PHP Variable Security Risks and Prevention Explained
PHP Cheat Sheet and Prevention Explained - Part 1
Foreword: This is part 1 of my series, PHP Cheat Sheet and Prevention Explained. In this part of the series, I explain PHP variable security risks and how to prevent them.
By: Chrysanthus Date Published: 29 Jan 2019
Introduction
Risks are weaknesses from PHP or from you the programmer, that you may ignore; and attackers (hackers) would take advantage of.
Integer
The maximum size of integer depends on your operating system.
If PHP encounters an integer that is larger than the maximum size, it converts the number to float, and by so doing introduces imprecision. Also, an operation which results in a number beyond the bounds of the integer type will return a float instead, with imprecision of the float.
To avoid this, do not operate beyond the maximum value of integer for your device. To know the maximum integer value for your device, use the PHP_INT_MAX constant as follows:
<?php
$var = PHP_INT_MAX;
echo $var;
?>
There is no integer division operator in PHP. The division of 2 integers result in a float, with imprecision of the float. To work-around this, use the Arbitrary Length Integer / GMP functions (of PHP). I will not address these functions in this volume. So consult some other documentation for that.
Float
The main problem with float is the imprecision. Because of imprecision, the following expression will yield a value towards 7 instead of 8 as expected:
((0.1+0.7)*10)
For high precision, use the arbitrary precision math functions and the GMP functions. I will not address these functions in this volume. So consult some other documentation for that.
Insecurities of Objects
Insecurities from objects are more due to errors you, the programmer commits than from weaknesses of the PHP language.
Insecurities with PHP Array
If you read a value with a key that does not exist, PHP does not stop with a fatal error. The array returns NULL. NULL is a valid value in PHP.
If you have a key as '08' and you use '8' to access the corresponding value, the array will return NULL, as '8' evaluates to an integer while '08' evaluates to a string. So, the key, 8 does not exist. Try the following code (the NULL value may not be printed):
<?php
$arr = array('man' => "woman", '08' => "money");
echo $arr['man'], '<br>';
echo $arr[8], '<br>';
?>
Security Risk with included File
If a variable has been initialized, it means it has been assigned a value. Let us talk about two PHP files and see a problem that can occur due to unknown initialization.
Consider the PHP file,
<?php
$arra = array('pen','book');
?>
This file defines an array with the name, $arra. Name the file, temp1.php. Also consider the following file:
<?php
include_once('temp1.php');
echo $arra[0], '<br>';
$arra = 2;
echo $arra, '<br>';
//echo arra[1], '<br>';
?>
This file begins by including the file, temp1.php, so that all the included code is in the upper part of its own code content. Next it displays the value 'pen' from the array in the upper content (of included file). It goes on to declare and initialize a new variable, integer variable, but unfortunately with the same name as the array in the included file.
This new variable overrides the old variable with the same name; meaning, as you go downward, the value of the variable with the name, $arra is 2 and not an array. Next, the code displays the value, 2. The last line should display the value, 'book', but it is commented out, and it is not executed, now.
Give this second file, the name, temp.php . Save both files in the same directory. Run the file, temp.php. The output is:
pen
2
Now, remove the double forward slash, // , from the last line, making it executable. Run the program again and note that there is a fatal error and the program does not even run. It is not in every situation that you have a fatal error, and the program stops running. In some situations, the program continues to run and be giving wrong results (exploitable by a hacker).
Not knowing that a variable has been initialized is problematic in the case of including one file into another, which uses the same variable name.
To solve this problem, while you are writing the code (temp.php) use the isset() function to check if a variable has been assigned a value. That is, you check if a variable is already in use. If yes, choose a different variable name for your new variable.
The isset() function, returns true, if the variable has been set to anything other than NULL, or it returns false otherwise. The following code shows how the isset() function is used:
<?php
$arra = array('pen','book');
if (isset($arra))
echo 'This variable has a value other than NULL, and you cannot use it.';
else
echo 'You can initilize and use this variable here';
?>
Note, if a variable was initialized (or finally assigned) to NULL, in the included file, then that is the same as not having the variable in the included file. So you can still use the variable in the new file.
What is the point having a variable without ever assigning a value to it? What is the point having a variable whose value is the variable, and can never change?
Solution. Since this attitude can only lead to confusion, and wrong results, avoid using bare variables (bare strings).
Possibility of User Creating a Variable
In normal programming, variables are unique and different variables can have the same value. This is many-to-one relationship. PHP gives the program the possibility of creating a variable dynamically (as the program executes). Read and test the following code:
<?php
$age = 'thirty';
$$age = 'for John';
echo $age, '<br>';
echo $$age, '<br><br>';
$age = 'for John';
echo $age, '<br>';
echo $thirty, '<br>';
?>
The output is:
thirty
for John
for John
for John
Note that two variables, $age and $thirty end up having the same value, "for John". Many-to-one relationship is not really a problem. The problem is that the user can end up creating a variable that references or hold the value of another variable.
References in PHP allows more than one variable to access the same value. In a program, a value can easily become a value of an array and then even become the value of a new variable.
Allowing the user or attacker to create a variable or handle the script such that a variable (new or old) is wrongly assigned to a sensitive information, is a big problem.
Prevention: Do not allow or write code, such that the user would create a variable.
That is it for this part of the series. We stop here and continue in the next part.
Chrys
Related Links
Basics of PHP with Security ConsiderationsWhite Space in PHP
PHP Data Types with Security Considerations
PHP Variables with Security Considerations
PHP Operators with Security Considerations
PHP Control Structures with Security Considerations
PHP String with Security Considerations
PHP Arrays with Security Considerations
PHP Functions with Security Considerations
PHP Return Statement
Exception Handling in PHP
Variable Scope in PHP
Constant in PHP
PHP Classes and Objects
Reference in PHP
PHP Regular Expressions with Security Considerations
Date and Time in PHP with Security Considerations
Files and Directories with Security Considerations in PHP
Writing a PHP Command Line Tool
PHP Core Number Basics and Testing
Validating Input in PHP
PHP Eval Function and Security Risks
PHP Multi-Dimensional Array with Security Consideration
Mathematics Functions for Everybody in PHP
PHP Cheat Sheet and Prevention Explained
More Related Links