Friday, September 29, 2006

Pro PHP Security by Chris Snyder and Michael Southwell

Security in depth

Good security is the basis of any viable website. The internet is the most public of places, and broken systems cost: money, reputations and possibly customer identities are the currency. Pro PHP Security, published by Apress and written by Chris Snyder and Michael Southwell, is a detailed and authoritative account of the security details that affect a successful deployment of a PHP website. The book ranges from the almost theoretical to the highly practical, such as hardening against SQL injection attacks and validating user input. Whether you are a newbie programmer or a serious practitioner, you will still find highly relevant comfort and detail in the book. There may be monsters waiting in the dark.

The book’s cover

Security is not a thin line. Securing infrastructure with potentially complex relationships absolutely requires defense in depth. Under Linux, which is the traditional deployment operating system of choice for the majority of PHP web applications, you need to understand the file system, the use of temporary files, Apache .htaccess access controls and many of the associated attack vectors such as cross-site scripting. Any book that wishes to discuss PHP security needs to be dense enough and broad enough. Luckily, Pro PHP Security has such attributes. This book was fun to read and, despite the fact that in a previous incarnation I was a security officer as well as a developer, I learnt more than a few new details.


The contents

Chris Snyder and Michael Southwell have divided their 500 or so page book into four parts and twenty-four accurate and to-the-point chapters. Part 1 is the shortest, covering only why we need to secure programs in the first place. Part 2 explains how to maintain a secure environment and discusses operating system and transport issues.

The most fun section is Part 3, Practicing Secure PHP Programming. Different attack vectors are covered, one major theme per chapter, including SQL injection, remote execution and, my favorite, session hijacking. With so many potential crackers out there armed with freely downloadable kits, this is the part that may save your site(s) if you are a newbie PHP programmer, so read on.

Part 4, Practicing Secure Operations, ends by recommending peer review of code. From personal experience, I strongly give the advice a thumbs up.

Looking back at the whole book, I am glad to see apparently mundane advice included, such as locking down your database permissions and backing up your databases. This may seem obvious, but it costs energy to follow and so on many occasions is skipped. Any newbie reading this review, please follow the advice and don’t be lazy, or you may pay more later. I have seen this short-term thinking a number of times before.

Who’s this book for?

This book is especially useful for the newbie programmer starting out with PHP for the first time, or for old reactionaries who have never had any formal security training.

Relevance to free software

Linux has a rock solid reputation for stable and secure running. Many Linux deployments exist solely to run PHP web applications. PHP’s rivals are JSP and ASP. If enough PHP sites are hacked, both PHP and Linux will be tarred with a negative brush and JSP or, worse still, ASP will profit. Therefore, it is vital for core free software projects that programmers understand where the main security surfaces lie.

One of the delightful properties of the PHP programming language is how quickly you can become productive. One could imagine active websites being built from day one and, from day one, being insecure. Pro PHP Security is broad enough and well rounded enough a book to give the day one builders a thorough jumpstart in the security arena. This is also true for the older reactionaries who have learnt to program in the trenches but have had no meaningful security-related experience.


Pros

A great book with a lot of detail. This book is excellent for quickly building up a critical mass of relevant security related concepts and practical defensive strategies.

Cons

Although Pro PHP Security mentions general issues, if you are not running PHP I would advise you to look elsewhere for a more generic security book.

Wednesday, September 27, 2006

X Marks The Spot


Why do developers treasure XML? And why should you?

If you’ve ever had someone do a job for you—be it setting up a Web site, making a Flash presentation, or bigger—even building a whole application for you—you know the dreadful feeling that overcomes you when you have to change the content. Getting in touch with the person, checking if he’s free to do the job, the waiting, the watching, the possible paying, it’s just too much! What if you could just use Notepad—yes, Notepad—to edit your content, and just sit back while it appears on your site automatically? The solution is close at hand. In fact, it’s everywhere.

What Is It?

XML (eXtensible Markup Language) is a document format that has been doing the rounds for many years now. Its purpose is to bring to the Web, and other areas, a way to represent structured data so that it can be used easily and quickly, without having to invest in a full-fledged database application. Why are we telling you about it? Because while it is mostly developers who keep fawning over it, there’s a lot you can do with XML too. Its beauty lies in its simplicity: while it’s really easy to learn, it’s still ridiculously powerful. You can use it to organize your personal data, create and edit the content for your site or presentations, and even make your own RSS feeds.

Even better, you can use the same file for all these purposes, without ever being limited to a particular operating system or software—XML works everywhere! A document written in XML is like a database in itself. And just like a database, its data can be brought into any application that supports it, and then manipulated or presented in any way you choose. So you could make just one XML file and use the content for your Web site or to print a brochure or magazine. You could also share this XML file with someone, who could then use the information for his purposes as well.

Yes, Yes, But What Is It?

XML is, to put it a little simplistically, a cousin of HTML (Hypertext Markup Language): both descend from the older SGML format, and XHTML (eXtensible HTML) is simply HTML rewritten to follow XML’s rules. All of these use the tag approach: content is enclosed within markers, called tags, which are then processed by programs called parsers, which interpret the meaning of these tags. A page title, for instance, sits between an opening <title> tag and a closing </title> tag, the latter indicating that this is where the title ends. But this is where the similarity between XML and HTML ends: HTML is designed to display information; XML is designed to store it.

While HTML has a defined set of tags, each denoting something specific (like the tag for the page header), XML lets you specify your own tags to represent what you want to put in it. For example, if you wanted to store a phone number, you would simply invent a tag named for it and enclose the number between its opening and closing tag.

And this is where the eXtensible part comes in. You can just keep creating tags to suit your fancy, so there are virtually no limits to what you can do with your XML file. You can even use XML to build a specification for your own language!

Rules Are Fun

Of course, we can’t have people making XML documents any way they please. In order to make it easier to share and use XML files, the W3C (World Wide Web Consortium) decided to lay down some rules to make sure that all XML files share the same general structure—a tree layout, starting at a node and branching out into sub-nodes.

Rule #1: Thy XML should describe itself

The XML declaration is used to define the XML version and its encoding format. It starts the document, and looks like this:

<?xml version="1.0" encoding="UTF-8"?>

Rule #2: Thy XML shall have only one root.

Your XML can contain as many tags as you want, but just like a tree, it should start with only one tag, called the “root”.

Rule #3: Thou shalt finish what thou started.

Every tag should have both an opening and a closing. These denote the beginning and end of your data. A closing tag uses a forward slash, the “/” sign, to indicate that the field ends. (An element with no content may instead be written as a single self-closing tag, with the slash placed just before the closing angle bracket.)

Rule # 4: Thou shalt pay attention to case.

XML tags are case-sensitive, so <Artist> is a different tag from <artist>, and a parser will refuse a document that opens one and closes the other. Such details are important.

You can write this in any old text editor, and save the file as “[filename].xml”. You will then be able to open it in any Web browser or program that supports XML.

Tags can be repeated within the XML; a music collection, for instance, contains one Track tag per song. In the “Artist” tag of such a collection, a name is given as well. These are called attributes, and are usually used to assign unique IDs or names to your tags. You could also have a tag under the Artist tag to serve the same purpose. There are no hard rules here, but most who have experience with XML will tell you to prefer child tags over attributes, because an attribute can hold only a single plain value and cannot be repeated or contain further structure. The opening tag, closing tag, and the content within are collectively known as an element.
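Here is such a music collection built and checked in Python, as an added example rather than code from the original article. The tag names Collection, Track, Artist (with its name attribute) and Title follow the article; the tracks are made up, and the three broken documents at the end exist only to show a parser refusing each rule violation.

```python
"""Build a small XML music collection and exercise the four well-formedness rules.

Added example, not from the original article. The element names follow the
article's music collection; the track data is constructed here.
"""
import xml.etree.ElementTree as ET

# Constructed sample data: one (artist, title) pair per track.
SAMPLE_TRACKS = [
    ("Miles Davis", "So What"),
    ("Miles Davis", "Freddie Freeloader"),
    ("John Coltrane", "Naima"),
]


def build_collection(tracks=SAMPLE_TRACKS):
    """Return the collection as an XML string with the declaration on top.

    Rule 1: the declaration comes first. Rule 2: Collection is the single root.
    Rule 3: the serializer closes every tag for us. The artist's name goes in
    an attribute, as in the article's example; the title goes in a child tag.
    """
    root = ET.Element("Collection")
    for artist, title in tracks:
        track = ET.SubElement(root, "Track")
        ET.SubElement(track, "Artist", name=artist)
        ET.SubElement(track, "Title").text = title
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body


def is_well_formed(document):
    """True when the parser accepts the document, False on any rule violation."""
    try:
        ET.fromstring(document)
    except ET.ParseError:
        return False
    return True


def artist_names(document):
    """Distinct artist names, read back from the 'name' attribute in document order."""
    root = ET.fromstring(document)
    seen = []
    for artist in root.iter("Artist"):
        if artist.get("name") not in seen:
            seen.append(artist.get("name"))
    return seen


# Three constructed documents that each break one rule; a parser rejects all of them.
UNCLOSED_TAG = "<Collection><Track><Title>So What</Track></Collection>"  # rule 3: Title never closed
TWO_ROOTS = "<Collection></Collection><Collection></Collection>"           # rule 2: two roots
CASE_MISMATCH = "<Collection><track></Track></Collection>"                # rule 4: track vs Track

if __name__ == "__main__":
    doc = build_collection()
    print(doc)
    print("well-formed:", is_well_formed(doc), "artists:", artist_names(doc))
    for label, bad in [("unclosed", UNCLOSED_TAG), ("two roots", TWO_ROOTS), ("case", CASE_MISMATCH)]:
        print(label, "accepted?", is_well_formed(bad))
```

One caveat when the XML comes from somebody else, as the article suggests sharing it: a DOCTYPE can define entities that expand to an enormous size or refer to files on your disk, so parse untrusted documents with a parser that refuses DTDs altogether (the defusedxml package provides drop-in replacements for ElementTree’s parse and fromstring that do exactly that).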

So, Now What?

Well, you’ve made your XML, but what good is it? It still doesn’t do anything, apart from mocking you from where it sits.

What you do with your XML now really depends on your own expertise and how willing you are to get your hands dirty with some development. When it started out, the purpose of XML was to separate Web pages into the interface – the pretty colours and effects we all see - and the data, the information that is presented using those pretty colours. Indeed, this is the simplest thing we can do with XML.

Style Me Up!

The first way to beautify an XML is the Cascading Style Sheet (CSS). It’s usually used for HTML, but since its job is to recognise tags and apply colours or effects to them, it works just as well with XML too. This is what a CSS for our music collection would look like:

Collection {
  background-color: #ffffff;
  width: 100%;
}

Track {
  display: block;
  margin-bottom: 30pt;
  margin-left: 0;
}

... and so on, for each tag. As you can see, the CSS can be used to assign height, width and even background colours, as well as display styles and margins.

You can write this style sheet in any text editor, and save it as “[filename].css”. To apply this style sheet to the XML, you will need to put this line in the XML file, directly after the XML declaration:

<?xml-stylesheet type="text/css" href="[filename].css"?>

This tells your browser to display the XML using the style sheet you just made.

CSS is a W3C standard too, but it was designed for displaying HTML and is quite limited in what it can do with XML: it can colour and lay out elements, but it cannot reorder, filter or compute with the data. The Wise Men of XML therefore point towards the Extensible Stylesheet Language, or XSL. XSL offers a huge number of capabilities; it is practically a whole new programming language on its own. You can even specify conditions for formatting, using the classic “if (condition) then (do this) else (do that)” structure common to all programming languages, so that, say, your favorite artist is shown in red while the others stay blue. Unfortunately, XSL is a lot harder to learn than CSS, but there are a lot of tools you can use to generate an XSL style sheet without having to know XSL itself.

The best of these tools is Altova’s StyleVision, which lets you display XML data in HTML, Rich Text Format and even PDF.

Click!

There’s just so much to learn about XML that it’s mind boggling. For lots more information and some extremely useful tutorials on anything XML, head to www.w3schools.com, a free educational site (despite the name, it is not run by the W3C).

When it comes to XML editing, even Notepad is enough, but sometimes you just need a lot more features. By far, the most powerful tool for XML editing and development is Altova’s XMLSpy. It’s shareware, though, and we know how irritating that can be. For the freeware buff, Wattle Software’s XMLWriter is a pretty powerful XML editor, too. Its interface is a little similar to XMLSpy, so it’s easy to switch to after your XMLSpy trial expires.

What’s up, Doc(Book)?

Now that we’ve looked at the basics of XML, it’s time to talk about an application of XML that is increasingly making its way as a standard for documentation—DocBook.

If you were to write a book and use XML to do so, you would follow the rules set by the DocBook standard. It started out as a format for just technical documentation, but its potential isn’t limited to that. As it proliferates, you need not be tied to just one platform or software—there are plenty of tools that support DocBook, including the increasingly popular OpenOffice.org.

When you make XMLs in the DocBook standard, you are creating a book that can be easily rendered into various formats, be it print or the Web. If you are an open source buff, DocBook is also a part of the open source movement, and no doubt some blessings will come your way. There’s also the future to consider: if DocBook does come to be as widely used as hoped, a day will come when all the DocBook documents on your PC will be part of one massive, easily-searchable index. You might soon even be able to select a document and decide on the fly whether you want to see it as it would appear on the Web, in print, or in a PowerPoint-like presentation, a great deal better than having your stuff strewn about in different formats like it is today.

A DocBook file starts with a “!DOCTYPE” declaration. This tells whichever program opens the XML that it conforms to the DocBook standard, by naming a Document Type Definition (DTD) file that enforces a structure on the XML. The DOCTYPE usually points at a copy of the DTD on the network; a validating parser will try to fetch it, which is slow and also means a document from somebody else can make your tools fetch whatever its DOCTYPE names, so DocBook toolchains normally keep a local copy of the DTD and resolve the reference through an XML catalog.

For everything DocBook related, visit www.docbook.org. There’s even a Wiki you can use to collaborate with other users of the DocBook standard.

Really Simple Stuff

Unless you’ve been in a coma these past months, you couldn’t have missed the orange “RSS” button on so many sites. Yes, the most popular way to feed content to users today is based on XML. What’s more, it’s shockingly easy to make one for your site too! All you have to do is stick to the RSS standard structure: an rss root element, one channel with a title, link and description, and an item for each entry. Voila! Your own newsfeed.
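As an added example (not from the original article), here is a feed in exactly that shape generated in Python; the site and post values are made up, and the third title deliberately contains an ampersand to show the one thing Notepad will not do for you.

```python
"""Generate a minimal RSS 2.0 feed and read it back.

Added example, not from the original article. Channel and item values are
constructed; the rss/channel/item structure with title, link and description
is the required part of the RSS 2.0 format.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from email.utils import format_datetime

# Constructed sample posts: (title, link, description). The third title holds an
# ampersand, which must appear as &amp; in the feed or the XML is not well-formed.
SAMPLE_POSTS = [
    ("Pro PHP Security", "https://example.com/2006/09/pro-php-security", "A review of the Apress book."),
    ("X Marks The Spot", "https://example.com/2006/09/xml", "Why developers treasure XML."),
    ("Firewalls, NAT & Proxies", "https://example.com/2006/09/net-threat", "Keeping employees and data safe online."),
]


def build_feed(site_title, site_url, site_description, posts=SAMPLE_POSTS, when=None):
    """Return an RSS 2.0 document as a string.

    RSS 2.0 requires <rss version="2.0"> as the single root, one <channel>
    carrying title, link and description, and then any number of <item>
    elements. Text is assigned through .text so the serializer escapes
    characters such as & and < instead of letting them break the XML.
    """
    when = when or datetime(2006, 9, 29, tzinfo=timezone.utc)
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = site_title
    ET.SubElement(channel, "link").text = site_url
    ET.SubElement(channel, "description").text = site_description
    # RSS dates use the RFC 822 format, which email.utils produces.
    ET.SubElement(channel, "lastBuildDate").text = format_datetime(when)
    for title, link, description in posts:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "title").text = title
        ET.SubElement(item, "link").text = link
        ET.SubElement(item, "description").text = description
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(rss, encoding="unicode")


def item_titles(feed):
    """Titles of all items, as a feed reader would extract them (entities decoded)."""
    root = ET.fromstring(feed)
    if root.tag != "rss" or root.get("version") != "2.0":
        raise ValueError("not an RSS 2.0 feed")
    return [item.findtext("title") for item in root.iter("item")]


if __name__ == "__main__":
    feed = build_feed("My site", "https://example.com/", "Example feed")
    print(feed)
    print(item_titles(feed))
```

If you do hand-edit the feed in a text editor, the rule to remember is the escaping: a bare “&” or “<” inside a title or description is exactly what makes aggregators report a broken feed.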

Have XML, Will Use

XML is the future of the way data will be shared on the Internet. It’s simple, it’s small, and because it’s truly platform-independent and can be edited in even the most basic of text editors, nothing really stops it from becoming ubiquitous.

Wannabe developer or just your average user, there’s really no excuse for you not knowing at least the basics of XML

Tuesday, September 26, 2006

The Net Treat

Everyone gets online from their offices today, but doing so carelessly could cost your business some serious money

A recent survey of a small number of people uncovered an appalling truth: many people access the Net at work for just the things they do at home! What’s dangerous is that they could be doing this in your office. Apart from the legal ramifications, your security, too, might be unwittingly compromised by an employee who doesn’t understand the consequences of his actions. The onus is therefore on the company to inform employees about how the Net should be used at work and possibly even monitor their actions. Most of your employees are getting online, checking e-mails, chatting, surfing, Googling, and playing online games, unless you’ve specifically blocked access. With all this Internet activity going on, you have to think about the threats posed by hackers, crackers, phishers, and the other “ers” out there. Every second day there’s a new exploit, threat, worm and/or virus detected, which puts your data at risk. Now, the very people you employ could unwittingly turn out to be threats to your company, if they’re oblivious to the dangers that Internet access brings with it.

Social Engineering

Social engineering, sometimes called human engineering, is the term for the ploys attackers use to fool people out of money or data. With Internet banking and a host of other online services being offered by banks, phishing is on the rise. From eBay clones to banking site rip-offs, there are thousands of sites that claim to be what they’re not. Advances in Web coding mean that a phisher can even hide or cover up the address bar of his site, making a user believe they’re really at a bank site. Most phishing attacks come via e-mail, where a user is asked to click on a disguised link and then “update” some information. Now if one of these users happens to be an accountant or someone with access to your company bank account, you could be in serious trouble. It is of utmost importance that you educate your employees about the phishing threat. One fix is to make all your employees read their mail in text format, which eliminates the problem of disguised links. If Outlook is the e-mail client you use, go to Tools > Options, and under the E-mail header click the “E-mail Options” button. Here, check “Read all standard mail in plain text”, and then check the “Read all digitally signed mail in plain text” box. Even if the text of an e-mail asks the reader to copy and paste a link into the browser, your employees are probably smart enough to make out, from the text of the link, where they’ll be going; the part to check is the domain name just before the first “/”, since that is the site they will actually land on.

The Real Threats

With Internet penetration increasing by the hour, fewer people are falling prey to social engineering. More and more hackers and crackers are therefore focusing their attention on finding ways and means to infect your computers with malware that gives them access to those computers and their data.

For a company, data is money; whether it’s an accountant’s laptop that contains vital company information, or the passwords your browser has saved, it’s all up for grabs! Since there are so many ways that people try to get into PCs, we’ll break them up into the following categories to give you a general idea of what to look out for.

Adware / SpyWare

There’s a fine line between adware and spyware: very often they go hand in hand, but a lot of software products are adware-supported and contain no spyware. The classic example here was the Opera browser: it displayed ads from Google and contained no spyware. However, much software (especially desktop theme packs, screensavers and the like) is riddled with spyware. Very often, a smaller software company will bundle its software with adware or spyware from a bigger company because it has to cover development costs. In fact, sadly, a lot of the “freeware” out there is adware- or spyware-supported.

What you need to do is make sure all your computers are protected with anti-spyware tools. Two excellent examples here are Spybot Search & Destroy and Ad-Aware. Make it a policy for your employees to check and clean their PCs frequently using these tools. It’s accomplished at the press of a button.

You should also make sure that none of your employees can install anything without permission from the system administrator. The simplest way to do this in Windows XP is to keep the Administrator account’s password with your admin on all PCs and give employees limited (non-administrator) accounts; a limited user cannot install software or change system settings.

ActiveX

Though a lot of good software uses this Internet Explorer mechanism, which lets a web page install and run native code inside the browser, to integrate its content or services with Windows, many more sites try to trick users into installing malicious ActiveX controls. If ever there was software that did more harm than good, it has to be ActiveX.

Be aware of the fact that many of your employees probably visit "warez" sites. If you're in a position to do so, enforce a policy that dictates that no employee should visit such sites - your admin's logs should tell you who was where on the Net. We say this because virtually any software "crack" downloaded from warez sites contains some sort of malicious code that puts your computers at risk. Then there is of course, the whole legality issue, which we won't get into here.

A more drastic solution to the "warez problem" would be to have your admin create lower-level accounts for your employees and restricting them from downloading anything.

Windows Update

It's funny - most users will spend hours entertaining themselves online, but will promptly stop "Automatic Updates" for Windows as soon as they see the little icon pop up in the taskbar. A lot of people actually permanently disable this update service. We suggest that system admins update computers regularly.

Passwords

A lot of people use public computer terminals such as at cyber cafes. Now, when accessing office mail using Web mail, if a user checks the "Remember my username and password" box in the site or browser preferences, they're leaving their inboxes open to anyone who uses the computer after them. This can result in secrets being leaked, especially if the employee is of a high enough rank.

Anti-Virus

Make sure you have an anti-virus application that scans files as well as chat and Internet traffic. A tool that scans all data going to and from the Internet, while also scanning the files being saved on your computers, is a must. A good anti-virus application should detect malware before a site or e-mail message even prompts you to install the malicious software.

Here’s something we can’t stress upon enough: update your virus definitions regularly. This is very easily achieved: enable automatic updates in your antivirus software. This will result in a message popping up once every few days saying “An update is available. Do you want to download and install it?” or something of that sort. Don’t say no to these messages just let the software update itself!

In addition, your company e-mail server should have an antivirus program on the server itself to remove malicious software embedded in e-mails before they reach your employees’ inboxes.

E-Mail Attachments

Beware the e-mail attachment! This path into a computer can be the death of your data…

If your company uses Outlook, ask your system admin to disable the preview pane on all computers, and to make sure your antivirus scanner scans mails as they arrive. Also make file extensions visible on all your computers: in Windows Explorer, go to Tools > Folder Options… > View, and uncheck “Hide extensions for known file types”. With extensions hidden, an attachment named report.doc.exe is shown simply as “report.doc”, so this will help prevent users from opening a virus thinking it’s a Word document!

Firewalls, NAT Servers And Proxy Servers

You should have a firewall for both your Internet connection and any wired or Wi-Fi network connection. A firewall blocks unsolicited connections to your computers from outside, and can also block a lot of unwanted traffic to and from your system. A NAT (Network Address Translation) server will be the face of your company computers, showing the world only one address; machines behind it cannot be connected to directly from the Internet, which rules out the simplest attacks. Do not rely on NAT alone, though: it hides your computers, it does not inspect the traffic they themselves initiate.

A proxy server such as Squid on a Linux server will help you keep your employees in check. You will be able to generate logs to find out who visits what, and it also gives you the option of blocking access via port blocking (effective against P2P) and keyword blocking (effective for blocking URLs containing words such as porn, xxx, crack, serial, etc.). Keyword lists are blunt instruments, though: “crack” also matches “cracker”, so check the logs for legitimate sites being denied.
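A squid.conf fragment that implements the port and keyword blocking just described, added here as an example rather than taken from the article. The office network range and the path of the word list are assumptions; Squid evaluates http_access lines top to bottom and the first match wins, so the order below matters.

```conf
# squid.conf fragment (added example; 192.168.0.0/16 and the list path are assumed)

# Port blocking: only plain web and TLS ports may pass through the proxy.
# Peer-to-peer clients that try to tunnel through Squid on other ports are refused.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Keyword blocking: one regular expression per line in the file, matched
# case-insensitively against the whole URL. A line such as "crack" also matches
# "cracker", so review the access log for false positives after enabling it.
acl banned_words url_regex -i "/etc/squid/banned_words"
http_access deny banned_words

# Only the office network may use the proxy; everything else is refused.
acl localnet src 192.168.0.0/16
http_access allow localnet
http_access deny all

# Per-request log used for the "who visited what" reports.
access_log /var/log/squid/access.log squid
```

Check the syntax with `squid -k parse` and load it with `squid -k reconfigure`. Two limits to keep in mind: the keyword match sees only the URL, not the page content, and for HTTPS sites Squid sees only the host name and port in the CONNECT request, so a banned word in the path of an https:// URL will not be caught.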

A Final Word

Though Digit can advise you on how to battle threats that come in the form of data packets, there’s no way we can help you protect your data from other humans! Make sure important company data is shared only on a need-to-know basis, and is not openly accessible to anyone.

If we’ve scared you, we’ve achieved our task, and we hope you will begin looking for more security holes into your company and its data, and also better solutions to manage its security.