Network Defense Techniques in PHP, Part 2
Well, we shall continue, as promised, with the problems of authorization and session tracking. But before we take up that subject, let us pause for a moment on a very important point: protecting information about the structure of files and folders on the server.
On the very day the first article of this series was published I received the first letter. The reader, who asked to remain anonymous, thanked me for the article and asked me to check in practice how well he had protected his creation. Everything was quite good until I touched on something that was not discussed in the article. It was not discussed first of all because it actually has no relation to PHP at all. However, failure to observe a few elementary rules can reduce to zero all the effort spent protecting a site against break-ins through PHP scripts.
So, what did I find there? Basically nothing special, except that some directories, including "confidential" ones, contained no index.html file (or another index.* file that is interpreted as the start page). Besides that, there were no corresponding access-rights settings. What does this imply? When the address of such a directory without an index.* file is typed into the address bar, the attacker gets the entire contents of the folder displayed directly in the browser, with all the possible consequences (what this opens up depends on what is stored there).
How to prevent this? It is enough, in every folder on the server that has no index.* file, to put one there. You can write in that file whatever you like, from "Entry forbidden" or an empty file to a redirect, for example to the site's start page. The second variant is also preferable from the point of view of a careful web designer, since it steers overly diligent visitors away. If anyone has partly forgotten, let me remind you how to perform a redirect:
<html>
<head>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL=http://syte.com">
</head>
<body></body>
</html>
Well, of course it can also be styled at your own discretion, and so on.
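As an added check, not part of the original article: a small PHP script that walks a document root and reports every directory that has no index.* file, i.e. every directory a server with listings enabled would expose. The default path /var/www/html is an assumption; pass the real document root as the first argument.

```php
<?php
// Added audit script (not from the article). Lists directories under a
// document root that contain no index.* file (index.html, index.php, ...).
function dirs_without_index($docroot)
{
    $docroot = rtrim($docroot, '/');
    $missing = array();

    // The root itself is not yielded by the iterator below, so check it first.
    if (!glob($docroot . '/index.*')) {
        $missing[] = $docroot;
    }

    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $info) {
        if (!$info->isDir()) {
            continue;
        }
        // glob() returns an empty array (or false) when no index.* exists.
        if (!glob($path . '/index.*')) {
            $missing[] = $path;
        }
    }
    return $missing;
}

$docroot = isset($argv[1]) ? $argv[1] : '/var/www/html';   // assumed default path
foreach (dirs_without_index($docroot) as $dir) {
    echo "no index.* file in: $dir\n";
}
```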
Now it is time to take up access rights (not to be confused with simple file permissions, that is, what may be done with a file). For configuring them there is a simple and at the same time powerful means: placing a file named .htaccess on the server. You can create several .htaccess files, one in each of different folders of your site. The effect of the file extends to all nested folders except those that contain another .htaccess file. This file is a service file, and as a consequence it is inaccessible to site visitors, even for reading.
We shall not consider all the properties of this configuration file, since only one thing interests us: protecting the server's file system (for those whose thirst for knowledge is inexhaustible, I specially found a fairly good description of this settings file in Russian: http://www.kokos.ru/?nma=catalog*fla=stat*cat_id=8*page=1*num=16).
To forbid or permit access you use the Deny and Allow directives respectively. These directives are preceded by an Order directive that specifies the order in which the Deny and Allow directives are applied. For a better understanding, let us consider an example:
Order Deny,Allow
Deny from all
Allow from syte.com
Allow from 10.25.0.55
Having placed these directives in a .htaccess file, we forbid access to all resources in this folder and its nested folders to everyone except the computers with the addresses syte.com and 10.25.0.55.
Well, this is quite enough for understanding and for eliminating the problem. There is much more that is good to say about these settings, not only concerning protection but also concerning improving the operation of a site, but that goes far beyond the scope of this article.
Sessions in PHP
No, students, don't be frightened: sessions in PHP are much more pleasant procedures than the winter or summer ones you are used to.
When the first versions of PHP were released, programmers faced a serious problem, namely the absence of global variables: all the results of a script's work stored in variables were destroyed after it finished executing and were no longer accessible (just as in Pascal and other programming languages the variables declared inside a function are destroyed when the function finishes). The easiest way to understand this is with an example, so let us consider one:
Let the file index.php contain:
<?php
$test = "This text is set in the file index.php";
echo $test;
?>
And there is a file test.php containing the following code:
<?php
echo $test;
?>
If these scripts are executed, the first script will produce the line "This text is set in the file index.php". The second script will output nothing, since the value of the variable $test was not passed to the second script (and was not set in it).
Then programmers started using cookies to store global variables. However, this method has big drawbacks, starting with its bulkiness and ending with what is probably the most unpleasant: everything is stored on the user's side (read: the hacker's). And finally, the user may simply have cookies switched off. Many programmers in those days stopped using PHP.
However, the appearance of sessions changed everything. Now the information was stored on the server, and the user was identified by a unique session identifier. But let us take everything in order.
Since a script needs to use sessions in far from all cases, their use must be specified explicitly. For this there is the command session_start();, whose call tells the server that this page requires all the variables associated with the user. The session must be opened before any data is sent to the user, so it is desirable to call it at the very beginning of the script.
After the session has been started, you can make a variable global with the help of the function session_register("var_name"). After that the variable $var_name becomes accessible on all pages of the session. Let us modify the example given above:
File index.php:
<?php
session_start();
$test = "This text is set in the file index.php";
session_register("test");   // registers $test in the session (PHP 4, relies on register_globals)
echo $test;
?>
Session is started <br>
Now let us go and see the result: <br>
<a href="test.php">session at work</a>
And the file test.php:
<?php
session_start();
echo $test;   // $test is restored from the session (relies on register_globals)
?>
We open index.php, click the link and see that the opened test.php has received the value of the variable $test. Note that in the function session_register("test") the variable name must be passed without the $ sign. Thus, after the variable $test has been made global for the session, it will be accessible in all further scripts of this session.
If the variable is no longer needed, it can be removed with the function session_unregister();
It is also possible to destroy the session: session_destroy();
Now we have enough knowledge to write an authorization mechanism. We shall implement it in three files: index.php, auth.php and done.php. The file index.php will contain the form for entering the login and password. The data from this form will be sent for checking to the file auth.php, which in case of successful authorization will give the user access to the file done.php.
File index.php:
<html>
<body>
<form action="auth.php" method="post">
Login <input type="text" name="user_name"> <br>
Password <input type="password" name="user_pass"> <br>
<input type="submit" name="submit" value="Enter">
</form>
</body>
</html>
File auth.php:
<?php
session_start();
if ($submit)   // $submit comes from the form field (relies on register_globals)
{
    if (($user_name == "login") && ($user_pass == "password"))
    {
        $login_user = $user_name;
        session_register("login_user");   // store the login in the session
        header("Location: done.php");
        exit;
    }
}
?>
<html>
<body>
Incorrect login or password
</body>
</html>
Now let us work through the code. So, from the start we open the session: session_start(); Then we check whether the data has been sent from the form: if ($submit). This will help to avoid attacks by primitive brute-forcers (programs and scripts that enumerate passwords). We check the entered login and password: if (($user_name == "login") && ($user_pass == "password")). In this case, for simplicity, we have only one login-password pair; in reality logins and passwords are stored in files or databases, but I did not give such an example so as not to complicate understanding of the essence of authorization and its potentially dangerous places. Later we shall certainly consider how and where to store logins and passwords. So, if the correct login and password were entered, we declare the global variable $login_user and redirect the browser to the page done.php: header("Location: done.php");
And the file done.php:
<?php
session_start();
if (!isset($login_user))   // $login_user is restored from the session (relies on register_globals)
{
    header("Location: index.php");
    exit;
}
?>
<html>
<body>
You are logged in under the login:
<?php
echo "$login_user";
?>
</body>
</html>
With this script everything is already much clearer. After opening the session we check whether the user is logged in: if (!isset($login_user)). If so, we output a message in which his login is shown: You are logged in under the login: <?php echo "$login_user"; ?>; otherwise we redirect him to the page for entering the login and password: header("Location: index.php");
Now, knowing the principle of authorization mechanisms using sessions, let us consider and correct the weak points of the scripts presented. We shall not count the session identifier, which gives access to the session and is stored in the browser on the user's side, as a weak point. There are many reasons for that, starting with the fact that the identifier is valid for a short time (in particular, if the user has left the site, closed the browser or shown no activity for a long time, the session is destroyed) and ending with the fact that the identifier is usually a unique 128-bit code, as a rule more complex than any user's password.
The following points, however, are potentially dangerous:
- Despite the presence of the check that the data was sent from the form, it is easy to forge it and try to guess the password through the script auth.php
- The script done.php can be deceived like this: done.php?login_user=login
To eliminate the first vulnerability it would be desirable to do everything described in the previous article, namely: strictly accept the variable only from the POST data, check $HTTP_REFERER, and check and trim the variable. Also, since we need to protect against repeated attacks, we could record the visitor's IP and, say, block it for 15 minutes after 3 unsuccessful attempts. However, I would advise against blocking by IP: it can be bypassed trivially, and many users of proxy servers may suffer because of it. It is much more reasonable to apply a delay to authorization, i.e. directly before checking the correctness of the login and password we make a delay, say of 1 second. Users most likely will not notice it at all, while for hackers the guessing speed falls below one combination per second, which in practice completely excludes the possibility of guessing the password even with a special dictionary. The delay can be done like this:
sleep(1); // a delay of 1 second
As for the second problem, protection there is even simpler. Although any interested person can pass a variable $login_user containing an arbitrary login to the script done.php, something can still be done. Namely, remove the variable (in PHP there is no need to declare variables, so the concept of removing a variable is closer to clearing it) with the help of the function unset(); and only then open the session, in which the value of the variable $login_user taken from the server is stored, i.e. the true value, which the hacker cannot influence in any way. This can be done like this:
<?php
unset($login_user);   // clear whatever the request may have supplied
session_start();      // now $login_user can only come from the session
if (!isset($login_user))
...
As you can see, even if the variable $login_user has been passed to the script by a hacker, we clear it and only then open the session; and if the variable $login_user is there, i.e. if a successful check of the login and password has been made, we give the visitor access to the page.
Now you already know a lot about methods of protecting a site, in particular about closing holes for hackers in PHP scripts. In the next, final article we shall consider other problems of protecting PHP scripts and also, as I promised, ways of safely storing logins and passwords on the server.
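Putting both fixes together, here is a hardened rewrite of auth.php and done.php as an added example, not the article's own code. It assumes PHP 5 or later (so $_POST, $_SESSION and session_regenerate_id(true) are available), reads the form fields only from POST data, keeps the one-second delay, and stores the login in $_SESSION so that done.php?login_user=login has nothing to override; the single login/password pair remains a placeholder for a real store.

```php
<?php
// ---- auth.php (hardened, added example) ----
session_start();

// Accept only a real POST. We never read a bare $submit, so even with
// register_globals on, a crafted GET carrying ?submit=1 changes nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: index.php');
    exit;
}

// Take the fields strictly from the form data and cap their length.
$user_name = isset($_POST['user_name']) ? substr(trim($_POST['user_name']), 0, 32) : '';
$user_pass = isset($_POST['user_pass']) ? substr($_POST['user_pass'], 0, 64) : '';

// Fixed delay before the comparison, as the article suggests: guessing is
// held to about one attempt per second per connection, with no IP blocking.
sleep(1);

// Placeholder pair; a real site looks the login up in a file or database.
if ($user_name === 'login' && $user_pass === 'password') {
    session_regenerate_id(true);           // fresh session id after login
    $_SESSION['login_user'] = $user_name;  // kept on the server only
    header('Location: done.php');
    exit;
}
?>
<html><body>Incorrect login or password</body></html>

<?php
// ---- done.php (hardened, added example) ----
// The login is read from $_SESSION only, so done.php?login_user=login
// has no effect even if register_globals is on; no unset() is needed.
session_start();
if (empty($_SESSION['login_user'])) {
    header('Location: index.php');
    exit;
}
$login_user = $_SESSION['login_user'];
?>
<html><body>
You are logged in under the login:
<?php echo htmlspecialchars($login_user, ENT_QUOTES, 'UTF-8'); ?>
</body></html>
```

The two files are shown back to back in one listing for brevity; each belongs in its own file under the name in its header comment.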