532Part IIIAdvanced Features and TechniquesPossible AttacksConnecting your server to the Internet is like setting up a storefront on a busy street. You relikely to have quite a few visitors, but if you re not careful, some less than desirable visitorsmay take advantage of you. Site defacementOften more embarrassing than harmful, site defacements are fairly common because thecracker has an opportunity to publicize his or her exploitation. Site defacements are some- times left as calling cards by a cracker who entered a system by more complicated means. It is possible to deface a badly designed Web site using only a Web browser. Take, for instance, the following program: $visitorn ); fclose($fp); } ?>

Visitors to this site:

---

This program implements a very rudimentary guest book. In reading this code, however, youshould feel a bit uneasy. Don t trust the network.This program accepts form data that weexpect to contain the visitor s name (in the variable $visitor) and stores it in a text file fordisplay to subsequent visitors. For the inputs we expect, there is no trouble. Now put on your script-kiddie hat for a moment and imagine what would happen if the inputcontained HTML tags. This simple program would blindly insert those tags into the pages itgenerates, and other visitors browsers would interpret them as usual. One particularly mali- cious tag is the 533Chapter 29SecurityWhen visitors load the guest book, their browsers receive this tag and immediately beginloading the hacked site. With a little ingenuity, the cracker could then take advantage of thevisitors trust of your site to extract personal information such as passwords or credit cardnumbers. The solution to this problem is to sanitize the input data. In this case, we want any charactersthat have special meaning to a browser to be translated into something harmless. Luckily, PHP provides a way to perform just such a translation. The function htmlspecialchars() converts the characters <, >, , and &to their representations as HTML entities (such as<). We change the first part of our program to use this new function as follows: $clean_visitorn ); fclose($fp); } ?> And we have patched a very significant security hole in our site. Accessing source codeEven if your PHP source code isn t a trade secret, you should still protect it from exposure tothe network. If an intruder can read your source code, then he or she need not experiment tofind a weakness. Instead, the intruder can simply analyze the code, looking for common mis- takes and other security holes. In general, the more helpful information you provide to poten- tial intruders, the more likely an intrusion. By hiding such tidbits as source code, directorynames, or usernames from the network, you can reduce the likelihood of an attack. One handy feature of PHP, error reporting to the browser, is great for development becauseit helps pinpoint problems but it can be bad for security, because it can also give directorypaths, filenames, usernames, and potentially database names on error. Minimize the risk byturning off error reporting to the browser in production systems, via the display_errorsdirective in php.ini. You can still use error reporting to the browser on development sys- tems if you wish, although it s safer to use the error_log()function to write error mes- sages to a log. CautionCrackers, script-kiddies, and other fiendsThe term hackeris commonly used to describe individuals more correctly labeled crackers. Within the computer community, crackersare those who, through luck or skill, break into com- puter systems and cause damage. Hackers are those who can hack read and write efficient(and often obscure) code in many languages. To a programmer, being labeled a hacker is anhonor, whereas being labeled a cracker probably means he or she should start reading the HelpWanted section. As if crackerwas not sufficiently derogatory, young crackers who use tools and scripts they findon the Web are called script-kiddies. These budding lawbreakers often have little understandingof what they are actually doing. They are usually the culprits behind low-tech attacks such as sitedefacement. A fairly good indicator of the work of a script-kiddie is the excessive use of mis- spelling and capitalization, as in W3RKOOLD00Dz.

