PHP Module Security Risks and Prevention Explained
PHP Cheat Sheet and Prevention Explained - Part 10
Foreword: In this part of the series, I explain PHP module security risks and how to prevent them.
By: Chrysanthus Date Published: 29 Jan 2019
Introduction
Risks are weaknesses from PHP or from you the programmer, that you may ignore; and attackers (hackers) would take advantage of.
Security Risk with included File
If a variable has been initialized, it means it has been assigned a value. Let us talk about two PHP files and see a problem that can occur due to unknown initialization.
Consider the PHP file,
<?php
$arra = array('pen','book');
?>
This file defines an array with the name, $arra. Name the file, temp1.php. Also consider the following file:
<?php
include_once('temp1.php');
echo $arra[0], '<br>';
$arra = 2;
echo $arra, '<br>';
//echo arra[1], '<br>';
?>
This file begins by including the file, temp1.php, so that all the included code is in the upper part of its own code content. Next it displays the value 'pen' from the array in the upper content (of included file). It goes on to declare and initialize a new variable, integer variable, but unfortunately with the same name as the array in the included file.
This new variable overrides the old variable with the same name; meaning, as you go downward, the value of the variable with the name, $arra is 2 and not an array. Next, the code displays the value, 2. The last line should display the value, 'book', but it is commented out, and it is not executed, now.
Give this second file, the name, temp.php . Save both files in the same directory. Run the file, temp.php. The output is:
pen
2
Now, remove the double forward slash, // , from the last line, making it executable. Run the program again and note that there is a fatal error and the program does not even run. It is not in every situation that you have a fatal error, and the program stops running. In some situations, the program continues to run and be giving wrong results (exploitable by a hacker).
Not knowing that a variable has been initialized is problematic in the case of including one file into another, which uses the same variable name.
To solve this problem, while you are writing the code (temp.php) use the isset() function to check if a variable has been assigned a value. That is, you check if a variable is already in use. If yes, choose a different variable name for your new variable.
The isset() function, returns true, if the variable has been set to anything other than NULL, or it returns false otherwise. The following code shows how the isset() function is used:
<?php
$arra = array('pen','book');
if (isset($arra))
echo 'This variable has a value other than NULL, and you cannot use it.';
else
echo 'You can initilize and use this variable here';
?>
Note, if a variable was initialized (or finally assigned) to NULL, in the included file, then that is the same as not having the variable in the included file. So you can still use the variable in the new file.
include, require, include_once, require_once
A module is a file having a set of commonly used functions. It may have a few assigned variables. To include a module to the main file, you can use any of the following:
include('path/to/module');
require('path/to/module');
include_once('path/to/module');
require_once('path/to/module');
When a file (module) is included, the code it contains inherits the variable scope of the line on which the include occurs. Any variables available at that line in the calling (main) file will be available within the called file, from that point forward. However, all functions and classes defined in the included file have the global scope.
require has an advantage over include, in that if the module is not found, it would issue a fatal error halting the script; whereas include will only issue a warning message and its script will continue to run.
include and require do not check whether the module has already been included, and so if there is more than one call (statement), the same module will be included more than once. You should include a module only once. Always use include_once or require_once with require_once being the better option, as it would issue a fatal error and halt, if the module was not found.
Programmers usually code one class per module (file). There is no real problem in that. The problem comes from the fact that PHP allows the same class to have more than one name. Read and test the following code:
<?php
class Calculator
{
public $num1;
public $num2;
public function add()
{
$sum = $this->num1 + $this->num2;
return $sum;
}
}
$myObject = new Calculator();
$myObject->num1 = 2;
$myObject->num2 = 3;
$result = $myObject->add();
echo $result;
echo '<br>';
$unCalledFor = 'Calculator';
$myObject = new $unCalledFor();
$myObject->num1 = 2;
$myObject->num2 = 3;
$result = $myObject->add();
echo $result;
?>
The output is:
5
5
The line,
$unCalledFor = 'Calculator';
allows the same class to have the names, Calculator and $unCalledFor.
Many-to-one relationship is not really a problem. The problem is that the user can end up creating a variable that references or hold the value of another variable.
References in PHP allows more than one variable to access the same value. In a program, a value can easily become a value of an array and then even become the value of a new variable.
Allowing the user or attacker to create a variable or handle the script such that a variable (new or old) is wrongly assigned to a sensitive information, is a big problem.
Prevention: Do not allow or write code, such that the user would create a variable.
Name Space
You should not have more than one variable with the same name in a script (program). In a program, the second variable always overrides the first - that is usually not what you want. To solve this problem, place variables with the same name in different namespaces, just as you place files with the same name in different directories. This solution also comes with its own problem.
You can create a namespace in two ways: The namespaces TheProject and HisProject can be created like:
<?php
namespace TheProject;
const CONNECT_OK = 1;
class Connection { /* ... */ }
function connect() { /* ... */ }
namespace HisProject;
const CONNECT_OK = 1;
class Connection { /* ... */ }
function connect() { /* ... */ }
?>
They can also be created like:
namespace TheProject
{
const CONNECT_OK = 1;
class Connection { /* ... */ }
function connect() { /* ... */ }
}
namespace HisProject
{
const CONNECT_OK = 1;
class Connection { /* ... */ }
function connect() { /* ... */ }
}
?>
In the first code, the first namespace ends where the second one begins. If there were no second namespace, the second one will end at the end of the script. To solve this problem, always use the second code with curly brackets.
That is it for this part of the series. We stop here and continue in the next part.
Chrys
Related Links
Basics of PHP with Security ConsiderationsWhite Space in PHP
PHP Data Types with Security Considerations
PHP Variables with Security Considerations
PHP Operators with Security Considerations
PHP Control Structures with Security Considerations
PHP String with Security Considerations
PHP Arrays with Security Considerations
PHP Functions with Security Considerations
PHP Return Statement
Exception Handling in PHP
Variable Scope in PHP
Constant in PHP
PHP Classes and Objects
Reference in PHP
PHP Regular Expressions with Security Considerations
Date and Time in PHP with Security Considerations
Files and Directories with Security Considerations in PHP
Writing a PHP Command Line Tool
PHP Core Number Basics and Testing
Validating Input in PHP
PHP Eval Function and Security Risks
PHP Multi-Dimensional Array with Security Consideration
Mathematics Functions for Everybody in PHP
PHP Cheat Sheet and Prevention Explained
More Related Links