From ab6785b01ce1006e3a9761988575289f40c9b678 Mon Sep 17 00:00:00 2001 From: Yannick Torres Date: Wed, 7 Apr 2010 21:20:37 +0000 Subject: [PATCH] Add some acronym's tag #Accept some patchs from PhDOE git-svn-id: https://svn.php.net/repository/phpdoc/en/trunk@297645 c90b9560-bf6c-de11-be94-00142212c4b1 --- reference/mssql/functions/mssql-field-length.xml | 2 +- security/apache.xml | 12 ++++++------ security/database.xml | 14 +++++++------- security/filesystem.xml | 12 ++++++------ security/globals.xml | 16 ++++++++-------- security/hiding.xml | 12 ++++++------ security/magicquotes.xml | 10 +++++----- security/variables.xml | 4 ++-- 8 files changed, 41 insertions(+), 41 deletions(-) diff --git a/reference/mssql/functions/mssql-field-length.xml b/reference/mssql/functions/mssql-field-length.xml index 0d1ed1c3cc..fc1b18fb98 100644 --- a/reference/mssql/functions/mssql-field-length.xml +++ b/reference/mssql/functions/mssql-field-length.xml @@ -89,7 +89,7 @@ The field 'age' has a data length of 4 Note to Windows Users - Due to a limitation in the underlying API used by PHP (MS DBLib C API), + Due to a limitation in the underlying API used by PHP (MS DBLib C PHP), the length of VARCHAR fields is limited to 255. If you need to store more data, use a TEXT field instead. diff --git a/security/apache.xml b/security/apache.xml index c1c0c09c43..5c682a179e 100644 --- a/security/apache.xml +++ b/security/apache.xml @@ -4,10 +4,10 @@ Installed as an Apache module - When PHP is used as an Apache module it inherits Apache's user + When PHP is used as an Apache module it inherits Apache's user permissions (typically those of the "nobody" user). This has several impacts on security and authorization. For example, if you are using - PHP to access a database, unless that database has built-in access + PHP to access a database, unless that database has built-in access control, you will have to make the database accessible to the "nobody" user. This means a malicious script could access and modify the database, even without a username and password. It's entirely @@ -15,12 +15,12 @@ administrator's web page, and drop all of your databases. You can protect against this with Apache authorization, or you can design your own access model using LDAP, &htaccess; files, etc. and include - that code as part of your PHP scripts. + that code as part of your PHP scripts. - Often, once security is established to the point where the PHP user + Often, once security is established to the point where the PHP user (in this case, the apache user) has very little risk attached to it, - it is discovered that PHP is now prevented from writing any files + it is discovered that PHP is now prevented from writing any files to user directories. Or perhaps it has been prevented from accessing or changing databases. It has equally been secured from writing good and bad files, or entering good and bad database transactions. @@ -39,7 +39,7 @@ There are some simpler solutions. By using open_basedir you can control and restrict what - directories are allowed to be used for PHP. You can also set up + directories are allowed to be used for PHP. You can also set up apache-only areas, to restrict all web based activity to non-user, or non-system, files. diff --git a/security/database.xml b/security/database.xml index 894c5f534b..79bdd3ec44 100644 --- a/security/database.xml +++ b/security/database.xml @@ -18,9 +18,9 @@ linkend="security.database.sql-injection">tamper with an SQL query. - As you can surmise, PHP cannot protect your database by itself. The + As you can surmise, PHP cannot protect your database by itself. The following sections aim to be an introduction into the very basics of how to - access and manipulate databases within PHP scripts. + access and manipulate databases within PHP scripts. Keep in mind this simple rule: defense in depth. The more places you @@ -78,7 +78,7 @@ @@ -98,7 +98,7 @@ The easiest way to work around this problem is to first create your own - encryption package, and then use it from within your PHP scripts. PHP + encryption package, and then use it from within your PHP scripts. PHP can assist you in this with several extensions, such as Mcrypt and Mhash, covering a wide variety of encryption @@ -180,10 +180,10 @@ $result = pg_query($conn, $query); Normal users click on the 'next', 'prev' links where the $offset - is encoded into the URL. The script expects that the incoming + is encoded into the URL. The script expects that the incoming $offset is a decimal number. However, what if someone tries to break in by appending a urlencode'd form of the - following to the URL + following to the URL - Check if the given input has the expected data type. PHP has + Check if the given input has the expected data type. PHP has a wide range of input validating functions, from the simplest ones found in Variable Functions and in Character Type Functions diff --git a/security/filesystem.xml b/security/filesystem.xml index 7b381f9356..511ada339d 100644 --- a/security/filesystem.xml +++ b/security/filesystem.xml @@ -4,7 +4,7 @@ Filesystem Security - PHP is subject to the security built into most server systems with + PHP is subject to the security built into most server systems with respect to permissions on a file and directory basis. This allows you to control which files in the filesystem may be read. Care should be taken with any files which are world readable to ensure @@ -12,8 +12,8 @@ filesystem. - Since PHP was designed to allow user level access to the filesystem, - it's entirely possible to write a PHP script that will allow you + Since PHP was designed to allow user level access to the filesystem, + it's entirely possible to write a PHP script that will allow you to read system files such as /etc/passwd, modify your ethernet connections, send massive printer jobs out, etc. This has some obvious implications, in that you need to ensure that the files @@ -22,7 +22,7 @@ Consider the following script, where a user indicates that they'd like to delete a file in their home directory. This assumes a - situation where a PHP web interface is regularly used for file + situation where a PHP web interface is regularly used for file management, so the Apache user is allowed to delete files in the user home directories. @@ -73,7 +73,7 @@ echo "The file has been deleted!"; - Only allow limited permissions to the PHP web user binary. + Only allow limited permissions to the PHP web user binary. @@ -147,7 +147,7 @@ if (!ctype_alnum($username) || !preg_match('/^(?:[a-z0-9_-]|\.