SecuritySecurity is not a joking matter, proclaim signs at airports every- where. The same sign should be posted near your PHP server. Anyone connecting a server to the Internet must take proper securitymeasures or risk loss of data or even money to the keystrokes ofmalicious crackers. The mantra of the security-conscious site designer is: Don t trust thenetwork.If you re worried about the security of your site, chant thismantra as you code your pages. Any information transmitted to yourserver via the network be it a URL, data from an HTML form, ordata on some other network port should be treated as potentiallyhazardous. This chapter suggests several techniques for sanitizingincoming information. You should apply these techniques and spendsome time trying to discover other potential hazards and ways toprevent them. The second rule of thumb for a secure site is: Minimize the damage. What if the program you just wrote, which you are sureis secure, is actually vulnerable? Just to be on the safe side, limit the damage an intruder can cause after he or she has taken advantage of the vulnerability. When visitors come to your site, they trust that it contains validinformation, that it is not harmful to them or to their computers, andthat any information they provide to it is handled properly. Interactingwith a site, whether an e-business, recreational, or informational site, involves certain security risks for a visitor. As a site designer, it is yourresponsibility to protect visitors from these risks. Besides being suretheir information is safe on your server, this means you should takemeasures to safeguard their information while it is in transit fromtheir computers to your server. But all this should not scare you away from putting your e-businessonline. The first section of this chapter describes some possibleattacks against your server and ways to avoid them. We then discusscryptographic techniques for protecting your data. At the end of thischapter, we list some Web sites that contain up-to-the-minute infor- mation on the latest cracker techniques. By watching these sites, youmay learn of possible security vulnerabilities before an attacker doesand, thereby, avoid disaster. 2929CHAPTER …In This ChapterPossible attacksRegister_GlobalsFile uploadsEncryption …

529Chapter 28PEARAt the center of PEAR is its repository, an online database that contains the accumulatedbody of PEAR packages. This repository has an HTML interface as well as an XML_RPC (WebServices) interface, meaning that you can browse it manually or interact with it via a special- ized command-line program: The PEAR Package Manager. The PEAR Package Manager allowsyou to quickly see what s in the PEAR repository, download what you want, and install someor all of what you download. Particularly important PEAR packages are part of the PHPFoundation Classes (PFC). Another element of the PEAR community is a definition of a coding standard, which specifieshow functions should be defined, comments placed, and brackets structured in various partsof PHP programs. It s meant to ease readability and make life easier for documentation writers. PEAR shares its automated package-distribution scheme with PECL, which manages PHPextensions written in the C language. PEAR represents an invaluable resource to PHP programmers of all levels. Make sure thePEAR Package Manager is installed on your PHP server, and make full use of its resources. When you re ready, join the development effort and contribute to the growth of PHP. …

528Part IIIAdvanced Features and TechniquesFormatting functions and function callsMuch of PHP is concerned with defining functions, then making calls to them; and obviouslycode libraries like PEAR will be almost all functions. Properly formatting your functions canmake it more obvious what s going on and can therefore make debugging and maintenanceeasier. The PEAR style rules mandate that functions be defined with both their beginning and endingbraces flush with the left margin, like this: function myFunction() { // Function code goes here. } This makes function definitions (which use braces) stand out from conditional blocks (whichalso use braces). Furthermore, the standards require that code within the function be indented. Everything is indented at least four spaces; some segments may be indented further: function myFunction() { doSomething(); if ($is) { doSomethingMore(); } } If your function takes arguments, be sure to order them so that arguments with default valuesgo at the end of the list, like this: function myFunction($a, $b, $c= Default ) { doSomething(); if ($is) { doSomethingMore(); } } Also note that there should be no spaces between the name of the function and the parenthe- ses containing arguments. Again, this helps visually distinguish functions (which use paren- theses) from expressions (which also use parentheses). It is important that functions return something. The return value will either be a value thatresulted from the function s processing, or a Boolean value (true or false) to indicate successor failure. SummaryIn this chapter, you got an idea of the lengths to which the PHP community has gone to makeit easy for you to have and use the latest packages that extend the capabilities of the language. PEAR exists to facilitate the ongoing development and widespread distribution of handytoolkits.

