Common PHP Security Mistakes

Justin Silverton's latest post lists a new set of common PHP security mistakes made in web applications. They cover 'System Calls', 'File Uploads' and 'Including Files'. In his previous post, Justin covered the top five security mistakes made in PHP; this article is a follow-up with more common mistakes.

System Calls

In PHP, there are several ways to execute system calls. The system(), exec() and passthru() functions let you run operating-system commands from within your scripts. Each of these functions, if its input is not checked, can allow a malicious user to exploit your system and execute commands that could possibly access private files and information, Justin writes.

Protecting Your System From This Attack

According to Justin, input from the user, no matter the context, should never be trusted. PHP provides two functions for this purpose, escapeshellarg() and escapeshellcmd(). The escapeshellarg() function is designed to remove or otherwise neutralise any potentially harmful characters in user input before it is used as an argument to a system command. It takes a single argument, the input to clean (called 'command' in Justin's description), and returns the cleaned string. When executed, it adds single quotes around the string and escapes (adds a slash in front of) any single quotes already present in the string. escapeshellcmd() is similar, except that it only escapes characters that have a special meaning to the underlying operating system shell. If user input will be used as part of the argument list for a system call, escapeshellarg() is always the better choice.

File Uploads

PHP will create a file with the uploaded content, but will not check whether the filename is valid or whether the type and size are correct. A user could potentially create his own form specifying the name of some other file that contains sensitive information and submit it, resulting in the processing of that other file. To avoid this problem you can use move_uploaded_file() or is_uploaded_file(). However, there are other problems with user-uploaded files, so you should also check the superglobal array to make sure that the user has uploaded the correct file type and size, Justin writes.
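The following upload handler is an added example, not code from Justin's post: it applies the checks described above (is_uploaded_file(), a size check on the stored temporary file, a content-type check that does not trust the client-supplied type, and move_uploaded_file() into a server-chosen filename). The form field name "avatar", the 2 MiB limit and the allowed types are assumptions.

```php
<?php
declare(strict_types=1);

// Assumed policy limits for this example.
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;                          // 2 MiB
const ALLOWED_MIME     = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

/**
 * Validate one entry of $_FILES and store it under a generated name.
 * Returns the stored path; throws on any failed check.
 */
function handleUpload(array $file, string $uploadDir): string
{
    // PHP reports transport-level problems here (size limits, partial uploads).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, error code ' . $file['error']);
    }

    // Only accept a path that PHP itself created for this request, so a forged
    // form cannot make the script process some other file on the server.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Check the size on disk, not the client-reported value.
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }

    // $file['type'] is supplied by the client; sniff the content instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_MIME[$mime])) {
        throw new RuntimeException('disallowed content type: ' . $mime);
    }

    // Never reuse the client-supplied filename: generate one, and take the
    // extension from the detected type rather than from the original name.
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16))
            . '.' . ALLOWED_MIME[$mime];

    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Usage, in the script that receives the form POST (field name is assumed):
// $stored = handleUpload($_FILES['avatar'], __DIR__ . '/uploads');
```

The upload directory should sit outside the web root or be configured so that stored files are never executed as scripts.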

Including Files

In PHP you can include local or remote files using include(), include_once(), require() and require_once(). This lets you keep classes, reused code and so on in separate files, increasing the maintainability and readability of your code.

The concept of including remote files is dangerous in itself, though, because the remote site could be compromised or the network connection could be spoofed. In either scenario, you are injecting unknown and possibly hostile code directly into your script. Another issue to consider is an include whose filename depends on user input. This poses a potential security issue, which can be fixed by verifying and cleaning incoming variables, Justin explains.

Don't trust any incoming variables. These can all be set by a malicious user and possibly compromise the security of your system, he concludes.
