Two security questions

apps

#1

I have two questions about running scripts as securily as possible here.

First: Is it possible to use “magic quotes” at Dreamhost and, in a nutshell, can someone explain the benefits, how that improves security? (or diminishes it)?

Second: Which is generally more secure? running scripts as php-cgi or php? I’ve read the info in the kbase, and it seems that php-cgi is more secure but doesn’t it also open up other vunerabilities?


#2

From the looks of it, magic quotes appears to be enabled.

Upload a PHP script to your site and call the function “get_magic_quotes_gpc()” to check if it is enabled.

For example: Test.php
<?php
if (get_magic_quotes_gpc()) {
echo “Magic quotes are enabled.”;
}else{
echo “Magic quotes are not enabled.”;
}
?>

Also, magic quotes help prevent “SQL Injection”. SQL injection is a manner in which a malicious user can put, for example, single quotes into a text box whose value may be directly passed to a SQL query in your script. Like, if you had a script that checked for the existence of a user name in your database with the SQL query “SELECT user FROM users WHERE user=’” . $_POST[‘username’] . “’”, which would normally return the username if it were found and if it weren’t found it wouldn’t return anything. The problem is a single quote (’) would terminate that search query and allow you to “inject” your own search criteria… so I, a malicious user, could type in the username text box:

blah’ OR 0=0 OR user='something

And that would validate to TRUE for all rows, matching every row in the table, allowing the malicious user to see all users in that database table.

To prevent this, you’re supposed to “escape” the quotes using slashes so the database interprets that single quote literally. So instead of seeing:

SELECT user FROM users WHERE user=‘blah’ OR 0=0 OR user=‘something’

The database would see:

SELECT user FROM users WHERE user=‘blah’ OR 0=0 OR user=‘something’

And would look for a username that matches the exact string:
blah’ OR 0=0 OR user='something

This prevents people from passing commands into your database SQL queries and thereby compromising the integrity of your database.

The function you can use to escape quotes in your submitted variables that need to be passed to your database query is “addslashes”.

Check out this link for more info:
http://php.planetmirror.com/manual/en/function.get-magic-quotes-gpc.php


#3

Oh yeah, you should run your scripts as “php-cgi”.

Check out dreamhost’s knowledge base article on that here:
https://panel.dreamhost.com/kbase/index.cgi?area=2933&keyword=php-cgi


#4

Thanks for explaining that concisely. While I understood the gist of it, it’s great to get a simple explanation of how it can be so easy to inject scripts if they are not secure. I’m trying to understand this better so I can keep my site safe and learn how to evaluate (and maybe someday even write) scripts. I ran that little script and, yes, magic quotes are enabled. Thx.


#5

I know that we encourage people to use php-cgi (partially because it makes it a lot easier for us to identify the sources of problems and track resource consumption), and we have slightly less restrictive security settings… but strictly from a security perspective, php-cgi, esp. with $register_globals still enabled (see some other recent posts) is kind of a nightmare…