I'm learning PHP and at the same time I write the examples that I get from the book to .php pages to test them and eventually publish them. My concern is about a bunch of forms that are there to test the code; these are very basic forms that have no validation code and I would like to know if someone could do bad things to my files/hosting by injecting code into them. Actually these forms do not point to any important data, they are only there to write on the webpage itself without saving any information, but I have this concern since I have no knowledge of these web languages.
3 Answers
Your main concern, if you can use these scripts to "write back" to the page, is Cross-Site Scripting (XSS). You should also be aware that just because you don't link to a file, doesn't mean someone won't find it on your site. There are tools (e.g. dirbuster) that can brute-force file and directory names on web servers to find interesting things like admin scripts.
Bottom line: don't put test data on your production server, or, if you absolutely must, at least put the scripts in a directory protected by a password (e.g. htpasswd for Apache).
EDIT: Adnan points out that you want to execute arbitrary PHP code on your server, submitted by users. That's the definition of a horrible security hole. The way that other sites get around it is via heavily sandboxing the PHP installation and blacklisting risky commands, but even then it's not perfect. My suggestion? Don't try to do this if you don't have a lot of experience in PHP, Linux administration, and security.
Well, I had the idea of creating a PHP tutorial and have pages that show both source code and a form to test how it works. How could I have something like that available to the public without being a loophole for malicious users? Is it possible? I'm using just a free account... – Jan 23 '14 at 14:19
Filter the input so that XSS isn't possible. Take a look at [this](https://www.owasp.org/index.php/XSS) and [this](http://security.stackexchange.com/questions/1368/can-anybody-explain-xss) for more info. – Polynomial Jan 23 '14 at 14:22
@Poly That's not what he wants. He wants to create an HTML form that will submit **PHP code** to the server and have the server execute it. XSS is the least of his worries. – Adi Jan 23 '14 at 14:28
No, no... I don't want the users to send arbitrary PHP code... not that. It is just an example form where you input strings or numbers and it prints it in the same page, just as a demonstration. But I am aware that they could input source codes as well... – Jan 23 '14 at 15:02
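The form the question describes (take a string, print it back on the same page) is exactly the XSS case the answer above points at. As an added example that is not part of the original question or answers, here is that form in its vulnerable shape next to the encoded version; the field name `name` and the 40-character cap are assumptions:

```php
<?php
declare(strict_types=1);
// Added example, not code from the original question or answers.
// A self-posting form that reflects one input back into the page.

// Vulnerable: user input is concatenated straight into HTML, so any
// markup the user types is parsed by the browser as markup.
// Kept only for comparison; it is never called below.
function render_unsafe(string $name): string
{
    return "<p>Hello, " . $name . "!</p>";
}

// Hardened: encode for an HTML text context. '<', '>', '&', quotes
// become entities, so the input is displayed as text, never parsed.
function render_safe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, " . $escaped . "!</p>";
}

// A length cap (suggested in the comments) shrinks what can be sent,
// but it is not a substitute for output encoding. Assumes ext/mbstring.
function clamp_length(string $s, int $max = 40): string
{
    return mb_substr($s, 0, $max, 'UTF-8');
}

header('Content-Type: text/html; charset=UTF-8');
$name = clamp_length((string) ($_POST['name'] ?? ''));
?>
<!doctype html>
<meta charset="utf-8">
<title>Echo form</title>
<form method="post">
  <label>Name: <input name="name" maxlength="40"></label>
  <button type="submit">Submit</button>
</form>
<?= render_safe($name) ?>
```

The charset is declared in both the header and the page so the browser and `htmlspecialchars` agree on the encoding, which closes the usual gap where encoding looks correct but the browser interprets bytes differently.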
I believe you're asking about a form that will submit data to the server, and the data will be injected in a .php file (or executed on the fly) and then the output viewed back as a way to preview PHP commands in a PHP learning environment. Looking at your comment, it's clear that this is indeed what you're trying to do.
Do not do that. You're basically providing open eval access to your server. You'll have to spend countless hours filtering malicious PHP statements and function calls, and you won't catch all of them; you'll miss something. There are other smart people who have spent a long time to develop such services in a secure fashion.
Create and read all the tutorials you need, but when you want to test or let others test, use services that are designed for that. Another possibility is to use something like EasyPHP or XAMPP to have your own development environment on your own computer.
I'm not making a code simulation environment. It is just a show of source code as plain text and then the result of that code, which in these cases are forms, so a user could test how the form works. They are just very simple forms... perhaps adding something like htmlentities() as validation or allowing no more than a very short string to be passed could be enough? – Jan 23 '14 at 14:39
@SakhalTurkaystan Take code from user + Pass the code to the server + Execute the code on the server + View the result back to the user = **Bad bad bad bad bad bad** – Adi Jan 23 '14 at 14:47
Yes, I understand. If I replaced the PHP script for a client-based script like Javascript doing the same function, would that be still bad? – Jan 23 '14 at 14:54
@Sakhal If the code isn't submitted to the server, parsed in the browser using Javascript, and then executed in the browser, and without introducing a feature where the code is inserted using URLs (`#` changes), then you're safe. Whatever the user does will only affect his browser and nothing else. There's a nice project that can help you with that, http://phpjs.org – Adi Jan 23 '14 at 15:01
The answer to your question is "yes". Depending on how and what you are doing in those isolated tests, and in conjunction with the fact that you are a newbie in these languages, it is quite probable that you end up having a backdoor that allows a malicious user to control the http-user of your server, and he will be able to write files, list them, modify them...
Tests should be done in controlled test environments, i.e. your own PC =)
Thanks, I know that I should have the PHP interpreter on my own computer, but it is 64 bits and I found no clear support for this environment. Now I wonder... if I have several subdomains in my hosting space, could a successful attack access the other subdomains or only the one where the security hole lies? – Jan 23 '14 at 14:29
@SakhalTurkaystan A successful attack will compromise everything on your server. Also, XAMPP works perfectly on 64bit. – Adi Jan 23 '14 at 14:31