IT Solutions Company
PHP Application & Security
Application security remains one of the biggest concerns among PHP developers, and a significant part of application problems boils down to inadequate data filtering [2]. Employing techniques for static and dynamic detection of unfiltered data may allow sites to significantly improve their security while running existing applications, by detecting and preventing insecure code execution. It is yet to be determined which of these approaches could be integrated into the PHP engine to provide a comprehensive solution without significantly impacting performance.
Please fill up the form below and we will submit a proposal for your project. Alternatively, you can send email to contact@optionm.net with the project requirements.
Contents
Overview
PHP and Web Development 2.0
PHP Application Performance
PHP Security considerations
Overview
Everyone is currently talking about Web 2.0; it is the next big thing in the IT industry. But most people have only a vague idea of what Web 2.0 is about, and what it is not. They tend to think of Web 2.0 as a collection of websites and fancy web-based applications. What they don't see is the paradigm shift that Web 2.0 brings, and the emergence of new technologies under the surface.
Application security remains one of the biggest concerns for any web application, and one of the hardest to address. This paper gives a short summary of security approaches that were tried in the past or are currently being researched, using the PHP language as the example; PHP is used by up to 67% of web developers. The security of a web application rests on the security of the underlying layers, the OS and the application platform, as well as on the application itself. While the OS layer is beyond the control of the PHP project, experience shows that the language should assist developers in writing more secure code and in running it in a more secure manner.

The majority of problems in PHP applications are caused by insecure application code, which may allow untrusted data to be injected into the output (cross-site scripting, XSS), into database queries (SQL injection) or into other sensitive commands; allow external code to run in the trusted context (remote include); or disclose data that the user is not authorized to access. The challenge for PHP as a platform is both to give developers tools to avoid such problems and to give site administrators means to detect and prevent insecure code from doing harm. The following techniques were employed or researched in PHP, with varying success.
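Two of the problem classes named above, unfiltered data reaching HTML output and a request parameter choosing which file gets included, shown as the unfiltered pattern beside a filtered one. This is an added example, not code from the original page; the page names, the templates directory and the `page` query parameter are assumptions.

```php
<?php
// Added example, not from the original page: the unfiltered pattern beside a
// filtered one for two of the problem classes named above (XSS, remote include).
// The page names, the templates directory and $_GET['page'] are assumptions.
declare(strict_types=1);

// --- XSS: untrusted data reaching HTML output -------------------------------

function renderGreetingUnsafe(string $name): string
{
    // $name is placed into the markup verbatim, so a value such as
    // <script>...</script> becomes part of the page's own script.
    return "<p>Hello, $name</p>";
}

function renderGreetingSafe(string $name): string
{
    // Escape at the point of output, for the HTML context: ENT_QUOTES also
    // covers attribute values, ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of silently returning an empty string (which would drop the content).
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<p>Hello, $escaped</p>";
}

// --- Remote / local include: a parameter choosing the file -------------------

// Vulnerable pattern (do not use):  include $_GET['page'] . '.php';
// With allow_url_include=On the parameter may even name http://attacker/...;
// with it off, ../ sequences still reach files outside the templates directory.

const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolvePage(?string $requested): ?string
{
    // Allowlist: the request value is only ever a key into a fixed map and is
    // never concatenated into the path, so neither ../ nor a URL can reach
    // anything the map does not name. Callers must pass a string: a query
    // string of page[]=x makes $_GET['page'] an array, so validate the type first.
    $key = $requested ?? 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;   // caller answers 404; never fall back to including $key
    }
    return __DIR__ . '/templates/' . PAGES[$key];
}

// --- Demonstration on constructed input ------------------------------------

$payload = '<script>alert(document.cookie)</script>';
echo renderGreetingUnsafe($payload), PHP_EOL;   // the script tag survives into the page
echo renderGreetingSafe($payload), PHP_EOL;     // angle brackets and quotes become entities

foreach (['contact', '../../etc/passwd', 'http://attacker.example/shell'] as $req) {
    $file = resolvePage($req);
    printf("%-32s -> %s\n", $req, $file ?? 'rejected');
}
```

Filtering here means encoding for the context the data ends up in, done at output time (HTML above; a URL, a JavaScript string or an SQL statement each needs its own encoding), and a fixed map for anything that selects code or files rather than any attempt to sanitize a path.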
PHP and Web Development 2.0
If you ask 20 people in the IT industry to define what Web 2.0 is, it is most likely that you will receive 20 different answers. This shows one of the main problems when talking about it: Web 2.0 is not a fixed standard or product, and the viewpoint of the individual influences his perception of Web 2.0. For consumers or journalists outside the industry, Web 2.0 is a number of applications, websites and interfaces - Google, Flickr.com or even eBay. From a developer's perspective, it is a collection of APIs, formats and code.
And a CIO or CTO of a large company might see a new approach to software architecture that helps improve the application landscape. But it is hard to write an article about a new trend without giving a proper definition of it, isn't it? Though my definition is definitely subjective, I tried to find some least common denominators. In my opinion, Web 2.0 usually includes one or more of these elements:
Rich Web Applications are most likely built with AJAX technology. Even though Web 2.0 is not only for public websites or applications, there is a large movement to build internal enterprise applications with web front ends to achieve platform independence and make it easier to deploy, manage and access business applications.
SOA (service oriented architecture). SOA means that a website or web application (or even a server-only application) exposes functionality via a service, most commonly, in our world, a web service. This makes reusing services and creating new applications, the so-called mash-ups, very easy.
Social Web elements. Almost all popular Web 2.0 applications offer collaborative or social functions that allow users to participate and create new content. The user takes part in content creation, whether actively or passively.
PHP - Programming in Web 2.0
For programming Web 2.0 applications, PHP is certainly the number one language. About 20 million sites use PHP; among them some of the biggest names in the Web 2.0 sphere like Yahoo!, Flickr, Facebook, Friendster, Technorati, Zillow.com or Tagged.com. While there are other languages in the competition for web applications, like ASP, Perl, Python and Ruby to name a few, PHP leads the field here and has a market share of more than 30 percent [3]. The renowned analyst Forrester Research evaluated 13 leading open source software projects across approximately 40 criteria and found that six of the projects stand out as examples of excellence and are ready for corporate use [4]. PHP was the only dynamic programming language in this group and stood beside MySQL, Eclipse, Apache HTTP Server, Apache Tomcat, and the JBoss Application Server. As the US magazine eWeek attested, the LAMP stack (and PHP in particular) delivers excellent performance compared to commercial alternatives such as Microsoft's .NET: "This stack's performance numbers suggest what many who have been using PHP for some time now (including some of the busiest blogs on the Web) know to be true - that a pure LAMP-based PHP system can easily handle enterprise-class traffic and loads." [5] But what makes PHP so attractive for Web 2.0? It's the same features that make Web 2.0 itself so attractive: it's easy to learn, easy to use, lightweight while offering full functionality, and it can easily be extended. Modules and libraries make PHP work with a large number of APIs and other Web 2.0 technologies. For example, there are a large number of PHP toolkits that support creating AJAX-based web applications.
Another factor in the continuing success of PHP is the professional environment companies like Zend have created for the adoption of PHP: the Zend Core stack, for example, is specifically designed to create applications for IBM or Oracle databases [6], and the open source Zend Framework will make PHP application development even easier. In addition, Zend offers commercial development and management solutions for enterprise usage. This hybrid pattern of open source, cost-free and commercial offerings is typical for Web 2.0 and supports rapid adoption and integration on the one hand and sustainable, manageable business models on the other.
PHP Application Performance
Today's Web applications deliver diverse services including static content and rich media. By providing a multi-layered approach, Zend Platform lets you optimize your application according to the services you provide. Code acceleration, content caching, download optimization and configurable off-line processing give you the performance options needed to get the most out of your business-critical applications.
Code Acceleration
Code Acceleration is the first step toward a total performance solution. By automatically caching and optimizing the compiled PHP code, application responsiveness is increased, resulting in a better end-user experience. Some applications see an immediate 2x-3x increase in performance. No code changes are required, and the feature is fully configurable.
Dynamic Content Caching
Dynamic Content Caching is the second layer in an overall performance solution. It increases responsiveness by caching generated pages, eliminating the need to regenerate them on every request. In many web applications a page is exactly the same for all users once it has been generated; caching the result of the first access removes costly operations such as database queries from subsequent ones. A programmatic API supports partial page caching, giving programmers fine-grained control over what is cached. Pages that contain per-user data (account details, anti-CSRF tokens, anything shown only after login) must be excluded from a shared cache or keyed by user, otherwise one user's cached page is served to the next. Claimed gains are 20x to 150x depending on the application; setup is UI based and requires no application changes in most cases; full and partial page caching are supported.
New! Support URL based caching for Zend Framework and other MVC architectures.
New! Support for caching in memory or on disk.
New! Caching "Name Spaces" to simplify cache management.
Integrated with Output Compression and Client Side caching.
Client Side Caching
The third level in application performance is client-side content caching. This feature uses the caching mechanisms already built into browsers and web servers. Content such as web pages, PDF files and more is cached on the end user's machine and only re-sent from the server when the content has "expired". Zend Platform's caching and download functions automatically insert the required content-expiration HTTP headers to enable this transparently. The result is faster response times due to the reduced number of server requests, and lower network bandwidth requirements.
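The validator-based conditional request that browser caching relies on, built by hand so the headers a platform would "insert transparently" are visible. This is an added example, not code from the original page or from Zend Platform; the shape of the request-header array and the `$isPersonal` flag are assumptions of the example.

```php
<?php
// Added example, not from the original page or from Zend Platform: the
// conditional request (ETag / If-None-Match -> 304) behind client-side caching.
// The request-header array shape and $isPersonal are assumptions of this example.
declare(strict_types=1);

/**
 * Build the response for a GET of $body. Returns [status, headers, body].
 * $isPersonal marks content that differs per logged-in user: it may sit in the
 * browser's own cache but must never be stored by a shared proxy or by a
 * server-side page cache that is keyed only by URL.
 */
function cacheAwareResponse(string $body, array $requestHeaders, bool $isPersonal, int $maxAge = 3600): array
{
    // Strong validator derived from the content: any change produces a new tag,
    // so a stale copy is never confirmed as fresh.
    $etag = '"' . hash('sha256', $body) . '"';

    $headers = [
        'ETag'          => $etag,
        // max-age supersedes the older Expires header for caches that know Cache-Control.
        'Cache-Control' => ($isPersonal ? 'private' : 'public') . ', max-age=' . $maxAge,
        // Vary names the request headers that select a different representation.
        'Vary'          => $isPersonal ? 'Accept-Encoding, Cookie' : 'Accept-Encoding',
    ];

    // The browser revalidates with If-None-Match: "tag1", "tag2" (or "*").
    $ifNoneMatch = $requestHeaders['If-None-Match'] ?? null;
    if ($ifNoneMatch !== null) {
        $offered = array_map('trim', explode(',', $ifNoneMatch));
        if (in_array('*', $offered, true) || in_array($etag, $offered, true)) {
            return [304, $headers, ''];         // Not Modified: no body is sent
        }
    }

    $headers['Content-Type'] = 'text/html; charset=UTF-8';
    return [200, $headers, $body];
}

/** Send the response under a web SAPI; under the CLI just print it for inspection. */
function emit(array $response): void
{
    [$status, $headers, $body] = $response;
    if (PHP_SAPI === 'cli') {
        echo "HTTP $status\n";
        foreach ($headers as $name => $value) {
            echo "$name: $value\n";
        }
        echo "\n", $body, "\n";
        return;
    }
    http_response_code($status);
    foreach ($headers as $name => $value) {
        header("$name: $value");
    }
    echo $body;
}

// Demonstration on constructed requests: a first fetch, then a revalidation
// carrying the tag that the first response handed out.
$page = "<h1>Pricing</h1>\n";
$first = cacheAwareResponse($page, [], false);
emit($first);
$second = cacheAwareResponse($page, ['If-None-Match' => $first[1]['ETag']], false);
emit($second);
```

Hashing the whole body to compute the tag only saves bandwidth, not the work of generating the page; pairing it with the server-side page cache described above is what removes the regeneration. Keep `Cache-Control: private` on anything rendered for a logged-in user.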
Output Compression
The fourth level in optimizing for performance is Output Compression. This increases responsiveness by reducing the time needed to send web pages to the browser. By compressing HTML output before it is sent, the amount of data transferred is significantly reduced, saving time and bandwidth. The compressed output is transparently decompressed by the browser and requires no code changes to implement. One caveat: a response that carries both a per-session secret (such as an anti-CSRF token) and text the requester controls is the precondition for compression side-channel attacks such as BREACH, so either leave such responses uncompressed or randomize the token on every response.
Saves up to 90% of the original bandwidth.
Saves CPU compression overhead by working with Dynamic Content Caching.
Transparent support for most popular web browsers
Zend Download Server (ES)
Zend Download Server is the next level in a comprehensive approach to application performance. Many web sites serve large images, files or other content. The Download Server increases scalability by offloading the sending of files from the Apache web server, freeing it to handle more user requests. Benefits include:
Seamlessly plugs into the existing Apache/PHP configurations.
Increases download performance up to 10x for simultaneous file downloads.
New! Integrated with Client side caching.
New! API to download non-file content.
New! Specify custom content headers to control the content download process.
Job Queues - Off-line Processing (ES)
Job Queues adds one more layer to the performance story. Job Queues improve user responsiveness by offloading long running processes that are not essential for user interaction. By providing a capability to queue processes for execution in the background, responses are sent back to the user without waiting for the time consuming operations to complete.
Schedule jobs for future off-line processing.
Schedule repeated operations to occur at low load times.
Manage Job and Queues from the Configuration Management UI.
PHP Security considerations
A completely secure system is a virtual impossibility, so an approach often used in the security profession is one of balancing risk and usability. If every variable submitted by a user required two forms of biometric validation (such as a retinal scan and a fingerprint), you would have an extremely high level of accountability. It would also take half an hour to fill out a fairly complex form, which would tend to encourage users to find ways of bypassing the security.
The best security is often unobtrusive enough to suit the requirements without the user being prevented from accomplishing their work, or over-burdening the code author with excessive complexity. Indeed, some security attacks are merely exploits of this kind of overly built security, which tends to erode over time.
A phrase worth remembering: A system is only as good as the weakest link in a chain. If all transactions are heavily logged based on time, location, transaction type, etc. but the user is only verified based on a single cookie, the validity of tying the users to the transaction log is severely weakened.
When testing, keep in mind that you will not be able to test all possibilities for even the simplest of pages. The input you may expect will be completely unrelated to the input given by a disgruntled employee, a cracker with months of time on their hands, or a housecat walking across the keyboard. This is why it's best to look at the code from a logical perspective, to discern where unexpected data can be introduced, and then follow how it is modified, reduced, or amplified.
The Internet is filled with people trying to make a name for themselves by breaking your code, crashing your site, posting inappropriate content, and otherwise making your day interesting. It doesn't matter if you have a small or large site, you are a target by simply being online, by having a server that can be connected to. Many cracking programs do not discern by size, they simply trawl massive IP blocks looking for victims. Try not to become one.
Database Security
Nowadays, databases are central components of almost any web based application, enabling websites to provide varying dynamic content. Since sensitive or secret information may be stored in a database, you should strongly consider protecting it. To retrieve or store information you connect to the database, send a legitimate query, fetch the result, and close the connection. The query language commonly used in this interaction is the Structured Query Language (SQL).
As you can surmise, PHP cannot protect your database by itself. The following sections introduce the very basics of accessing and manipulating databases safely from PHP scripts.
Keep in mind this simple rule: defense in depth. The more places you take action to increase the protection of your database, the less probability of an attacker succeeding in exposing or abusing any stored information. Good design of the database schema and the application deals with your greatest fears.
Designing Databases
The first step is always to create the database, unless you want to use one from a third party. When a database is created, it is assigned to an owner, who executed the creation statement. Usually, only the owner (or a superuser) can do anything with the objects in that database, and in order to allow other users to use it, privileges must be granted.
Applications should never connect to the database as its owner or a superuser, because these users can execute any query at will, for example, modifying the schema (e.g. dropping tables) or deleting its entire content.
Create different database users for every aspect of your application, each with very limited rights to database objects. Grant only the privileges that are actually required, and avoid letting the same user serve several use cases. This means that if intruders gain access to your database using your application's credentials, they can only effect as many changes as your application can.
You are encouraged not to implement all the business logic in the web application (i.e. your script); instead, put it in the database schema using views, triggers or rules. If the system evolves, new clients will need to connect to the database, and you would otherwise have to re-implement the logic in each of them. Over and above that, triggers can be used to transparently and automatically handle fields, which often provides insight when debugging problems with your application or tracing back transactions.
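Defence in depth around a single lookup, covering both the query-level point (a concatenated query beside a prepared statement) and the schema-level point just made (a view that hides the secret column and a trigger that maintains a field for every client). This is an added example, not code from the original page; it uses an in-memory SQLite database so it runs offline, and the `accounts` table, the view, the trigger and the sample rows are constructed for the demonstration. SQLite has no users, so the GRANT step the page recommends (the web user gets SELECT on the view only) is noted in a comment rather than executed.

```php
<?php
// Added example, not from the original page: defence in depth around one
// lookup, using an in-memory SQLite database so that it runs offline. The
// 'accounts' table, the view, the trigger and the sample rows are constructed
// for this demonstration; on MySQL or PostgreSQL the web user would be granted
// SELECT on the view only, a step SQLite (which has no users) cannot show.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // fail loudly instead of returning false
]);

// Schema. The secret column stays in the base table only.
$db->exec('CREATE TABLE accounts (
    id            INTEGER PRIMARY KEY,
    username      TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    email         TEXT NOT NULL,
    updated_at    TEXT
)');
$db->exec("INSERT INTO accounts (username, password_hash, email) VALUES
    ('alice', 'hash-a', 'alice@example.com'),
    ('bob',   'hash-b', 'bob@example.com')");

// Logic in the schema rather than in every client: a view that omits the hash,
// and a trigger that stamps updated_at whenever a row's data changes.
$db->exec('CREATE VIEW account_public AS
           SELECT id, username, email, updated_at FROM accounts');
$db->exec("CREATE TRIGGER accounts_touch AFTER UPDATE OF email, password_hash ON accounts
           BEGIN
               UPDATE accounts SET updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now') WHERE id = NEW.id;
           END");

function findByUsernameUnsafe(PDO $db, string $username): array
{
    // The value is spliced into the SQL text, so a quote in it changes the query.
    $sql = "SELECT id, username, email FROM account_public WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function findByUsernameSafe(PDO $db, string $username): array
{
    // Prepared statement: the SQL is fixed, the value travels as a parameter and
    // can only ever be compared against the column, never parsed as SQL.
    $stmt = $db->prepare('SELECT id, username, email, updated_at FROM account_public WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration with a constructed tautology payload.
$payload = "x' OR '1'='1";
printf("concatenated: %d row(s)\n", count(findByUsernameUnsafe($db, $payload)));  // the OR matches every account
printf("prepared:     %d row(s)\n", count(findByUsernameSafe($db, $payload)));    // no account has that literal name

// The trigger fires for any client that updates the row, including this one.
$db->prepare('UPDATE accounts SET email = :e WHERE username = :u')
   ->execute([':e' => 'alice@new.example', ':u' => 'alice']);
print_r(findByUsernameSafe($db, 'alice'));
```

With pdo_sqlite every statement is prepared natively; on pdo_mysql also set `PDO::ATTR_EMULATE_PREPARES` to `false` so that binding happens on the server rather than by client-side quoting.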
Filesystem Security
PHP is subject to the security built into most server systems with respect to permissions on a file and directory basis. This allows you to control which files in the filesystem may be read. Care should be taken with any files which are world readable to ensure that they are safe for reading by all users who have access to that filesystem.
Since PHP was designed to allow user level access to the filesystem, it's entirely possible to write a PHP script that will allow you to read system files such as /etc/passwd, modify your ethernet connections, send massive printer jobs out, etc. This has some obvious implications, in that you need to ensure that the files that you read from and write to are the appropriate ones.
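Confining file reads to one directory tree so that a request for `../../etc/passwd` cannot leave it. This is an added example, not code from the original page; the `docs` directory and its sample file are created under the system temp directory and are constructed for the demonstration. It assumes PHP 8 on a POSIX system (for `str_starts_with()` and `symlink()`).

```php
<?php
// Added example, not from the original page: confining reads to one directory
// tree so that a request for "../../etc/passwd" cannot leave it. The docs
// directory and sample file are created under the system temp dir and are
// constructed for this demonstration. Assumes PHP 8 on a POSIX system.
declare(strict_types=1);

/**
 * Map a user-supplied relative path onto a regular file inside $baseDir.
 * Returns the canonical path, or null if the path does not exist, is not a
 * regular file, or resolves outside the base directory.
 */
function safeFilePath(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // PHP 8 filesystem functions throw on NUL bytes; rejecting them first keeps
    // the failure an ordinary "not found" instead of an exception.
    if (str_contains($userPath, "\0")) {
        return null;
    }
    // realpath() resolves "..", "." and symlinks, and returns false if the
    // target does not exist; the comparison below is therefore made against
    // where the path actually lands, not against its spelling.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the separator appended so that /srv/docs does not match /srv/docs-private.
    if (!str_starts_with($candidate, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $candidate;
}

function readDocument(string $baseDir, string $userPath): ?string
{
    $path = safeFilePath($baseDir, $userPath);
    return $path === null ? null : file_get_contents($path);
}

// --- Demonstration on a constructed directory tree --------------------------
$docs = sys_get_temp_dir() . '/docs_' . bin2hex(random_bytes(4));
mkdir($docs . '/public', 0700, true);
file_put_contents($docs . '/public/readme.txt', "constructed sample document\n");
symlink('/etc/passwd', $docs . '/public/passwd-link');   // a symlink planted inside the tree

$requests = [
    'public/readme.txt',                    // legitimate
    '../../etc/passwd',                     // plain traversal
    'public/../../../../../etc/passwd',     // traversal through a valid prefix
    "public/readme.txt\0.jpg",              // NUL-byte extension trick
    'public/passwd-link',                   // symlink pointing outside the tree
];
foreach ($requests as $req) {
    $result = readDocument($docs, $req);
    printf("%-40s %s\n", addcslashes($req, "\0"), $result === null ? 'rejected' : 'served');
}

// remove the constructed tree
unlink($docs . '/public/passwd-link');
unlink($docs . '/public/readme.txt');
rmdir($docs . '/public');
rmdir($docs);
```

The `open_basedir` php.ini directive gives the same confinement at the engine level for every filesystem call and is worth setting as well, but it is a boundary for the whole process, whereas the check above lets one feature read only `docs/` while the same script still writes to its own cache directory. Running the web server as a user that cannot read what the application does not need completes the picture.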
2008. Option Matrix is a registered trademark of Option Matrix InfoTech Pvt. Ltd.
All product names and trademarks are the property of their respective owners and are acknowledged.