Security Flashcards
When invoked as a CGI binary, PHP refuses to interpret the command line arguments. (The CGI interface passes the part of the URL after ? to the interpreter as command line arguments, and interpreters normally open and execute the file named by the first argument, so a request such as php?/etc/passwd would otherwise hand PHP that file.)
What are the following runtime configuration directives: cgi.force_redirect, doc_root, user_dir?
cgi.force_redirect – necessary to provide security when running PHP as a CGI under most web servers. Left undefined, PHP turns it on by default; turn it off only if you understand what the check protects against.
doc_root – PHP’s root directory on the server. Only used if non-empty. If PHP is configured with safe mode, no files outside this directory are served (safe mode itself was deprecated in PHP 5.3 and removed in 5.4, so rely on cgi.force_redirect and open_basedir instead).
user_dir – the base name of a directory used on a user’s home directory for PHP files, for example public_html.
What is –enable-force-cgi-redirect for?
It enables the security check for internal server redirects. You should use it if you are running the CGI version of PHP under Apache. As of PHP 5.3 the check is enabled by default and the configure argument no longer exists; the behaviour is controlled at runtime by the cgi.force_redirect directive.
What does cgi.force_redirect do?
It’s a configuration directive that prevents anyone from calling the PHP CGI binary directly (for example with a URL of the form /cgi-bin/php/secret/file.php). Instead, PHP will only run in this mode if the request arrived through a web server redirect rule; Apache signals this by setting the REDIRECT_STATUS environment variable, and cgi.redirect_status_env names a different variable for servers that do not set it.
What are three ways to set the PHP script document root?
- The configuration directive doc_root in the config file
- Set the environment variable PHP_DOCUMENT_ROOT.
- Set user_dir.
user_dir expansion happens regardless of the doc_root setting, so you can control the document root and user directory access separately.
What is open_basedir for?
It’s a configuration directive that limits the files PHP can access to the specified directory tree, the file itself included. It is unaffected by safe mode, and since PHP 5.3 a script can tighten it at runtime with ini_set(), but never widen it.
When a script touches the filesystem, for example through include or fopen, the location of the file is checked and PHP refuses access to anything outside the tree. Symbolic links are resolved first, so a symlink inside the tree that points outside it does not bypass the restriction, and neither does ../ traversal. Two caveats: the value is a prefix match, not a directory name (open_basedir = /dir/incl also admits /dir/include), so end each entry with a slash; and several directories are separated with : on Unix and ; on Windows.
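The following script, an added example rather than code from the original flashcards, exercises open_basedir at runtime: it builds a throw-away directory tree under the system temp directory (a constructed sandbox, not a real deployment path), restricts PHP to one half of it, and then tries to escape directly, through a symlink, and through ../ traversal. It also shows that the restriction can only be tightened, never loosened, once set.

```php
<?php
// Added example, not from the original flashcards: exercises open_basedir at
// runtime. Since PHP 5.3 a script may tighten (never loosen) open_basedir with
// ini_set(); everything below $base is a constructed throw-away tree.
declare(strict_types=1);

$base = sys_get_temp_dir() . '/obd_demo_' . getmypid();
mkdir("$base/allowed", 0700, true);
mkdir("$base/secret", 0700, true);
$base = realpath($base);                      // resolve /tmp symlinks (e.g. macOS)
file_put_contents("$base/allowed/ok.txt", "inside the allowed tree\n");
file_put_contents("$base/secret/key.txt", "must stay hidden\n");
// A symlink inside the allowed tree that points outside it.
symlink("$base/secret/key.txt", "$base/allowed/link_to_secret.txt");

// Trailing slash matters: open_basedir is a prefix match, so "$base/allowed"
// without it would also admit "$base/allowed-other" if such a directory existed.
ini_set('open_basedir', "$base/allowed/");

/** Read $path and return its contents, or the reason PHP refused. */
function tryRead(string $path): string
{
    // An open_basedir violation is a warning, not an exception; suppress it
    // and pull the message back out of error_get_last().
    $data = @file_get_contents($path);
    if ($data === false) {
        return 'REFUSED: ' . (error_get_last()['message'] ?? 'unknown error');
    }
    return 'OK: ' . trim($data);
}

printf("%-16s %s\n", 'direct, inside:',  tryRead("$base/allowed/ok.txt"));
printf("%-16s %s\n", 'direct, outside:', tryRead("$base/secret/key.txt"));
printf("%-16s %s\n", 'via symlink:',     tryRead("$base/allowed/link_to_secret.txt"));
printf("%-16s %s\n", 'via ../:',         tryRead("$base/allowed/../secret/key.txt"));

// Widening the restriction again is refused: ini_set() returns false.
var_dump(ini_set('open_basedir', '/') === false);

// The sandbox is left under sys_get_temp_dir(): open_basedir now forbids this
// very script from deleting the "secret" half, so remove it by hand.
```

Only the first read succeeds; the other three report an "open_basedir restriction in effect" warning, because PHP canonicalises the path (following the symlink and collapsing ../) before comparing it with the allowed prefix.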
What are 6 things you can do to prevent SQL injection?
- Never connect to the database as superuser. Use a limited privileges user.
- Use prepared statements with bound variables, such as those provided by PDO, MySQLi, and by other libraries.
- Check if the given input has the expected data type
- If the application takes numerical input, verify it with ctype_digit(), change its type with settype(), or use its numeric representation with sprintf().
- If the database layer doesn’t support binding variables, quote every non-numeric value with the database-specific string escape function (for example mysqli_real_escape_string() or PDO::quote()); generic helpers such as addslashes() are not safe in general.
- Do not print out any database-specific information, especially about the schema, in error messages or page output.
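To make the list concrete, here is the vulnerable pattern beside its prepared-statement fix. This is an added example, not code from the original flashcards; it runs offline against a constructed in-memory SQLite database (the users table, its two rows and the attacker string are all made up for the demonstration) and needs the pdo_sqlite extension.

```php
<?php
// Added example, not from the original flashcards: string-concatenated SQL
// versus a type-checked, parameterised query, run against a constructed
// in-memory SQLite database. Requires the pdo_sqlite extension.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real prepares where the driver supports them
]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)');
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");

/** VULNERABLE: user input is pasted straight into the SQL text. */
function findUserUnsafe(PDO $db, string $id): array
{
    $rows = $db->query("SELECT id, name FROM users WHERE id = $id AND is_admin = 0");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

/** SAFE: check the expected type, then bind the value; the SQL text never changes. */
function findUserSafe(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id AND is_admin = 0');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: AND binds tighter than OR, so the WHERE clause
// becomes "id = 1 OR (1=1 AND is_admin = 0)" and the non-admin filter is lost.
$payload = '1 OR 1=1';

var_dump(findUserUnsafe($db, $payload));   // both rows, including the admin alice
try {
    findUserSafe($db, $payload);           // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
var_dump(findUserSafe($db, '2'));          // only bob
```

The prepared statement would be safe even without the ctype_digit() check, because the bound value can never change the statement's structure; the check is still worth keeping so that bad input fails loudly at the boundary rather than silently matching nothing. When a driver offers no binding at all, PDO::quote() (or the driver's own escape function) is the fallback for string values, never manual quoting.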
What would you set error reporting to to test your code?
E_ALL
How can you turn off error displays completely?
Either call error_reporting(0) in the script, or set display_errors = Off in php.ini. The first silences logging as well, so the usual production setup is the second: keep error_reporting at E_ALL, set display_errors to Off, turn log_errors on, and point the error_log ini directive at a log file the web server user can write to.
What is $_REQUEST a mix of?
By default $_GET, $_POST, and $_COOKIE, merged in the order given by the request_order ini directive (falling back to variables_order). The shipped php.ini files set request_order = "GP", which leaves cookies out; where cookies are included, a later source overwrites an earlier one with the same key, so a cookie can shadow a GET or POST parameter.
Are magic quotes available in PHP?
No. Magic quotes (magic_quotes_gpc and friends) were deprecated in PHP 5.3 and removed in PHP 5.4, so input is never escaped automatically; code that relied on them must escape or, better, bind values itself.
What are some ways to hide PHP?
- Set expose_php to Off in php.ini, which removes the X-Powered-By header that advertises the PHP version.
- Use web server directives (Apache’s AddType, for example) to have PHP parse files with non-PHP extensions: other language suffixes such as .asp, made-up suffixes such as .foo, or plain .html.
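The php.ini fragment below collects the directives discussed on this page (the CGI redirect check and document root, open_basedir, the error display and logging settings, and expose_php) into one production-oriented configuration. It is an added example, not configuration from the original flashcards; the web root, log path and user directory are assumed placeholders to be replaced with the real ones.

```ini
; Added example, not from the original flashcards. Paths are assumptions.

; --- CGI deployment ---
cgi.force_redirect = 1              ; refuse requests that bypass the server's redirect rule
; cgi.redirect_status_env = REDIRECT_STATUS ; only needed for servers that are not Apache
doc_root = /var/www/html            ; assumed web root; only used if non-empty
user_dir = public_html              ; http://host/~user/ maps to ~user/public_html

; --- filesystem confinement ---
; trailing slashes: entries are prefix matches, not directory names
open_basedir = /var/www/html/:/tmp/

; --- error handling (production) ---
error_reporting = E_ALL             ; report everything ...
display_errors = Off                ; ... but never to the client
display_startup_errors = Off
log_errors = On
error_log = /var/log/php/error.log  ; assumed path; must be writable by the PHP user

; --- development: override the two display lines above ---
; display_errors = On
; display_startup_errors = On

; --- hide PHP ---
expose_php = Off                    ; drop the X-Powered-By header
```

With display_errors off and log_errors on, a failing query or include produces nothing in the response body and a full message in error.log, which is also where the open_basedir refusals described above end up.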