Author: Ruturaj Maniyar
Categories: PHP Tutorials, PHP Security
Read this article to learn how to implement this design pattern with PHP using the Nginx Web server to prevent security attacks.
In this article you will learn:
What is the Front Controller Design Pattern
How to Implement a Front Controller with PHP and Nginx
How a Malicious Attack Happens
How to Prevent this Type of Attack
Where Can You Learn More About the Front Controller Design Pattern
Introduction
In this article, I will explain how to improve the security of a Web application with the Front Controller Design Pattern, which is implemented by many PHP frameworks such as Yii2, Laravel, Symfony, CakePHP and Zend Framework.
What is the Front Controller Design Pattern
A front controller is a piece of code that handles all the requests for a Web application. A front controller may be implemented as an object (Java) or as a script (PHP, Ruby, Python) that is invoked on every request of a Web session.
For example, a script like "index.php" can be the single entry point of the code that handles every HTTP request. This is how applications built on frameworks work, for instance "web/index.php" in Yii2 or "public/index.php" in Laravel.
How to Implement a Front Controller with PHP and Nginx
In most applications, Nginx and PHP are configured with the following Nginx configuration lines to invoke PHP:
location ~ \.php$ {
...
}
With the above configuration, Nginx passes every request whose URL ends with ".php" to the PHP interpreter, whatever directory the file is in.
How a Malicious Attack Happens
Let's suppose you have a Web application that allows users to upload files. If you missed or forgot to implement strict validation rules for those uploads, a malicious user could upload a file like shell.php (containing malicious PHP code) to the server.
The malicious user then opens that file on the server using a URL like the one below:
http://[host]/files/shell.php
As per the above Nginx configuration, "shell.php" is executed by the PHP interpreter, and the malicious code can attack your Web application from inside the server.
How to Prevent this Type of Attack
If you are familiar with Yii or Laravel, you may know that the application life-cycle starts with "index.php", the entry point of the framework. This is where the Web application instance is created and where every request is processed.
Since every request should be executed through that "index.php", the Nginx configuration should look like the following:
location = /index.php {
    # Only the front controller is ever handed to PHP-FPM.
    try_files $uri =404;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass 127.0.0.1:9000;
}
location ~ \.php$ {
    # Prevent exposure of any other .php files (uploaded ones included)!!!
    return 404;
}
Here, when a malicious user tries to run any other "*.php" file directly, Nginx returns a 404 Not Found HTTP status instead of executing it (the exact match "location = /index.php" takes precedence over the regular expression location), thus preventing this kind of malicious attack.
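As an added example that is not part of the original article, here is a minimal front controller "index.php" that fits the Nginx configuration above: every dynamic request reaches this one file, only paths in its route table are dispatched, and uploads are validated before they are stored. It assumes PHP 7.4 or later, a "files/" directory next to the script, and an extra Nginx rule such as "location / { try_files $uri /index.php$is_args$args; }" so that URLs like "/about" are routed to the front controller; the route paths and handlers are hypothetical.

```php
<?php
// Added example (not the article's or any framework's code): a minimal
// front controller for the "location = /index.php" Nginx setup.
declare(strict_types=1);

// Route table: only these method/path pairs are dispatched.
$routes = [
    'GET /'        => fn(): string => 'Home page',
    'GET /about'   => fn(): string => 'About page',
    'POST /upload' => 'handleUpload',
];

function handleUpload(): string
{
    // Strict upload validation: a short allow-list of extensions, the real
    // MIME type must match, and the stored name is generated server-side so
    // a client-supplied "shell.php" can never land on disk under that name.
    $allowed = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'pdf' => 'application/pdf'];
    if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
        http_response_code(400);
        return 'No file uploaded';
    }
    $ext  = strtolower(pathinfo($_FILES['file']['name'], PATHINFO_EXTENSION));
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($_FILES['file']['tmp_name']);
    if (!isset($allowed[$ext]) || $allowed[$ext] !== $mime) {
        http_response_code(415);
        return 'File type not allowed';
    }
    $dest = __DIR__ . '/files/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($_FILES['file']['tmp_name'], $dest)) {
        http_response_code(500);
        return 'Could not store file';
    }
    return 'Stored as ' . basename($dest);
}

// Dispatch: anything not in the route table is a 404, so no other script
// on the server is ever executed through this entry point.
$method = $_SERVER['REQUEST_METHOD'];
$path   = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH) ?: '/';
$key    = "$method $path";

if (!isset($routes[$key])) {
    http_response_code(404);
    echo 'Not Found';
    exit;
}
echo $routes[$key]();
```

Because the catch-all "location ~ \.php$ { return 404; }" rule stays in place, even a file that slips past this validation cannot be executed by requesting it directly.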
Where Can You Learn More About the Front Controller Design Pattern
You can learn more about the front controller design pattern in the respective Wikipedia page or read useful tutorials like the one in this page.
If you would like to share other things about implementing the front controller design pattern in PHP applications, please post a comment below to share your point of view.