PHP Security Guide
Most PHP applications interact with a database. This usually involves connecting to a database server and using access
credentials to authenticate:
<?php
$host = ‘example.org’;
$username = ‘myuser’;
$password = ‘mypass’;
$db = mysql_connect($host, $username, $password);
?>
This could be an example of a file called db.inc that is included whenever a connection to the database is needed. This
approach is convenient, and it keeps the access credentials in a single file.
Potential problems arise when this file is somewhere within document root. This is a common approach, because it makes
include and require statements much simpler, but it can lead to situations that expose your access credentials.
Remember that everything within document root has a URL associated with it. For example, if document root is /usr/
local/apache/htdocs, then a file located at /usr/local/apache/htdocs/inc/db.inc has a URL such as http://
example.org/inc/db.inc.
Combine this with the fact that most web servers will serve .inc files as plaintext, and the risk of exposing your access
credentials should be clear. A bigger problem is that any source code in these modules can be exposed, but access
credentials are particularly sensitive.
Of course, one simple solution is to place all modules outside of document root, and this is a good practice. Both include
and require can accept a filesystem path, so there’s no need to make modules accessible via URL. It is an unnecessary
risk.
If you have no choice in the placement of your modules, and they must be within document root, you can put something like
the following in your httpd.conf file (assuming Apache):
<Files ~ “\.inc$”>
Order allow,deny
Deny from all
</Files>
It is not a good idea to have your modules processed by the PHP engine. This includes renaming your modules with a .php
extension as well as using AddType to have .inc files treated as PHP files. Executing code out of context can be very
dangerous, because it’s unexpected and can lead to unknown results. However, if your modules consist of only variable
assignments (as an example), this particular risk is mitigated.
My favorite method for protecting your database access credentials is described in the PHP Cookbook (O’Reilly) by David
Sklar and Adam Trachtenberg. Create a file, /path/to/secret-stuff, that only root can read (not nobody):
SetEnv DB_USER “myuser”
SetEnv DB_PASS “mypass”
Include this file within httpd.conf as follows:
Include “/path/to/secret-stuff”

Now you can use $_SERVER['DB_USER'] and $_SERVER['DB_PASS'] in your code. Not only do you never have to write
your username and password in any of your scripts, the web server can’t read the secret-stuff file, so no other users can
write scripts to read your access credentials (regardless of language). Just be careful not to expose these variables with
something like phpinfo() or print_r($_SERVER).
SQL Injection
SQL injection attacks are extremely simple to defend against, but many applications are still vulnerable. Consider the
following SQL statement:
<?php
$sql = “INSERT
INTO users (reg_username,
reg_password,
reg_email)
VALUES (‘{$_POST['reg_username']}’,
‘$reg_password’,
‘{$_POST['reg_email']}’)”;
?>
This query is constructed with $_POST, which should immediately look suspicious.
Assume that this query is creating a new account. The user provides a desired username and an email address. The
registration application generates a temporary password and emails it to the user to verify the email address. Imagine that
the user enters the following as a username:
bad_guy’, ‘mypass’, ”), (‘good_guy
This certainly doesn’t look like a valid username, but with no data filtering in place, the application can’t tell. If a valid email
address is given (shiflett@php.net, for example), and 1234 is what the application generates for the password, the SQL
statement becomes the following:
<?php
$sql = “INSERT
INTO users (reg_username,
reg_password,
reg_email)
VALUES (‘bad_guy’, ‘mypass’, ”), (‘good_guy’,
‘1234′,
’shiflett@php.net’)”;
?>
Rather than the intended action of creating a single account (good_guy) with a valid email address, the application has been
tricked into creating two accounts, and the user supplied every detail of the bad_guy account.
While this particular example might not seem so harmful, it should be clear that worse things could happen once an attacker
can make modifications to your SQL statements.
For example, depending on the database you are using, it might be possible to send multiple queries to the database server
in a single call. Thus, a user can potentially terminate the existing query with a semicolon and follow this with a query of the
user’s choosing.
MySQL, until recently, does not allow multiple queries, so this particular risk is mitigated. Newer versions of MySQL allow
multiple queries, but the corresponding PHP extension (ext/mysqli) requires that you use a separate function if you want
to send multiple queries (mysqli_multi_query() instead of mysqli_query()). Only allowing a single query is safer,
because it limits what an attacker can potentially do.
Protecting against SQL injection is easy:

• Filter your data.

This cannot be overstressed. With good data filtering in place, most security concerns are mitigated, and some are
practically eliminated.

• l Quote your data.

If your database allows it (MySQL does), put single quotes around all values in your SQL statements, regardless of
the data type.

• l Escape your data.

Sometimes valid data can unintentionally interfere with the format of the SQL statement itself. Use
mysql_escape_string() or an escaping function native to your particular database. If there isn’t a specific one,
addslashes() is a good last resort.