527Chapter 28PEARif StatementsA simple two-test ifstatement should be formatted like this: if ((condition1) && (condition2)) { doSomething(); } Note that the opening bracket appears on the same line as the conditions (so-called Kernighanand Ritchie, or K&R, braces), and that there are brackets even though there is only one line of code in the conditional block. That way, the fact that it s a block is obvious, and there s noneed to remember to add them when further lines of code are added in the future. Also notethat there should be a space between a conditional statement and the expression being tested. if/else StatementsAn if/elsestatement builds on the basic ifformat: if ((condition1) && (condition2)) { doSomething(); } else { doSomethingElse(); } The elseappears on the same line as the closing bracket that terminates the ifblock. if/elseif StatementsAn if/elseifstatement looks just like an if/elsestatement in terms of formatting: if ((condition1) && (condition2)) { doSomething(); } elseif { doSomethingElse(); } switch StatementsSwitchstatements rely on whitespace and indentation to make code blocks obvious: switch ($flag) { case 1: doWork(); break; case 2: doOtherWork(); break; default: doNothing(); break; }

526Part IIIAdvanced Features and TechniquesIndenting, whitespace, and line lengthCode is much easier to read if you use indentation to indicate the relationship among lines ofcode that are tied together in a common functional block, as well as whitespace to logicallygroup elements. The following code is hard to read, though it will run perfectly fine. switch ($flag) { case 1: doWork(); break; case 2: doOtherWork(); break; default: doNothing(); break; } On the other hand, this code: switch ($flag) { case 1: doWork(); break; case 2: doOtherWork(); break; default: doNothing(); break; } is both functional and more easily understood. Spotting syntax errors is hard enough; don tmake the job harder by clumping your code together sloppily. One of the big religious arguments in programming is the number of spaces to indent eachnew code block some people insist that two saves space, others swear by four, and someoutliers actually employ eight-space indents (the horror!). Over time and in groups, four hascome to be a standard compromise position, adopted by many open source projects including PEAR. If you want your code to be accepted into PEAR, it must use four-spaceindents. Because different editors on different platforms interpret tab characters differently, it s rec- ommended that you use groups of four space characters in all places you would, under othercircumstances, use a tab character. Formatting control structuresControl structures like if, if/else, if/elseif, and switchstatements can be confusingif not properly formatted. PEAR has recommended styles for all of these language constructs.

525Chapter 28PEAR PHP Foundation Classes (PFC) The PEAR Foundation Classes (PFC) are a subset of the PEAR module repository. The mod- ules that are part of the PFC are written to an especially high standard of quality, have beenextensively tested, and are considered very stable and reliable. The PFC are distributed withPHP itself, so you do not have to download or install them separately. As of PHP5, the mem- bers of the PFC are these packages: DB, Net_Socket, Net_SMTP, Mail, XML_Parser, andphpUnit. In writing modules for the PFC, programmers must aim for broad compatibility. They shouldavoid using any resource that s particular to a specific operating system, and try to take inputand give output in the most generic possible form (for example, in plain text rather than asSOAP-formatted messages). Programmers also need to keep in mind possible future develop- ments in PHP itself information that can be gleaned from mailing lists and other communityresources and write their software so it is unlikely to break when new releases appear. PHP Extension Code Library (PECL) The PHP Extension Community Library (PECL) is conceptually very similar to PEAR, and in fact they share the PEAR Package Manager infrastructure (that is, PECL modules can beaccessed and installed via the PEAR Package Manager). The main difference is that PECL is concerned with extensions to PHP itself, in the form of C modules that attach to the PHPengine. As C programs, extensions typically execute faster and more efficiently than the modules contained in the PEAR repository. PECL used to be called the PEAR Extension Code Library and was spun off from PEAR inOctober 2003. The new PECL homepage is http://pecl.php.net. The PEAR Coding StyleNewspapers (as well as publishers of books!) spend a lot of time and effort establishing stylerules that govern how their writers use language. Are people identified by their last names(as in The Washington Post) or by their honorifics and last names (as in The EconomistandThe New York Times)? It s a matter of style. The same sorts of questions arise among programmers, except that the issues at stake areusually matters of formatting rather than syntax. Where do brackets go, and how is code laidout on a page? It s important to have standard (if arbitrary) answers to these questions, because a standard style can be a real aid to error-spotting and maintainability. PEAR defines its style rules online at http://pear.php.net/manual/en/standards.php. This section calls attention to some of the most important ones.