(?!\.))+$/iD', $us Null bytes related issues - As PHP uses the underlying C functions for filesystem related + As PHP uses the underlying C functions for filesystem related operations, it may handle null bytes in a quite unexpected way. As null bytes denote the end of a string in C, strings containing them won't be considered entirely but rather only until a null byte occurs. diff --git a/security/globals.xml b/security/globals.xml index 65dc41cb38..7c70d3459d 100644 --- a/security/globals.xml +++ b/security/globals.xml @@ -5,21 +5,21 @@ Using Register Globals &warn.deprecated.feature-5-3-0.removed-6-0-0; - Perhaps the most controversial change in PHP is when the default value - for the PHP directive - register_globals went from ON to OFF in PHP + Perhaps the most controversial change in PHP is when the default value + for the PHP directive + register_globals went from ON to OFF in PHP 4.2.0. Reliance on this directive was quite common and many people didn't even know it existed - and assumed it's just how PHP works. This page will explain how one can + and assumed it's just how PHP works. This page will explain how one can write insecure code with this directive but keep in mind that the directive itself isn't insecure but rather it's the misuse of it. When on, register_globals will inject your scripts with all - sorts of variables, like request variables from HTML forms. This - coupled with the fact that PHP doesn't require variable initialization + sorts of variables, like request variables from HTML forms. This + coupled with the fact that PHP doesn't require variable initialization means writing insecure code is that much easier. It was a difficult - decision, but the PHP community decided to disable this directive by + decision, but the PHP community decided to disable this directive by default. When on, people use variables yet really don't know for sure where they come from and can only assume. Internal variables that are defined in the script itself get mixed up with request data sent by @@ -62,7 +62,7 @@ if ($authorized) { When register_globals = on, we could also use $username in our example below but again you must realize that $username could also come from other - means, such as GET (through the URL). + means, such as GET (through the URL). diff --git a/security/hiding.xml b/security/hiding.xml index ea8ab98f8f..581c5bf556 100644 --- a/security/hiding.xml +++ b/security/hiding.xml @@ -8,14 +8,14 @@ But in some cases, every little bit of extra security is desirable. - A few simple techniques can help to hide PHP, possibly slowing + A few simple techniques can help to hide PHP, possibly slowing down an attacker who is attempting to discover weaknesses in your system. By setting expose_php to off in your &php.ini; file, you reduce the amount of information available to them. Another tactic is to configure web servers such as apache to - parse different filetypes through PHP, either with an &htaccess; + parse different filetypes through PHP, either with an &htaccess; directive, or in the apache configuration file itself. You can then use misleading file extensions: @@ -37,10 +37,10 @@ AddType application/x-httpd-php .bop .foo .133t ]]> - Or hide it as HTML code, which has a slight performance hit because - all HTML will be parsed through the PHP engine: + Or hide it as HTML code, which has a slight performance hit because + all HTML will be parsed through the PHP engine: - Using HTML types for PHP extensions + Using <acronym>HTML</acronym> types for PHP extensions - For this to work effectively, you must rename your PHP files with + For this to work effectively, you must rename your PHP files with the above extensions. While it is a form of security through obscurity, it's a minor preventative measure with few drawbacks. diff --git a/security/magicquotes.xml b/security/magicquotes.xml index b69b17ab91..defd261778 100644 --- a/security/magicquotes.xml +++ b/security/magicquotes.xml @@ -5,7 +5,7 @@ &warn.deprecated.feature-5-3-0.removed-6-0-0; Magic Quotes is a process that automagically escapes incoming data to the - PHP script. It's preferred to code with magic quotes off and to instead + PHP script. It's preferred to code with magic quotes off and to instead escape the data at runtime, as needed. @@ -26,8 +26,8 @@ magic_quotes_gpc - Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at - runtime, and defaults to on in PHP. + Affects HTTP Request data (GET, POST, and COOKIE). Cannot be set at + runtime, and defaults to on in PHP. See also get_magic_quotes_gpc. @@ -41,7 +41,7 @@ If enabled, most functions that return data from an external source, including databases and text files, will have quotes escaped with a backslash. Can be set at runtime, and defaults to off - in PHP. + in PHP. See also set_magic_quotes_runtime and @@ -74,7 +74,7 @@ There is no reason to use magic quotes because they are no longer - a supported part of PHP. However, they did exist and did help a + a supported part of PHP. However, they did exist and did help a few beginners blissfully and unknowingly write better (more secure) code. But, when dealing with code that relies upon this behavior it's better to update the code instead of turning magic quotes on. diff --git a/security/variables.xml b/security/variables.xml index 13314da5f0..55c5a08fca 100644 --- a/security/variables.xml +++ b/security/variables.xml @@ -4,7 +4,7 @@ User Submitted Data - The greatest weakness in many PHP programs is not inherent in the + The greatest weakness in many PHP programs is not inherent in the language itself, but merely an issue of code not being written with security in mind. For this reason, you should always take the time to consider the implications of a given piece of code, to ascertain @@ -74,7 +74,7 @@ exec ($evil_var); You may also want to consider turning off register_globals, magic_quotes, or other convenience settings which may confuse you as to the validity, source, or value of a given variable. - Working with PHP in error_reporting(E_ALL) mode can also help warn + Working with PHP in error_reporting(E_ALL) mode can also help warn you about variables being used before they are checked or initialized (so you can prevent unusual data from being operated upon).