
Joomla security


Securing PHP: Step-by-Step

In my previous article ("Securing Apache: Step-by-Step") I described a method of securing the Apache web server against unauthorized access from the Internet. That method achieves a high level of security, but only as long as nothing but static HTML pages is served. How can security be maintained when interaction with the user is necessary and the users' data must be saved into a local database?

This article shows the basic steps in securing PHP, one of the most popular scripting languages used to create dynamic web pages. To avoid repeating information covered in the previous article, only the main differences from the process of securing Apache are described.

Operating system: as in the previous article, the target operating system is FreeBSD 4.7.

Functionality: in general, the functionality is very similar to that described in the previous article.

Security assumptions: in addition to those of the previous article, the following have been added:

Using mpm-itk To Secure A Shared Server

The challenge with securing a shared hosting server is how to secure each website from attack both from the outside and from the inside (the other accounts on the same server).

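To make the problem concrete before the article's discussion, here is what the per-site user model looks like in Apache configuration. This is an added example, not configuration from the article or from the mpm-itk project; it assumes Apache 2.x built with mpm-itk and two hypothetical tenant accounts, "alice" and "bob", each owning a home directory under /home. The "Before" and "After" blocks are alternatives, not meant to sit in one file together.

```apache
# Added example, not taken from the article. It assumes Apache 2.x built with
# mpm-itk and two hypothetical tenant accounts, "alice" and "bob", each owning
# its own DocumentRoot under /home.

# Before: the usual shared-hosting layout. Every site is served by the same
# unprivileged server account, so a PHP script on alice's site runs with the
# very uid that can read bob's files. Nothing in Apache separates the tenants.
User www
Group www

<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.com
    DocumentRoot /home/bob/public_html
</VirtualHost>

# After: with mpm-itk each vhost names the uid/gid its requests are served
# under. The child handling a request for alice.example.com switches to
# alice before her scripts run, so a compromised script on her site can
# read only what the alice account can read.
<VirtualHost *:80>
    ServerName alice.example.com
    DocumentRoot /home/alice/public_html
    AssignUserID alice alice
</VirtualHost>

<VirtualHost *:80>
    ServerName bob.example.com
    DocumentRoot /home/bob/public_html
    AssignUserID bob bob
</VirtualHost>
```

AssignUserID only buys isolation if the filesystem enforces it: each tenant's home should be owned by that tenant and not world-readable (mode 0750 or stricter), which is now possible because the server no longer needs a shared account to read every site. Two caveats a practitioner should weigh: an mpm-itk child has to run as root until the request has been parsed, because only then does it know which user to switch to, and having switched it cannot return to root, so the process is thrown away after the connection rather than reused. The latter is the source of the performance cost that the article's benchmarks measure.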

PHP has built-in features to help, but ultimately it is the wrong place to address the problem. Apache has built-in features too, but the performance cost of those features is prohibitive. This has created a gap that a number of third-party solutions have attempted to fill. One solution you may have heard of is mpm-itk, by Steinar H. Gunderson.

Contents: mpm-itk: Running Apache As A Specified User; Installing mpm-itk; Configuring Apache; Some Benchmarks; Other Considerations; Conclusions.

mpm-itk: Running Apache As A Specified User

Like mpm-peruser, mpm-itk is an alternative multi-processing module (MPM) for Apache 2.x. Until I researched mpm-itk for this article, I didn't realise that it didn't recycle processes after each request.

Installing mpm-itk

mpm-itk needs to be compiled into your Apache installation. After that, compile and install Apache:

$ make ; make install

Joshua Eichorn's Blog » Blog Archive » Using Eval in PHP

PHP contains an eval function, and since it lets you build PHP code at runtime it allows for some very neat tricks, such as creating mock objects or SOAP proxy classes at runtime.


Though eval can be useful, that doesn't mean it isn't extremely dangerous. In this post I'm going to talk about when I think eval should be used, and about some of its security concerns.

Eval's Inherent Security Risk

Eval by its nature is always going to be a security concern: you are taking a string from an external source and bringing it into your PHP script as code. You can think of attacks of this nature as equivalent to SQL injection, though they can generally cause a lot more damage ($GLOBALS generally contains your DB password, and PHP has lots of filesystem functions). Proper escaping and data cleaning should mitigate these risks, but it is easier to just avoid them whenever possible.

Uses of Eval

- Using eval to provide compatibility
- Using eval to generate class/function definitions at runtime
- Using eval to call variable functions
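The injection risk described above, and the "variable function" use from the list, side by side in working code. This is an added example, not code from Joshua Eichorn's post: it models a hypothetical endpoint that lets the caller pick a text formatter by name, first by building the call with eval and then with a plain allow-list; the names format_via_eval, format_safely and FORMATTERS are mine.

```php
<?php
// Added example, not from Joshua Eichorn's post. It models a hypothetical
// endpoint that lets the caller choose a text formatter by name, first with
// eval (the "variable function" use from the post) and then without it.
declare(strict_types=1);

// --- Vulnerable: building code from request data -------------------------
// $value is quoted correctly with var_export(), but $name is spliced into the
// code string verbatim, so whatever the caller sends as $name is executed
// with the script's privileges and full access to $GLOBALS, as the post warns.
function format_via_eval(string $name, string $value): string
{
    $code = 'return ' . $name . '(' . var_export($value, true) . ');';
    return (string) eval($code);
}

// --- Hardened: an allow-list of known callables, called directly ----------
// PHP can call a function held in a variable ($fn($value)), so eval is never
// needed for this; the request only selects a key and never supplies code.
const FORMATTERS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'title' => 'ucwords',
];

function format_safely(string $name, string $value): string
{
    if (!isset(FORMATTERS[$name])) {
        throw new InvalidArgumentException('unknown formatter: ' . $name);
    }
    $fn = FORMATTERS[$name];
    return $fn($value);
}

// --- Demonstration with constructed inputs -------------------------------
if (PHP_SAPI === 'cli') {
    // Intended use behaves the same both ways.
    echo format_via_eval('strtoupper', 'hello'), "\n";
    echo format_safely('upper', 'hello'), "\n";

    // Constructed attacker input: valid PHP that runs before the "formatter"
    // and leaks the name of every global variable in the script. Anything
    // else (filesystem calls, reading a DB password) works the same way.
    $payload = 'print_r(array_keys($GLOBALS), true) . strtoupper';
    echo "eval version: ", format_via_eval($payload, 'hello'), "\n";

    // The allow-list version refuses anything that is not a known key.
    try {
        format_safely($payload, 'hello');
    } catch (InvalidArgumentException $e) {
        echo "safe version: rejected (", $e->getMessage(), ")\n";
    }
}
```

The same test applies to the other two uses in the list: code generated entirely from templates the developer controls is a maintainability question, but the moment any request data is concatenated into the string handed to eval, it is code injection, and no amount of escaping of the other pieces restores safety.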