Session Fixation
Session security is a sophisticated topic, and it’s no surprise that sessions are a frequent target of attack. Most session
attacks involve impersonation, where the attacker attempts to gain access to another user’s session by posing as that user.
The most crucial piece of information for an attacker is the session identifier, because this is required for any impersonation
attack. There are three common methods used to obtain a valid session identifier:

• l Prediction
• l Capture
• l Fixation

Prediction refers to guessing a valid session identifier. With PHP’s native session mechanism, the session identifier is
extremely random, and this is unlikely to be the weakest point in your implementation.
Capturing a valid session identifier is the most common type of session attack, and there are numerous approaches.
Because session identifiers are typically propagated in cookies or as GET variables, the different approaches focus on
attacking these methods of transfer. While there have been a few browser vulnerabilities regarding cookies, these have
mostly been Internet Explorer, and cookies are slightly less exposed than GET variables. Thus, for those users who enable
cookies, you can provide them with a more secure mechanism by using a cookie to propagate the session identifier.
Fixation is the simplest method of obtaining a valid session identifier. While it’s not very difficult to defend against, if your
session mechanism consists of nothing more than session_start(), you are vulnerable.
In order to demonstrate session fixation, I will use the following script, session.php:
<?php
session_start();
if (!isset($_SESSION['visits']))
{
$_SESSION['visits'] = 1;
}
else
{
$_SESSION['visits']++;
}
echo $_SESSION['visits'];
?>

Upon first visiting the page, you should see 1 output to the screen. On each subsequent visit, this should increment to reflect
how many times you have visited the page.
To demonstrate session fixation, first make sure that you do not have an existing session identifier (perhaps delete your
cookies), then visit this page with ?PHPSESSID=1234 appended to the URL. Next, with a completely different browser (or
even a completely different computer), visit the same URL again with ?PHPSESSID=1234 appended. You will notice that you
do not see 1 output on your first visit, but rather it continues the session you previously initiated.
Why can this be problematic? Most session fixation attacks simply use a link or a protocol-level redirect to send a user to a
remote site with a session identifier appended to the URL. The user likely won’t notice, since the site will behave exactly the
same. Because the attacker chose the session identifier, it is already known, and this can be used to launch impersonation
attacks such as session hijacking.
A simplistic attack such as this is quite easy to prevent. If there isn’t an active session associated with a session identifier that
the user is presenting, then regenerate it just to be sure:
<?php
session_start();
if (!isset($_SESSION['initiated']))
{
session_regenerate_id();
$_SESSION['initiated'] = true;
}
?>

The problem with such a simplistic defense is that an attacker can simply initialize a session for a particular session identifier,
and then use that identifier to launch the attack.
To protect against this type of attack, first consider that session hijacking is only really useful after the user has logged in or
otherwise obtained a heightened level of privilege. So, if we modify the approach to regenerate the session identifier
whenever there is any change in privilege level (for example, after verifying a username and password), we will have
practically eliminated the risk of a successful session fixation attack.
Session Hijacking
Arguably the most common session attack, session hijacking refers to all attacks that attempt to gain access to another
user’s session.

As with session fixation, if your session mechanism only consists of session_start(), you are vulnerable, although the
exploit isn’t as simple.
Rather than focusing on how to keep the session identifier from being captured, I am going to focus on how to make such a
capture less problematic. The goal is to complicate impersonation, since every complication increases security. To do this,
we will examine the steps necessary to successfully hijack a session. In each scenario, we will assume that the session
identifier has been compromised.
With the most simplistic session mechanism, a valid session identifier is all that is needed to successfully hijack a session. In
order to improve this, we need to see if there is anything extra in an HTTP request that we can use for extra identification.
Note
It is unwise to rely on anything at the TCP/IP level, such as IP address, because these are lower level
protocols that are not intended to accommodate activities taking place at the HTTP level. A single user can
potentially have a different IP address for each request, and multiple users can potentially have the same IP
address.
Recall a typical HTTP request:
GET / HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 Gecko
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=1234

Only the Host header is required by HTTP/1.1, so it seems unwise to rely on anything else. However, consistency is really
all we need, because we’re only interested in complicating impersonation without adversely affecting legitimate users.
Imagine that the previous request is followed by a request with a different User-Agent:
GET / HTTP/1.1
Host: example.org
User-Agent: Mozilla Compatible (MSIE)
Accept: text/xml, image/png, image/jpeg, image/gif, */*
Cookie: PHPSESSID=1234
Although the same cookie is presented, should it be assumed that this is the same user? It seems highly unlikely that a
browser would change the User-Agent header between requests, right? Let’s modify the session mechanism to perform an
extra check:

