Concerns about "default" PHP settings

Problems with the Windows version of XAMPP, questions, comments, and anything related.


Post by macros » 10. June 2007 04:56

Hi All,

I've just installed XAMPP 1.6.2 and thought I'd start a discussion on some default PHP settings that are provided in the setup.
    * short_open_tag = On - This usage has been deprecated and can cause issues with XML, etc. Setting to Off breaks the XAMPP interface as someone took a shortcut & uses <?=?> etc a lot.
    * register_long_arrays = On - This has been deprecated in preference for the super globals $_GET, $_POST, etc. It is recommended to disable this as it reduces memory usage.
    * register_argc_argv = On - Not usually used in web-based scripts.
    * magic_quotes_gpc = On - This is a kludge to "filter" data to protect from various remote data injections. A better solution is to manually filter input & escape output.

Those are the main issues I've found with the default settings. Some are minor-ish, some are pretty major, depending on your point of view.

The worst culprit that I can see is the short_open_tags. It's unable to be turned off at the moment as it breaks the XAMPP UI, yet it's been recommended not to use it for quite a while now.

Any other opinions?

Cameron.
macros
 
Posts: 5
Joined: 10. June 2007 04:24

Post by Codesmith » 10. June 2007 08:17

In general just because a setting allows for bad programming practices, doesn't mean you are forced to write bad code.

I think the default settings should be geared to make things easy as possible for the unskilled.

Anyone skilled can be expected to change the setting to whatever they want.

Also why worry about breaking the xampp pages, they are not needed for anything, you can just delete them.

As far as magic quotes, they are useful to the unskilled who may not understand php and mysql security issues.

The skilled can decide for themselves whether they want to use magic quotes or not.
Codesmith
 
Posts: 101
Joined: 31. March 2007 21:11

Post by macros » 10. June 2007 08:39

Codesmith wrote: In general just because a setting allows for bad programming practices, doesn't mean you are forced to write bad code.

I agree, but lack of knowledge can lead to that bad code.

Codesmith wrote: Also why worry about breaking the xampp pages, they are not needed for anything, you can just delete them.

Well, they are useful for checking settings & also useful for the links to the tools.

Codesmith wrote: As far as magic quotes, they are useful to the unskilled who may not understand php and mysql security issues.

Well, that's part of the problem. magic_quotes DON'T protect against some of the SQL injection stuff. It's a false sense of security.

I just assumed that rather than making life easy but less secure, it would be better to make it more secure to begin with, even if it does mean that people need to do some reading to understand why stuff isn't working. It's been part of the problem with PHP which is trying to be fixed in PHP6.

*shrug*
macros
 
Posts: 5
Joined: 10. June 2007 04:24

Post by Codesmith » 10. June 2007 22:41

Improved security is an improvement.

You honestly believe someone is going to be going through the php.ini file, see something called magic_quotes and think it prevents all possible attacks?

You honestly believe someone is going to think, ah, one small security step has been done for me, I was planning on reading those chapters on php security, but now I will skip it?

As far as the xampp pages being useful, I visit them once when installing, that's it.

If you really think that short tags are evil, and that you can't resist using them unless the php.ini forbids them, then use a regular expression to replace all the <?= with <?php echo for all documents, and plain old <? with <?php.

--

Seems like your real argument might be that people who can't be bothered to learn about security shouldn't be writing php & mysql applications?
Codesmith
 
Posts: 101
Joined: 31. March 2007 21:11

Post by macros » 11. June 2007 07:59

Codesmith wrote: You honestly believe someone is going to be going through the php.ini file, see something called magic_quotes and think it prevents all possible attacks?

You honestly believe someone is going to think, ah, one small security step has been done for me, I was planning on reading those chapters on php security, but now I will skip it?

Unfortunately, history has shown this very thing. How many exploits have been shown to be related to bad filtering of data, the very thing that magic_quotes is meant to "fix"?

Codesmith wrote: Seems like your real argument might be that people who can't be bothered to learn about security shouldn't be writing php & mysql applications?

Not at all, but implementing a more secure environment "out of the box" rather than assuming that people will know about security seems to me a better goal. Applications that require magic_quotes or register_globals (which is off at least) are inherently insecure - basic security is obviously NOT being used.

If someone who DOESN'T know about security (even some basics) creates an application that is popular, hopefully it won't have the legacy that PHPBB has.

The short_tags comment is more in regards to it being deprecated, rather than a security thing.

I didn't intend to annoy anyone, was just a comment based on my experience of developing PHP applications. I would've thought that some of my recommendations would be easy to implement, and have minimal impact.
macros
 
Posts: 5
Joined: 10. June 2007 04:24

Post by Codesmith » 11. June 2007 19:37

Explain how applications which require magic_quotes are inherently less secure?
Codesmith
 
Posts: 101
Joined: 31. March 2007 21:11

Post by macros » 11. June 2007 20:51

I'd recommend reading "Essential PHP Security" by Chris Shiflett.

If you want practical examples, simply have a look at the history of PHPBB. There's a reason it's considered the most insecure PHP application.
macros
 
Posts: 5
Joined: 10. June 2007 04:24

Post by Codesmith » 12. June 2007 01:34

Yeah, I got that book. Section A.8, magic_quotes_gpc, and I find his arguments unconvincing.

Shiflett wrote: It adds complexity to your input filtering logic ... increases the likelihood of a mistake

What complexity? It calls addslashes() for you, if you don't like it you have to call stripslashes().

Shiflett wrote: Therefore, it can hide the use of poor filtering or escaping logic

He is positing a programmer smart enough to write/review a complex input filter that will protect against XSS, SQL injection, Mail Header Injection, .....

but dumb enough to think that since addslashes() was called automatically all his bases are covered.

---
If someone thinks that addslashes() is all you need, then if magic_quotes is turned off they will make one call to addslashes()...

If someone understands the complexity of input filtering, then magic_quotes won't confuse them.
Codesmith
 
Posts: 101
Joined: 31. March 2007 21:11
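Added example, not from the thread and not XAMPP's own code, illustrating macros's point that magic_quotes does not stop SQL injection and Codesmith's remark that its effect has to be undone with stripslashes(). It assumes PHP with the PDO SQLite driver; the users table, its rows and the request value are constructed here.

```php
<?php
// Why magic_quotes_gpc / addslashes() is not an SQL injection defence,
// and what replaces it. Runs offline against an in-memory SQLite database.

// Undo magic_quotes_gpc if the interpreter applied it to request data.
// ini_get() returns false on PHP versions that removed the directive,
// so this is safe on old and new interpreters alike.
function rawInput(string $value): string
{
    $magic = filter_var(ini_get('magic_quotes_gpc'), FILTER_VALIDATE_BOOLEAN);
    return $magic ? stripslashes($value) : $value;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');   // constructed
$db->exec("INSERT INTO users (id, name) VALUES (1, 'alice'), (2, 'bob')");

// Constructed request value standing in for $_GET['id'].
$id = '1 OR 1=1';

// 1. Escaping only, which is all magic_quotes does. The value contains no
//    quote characters, so addslashes() returns it unchanged, and in an
//    unquoted numeric context the SQL is still rewritten: every row comes back.
$escaped = addslashes($id);
$rows = $db->query("SELECT name FROM users WHERE id = $escaped")
           ->fetchAll(PDO::FETCH_COLUMN);
echo "addslashes only:    " . implode(',', $rows) . "\n";   // alice,bob

// 2. Prepared statement. The value is bound as data and never parsed as SQL,
//    so the comparison simply fails and no row matches.
$stmt = $db->prepare('SELECT name FROM users WHERE id = :id');
$stmt->execute([':id' => rawInput($id)]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "prepared statement: " . implode(',', $rows) . "\n";   // (empty)

// 3. Validating the type at the boundary as well: an id is an integer, so
//    cast it before binding. The junk is dropped and only the real row matches.
$stmt->execute([':id' => (int) rawInput($id)]);
$rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
echo "validated + bound:  " . implode(',', $rows) . "\n";   // alice
```

The same unquoted-context problem applies to addslashes() called by hand, which is why the book's advice is to filter input by type and bind parameters rather than rely on escaping alone.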

