Secure PHP codes

Possible problems following the change in hardware configuration of the central web server:

1) Global (general) variable use is not allowed in the PHP configuration of the new web server. Those who rely on global variables may experience problems.

The most significant change is that variables which are transferred from one page to another can no longer be used directly by their names. They are placed in variable arrays according to the way they were transferred to the page. Therefore, variables are read from arrays such as $_SERVER['SERVER_NAME'], $_POST['variable_name'] and $_GET['variable_name'].

Detailed information about the register_globals=off case and the use of variables is available on the PHP web pages.

2) PHP 4.3 and later versions will run on the new web server. Since PHP code will have to use the functions available in version 4.3 at a minimum, the necessary function changes have to be made.

3) On the new web server, the PHP functions used to run system commands will not work. If you have developed applications that run system commands, this code also has to be reviewed and corrected.


Issues to consider for our web users running PHP code:

Since PHP is a scripting language, each script is interpreted by the web server and the result is displayed. For security reasons, there are various issues to consider when developing code with PHP.

1) Secure parameters: The values a variable can take are predefined.

- Those values should be checked.
- If a variable takes a value that is not predefined, the page should not be displayed; instead, an error page should be sent to the user.

2) Parameter transfers across pages: When FORMs are created using HTML in PHP, parameters are transferred from one page to another.

- To transfer parameters from one page to another, the POST method should be used instead of the GET method. This way, the variables used in the code are not displayed in the address field of the browser.
- The values that transferred parameters can take should be checked.
- If transferred parameters take values other than the expected ones, the page should not be displayed and an error page should be sent to the user.

3) Address field of the browser: Variables used to ease transfers across pages or to select the language reveal, through the address field of the browser, the variable names of the PHP code used in the page.

- PHP variables should not be used for such controls. Instead of variables that decide transfers across pages or which items are displayed on a page, such controls should be handled using different functions.
- If it is necessary to use these variables, the values they can take should be checked and limited.

4) Global variable use: Global (general) variables, which can be used on all pages, should not be used.

5) Use of variables in "include" lines: The names of the PHP files run by commands such as "include" and "require" should be given to these functions directly, not through a variable.

Example:
      include("$variable/index.php");

Using code like this may cause a security problem if the value of the variable is not checked.
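As an added illustration (not code from the original page), the following script reads a parameter from $_POST rather than relying on register_globals, checks it against the predefined values, and chooses the file to include from a fixed map instead of from the variable itself. The parameter name "lang", the file names and the error page are assumptions.

```php
<?php
// Added example, not part of the original page. The parameter name "lang",
// the directory layout and error.php are assumptions for the illustration.

// The only values "lang" may take, each mapped to a file name chosen by the
// script itself. The user-supplied string is never used as part of a path.
$allowed_pages = array(
    'tr' => 'tr/index.php',
    'en' => 'en/index.php',
);

// Read the parameter from the POST array; with register_globals=off a bare
// $lang variable would not exist on its own.
$lang = isset($_POST['lang']) ? $_POST['lang'] : '';

// Secure parameters: a value that is not a string or is not one of the
// predefined ones must not reach the page; send an error page instead.
if (!is_string($lang) || !array_key_exists($lang, $allowed_pages)) {
    header('HTTP/1.0 400 Bad Request');
    include('error.php');   // assumed error page
    exit;
}

// Only a file name taken from the fixed map reaches include().
include($allowed_pages[$lang]);
?>
```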