<?php
session_start();
if (isset($_SESSION['HTTP_USER_AGENT']))
{
if ($_SESSION['HTTP_USER_AGENT'] != md5($_SERVER['HTTP_USER_AGENT']))
{
/* Prompt for password */
exit;
}
}
else
{
$_SESSION['HTTP_USER_AGENT'] = md5($_SERVER['HTTP_USER_AGENT']);
}
?>

Now an attacker must not only present a valid session identifier, but also the correct User-Agent header that is associated
with the session. This complicates things slightly, and it is therefore a bit more secure.
Can we improve this? Consider that the most common method used to obtain cookie values is by exploiting a vulnerable
browser such as Internet Explorer. These exploits involve the victim visiting the attacker’s site, so the attacker will be able to
obtain the correct User-Agent header. Something additional is necessary to protect against this situation.
Imagine if we required the user to pass the MD5 of the User-Agent in each request. An attacker could no longer just
recreate the headers that the victim’s requests contain, but it would also be necessary to pass this extra bit of information.
While guessing the construction of this particular token isn’t too difficult, we can complicate such guesswork by simply adding
an extra bit of randomness to the way we construct the token:
<?php
$string = $_SERVER['HTTP_USER_AGENT'];
$string .= ‘SHIFLETT’;
/* Add any other data that is consistent */
$fingerprint = md5($string);
?>
Keeping in mind that we’re passing the session identifier in a cookie, and this already requires that an attack be used to
compromise this cookie (and likely all HTTP headers as well), we should pass this fingerprint as a URL variable. This must
be in all URLs as if it were the session identifier, because both should be required in order for a session to be automatically
continued (in addition to all checks passing).
In order to make sure that legitimate users aren’t treated like criminals, simply prompt for a password if a check fails. If there
is an error in your mechanism that incorrectly suspects a user of an impersonation attack, prompting for a password before
continuing is the least offensive way to handle the situation. In fact, your users may appreciate the extra bit of protection
perceived from such a query.
There are many different methods you can use to complicate impersonation and protect your applications from session
hijacking. Hopefully you will at least do something in addition to session_start() as well as be able to come up with a few
ideas of your own. Just remember to make things difficult for the bad guys and easy for the good guys.
Note
Some experts claim that the User-Agent header is not consistent enough to be used in the way described.
The argument is that an HTTP proxy in a cluster can modify the User-Agent header inconsistently with other
proxies in the same cluster. While I have never observed this myself (and feel comfortable relying on the
consistency of User-Agent), it is something you may want to consider.
The Accept header has been known to change from request to request in Internet Explorer (depending on
whether the user refreshes the browser), so this should not be relied upon for consistency.

