasp-top-ten

JCirri

In response to justsomeone, this sounds like an interesting idea. But how could PHP insert a key into the javascript. The form is rendered in the client's browser, the client enters his username/password, then javascript calculates md5(username) and md5(password) which gets sent to the server. But PHP, on the server-side, does not have access to "username" or "password" to append or prepend a key. This could be done through javascript processing, but then the user has access to the key and it's pointless. So how could this work?