Secure PHP Development: Building 50 Practical Applications Published by Wiley Publishing, Inc. 10475 Crosspoint Boulevard Indianapolis, IN 46256 www.wiley.com Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada ISBN: 0-7645-4966-9 Manufactured in the United States of America 10 9 8 7 6 5 4 3 2 1 1B/SU/QU/QT/IN No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, E-Mail: permcoordinator@wiley.com. is a trademark of Wiley Publishing, Inc. LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES. For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at (800) 762-2974, outside the U.S. at (317) 572-3993 or fax (317) 572-4002. Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books. Library of Congress Cataloging-in-Publication Data Library of Congress Control Number: 2003101844 Trademarks: Wiley, the Wiley Publishing logo, and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book. 01549669 FM.qxd 4/4/03 9:23 AM Page iv Credits SENIOR ACQUISITIONS EDITOR Sharon Cox ACQUISITIONS EDITOR Debra Williams Cauley PROJECT EDITOR Sharon Nash DEVELOPMENT EDITORS Rosemarie Graham Maryann Steinhart TECHNICAL EDITORS Richard Lynch Bill Patterson COPY EDITORS Elizabeth Kuball Luann Rouff EDITORIAL MANAGER Mary Beth Wakefield VICE PRESIDENT & EXECUTIVE GROUP PUBLISHER Richard Swadley VICE PRESIDENT AND EXECUTIVE PUBLISHER Bob Ipsen VICE PRESIDENT AND PUBLISHER Joseph B. Wikert EXECUTIVE EDITORIAL DIRECTOR Mary Bednarek PROJECT COORDINATOR Dale White GRAPHICS AND PRODUCTION SPECIALISTS Beth Brooks Kristin McMullan Heather Pope QUALITY CONTROL TECHNICIANS Tyler Connoley David Faust Andy Hollandbeck PROOFREADING AND INDEXING TECHBOOKS Production Services 01549669 FM.qxd 4/4/03 9:23 AM Page v About the Author Mohammed J. Kabir is CEO and founder of EVOKNOW, Inc. His company (www.evoknow.com) develops software using LAMP (Linux, Apache, MySQL, and PHP), Java, and C++. It specializes in custom software development and offers security consulting services to many companies around the globe. When he is not busy managing software projects or writing books, Kabir enjoys riding mountain bikes and watching sci-fi movies. Kabir studied computer engi- neering at California State University, Sacramento, and is also the author of Apache Server 2 Bible, Apache Server Administrator’s Handbook, and Red Hat Server 8. You can contact Kabir via e-mail at kabir@evoknow.com or visit the book’s Web site at http://www.evoknow.com/publications/books/phpbook.php. 01549669 FM.qxd 4/4/03 9:23 AM Page vi Preface Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since its first incarnation as a Perl script. Now PHP is a pow- erful Web scripting language with object-oriented programming support. Slowly but steadily it has entered the non-Web scripting arena often reserved for Perl and other shell scripting languages. Arguably, PHP is one of the most popular Web plat- forms. In this book you will learn about how to secure PHP applications, how to develop and use an application framework to develop many useful applications for both Internet and intranet Web sites. Is This Book for You? This is not a PHP language book for use as reference. There are many good PHP language books out there. This book is designed for intermediate- to advanced- level PHP developers who can review the fifty PHP applications developed for this book and deploy them as is or customize them as needed. However, it is entirely possible for someone with very little PHP background to deploy the applications developed for this book. Therefore, even if you are not currently a PHP developer, you can make use of all the applications with very little configuration changes. If you are looking for example applications that have defined features and implementation requirements, and you want to learn how applications are devel- oped by professional developers, this book a great starting point. Here you will find numerous examples of applications that have been designed from the ground up using a central application framework, which was designed from scratch for this book. The book shows developers how PHP applications can be developed by keeping security considerations in focus and by taking advantage of an object-oriented approach to PHP programming whenever possible to develop highly maintainable, extensible applications for Web and intranet use. How This Book Is Organized The book is organized into seven parts. Part I: Designing PHP Applications Part I is all about designing practical PHP applications while understanding and avoiding security risks. In this part, you learn about practical design and imple- mentation considerations, best practices, and security risks and the techniques you can take to avoid them. vii 01549669 FM.qxd 4/4/03 9:23 AM Page vii Part II: Developing Intranet Solutions Part II introduces you to the central application framework upon which almost all the Web and intranet applications designed and developed for this book are based. The central application framework is written as a set of object-oriented PHP classes. Using this framework of classes, you are shown how to develop a set of intranet applications to provide central authentication, user management, simple document publishing, contact management, shared calendar, and online help for your intranet users. Because all of the applications in this part of the book are based on the core classes discussed in the beginning of the book, you will see how that architecture works very well for developing most common applications used in modern intranets. Part III: Developing E-mail Solutions Part III deals with e-mail applications. These chapters describe a suite of e-mail applications such as Tell-a-Friend applications, e-mail-based survey applications, and a MySQL database-driven e-mail campaign system that sends, tracks, and reports e-mail campaigns. Part IV: Using PHP for Sysadmin Tasks Part IV focuses on demonstrating how PHP can become a command-line scripting platform for managing many system administration tasks. In these chapters, you learn to work with many command-line scripts that are designed for small, specific tasks and can be run automatically via Cron or other scheduling facilities. Applications developed in this part include the Apache virtual host configuration generator, the BIND zone generator, a multi-user e-mail reminder tool, a POP3 spam filtering tool, a hard disk partition monitoring tool, a system load monitoring tool, and more. Part V: Internet Applications In Part V, you learn how to develop a generic Web form management application suite and a voting (poll) application for your Web site. Because Web form manage- ment is the most common task PHP performs, you will learn a general-purpose design that shows you how PHP can be used to centralize data collection from Web visitors, a critical purpose of most Web sites. Part VI: Tuning and Securing PHP Applications In this part, you learn ways to fine-tune your PHP applications for speed and secu- rity. You will learn how to benchmark your applications, and cache your applica- tion output and even application opcode. You will also learn to protect your applications using various security measures involving PHP development and the Apache Web server platform. viii Preface 01549669 FM.qxd 4/4/03 9:23 AM Page viii . at http://www.evoknow.com/publications/books/phpbook .php. 01549669 FM.qxd 4/4/03 9:23 AM Page vi Preface Welcome to Secure PHP Development: Building 50 Practical Applications. PHP has come a long way since. a PHP language book for use as reference. There are many good PHP language books out there. This book is designed for intermediate- to advanced- level PHP developers who can review the fifty PHP. and other shell scripting languages. Arguably, PHP is one of the most popular Web plat- forms. In this book you will learn about how to secure PHP applications, how to develop and use an application