Online Free FunGames24: fungames24.keyw0rk.net

1. Hidden text – Create modern CSS based websites with JQuery effects. They often hide large portions of text in layers to display them on click or mouse over for usability reasons. Example: CSS pagination.
2. IP delivery – Offer the proper localized content to those coming from a country specific IP address. Offer the user a choice though. Shopping.com does a great job here.
3. 301 redirects – Redirect outdated pages to the newer versions or your homepage. When moving to a new domain use them of course as well.
4. Throw Away Domains – Create exact match micro sites for short term popular keywords and abandon them when the trend subsides. Something like tigerwoodssexrehab.com
5. Cloaking – Hide the heavy Flash animations from Google, show the text-only version optimized for accessibility and findability.
6. Paid links – Donate for charity, software developers etc. Many of them display links to those who donate.
7. Keyword stuffing – Tags and folksonomy. Keyword stuff but adding several tags or let your users do the dirty work via UGC tagging (folksonomy) every major social site does that.
8. Automatically generated keyword pages – Some shopping search engines create pages from each Google search query and assign the appropriate products to each query. You can do that as well if you have enough content.
9. Mispsellings – Define, correct the misspelled term and/or redirect to the correct version.
10. Scraping – Create mirrors for popular sites. Offer them to the respective webmasters. Most will be glad to pay less.
11. Ad only pages – Create all page ads (interstitials) and show them before users see content like many old media do.
12. Blog spam – Don’t spam yourself! Get spammed! Install a WordPress blog without Akismet spam protection. Then create a few posts about Mesothelioma for example, a very profitable keyword. Then let spammers comment spam it or even add posts (via TDO Mini Forms). Last but not least parse the comments for your keyword and outgoing links. If they contain the keyword publish them and remove the outgoing links of course. Bot user generated content so to say.
13. Duplicate content on multiple domains – Offer your content under a creative Commons License with attribution.
14. Domain grabbing – Buy old authority domains that failed and revive them instead of putting them on sale.
15. Fake news – Create real news on official looking sites for real events. You can even do it in print. Works great for all kinds of activism related topics.
16. Link farm – Create a legit blog network of flagship blogs. A full time pro blogger can manage 3 to 5 high quality blogs by her or himself.
17. New exploits – Find them and report them, blog about them. You break story and thus you get all the attention and links. Dave Naylor is excellent at it.
18. Brand jacking – Write a bad review for a brand that has disappointed you or destroys the planet or set up a brand x sucks page and let consumers voice their concerns.
19. Rogue bots – Spider websites and make their webmasters aware of broken links and other issues. Some people may be thankful enough to link to you.
20. Hidden affiliate links – In fact hiding affiliate links is good for usability and can be even more ethical than showing them. example.com/ref?id=87233683 is far worse than than just example.com. Also unsuspecting Web users will copy your ad to forums etc. which might break their TOS. The only thing you have to do is disclose the affiliate as such. I prefer to use [ad] (on Twitter for example) or [partner-link] elsewhere. This way you can strip the annoying “ref” ids and achieve full disclosure at the same time.
21. Doorway pages – Effectively doorway pages could also be called landing pages. The only difference is that doorway pages are worthless crap while landing pages are streamlined to suffice on their own. Common for both is that they are highly optimized for organic search traffic. So instead of making your doorway pages just a place to get skipped optimize them as landing pages and make the users convert right there.
22. Multiple subdomains – Multiple subdomains for one domain can serve an ethical purpose. Just think blogspot.co or wordpress.com – they create multiple subdomains by UGC. This way they can rank several times for a query. You can offer subdomains to your users as well.
23. Twitter automation – There is nothing wrong with Twitter automation as long as you don’t overdo it. Scheduling and repeating tweets, even automatically tweeting RSS feeds from your or other blogs is perfectly OK as long as the Twitter account has a real person attending it who tweets “manually” as well. Bot accounts can be ethical as well in case they are useful no only for yourself. A bot collecting news about Haiti in the aftermath of the earthquake would be perfectly legit if you ask me.
24. Deceptive headlines – Tabloids use them all the time, black hat SEO also do. There are ethical use cases for deceptive headlines though. Satire is one of course and humor simply as well. For instance I could end this list with 24 items and declare this post to a list of 30 items anyways. That would be a good laugh. I’ve done that in the past but in a more humorous post.
25. Google Bowling – The bad thing about Google bowling is that you hurt sites you don’t like. You could reverse that: Reverse Google bowling would mean that you push sites of competitors you like to make those you dislike disappear below. In a way we do that all the time linking out to the competition, the good guys of SEO who then outrank the ugly sites we like a lot less.
26. Invisible links – You’d never used invisible links on your sites did you? You liar! You have. Most free web counters and statistic tools use them. Statcounter is a good example. So when you embed them on your site you use invisible links.
27. Different content for search engines than users – Do you use Wordpress? Then you have the nofollow attribute added to your comment links. this way the search engine gets different content than the user. He sees and clicks a link. A search bot sees a no trespass sign instead. In white hat SEO it’s often called PageRank sculpting. Most social media add ons do that by default.
28. Hacking sites – While crackers hack sites security experts warn site owners that they vulnerabilities. Both discover the same issues. Recently I got an email by someone who warned me to update my WordPress installation. That was a grand idea I thought.
29. Slander linkbait – Pulling a Calacanis like “SEO is bullshit” is quite common these days. Why don’t do it the other way around? The anti SEO thing doesn’t work that good anymore unless you are as famous as Robert Scoble. In contrast a post dealing with “100 Reasons to Love SEO Experts” might strike a chord by now.
30. Map spam – Instead of faking multiple addresses all over the place just to appear on Google Maps and Local why don’t you simply create an affiliate network of real life small business owners with shops and offices who, for a small amount of money, are your representatives there? All they need to do is to collect your mail from Google and potential clients.

Go to: sourceviewer.keyw0rk.net

Go to: metatagextractor.keyw0rk.net

Go to: encrypter.keyw0rk.net

Go to: alexaranking.keyw0rk.net

Go to: browserdetails.keyw0rk.net

Go to:proxylister.keyw0rk.net

Why Use A Proxy? Whenever you surf the internet your ip address is being logged by every website you visit. A simple check of web logs will show the ip address of everyone that visited a particular website. These logs can be kept for years, and can send a trace back to you! It’s not a matter of just covering your tracks as most of us have nothing to hide, it’s a matter of *privacy*. Your right to privacy is being compromised when browsing without a proxy.

Web-based Proxies

A web-based proxy is a service that allows you to bypass your own internet provider and browse using the proxy web-based website. All that you have to do is type the website address you would like to visit in the form they provide, and start browsing. Once you keep browsing using that form, you are protected and your *real* ip address is not being logged. There are many web based proxies to choose from. Start browsing using the featured selection.