Hey All,

Like every sysadmin I am concerned about php shell attacks - I have many layers of security in place for mail and web but it occurred to me that there is an incredibly simple way to thwart almost all php injection - but it requires a modification to the PHP library.

The concept? "validation tokens".

A token can be placed in the PHP.INI file, http.conf container or htaccess, can be in one or all of those places and might look like this:

validation_token=AABBCCDDEEFF

Without this token at the head of a PHP script, the script would not run. Again an example might be:

<?
#token:AABBCCDDEEFF

If this were in place you could choose to secure any or all servers, files, directories etc against "foreign" scripts.

Would this be a PITA to switch to - probably
Would it cause some problems along the way - almost certainly
Would it prevent anyone but authorized users from executing PHP scripts and provide an almost infinite layer of protection for all servers / clients / folders / files... I think so.


Please feel free to shoot holes in this idea - if it stands up to a bit of scrutiny I'd love to suggest it as a feature to the PHP team - or maybe someone can come up with a patch or mod.


Steve