My Dreamweaver Extensions

Securing your pages with the PHP Security Server Formats

Security comes from many steps, taken at different levels of an application. The Defense in Depth principle calls for redundant safeguards, so that one control still protects you when another one fails. For instance, you have to filter input into your application (e.g. data coming from a user form) and also to escape output (e.g. when you display this data on an HTML page).

This tutorial describes how to use the PHP Security Server Formats extension for Dreamweaver to quickly increase the level of security of your PHP pages, by escaping the data you output onto your pages or by forcing it to a given type.

The need to escape output

Consider this simple form and PHP code (note the last line, which displays a recordset field without any escaping: <?php echo $row_Recordset1['varcharField']; ?>):

<form id="form1" name="form1" method="POST" action="<?php echo $editFormAction; ?>">
	<textarea name="textarea" id="textarea" cols="45" rows="5"></textarea>
	<input type="submit" name="button" id="button" value="Send" />
	<input type="hidden" name="MM_insert" value="form1" />
</form>
<p>This can be any type:<?php echo $row_Recordset1['varcharField']; ?></p>			

We have added to the page an Insert Record Dreamweaver server behavior and a recordset that retrieves the value stored in the database:

<?php
[...]
$editFormAction = $_SERVER['PHP_SELF'];
if (isset($_SERVER['QUERY_STRING'])) {
 $editFormAction .= "?" . htmlentities($_SERVER['QUERY_STRING']);
}

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
 $insertSQL = sprintf("INSERT INTO security (varcharField) VALUES (%s)",
   GetSQLValueString($_POST['textarea'], "text"));
    
 mysql_select_db($database_rsSSF, $rsSSF);
 $Result1 = mysql_query($insertSQL, $rsSSF) or die(mysql_error());
}
    
mysql_select_db($database_rsSSF, $rsSSF);
$query_Recordset1 = "SELECT * FROM security";
$Recordset1 = mysql_query($query_Recordset1, $rsSSF) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>

Now, if the user simply enters this in the textarea field:

<script type="text/javascript">
alert("You've been hacked!");
</script>

The JavaScript code gets executed once the form is sent and the field value is output to the page (fig. 1). This is a stored cross-site scripting (XSS) attack: the payload is saved in the database and runs in the browser of every visitor who views the page, not only in the browser of the person who submitted it. Here, we are just throwing an alert box, but the same injection point could be used to steal session cookies, deface the page or redirect your visitors.

Injecting and executing JavaScript on a PHP page
Fig. 1 - Our form and the injection of JavaScript code onto the page (Code and Design views, in Live view).

Of course, user input should be validated by the form logic, but as security comes from a series of steps, escaping data or forcing its type before displaying it on the page is a supplementary step that will make it harder to hack your pages. Escaping at output time also protects you when the data did not come through your form at all (another application writing to the same table, an imported file, a compromised database account).

Escaping data

Now, let's apply the HTML Entities With Parameters PHP server format (Fig. 2). Select {Recordset1.varcharField} in Design view, and open the Bindings panel wide enough so that the Format column appears. The varcharField in Recordset1 is now selected and we can click the little arrow in the Format column to reveal the various server formats. Once the PHP Security Server Formats extension is installed, you can see a Security category, with several server formats. We click on the HTML Entities With Parameters one.

Inserting a PHP server format in Dreamweaver
Fig. 2 - Inserting a PHP security server format in Dreamweaver.

Now, as we can see in Live Code, the HTML characters (<, >, quotes and ampersands) have been converted into their corresponding entities, so the browser displays the payload as plain text instead of executing it.

Escaping output with a PHP server format.
Fig. 3 - Escaping output prevents the execution of JavaScript code.

Server formats added to Dreamweaver by PHP Security Server Formats

The PHP Security Server Formats extension comes with a number of formats intended to make sure that the data you will output onto the page will be of the desired type:

  • Integer will make sure the data you output on your page will only be an integer.
    <p>This will be an integer: <?php echo strval(intval($row_Recordset1['integerField'])); ?></p>

Fig. 4 shows the code inserted (in Code view), the value of the varcharField in the database (which is the same HTML + JavaScript code as above) and the result in Live View, which is neutralized by the Integer server format and becomes 0 (intval() keeps only a leading numeric part, and there is none). This is not very pretty (for the hacker!) and the insertion of JavaScript code must be prevented up-front in the form server logic anyway, but at least this data cannot do any harm. Keep in mind that your database could also be tampered with through another channel than your form, so the check at output time is worth having even when the input validation is good. This is the illustration of the Defense in Depth principle.

Applying the Integer server format in Dreamweaver
Fig. 4 - Neutralizing possibly tainted content with a PHP Security Server Format.

  • Floating point number will make sure the data you output on your page will only be a floating point number.
    <p>This will be a floating point number: <?php echo strval(floatval($row_Recordset1['floatField'])); ?></p>
  • HTML entities with parameters is an enhanced version of the HTML entities original Dreamweaver server format, adding the possibility to use the optional parameters of the htmlentities() function: flags, charset, double_encode (see also Customizing a security server format below). This will convert all applicable characters to HTML entities. Keep ENT_QUOTES, so that both single and double quotes are escaped and the value is also safe inside a quoted HTML attribute, and make sure the charset matches the encoding declared by your page. This format is meant for data placed in the HTML body or in an attribute; a value inserted inside a <script> block or a URL needs escaping rules of its own.
    <p>This will convert all applicable characters to HTML entities: <?php echo htmlentities($row_Recordset1['varcharField'], ENT_QUOTES, 'UTF-8'); ?></p>
  • New lines to BR + HTML entities with parameters is the same as above but will also insert HTML line breaks before all newlines in a string.
    <p>This will convert all applicable characters to HTML entities and will insert HTML line breaks before all new lines: <?php echo nl2br(htmlentities($row_Recordset1['varcharField'], ENT_QUOTES, 'UTF-8')); ?></p>
  • Strip Tags with Allowable Tags will strip HTML and PHP tags from a string; obviously, you can customize this server format to specify tags which should not be stripped (see Customizing a security server format below). Be careful with the allow-list: strip_tags() does not remove attributes from the tags it keeps, so allowing even a harmless-looking <span> lets an onmouseover or onclick handler through, and the text between stripped tags (the body of a <script> block, for instance) is kept as plain text. When the data should not contain markup at all, prefer one of the HTML entities formats above.
    <p>This will strip HTML and PHP tags from a string: <?php echo strip_tags($row_Recordset1['varcharField'], '<span>'); ?></p>
  • New lines to BR + Strip Tags with Allowable Tags is the same as above but will also insert HTML line breaks before all new lines in a string.
    <p>This will strip HTML and PHP tags from a string and will insert HTML line breaks before all new lines: <?php echo nl2br(strip_tags($row_Recordset1['varcharField'], '<p><br>')); ?></p>
  • MD5 Encryption with Salt is a special security server format that follows the recommendation of Chris Shiflett's Essential PHP Security; not only is your string (e.g., a password) hashed with the MD5 algorithm (MD5 is a hash, not an encryption: the original value cannot be recovered from the result), but it also uses a salt (i.e., additional data which makes your hashes more difficult to crack with precomputed tables) of your choice (see Customizing a security server format below). Note that the salt is a fixed value shared by all the records of your site, and that MD5 is a fast hash; on current PHP versions (5.5 and later), the password_hash() and password_verify() functions, which use bcrypt with a random per-password salt, are the recommended way to store and check passwords.
    For example, you can use this server format when storing a password in a database, then use it again to hash the value coming from the login form and compare it with the one stored in the database when identifying a user.
    <p>This will hash a string with a salt of your choice: <?php echo md5("mySalt" . md5($row_Recordset1['varcharField'] . "mySalt")); ?></p>
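The following script is an added example, not code from this tutorial nor from the PHP Security Server Formats extension: it runs the same PHP calls the server formats above insert into your page over a constructed recordset row, so the result of each format can be compared from the command line (php formats.php) without Dreamweaver. The $row_Recordset1 array, the function names and the sample values are assumptions made for the example; it assumes PHP 7.4 or later. Besides the formats of the list, it shows the attribute that strip_tags() lets through with an allowed <span>, and puts the extension's salted-MD5 construction beside password_hash()/password_verify().

```php
<?php
declare(strict_types=1);
// Added example (not the tutorial's or the extension's code). Each function
// wraps the call that the corresponding server format inserts into a page.

// Constructed stand-in for Dreamweaver's $row_Recordset1: the tutorial's payload,
// plus a <span> carrying an event handler, plus numeric fields with trailing junk.
$row_Recordset1 = [
    'varcharField' => "<script type=\"text/javascript\">\nalert(\"You've been hacked!\");\n</script>\n"
                    . "<span onmouseover=\"alert('hovered')\">hover me</span>",
    'integerField' => '42abc',       // numeric prefix followed by garbage
    'floatField'   => '3.14; DROP',  // same idea for a float
];

// Integer / Floating point number: intval() and floatval() keep only the leading
// numeric part, so a value that is pure HTML collapses to 0.
function formatInteger(string $v): string { return strval(intval($v)); }
function formatFloat(string $v): string   { return strval(floatval($v)); }

// HTML entities with parameters. ENT_QUOTES escapes single and double quotes,
// so the result is also safe inside a quoted attribute; ENT_SUBSTITUTE replaces
// invalid UTF-8 instead of returning an empty string; the charset must match the page.
function formatHtmlEntities(string $v): string {
    return htmlentities($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8', true);
}

// New lines to BR + HTML entities: escape first, then insert <br />, so the
// inserted tags are not themselves turned into entities.
function formatNl2brEntities(string $v): string {
    return nl2br(formatHtmlEntities($v));
}

// Strip Tags with Allowable Tags: removes every tag not in the allow-list, keeps
// the text between stripped tags, and keeps the attributes of allowed tags.
function formatStripTags(string $v, string $allowed = '<span>'): string {
    return strip_tags($v, $allowed);
}

// The extension's salted-MD5 construction: one fixed, site-wide salt around a fast hash.
function formatMd5WithSalt(string $v, string $salt = 'mySalt'): string {
    return md5($salt . md5($v . $salt));
}

// What to use for passwords on PHP 5.5 and later: password_hash() selects bcrypt
// with a random per-password salt and a tunable cost, and password_verify()
// re-hashes the submitted value and compares it in constant time.
function storePassword(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);
}
function checkPassword(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

if (PHP_SAPI === 'cli') {
    $v = $row_Recordset1['varcharField'];
    echo "Integer:        ", formatInteger($row_Recordset1['integerField']), "\n";  // 42
    echo "Integer (HTML): ", formatInteger($v), "\n";                               // 0
    echo "Float:          ", formatFloat($row_Recordset1['floatField']), "\n";      // 3.14
    echo "Entities:\n", formatHtmlEntities($v), "\n";
    echo "Entities + BR:\n", formatNl2brEntities($v), "\n";
    echo "Strip tags:\n", formatStripTags($v), "\n";
    // The allowed <span> survives together with its onmouseover handler: this is
    // why strip_tags() alone is not an XSS defence once any tag is allowed.
    $handlerKept = strpos(formatStripTags($v), 'onmouseover') !== false;
    echo "Handler kept?   ", var_export($handlerKept, true), "\n";                   // true

    $password = 'correct horse battery staple';
    $stored   = storePassword($password);
    echo "Salted MD5:     ", formatMd5WithSalt($password), "\n";
    echo "password_hash:  ", $stored, "\n";                                          // $2y$10$... (differs on every run)
    echo "Verify:         ", var_export(checkPassword($password, $stored), true), "\n"; // true
}
```

Running the script twice shows the difference between the two password approaches: the salted-MD5 value is identical on each run (same input, same fixed salt, so two users with the same password get the same hash), while password_hash() produces a different string each time and password_verify() still accepts it.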

Customizing a security server format

A number of the security server formats above use several parameters that you can modify.

  • Open your page in Design view.
  • Select the dynamic data you want to customize (of the type {recordset.field}) in the page.
    This data item is then highlighted in the Bindings panel (Window > Bindings). If the Format column and the down arrow are not visible, widen the Bindings panel to reveal them (see fig. 2).
  • In the Bindings panel, click the down arrow in the Format column to expand the menu of available data formats.
  • Select Edit Format List in the menu that appears.
  • Select the format you want to customize from the list, and click Edit. This will open the specific dialog box for the format you selected (Fig. 5 shows the dialog box for HTML entities with parameters).

Customizing a PHP security server format in Dreamweaver
Fig. 5 - The dialog box to customize the HTML entities with parameters security server format.

  • Change any of the parameters, and click OK.

Recommended book

Essential PHP Security is a short book by Chris Shiflett which dates back to 2005, but which is still a very good book on PHP security. It defines best practices for PHP security and explains common threats to web applications. It is a short, straightforward and precise read.