524Part IIIAdvanced Features and TechniquesThe key executable of the PEAR Package Manager is pear. It resides in your PHP home direc- tory, alongside the PHP interpreter itself. Automatic package installationOnce you have PEAR installed and updated, you can install any package you ve downloaded. The generic syntax for doing an automatic installation of a package is this: pear install
In that syntax,
is the name of a PEAR package. All available packages are listed athttp://pear.php.net/packages.php. You can also run: pear remote-listto see what s available. Here s an example of installing the PEAR DB package via the automatic PEAR PackageManager method: C:PHP>pear install DBdownloading DB-1.5.0RC2.tgz … Starting to download DB-1.5.0RC2.tgz (68,128 bytes) ……………..done: 68,128 bytesinstall ok: DB 1.5.0RC2Automatic package removalUninstalling a package is just as easy as adding one. The generic syntax looks like this: pear uninstall
To uninstall the DB package, then, we d do this: C:PHP>pear uninstall DBUninstall ok: DBIf you re not sure what packages are installed locally, run the following command to find out: pear listSemi-automatic package installationIf, for some reason, you downloaded a PEAR package in the form of a .tgzfile, you can lateruse the PEAR Package Manager to install it, even if there s no connection to the Internet avail- able. You just point the pearcommand at the local file, as follows: pear install HTML_BBCodeParser-1.0.tgzUsing PEAR packages in your scriptsOnce you ve installed the PEAR modules you wish to use, you should make sure the locationis included in the include_pathvariable of your php.inifile. This location can be tricky it will probably be /usr/local/lib/phpon Unix servers and whatever you specified duringthe go-pearprocedure on a Windows server. Once you ve done that, you can include theselibraries from any PHP script with a normal include directive:

523Chapter 28PEARUpdating the Package ManagerLater, you may want to go through the go-pearprocedure again to update your system andmake sure it s aware of the latest contents of the PEAR repository. You may want to do thisevery few months if you use PEAR packages very frequently or don t reinstall PHP very often. However, most people will find that getting a new version of the PEAR Package Manager everytime you install a new version of PHP is frequent enough. The basic procedure is to go tohttp://go-pear.organd save the file there there is only one as go-pear.phpin adirectory that s accessible to your PHP compiler. Figure 28-1 shows the go-pearWeb site. Figure 28-1:The go-pear Web siteAfter saving go-pear.php, go to the command line and run this command: php go-pear.phpYou should see output similar to the code above. With that done, you re again ready to makeuse of the PEAR Package Manager. Using the ManagerThe PEAR Package Manager has a command-line interface that is common to all versions ofPHP. The instructions in this section apply equally to all Unix variants (including Linux) andto Microsoft Windows.

522Part IIIAdvanced Features and Techniquesdoes not contain the PEAR PHP directory you just specified: If the specified directory is also not in the include_path usedby your scripts, you will have problems getting any PEARpackages working. Would you like to alter php.ini ? [Y/n] : YThat modifies the php.inifile, so the PEAR packages are accessible by the PHP engine. php.ini include_path updated. Current include path : .;c:php4pearConfigured directory : C:PHPpearCurrently used php.ini (guess) : c:winntphp.iniPress Enter to continue: The pear command is now at your service at C:PHPpear.batBrilliant the installation worked. It warns us, though, that the Windows PATHisn t really setfor maximum convenience: ** The pear command is not in your PATH, so you need to** use C:PHPpear.bat until you have added** C:PHP to your PATH environment variable. Run it without parameters to see the available actions, try pear list to see what packages are installed, or pear help for help. For more information about PEAR, see: http://pear.php.net/faq.phphttp://cvs.php.net/co.php/pearweb/doc/pear_package_manager.txt?p=1http://pear.php.net/manual/ Thanks for using go-pear! We re set at this point, but the installation program calls attention to a Windows Registryhack we can use for greater convenience if we want: * WINDOWS ENVIRONMENT VARIABLES * For convenience, a REG file is available underC:PHPPEAR_ENV.reg . This file creates ENV variables for the current user. Double-click this file to add it to the current user registry. Press any key to continue . . . The PEAR Package Manager is installed and available for use at this point.