Securing web pages written in PHP

<p>An existing web page with no special focus on safety should be secured against different kinds of attacks. The page is located on a shared web server on which no special privileges are granted. The versions of the software used in the environment are the following:</p><ul><li>PHP 5.2.6</li><li>MySQL Server Version: 5.0.75</li><li>Zend Framework 1.5</li><li>Apache 2.6.28-16</li><li>Suhosin-Patch 0.9.6.2</li></ul><p>PHP-Configuration:</p><ul><li>safe_mode off</li><li>magic_quotes_runtime off</li><li>magic_quotes_gpc off</li></ul><p>Especially the parameters should be checked against malicious contents.</p><p>GET-Parameters:</p><ul><li>site, string</li><li>nodeid, integer</li><li>action, string</li></ul><p>The POST-Parameters are variable and should just allow alphanumerical values and punctuation marks.</p><p>XSS, SQL Injection and directory traversal should be avoided. The Solution should be easy to understand, configurable and flexible. Already finished libraries and tools which are tested will be accepted.</p>
1 answer

Using PHP-IDS to secure php web pages

The use of PHP-IDS is pretty simple. Not much coding has to be done. The tool is nicely tested and easy to configure. Once you have downloaded PHP-IDS from http://php-ids.org/downloads/ you can start securing your user-input. After including PHP-IDS with

  • require_once 'IDS/Init.php';

you can define which arrays should be checked by the tool

  • $request = array( 'REQUEST' => $_REQUEST, 'GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE);

initialise and run PHP-IDS with your config

  • $init = IDS_Init::init('IDS/Config/Config.ini');$ids = new IDS_Monitor($request, $init);$result = $ids->run();

finally you can look at the $result object to determine the content

  • if (!$result->isEmpty()) { echo $result;}

PHP-IDS is not 100% secure but it provides help to make your web page safer. 

Taggings: