Tuesday, 13 March 2007
PHP Security Tip to Always Validate User Input
Cal Evans, in a post over on the Zend Developer Zone, has posted a security tip: always validate user input. He states that the best way to achieve good security is to combine tactics. He talks about filtering and says that, beyond filtering, you still need to be vigilant and validate input coming in from a user.
To make this clearer, he gives some example code. He says that calling http://example.com/file.php?file=home.php will cause your script to include the file home.php from your current directory. However, if someone requests http://example.com/file.php?file=badcode.php, you are potentially exposing yourself to executing their code. He says you should not depend solely on file_exists(): just because a file is local does not mean it is a valid file to include. This may give hackers an easy way to execute their code on your server, he says.
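The following is an added example (not Cal Evans's code) that puts the tip into practice for the file.php scenario above: the file_exists()-only check beside a version that combines an allow-list of known page names with a check that the resolved path stays inside a pages directory. The pages directory, the page names and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the original post. Assumed layout: file.php serves
// pages stored under ./pages/, requested as file.php?file=home.php.

// The pattern the post warns about: file_exists() is a presence check, not
// validation. Any readable local file passes it, including files the user
// placed there (an upload, a temp file) or files that were never meant to be
// included directly.
function includeUnsafe(string $file): void
{
    if (file_exists($file)) {
        include $file;
    }
}

// Hardened version, combining tactics as the post advises.
const PAGES_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = ['home.php', 'about.php', 'contact.php']; // assumed

function resolvePage(?string $file): ?string
{
    // 1. Shape check: a bare filename only, no separators, no traversal.
    if ($file === null || !preg_match('/^[a-z0-9_-]{1,32}\.php$/', $file)) {
        return null;
    }
    // 2. Allow-list: only pages this script is meant to serve.
    if (!in_array($file, ALLOWED_PAGES, true)) {
        return null;
    }
    // 3. Path containment: resolve symlinks and confirm the real path is
    //    still inside PAGES_DIR. realpath() returns false for a missing file.
    $base = realpath(PAGES_DIR);
    $candidate = realpath(PAGES_DIR . '/' . $file);
    if ($base === false || $candidate === false
        || strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

$page = resolvePage($_GET['file'] ?? 'home.php');
if ($page === null) {
    http_response_code(404);
    exit('Unknown page');
}
include $page;
```

With the allow-list in place the containment check is redundant for well-formed input, but it is cheap and catches a future edit that loosens the allow-list or points PAGES_DIR at a directory containing symlinks.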
Read the Post