Track 2 Workshop
PacNOG 7
July 1, 2010

Creating a Secure LAMP Application
-----------------------------------

1. Securing your PHP code
----------------------

# Secure Code

Insecure code would be to not use "urlencode". To read about this function go here:

http://www.php.net/manual/en/function.urlencode.php

2. Securing MySQL code in PHP
--------------------------

# Partial PHP

$query_result = mysql_query(
    "select * from users where name = \"" . mysql_real_escape_string($user_name) . "\""
);

Insecure code would be to not use "mysql_real_escape_string". To read about this function go here:

http://php.net/manual/en/function.mysql-real-escape-string.php

3. Creating a random quote generator
---------------------------------

This is a fun piece of PHP code. First, let's get the initial database and application up and running. Next we'll extend it and secure it.

We will create a database of quotes to get started:

$ mysql -uroot -p
mysql> create database quotes;
mysql> use quotes;

At the mysql prompt (mysql>) copy and paste the following:

CREATE TABLE `get_quotes` (
  `rec_quotes_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
  `rec_quotes` text,
  PRIMARY KEY (`rec_quotes_id`)
);

You now have a MySQL database called "quotes" with the table "get_quotes" defined. Now we want to add some quotes to our database. At the MySQL prompt the general form of this is:

mysql> insert into get_quotes (rec_quotes) values ('your favorite quote goes here');

And you can repeat this as many times as you want. Here's a good site for some quotes in English:

http://www.learn-english-today.com/quotes/famous-quotations.html

Once you are done type:

mysql> quit;

Now let's create the initial code to read the quotes from the database. We'll place it in the document root of our web server, and we'll put the PHP code in an .html file to help hide it:

$ cd /var/www/share/pacnog7
$ sudo vi quotes.html

In this file enter the following PHP code. You will _REALLY_ want to copy and paste this text.
Replace "XXXXXX" with the MySQL root user password:

>>>>
<<<<

Once you have this in your file quotes.html, save and exit from the file (":wq" in vi). Now we can see if everything is working. Go to:

http://localhost/quotes.html

If a quote is displayed it all worked. Try reloading the page. You should see a different, random quote each time you reload.

4. Force the random quote generator to use a secure connection
-----------------------------------------------------------

We will now add a code snippet to our previous code so that if a user opens the page:

http://localhost/quotes.html

their connection will be redirected to:

https://localhost/quotes.html

Do the following:

$ cd /var/www/share/pacnog7
$ sudo vi quotes.html

At the top of the file, just after the first line that reads "<?php", add the following:

>>>>
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // $referrer is assumed to have been set earlier in the file
    header("Location: https://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'] . "?referrer=$referrer");
    exit;   // stop here: without exit the rest of the page is still sent over plain HTTP
}
<<<<

Save the file and exit. Now try going to:

http://localhost/quotes.html

What happens? This should have been forcibly redirected to:

https://localhost/quotes.html

You can do the same thing using configuration tricks in Apache, but this solves the problem when you want to ensure a secure web page even if you don't have access to the Apache web server configuration files.

5. Extend the program to accept new quotes from the web
----------------------------------------------------

To finish up this lab we will use a cleaned-up version of the random quote generator program that allows you to enter a new quote and have it placed in the quotes database. To ensure that this is secure we must escape our user input for PHP and for MySQL. Below is our program, now presented in a modular format, with the input text properly escaped and the code documented. If you wish, feel free to replace your current "quotes.html" file with the contents of what is below:

>>>>
\n"; echo "
        \n";
        echo "\"" . urldecode($row[$column]) . "\"";
        echo "
        \n";
        break;
    }
}   // end for loop

// switch to straight html
?>

Your chance to add in a new quote

Enter it in below:

        \n";
        echo "You quoted: \"" . urldecode($new_quote) . "\"\n";
    }
}   // end function display_quote
?>

Quote insertion into database failed with the following error:

        \n";
        echo $mysql_text;
        echo "
        \n";
    }
    //
    // Now call our function to redisplay the page with our new quote.
    //
    display_quote($host, $user, $pass, $db, $table, $column, urlencode($quote_to_insert));
} elseif ($_POST['Submit'] != 'Submit') {
    //
    // First time landing on the page. Display the page with a random quote. We pass all the
    // variables via a function call to avoid using Global variables in our program.
    //
    display_quote($host, $user, $pass, $db, $table, $column, '');
} else {
    //
    // If we land here we don't know why. It's probably some sort of error in our code.
    //
    echo "
Whoops! There's been an error. Sorry about that...\n";
}   // end main
?>
<<<<

End of Lab
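The following is an added example that brings the points of sections 2 through 5 together in one file; it is not the workshop's own listing and not the code the lab asks you to paste. It keeps the lab's database layout (database "quotes", table "get_quotes", column "rec_quotes") but swaps in two techniques the lab does not use: mysqli prepared statements in place of mysql_real_escape_string() (the mysql_* functions were removed in PHP 7, and a bound parameter cannot be forgotten the way an escaping call can), and htmlspecialchars() for anything echoed into the page, because urldecode() on output does nothing to stop a stored quote from being interpreted as HTML. The database user "quotes_app", the password placeholder, the 1000-character limit and the helper names (db_connect, random_quote, insert_quote, h) are assumptions for the example.

```php
<?php
// quotes.html (added example, not the lab's listing): forced HTTPS, random quote
// display, and quote insertion through a prepared statement.

// --- 1. Force HTTPS before any output is sent (section 4) ---------------------
if (empty($_SERVER['HTTPS']) || $_SERVER['HTTPS'] === 'off') {
    // SERVER_NAME comes from the server config, not from the client's Host header.
    header('Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI'], true, 301);
    exit; // without exit the rest of the page would still be served over plain HTTP
}

const DB_HOST = 'localhost';   // assumed
const DB_USER = 'quotes_app';  // assumed: an account limited to this database, not root
const DB_PASS = 'XXXXXX';      // placeholder, as in the lab
const DB_NAME = 'quotes';
const MAX_QUOTE_LEN = 1000;    // assumed application limit, in bytes

function db_connect(): mysqli {
    // Report driver errors as exceptions instead of silently continuing.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    $db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $db->set_charset('utf8mb4'); // the connection charset must match what the driver binds
    return $db;
}

// --- 2. Read one random quote (section 3) -------------------------------------
function random_quote(mysqli $db): ?string {
    // No user input reaches this query; ORDER BY RAND() is fine for a small table.
    $row = $db->query('SELECT rec_quotes FROM get_quotes ORDER BY RAND() LIMIT 1')->fetch_row();
    return $row ? $row[0] : null;
}

// --- 3. Insert a quote supplied by the user (sections 2 and 5) ----------------
function insert_quote(mysqli $db, string $quote): bool {
    $quote = trim($quote);
    if ($quote === '' || strlen($quote) > MAX_QUOTE_LEN) {
        return false; // reject empty or oversized input before it reaches the database
    }
    // The placeholder keeps SQL and data separate: $quote is sent as a bound value
    // and is never spliced into the statement text, so no escaping step is needed.
    $stmt = $db->prepare('INSERT INTO get_quotes (rec_quotes) VALUES (?)');
    $stmt->bind_param('s', $quote);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// --- 4. Output encoding for HTML (the PHP side of "escape user input") --------
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- main ---------------------------------------------------------------------
$db = db_connect();
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['quote'])) {
    $message = insert_quote($db, $_POST['quote'])
        ? 'You quoted: "' . h(trim($_POST['quote'])) . '"'
        : 'Quote rejected: it must be between 1 and ' . MAX_QUOTE_LEN . ' bytes long.';
}
$quote = random_quote($db);
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Random quote</title></head>
<body>
<p><?= $quote === null ? 'No quotes yet.' : '"' . h($quote) . '"' ?></p>
<?php if ($message !== ''): ?><p><?= $message ?></p><?php endif; ?>
<h2>Your chance to add in a new quote</h2>
<p>Enter it in below:</p>
<form method="post" action="">
  <textarea name="quote" rows="3" cols="60" maxlength="<?= MAX_QUOTE_LEN ?>"></textarea><br>
  <input type="submit" value="Submit">
</form>
</body>
</html>
```

Two design choices are worth noting. The redirect runs before anything else and ends with exit, so a plain-HTTP request never reaches the database code or sends page content. And the quote is escaped once, at the point where it is written into HTML, rather than being transformed on the way into the database; the database stores the text as typed, and the prepared statement makes that safe regardless of what characters it contains.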