Posted Nov.24, 2009 under
PHP
It was about time: the PHP team has finally added a max_file_uploads directive that limits the number of file uploads PHP accepts in a single request (the default is 20). See http://www.php.net/ChangeLog-5.php#5.3.1.
Before PHP 5.3.1, a single request could carry an arbitrary number N of file parts, and PHP would create N temporary files on the targeted system. Enough such requests exhaust the temporary directory (disk space, inodes) and file descriptors, overloading the system and leaving the web server unable to serve requests.
Suhosin already provides an equivalent option, suhosin.upload.max_uploads (default 25), so systems running the Suhosin patch are already protected.
Recommendation: upgrade to the 5.3.1 release (or apply the patch provided by PHP), or set file_uploads = Off in php.ini if your site does not use file uploads at all. Keep in mind that you do not need a file upload form on your site to be vulnerable: PHP handles uploads before your script runs, so all it takes is a POST with a multipart/form-data body, as defined in RFC 1867, sent to any PHP script.
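To make the two points above concrete, here is an added example (my own code, not from the original post or from the PHP project). It builds an RFC 1867 multipart/form-data body with N file parts, counts the file parts the way PHP's upload handler sees them (one temporary file per part with a non-empty filename), and audits the text of php.ini or `php -i` output for the directives that bound that number. The boundary string, field names and the sample ini lines are constructed for the example.

```python
"""Upload-count DoS: request shape and configuration audit (added example)."""
import re

CRLF = b"\r\n"


def build_multipart_body(n_files, boundary="exampleboundary"):
    """Return a multipart/form-data body carrying n_files file parts.

    No upload form is involved: this is just the wire format of RFC 1867.
    PHP creates a temporary file for every part that carries a non-empty
    filename= parameter, before the target script gets to run, so the
    number of parts, not the script, decides how many temp files appear.
    """
    delim = b"--" + boundary.encode()
    parts = []
    for i in range(n_files):
        parts.append(
            delim + CRLF
            + f'Content-Disposition: form-data; name="f{i}"; filename="f{i}.txt"'.encode() + CRLF
            + b"Content-Type: text/plain" + CRLF + CRLF
            + b"x" + CRLF  # one byte of content is enough to get a temp file
        )
    parts.append(delim + b"--" + CRLF)  # closing delimiter
    return b"".join(parts)


def count_file_parts(body, boundary):
    """Count parts with a filename= parameter: the server-side view of the body."""
    delim = b"--" + boundary.encode()
    count = 0
    for chunk in body.split(delim)[1:]:  # [0] is the preamble before the first part
        if chunk.startswith(b"--"):
            break  # reached the closing delimiter
        headers = chunk.split(CRLF + CRLF, 1)[0]
        if re.search(rb"filename=\"[^\"]+\"", headers, re.IGNORECASE):
            count += 1
    return count


def parse_php_settings(text):
    """Parse php.ini lines (key = value) or `php -i` lines (key => local => master)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in php.ini
        if not line or line.startswith("["):
            continue
        sep = "=>" if "=>" in line else "="  # check '=>' first, it contains '='
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        value = value.split("=>")[0]  # php -i: keep the local value only
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def audit_upload_limits(text, max_allowed=25):
    """Return findings for the temp-file DoS; an empty list means nothing to fix.

    max_allowed defaults to Suhosin's 25 (PHP's own default is 20) so that
    both stock 5.3.1 and Suhosin-patched systems pass unchanged.
    """
    settings = parse_php_settings(text)
    on_values = {"1", "on", "true", "yes"}
    findings = []
    if settings.get("file_uploads", "1").lower() not in on_values:
        return findings  # uploads disabled entirely: the temp-file path is never reached
    limit = settings.get("max_file_uploads") or settings.get("suhosin.upload.max_uploads")
    if limit is None:
        findings.append("file_uploads is on but neither max_file_uploads nor "
                        "suhosin.upload.max_uploads is set (PHP < 5.3.1 without Suhosin)")
    elif not limit.isdigit() or int(limit) > max_allowed:
        findings.append(f"per-request upload limit is {limit!r}, above the expected {max_allowed}")
    return findings


if __name__ == "__main__":
    body = build_multipart_body(30)
    print("file parts in request:", count_file_parts(body, "exampleboundary"))
    # Constructed sample of a pre-5.3.1 php.ini with uploads left on.
    weak_ini = "[PHP]\nfile_uploads = On\n; no per-request limit here\n"
    print("weak config:", audit_upload_limits(weak_ini))
    hardened_ini = "[PHP]\nfile_uploads = On\nmax_file_uploads = 20\n"
    print("hardened config:", audit_upload_limits(hardened_ini))
```

Feed audit_upload_limits the output of `php -i` rather than php.ini when you can: the running interpreter's values are what matter, and the parser accepts both formats.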
1. If you have to choose between print and echo, use echo (echo is known to be marginally faster than print).
2. When searching or manipulating strings, do not jump straight to regular expressions; first look at PHP's native string functions such as strpbrk, stripos, etc.
3. Display smart error messages. Many young developers show a custom error, or even the raw system error, whenever something breaks. Alerting the user that an error occurred is good practice, but building and printing detailed errors costs resources and, worse, a raw system error leaks details of your setup to an attacker. Show a general message to the user and keep the specifics in the log.
4. Close your database connections as soon as you are done processing MySQL data.
5. Use local variables instead of global variables.
6. Always initialize your variables. It is far too common for coders to declare a variable without initializing it and then process it later with increments etc. Remember that you lose speed (and pick up notices) with uninitialized variables.
7. Whenever you echo a string literal, use single quotes ' ' instead of double quotes " ". Why? Because PHP scans a double-quoted string for variables ($) to interpolate, which makes it slower.
8. Use memcached with Apache to cache objects in memory. This greatly speeds up your web application's runtime.
9. Use mod_gzip (or mod_deflate on Apache 2) to compress delivered content.
10. Implement data structures as arrays, not as classes.
and yes…
use as little OOP as possible; being a Java and .NET programmer, I can guarantee that OOP in PHP is just a big overhead.
till later,