Speeding up your PHP database application

A slide deck over at talks.php.net shows how to speed up a PHP database application using a practical example. A real-world setup (Ubuntu, Apache, PHP5, MySQL) is used for the benchmark.

Using conventional techniques such as APC (opcode caching), query caching, direct MySQL queries and persistent database connections, the number of script hits per second was raised from 17 to over 1100.

Source: Talks.PHP.Net: OsCon 2006 Sheets (2006-08-01 02:40:40)

Create HTTP 404 errors with PHP

For security reasons, sending your visitors a 404 error can be better than printing the actual PHP error message: an error message reveals file paths, query fragments and other details of your script logic that a plain 404 does not.

Why bother? Attackers actively scan web servers for scripts that can be exploited. As soon as they find a weak one, they abuse it to gain control of the server. To see whether you are being probed, scan your Apache error logs for suspicious entries like these:

[Sun Apr 16 22:15:08 2006] [error] [client 217.50.241.42] Invalid method in request recipientid=105&sessionid=440
[Sun Apr 16 22:43:32 2006] [error] [client 217.50.241.42] Invalid method in request recipientid=101&sessionid=6014
[Sun Apr 16 23:06:11 2006] [error] [client 217.50.241.42] Invalid method in request recipientid=103&sessionid=4424
[Sun Apr 16 23:06:11 2006] [error] [client 217.50.241.42] Invalid method in request recipientid=103&sessionid=4424

To hide the script's activity and give out no information, have your PHP script answer with a 404 error whenever its input does not look legitimate. The header must be sent before the script produces any output, and display_errors should be off, since a PHP warning printed before the header() call would both leak the information and stop the 404 from being sent:

header("HTTP/1.0 404 Not Found"); // must be sent before any other output
exit;                             // stop here so nothing else is revealed

This creates the illusion of a non-existent script ("File not found") and is likely to stop an attacker from probing it further. It is camouflage, not a fix: the script still has to validate its input properly, and the real error should go to the server log (log_errors on) rather than to the browser (display_errors off).
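The two halves of the tip, spotting probes in the log and answering bad input with a bare 404, as one added example (not code from the original post). It assumes PHP 7.1 or later; the function names not_found(), require_int() and count_probes() are mine, the parameter names recipientid and sessionid come from the log lines above, and the sample log lines are constructed rather than taken from a real server:

```php
<?php
// Added example: reject malformed request parameters with a bare 404 and keep
// the reason in the server log only. Assumes PHP 7.1+.

ini_set('display_errors', '0');   // never print PHP errors to the browser
ini_set('log_errors', '1');       // ... but keep them in the server-side log

// Send a plain 404 and stop. Nothing about the script's logic reaches the
// client; the reason is only recorded in the error log.
function not_found(string $reason): void
{
    error_log("probe rejected: $reason from " . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
    header("HTTP/1.0 404 Not Found");   // must precede any output
    exit;
}

// Fetch an integer parameter from a request array. Anything that is not a
// positive integer within range is treated as a probe, not as an error to
// explain to the caller.
function require_int(array $src, string $name, int $max = PHP_INT_MAX): int
{
    $v = filter_var($src[$name] ?? null, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => $max]]);
    if ($v === false) {
        not_found("bad $name");
    }
    return $v;
}

// Count "Invalid method in request" entries per client IP in Apache error-log
// lines of the format quoted above. Returns [ip => count], busiest first.
function count_probes(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (preg_match('/\[client ([0-9.]+)\] Invalid method in request/', $line, $m)) {
            $hits[$m[1]] = ($hits[$m[1]] ?? 0) + 1;
        }
    }
    arsort($hits);
    return $hits;
}

// Constructed sample log lines, modelled on the entries above (not real traffic).
$sample = [
    '[Sun Apr 16 22:15:08 2006] [error] [client 217.50.241.42] Invalid method in request recipientid=105&sessionid=440',
    '[Sun Apr 16 22:43:32 2006] [error] [client 217.50.241.42] Invalid method in request recipientid=101&sessionid=6014',
    '[Sun Apr 16 23:10:00 2006] [error] [client 10.0.0.5] File does not exist: /var/www/favicon.ico',
];
print_r(count_probes($sample));   // only the "Invalid method" client is counted

// In a real script $_GET would be passed here; a constructed request is used
// instead so the example also runs from the command line. Replace the values
// with something like '105 OR 1' to see the script drop into not_found().
$request = ['recipientid' => '105', 'sessionid' => '440'];
$recipient = require_int($request, 'recipientid');
$session   = require_int($request, 'sessionid');
echo "valid request for recipient $recipient, session $session\n";
```

The validation happens before anything is echoed, which is the only point at which header() can still change the response; that ordering, together with display_errors being off, is what makes the 404 reliable.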

Source: (2006-07-28 06:26:27)

Sanitize variables to prevent MySQL insertion exploits

When using PHP for web applications, sanitising input variables is more important than you might think, even with register_globals turned off (that setting only stops request parameters from being injected as global variables; it does nothing about what the parameters contain).

Basically every script that works with GET, POST or cookie input is affected by this. If it is not sanitised, that input can be manipulated to run SQL injection attacks (called "MySQL insertion exploits" in the original). A successful injection can be used to dump or delete your whole database, read password hashes and, if the MySQL user has the FILE privilege, read or write files on the server.

To prevent injection, you have to make sure that form input only ever reaches MySQL as data, never as part of the SQL statement. Checking the input for unwanted content is the simplest form of this; escaping it for the query (mysql_real_escape_string()) or, better, passing it as a bound parameter of a prepared statement (mysqli or PDO) is the reliable one.

The following example deals with a PHP shopping cart script. A common line in such a script would be:

$cart_newitem=$_POST['newitem'];      // raw request value, taken as-is
mysql_query("INSERT INTO `cart` ( ...  // ... and spliced straight into the query

Running the query without verifying the input is very dangerous for the integrity of your site. Whatever is posted as newitem can be crafted to run just about any MySQL query on your machine within the rights of your MySQL user (one more reason to give that user only the privileges the shop needs). To sanitise your variables so that the script inserts only valid data and refuses obvious hack attempts, you can use a function such as the following.

function sanitize($str){
    $forbidden = array(
        "<",  // HTML tag + comparison operator
        ">",  // HTML tag + comparison operator
        "'",  // SQL string delimiter
        "\"", // SQL string delimiter
        "%",  // SQL LIKE wildcard
        "*",  // SQL wildcard (SELECT *)
        "´",  // acute accent, often tried in place of a quote
        "`",  // MySQL identifier quote
        "="   // comparison operator
    );
    for ($i = 0; $i < count($forbidden); $i++) {
        $repl = $forbidden[$i];
        $str  = str_replace($repl, "", $str);   // drop every occurrence
    }
    return $str;
}

All this does is delete the listed characters, so the simplest injection (closing the string literal with a quote) is no longer possible. It is a blacklist, though: it does not touch the backslash, the semicolon, the comment sequences -- and /* */, or parentheses and commas, and it does nothing at all for a value that is used unquoted in the query (a numeric id or quantity, for example). Treat it as a first line of defence in front of escaping or prepared statements, not as a replacement for them. After the forbidden characters are removed, the filtered input is returned.
You then use the sanitising function in your scripts like this:

$cart_newitem=sanitize($_POST['newitem']);
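To make the difference concrete, here is the cart INSERT done three ways, as an added example that is not code from the original post: with the request value spliced into the SQL, with the post's blacklist filter in front of it, and with a prepared statement. It uses an in-memory SQLite database through PDO, an assumption made so the script runs offline from the command line with PHP 7.1 or later (the original targets MySQL through the old mysql_* functions; the same prepared-statement technique is available there via mysqli or PDO). The users table, the cart columns and both attacker inputs are constructed for the demonstration.

```php
<?php
// Added example: string-spliced INSERT vs. blacklist filter vs. prepared
// statement. SQLite in memory via PDO is an assumption for offline use.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES ('admin', 'hunter2')");
$db->exec('CREATE TABLE cart (id INTEGER PRIMARY KEY, item TEXT NOT NULL, qty INTEGER NOT NULL)');

// The post's sanitize(): strip a fixed list of characters.
function sanitize(string $str): string
{
    return str_replace(['<', '>', "'", '"', '%', '*', '´', '`', '='], '', $str);
}

// 1. The post's original pattern: request values spliced into the SQL text.
function insert_unsafe(PDO $db, string $item, string $qty): void
{
    $db->exec("INSERT INTO cart (item, qty) VALUES ('$item', $qty)");
}

// 2. Parameterised insert: values travel separately from the SQL text, so
//    they cannot change the statement. qty is also checked to be an integer,
//    because a bound parameter is still only the *value* the caller passed.
function insert_prepared(PDO $db, string $item, string $qty): void
{
    $n = filter_var($qty, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        throw new InvalidArgumentException('qty must be a positive integer');
    }
    $stmt = $db->prepare('INSERT INTO cart (item, qty) VALUES (:item, :qty)');
    $stmt->execute([':item' => $item, ':qty' => $n]);
}

// Return what ended up in the cart, then empty it for the next run.
function cart_rows(PDO $db): array
{
    $rows = $db->query('SELECT item, qty FROM cart ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
    $db->exec('DELETE FROM cart');
    return $rows;
}

// Constructed attacker inputs (not taken from any real incident).
// a) closes the quoted item value and appends a second row read from `users`
$evil_item = "x', 1), ((SELECT secret FROM users), 1); --";
// b) aimed at the unquoted numeric qty value; uses none of the blacklisted characters
$evil_qty  = "1), ((SELECT secret FROM users), 1); --";

insert_unsafe($db, $evil_item, '1');
echo "unsafe, quoted payload:     ", json_encode(cart_rows($db)), "\n";
// the admin secret appears as a second cart row

insert_unsafe($db, sanitize($evil_item), '1');
echo "blacklist, quoted payload:  ", json_encode(cart_rows($db)), "\n";
// the quote is gone, so the mangled text is stored as a single item: blocked ...

insert_unsafe($db, 'pen', sanitize($evil_qty));
echo "blacklist, numeric payload: ", json_encode(cart_rows($db)), "\n";
// ... but nothing was stripped here and the secret is copied into the cart again

insert_prepared($db, $evil_item, '1');
echo "prepared, quoted payload:   ", json_encode(cart_rows($db)), "\n";
// the whole payload is stored verbatim as the item name; no extra row

try {
    insert_prepared($db, 'pen', $evil_qty);
} catch (InvalidArgumentException $e) {
    echo "prepared, numeric payload:  rejected (", $e->getMessage(), ")\n";
}
```

The third run is the one to remember: sanitize() passes the numeric payload through untouched because it contains no quote or other blacklisted character, while the prepared statement never lets any input alter the SQL and the integer check in front of it rejects the value outright.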


Source: (2006-07-26 18:03:45)