Why I'm Giving up Coding...

Discussion in 'PHP' started by LimeKID, Dec 5, 2008.

  1. #1
    I don't know where to begin but I'll keep this short and sweet and maybe someone can help.

    I'm a designer/developer and have been designing for 10 years (since I was 11). But the more I try to develop in PHP, the more I find out my applications are not secure. I tried reading about security risks (XSS attacks etc.) but it just seems to boggle my brain. I was currently going through the Zend Framework and seeing if I could start to learn that platform, but learning takes time and when you have many projects to work on, time is really limited.

    I'm not saying I haven't progressed as a PHP developer, but is it really worth it? The amount of time it takes plus worries that your code isn't secure have led me to believe it would be better to give up and concentrate on designing...

    All opinions welcomed, I'm not easily offended but go easy on me lol :p
     
    LimeKID, Dec 5, 2008 IP
  2. joebert

    joebert Well-Known Member

    #2
    Woohoo! More pie for me! :D

    You're still young, the older you get, the more likely you are to already have security built-in to your development because you get tired of getting robbed.
    When you're young, you haven't been robbed as much and you tend to focus more on innovation.

    Maybe you need a mentor or partner that can lock things down behind you.
     
    joebert, Dec 6, 2008 IP
  3. LimeKID

    LimeKID Peon

    #3
    Thanx Joebert! I would tend to agree! I have many innovative ideas I'm trying to build but the thought of double checking my code for security leaks scares me to the point of doing nothing. The mentor idea really gave me food for thought. I'm on the search for a mentor as I type. I'm sure one day I'll be able to share with people I'm mentoring how to approach coding when you're young and get frustrated easily.
     
    LimeKID, Dec 6, 2008 IP
  4. misbah

    misbah Active Member

    #4
    Or maybe you can concentrate on design... and find a partner with good programming skills...
    so you can work as a team...
    Remember... we are not Superman :). CMIIW
     
    misbah, Dec 6, 2008 IP
  5. CaseyPC

    CaseyPC Active Member

    #5
    I wrote a couple of security functions years ago when XSS and RFI started popping up. Now I just use these same security functions to "clean" all user submitted data.
     
    CaseyPC, Dec 6, 2008 IP
  6. ignas2526

    ignas2526 Peon

    #6
    Well, I have some code that might help you:
    It will scan all of $_GET for XSS.
    Also, here is code to check if it's really a number:
    It will make your code quite secure.
     
    ignas2526, Dec 6, 2008 IP
  7. MMBooster

    MMBooster Guest

    #7
    Do what you enjoy doing, but if you want only money, then go ahead and learn affiliate marketing.
     
    MMBooster, Dec 6, 2008 IP
  8. LimeKID

    LimeKID Peon

    #8
    Thanx for the code and advice.

    My problem is how to find good coders. I may need to search the forum to find good PHP coders in the UK.

    I enjoy web design in general, I just get really frustrated easily when things don't move as quickly as I would like.
     
    LimeKID, Dec 6, 2008 IP
  9. keyaa

    keyaa Peon

    #9
    Don't be fooled to think a piece of code that wasn't written specifically for your purposes and which you maybe don't even understand will make your web applications more secure.
    There are by far more ways to do XSS than these few lines of junk can detect. Blacklisting will never make your applications secure if you don't know 100% of all possible threats.
    Then there's SQL injection, XSRF, (remote) file inclusion ..
    Use whitelisting where possible and always properly encode every bit of data depending on how you're going to use it.
     
    keyaa, Dec 7, 2008 IP
  10. LimeKID

    LimeKID Peon

    #10
    How do you go about finding 100% of all possible threats? Arguably you might as well not bother learning to code under such circumstances...? Is it even possible to have 100% secure code?
     
    LimeKID, Dec 7, 2008 IP
  11. mac83

    mac83 Active Member

    #11
    The biggest pieces of software have security loopholes and are being exploited... So as a programmer, you should be aware of security and should keep updating your knowledge, but should not get demoralized.

    As a programmer I would suggest you follow the basic rules... Never trust data from the client!
    So make sure the data you get from GET, POST, REQUEST, COOKIES are all valid and in the correct format. If you expect a piece of data to be an integer and the user submits a string, simply discard that data.

    This simple principle will close a lot of security loopholes!
     
    mac83, Dec 7, 2008 IP
  12. Ikki

    Ikki Peon

    #12
    LimeKid,

    I know how you feel. However, as mac83 said there's no way to make an application 100% secure. It's just impossible. My advice: spend some time reading about security, test your applications (you may want to ask people to try to exploit it) and learn where your code is weak so you can improve it.

    "Patience, my friend, is a virtue"
     
    Ikki, Dec 7, 2008 IP
  13. deathshadow

    deathshadow Acclaimed Member

    #13
    ...and that right there sums it up. ANY method for passing data from the user to your program needs to be double, triple and quadruple checked.

    Sometimes the simplest checks defeat the most complex of attacks.

    Expecting the user to pass a number? Typecasting to integer and leaving index 'zero' as a throwaway can quickly defeat the passage of incorrect values. One of the things that make php so versatile is the lack of strict typing - while at the same time it is one of the biggest security flaws and causes variable handling to be slower than other languages. Understanding that despite php variables being 'uncast' you can still typecast them to restrict their values can be used to quickly prevent illegal values from being passed.

    The EVAL function is essential for some modular codebases, but MUST be used with a great deal of caution. NEVER pass a user value directly to EVAL - EVER. If you must do so, typecast numerics and/or check strings against a list and then use the list's value, just to be sure.

    Is your PHP only supposed to accept input from a specific PHP file? A simple comparison of $_SERVER['HTTP_REFERER'] to where the request SHOULD come from can defeat a great many spambots who try to use their own servers to pass form data. It CAN be spoofed, but it's surprising how often spambots and other attackers don't bother.

    ... and lands sake sanitize when passing data to mySQL. If you aren't using a routine like this:

    function sanitize($str) {
        // Undo PHP's automatic magic-quotes escaping first, otherwise the value
        // would be escaped twice and stored with stray backslashes.
        if (get_magic_quotes_gpc()) $str = stripslashes($str);
        // Prefer the driver's escaping, which respects the connection's character
        // set. It needs an open mysql_connect() link; without one it returns false.
        if (function_exists('mysql_real_escape_string')) {
            return mysql_real_escape_string($str);
        }
        // Fallback for builds without the MySQL extension.
        return addslashes($str);
    }
    ... well, to put it as politely as I can, omitting a sanitize of inputs is leaving yourself wide open to have your server bent over like a Catholic priest at a Taxachusetts supermax.

    Of course one of the biggest problems is when you let users upload attachments. File extensions are a dirty check, yet they are the only mechanism during uploads readily available to you. Your best bet, once you have the file and are copying it, is to change the permissions to 444 as soon as you copy the file, to prevent any chance of malicious code being executed. I'm often amazed how many programmers don't understand file permissions, much less that PHP has its own chmod function. chown, chgrp and chmod are very important, yet strangely lacking in most people's code.

    Of course, if you are on a windows server file permissions mean jack ****, said security being a joke - therein if stuck in that particular hell you are already in last place before you even get out of the gate.

    Another common mistake is letting users use HTML in their posts/comments. Even if you restrict tags, attributes could be passed or make it past any string replacement. You are best off stripping HTML and all its attributes outright, forcing the content to entities, and then using some other technique to allow markup. After all, forum software uses bbCode for a reason!

    Writing PHP is easy, writing secure code requires an understanding of the underlying technologies of the filesystem, variable storage and code execution... Because of this I still say PHP should be learned AFTER learning a compiled language and command line server administration - as the lessons learned there apply directly to the security of an interpreted language like PHP.

    Stick with it, you'll get it eventually.
     
    deathshadow, Dec 7, 2008 IP
    RRWH likes this.
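    The typecast-and-whitelist rules from this post (and mac83's "discard data that isn't the type you expect") written out as an added example; this is not code from the thread, and the function names, the allowed sort columns and the request array are assumptions:

```php
<?php
// Added example, not code from the thread: the "typecast numbers, check strings
// against a list" advice above as small reusable checks. Function names, the
// allowed sort columns and the request array are my own assumptions.

// Integer input via typecast. (int)"abc" is 0 and (int)"12abc" is 12, so 0 is
// the throwaway value and strings containing non-digits are refused before the
// cast. Returns null whenever the caller should discard the value.
function read_positive_int(array $input, string $key): ?int
{
    $raw = $input[$key] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;
    }
    $value = (int) $raw;
    return $value > 0 ? $value : null;
}

// Whitelist lookup: the request supplies a key, the code supplies the value.
// Use this instead of passing user text to eval() or building it into SQL.
function pick_from_list(array $input, string $key, array $allowed, string $default): string
{
    $candidate = $input[$key] ?? '';
    return is_string($candidate) && array_key_exists($candidate, $allowed)
        ? $allowed[$candidate]
        : $allowed[$default];
}

// Parameterised query: the id is bound by the driver, so it needs no escaping
// routine; the ORDER BY column is a value the code chose, never request text.
// Run it with PDO::prepare() followed by PDOStatement::execute($params).
function build_post_query(int $id, string $orderBy): array
{
    return ['SELECT id, title FROM posts WHERE id = ? ORDER BY ' . $orderBy, [$id]];
}

// Constructed request standing in for $_GET: a good id, a garbage page number
// and a sort key that is not in the list.
$get  = ['id' => '42', 'page' => '7abc', 'sort' => 'title; --'];
$cols = ['name' => 'username', 'date' => 'created_at'];

$id   = read_positive_int($get, 'id');
$page = read_positive_int($get, 'page');
$sort = pick_from_list($get, 'sort', $cols, 'date');
var_dump($id, $page, $sort);
if ($id !== null) {
    [$sql, $params] = build_post_query($id, $sort);
    var_dump($sql, $params);
}
```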
  14. deathshadow

    deathshadow Acclaimed Member

    #14
    I always laugh when I see code like that.
    (int)$value

    typecast to integer - way faster than using preg.
     
    deathshadow, Dec 7, 2008 IP
  15. RRWH

    RRWH Active Member

    #15
    deathshadow has said it all quite well.

    Simply NEVER trust any user input data. It is your responsibility as a coder to validate and check all data submitted. There is no 1 type fits all here, but for everything that is submitted that you want to act on you need to understand exactly what it is you expect, check that it is the exact format you expect and when (not if) it doesn't match throw it all away as being bad.

    Additionally, also check the source of all submitted data - make sure that it is being submitted from your site or an expected remote site.

    In reality, you should consider ensuring that PHP is patched with the Suhosin security patch. It does a lot of things that improve the security of PHP overall.

    As soon as you don't check input data or check the source of that said input you are at risk of something bad happening.
     
    RRWH, Dec 7, 2008 IP
  16. rene7705

    rene7705 Peon

    #16
    "Never trust your input" is easy to say, but protecting yourself against all buffer overflows and insertions is Hard.

    But I try to at least make the point where input goes to a database always call a sanitize function on the value being sent into the db. Esp. for varchar and text fields.
    That way, I can update the sanitizer when I discover a new way I can get screwed by mr blackhat.

    I also store all changes of most tables (esp. articles in my CMS), and the IP from which the change came, so I can restore previous versions, and I might even be able to put the police on mr blackhat if he's not careful.
     
    rene7705, Dec 7, 2008 IP
  17. deathshadow

    deathshadow Acclaimed Member

    #17
    Though most every case of a buffer overflow can be blamed more on the language implementation than on (in this case) php code. On a modern OS data should be stored and passed in protected memory, the so called 'no execute' bit preventing overflow attacks outright since that means code cannot be executed in data memory. It only becomes an issue when programmers ignore the separation of data from code and start trying to use their code segment to handle data.

    In PHP's case, the last documented overflow vulnerability was in the wordwrap function, and that only affected machines that did not have an NX bit, and that was fixed back with version 4.3 some five or six years ago.

    The best way to prevent those attacks is a good host with nx support (under winblows it's called DEP), and as previously mentioned keeping your underlying software up to date. "apt-get upgrade all" - USE IT.

    which remains the number one attack route for sites that do not have user uploads that are php based. This can ENTIRELY be blamed on the code written by the php developer, and is for the most part preventable following what I said up above. Sanitize, sanitize, sanitize.

    Which, if they get access to the DB, they could conceivably erase, but it is nice to have the extra added security of a changelog since rarely do they end up with that level of access. A full changelog/undo buffer is also nice just to have as a reference even if you don't get hacked.

    Which of course ties into the final line of defense - BACKUPS. Lands sake make backups.
     
    deathshadow, Dec 8, 2008 IP
  18. keyaa

    keyaa Peon

    #18
    Whitelisting. Only do and allow everything you know is secure (for example, instead of allowing HTML and filtering tags you consider harmful [blacklisting], don't allow any HTML but only limited BBCode that you carefully convert to secure HTML.) - then also typechecking, errorhandling and proper encodings.
    That's essentially the most important part on the coding side.

    Then there's server & php configuration: global variables (turn them off, obviously), file & folder permissions, directory listing.. always think about the scope of your functions and files and what they would be capable of doing in worst-case scenarios.

    Even when keeping all of this in mind, it's near to impossible to assume a web application is 100% secure once it becomes more complex.

    But then again, hey - probably you're not coding for a bank or insurance company or the like, and being hacked usually isn't something that'll wipe out your entire project or site forever. Just because a product isn't absolutely secure it will still sell (think Microsoft :D). NASA, FBI, CIA, several security companies - they've been hacked and they're still around. Be prepared in case it happens, keep logs and backups.
     
    keyaa, Dec 8, 2008 IP
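    keyaa's whitelist approach (and deathshadow's "force the content to entities, then allow markup some other way" from #13) as an added example; this is not code from the thread, and the tag set and function name are assumptions:

```php
<?php
// Added example, not code from the thread: refuse all HTML, then convert a
// small BBCode whitelist to HTML. Tag set and function name are my own.

function bbcode_to_html(string $text): string
{
    // Step 1: no blacklist. Every character becomes an entity, quotes included,
    // so raw HTML and attribute break-outs cannot survive this point.
    $html = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    // Step 2: paired tags we know to be safe map to fixed HTML; the user
    // controls only the text between them.
    $simple = ['b' => 'strong', 'i' => 'em', 'code' => 'code'];
    foreach ($simple as $bb => $tag) {
        $html = preg_replace(
            '#\[' . $bb . '\](.*?)\[/' . $bb . '\]#si',
            '<' . $tag . '>$1</' . $tag . '>',
            $html
        );
    }

    // Step 3: links. The href is still entity-encoded (a quote in it is &quot;
    // and cannot close the attribute), and only http/https schemes are allowed;
    // anything else loses the link but keeps its text.
    return preg_replace_callback(
        '#\[url=([^\]]+)\](.*?)\[/url\]#si',
        function (array $m): string {
            $url = html_entity_decode($m[1], ENT_QUOTES | ENT_HTML5, 'UTF-8');
            if (!preg_match('#^https?://#i', $url)) {
                return $m[2];
            }
            return '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>';
        },
        $html
    );
}

// Constructed posts: plain markup, raw HTML, a non-http scheme, a quote in the URL.
$posts = [
    'Hello [b]world[/b], see [url=http://example.com/?a=1&b=2]this[/url]',
    '<script>alert(1)</script>',
    '[url=javascript:alert(1)]click[/url]',
    '[url=http://example.com/" onmouseover="x]y[/url]',
];
foreach ($posts as $post) {
    echo bbcode_to_html($post), PHP_EOL;
}
```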
  19. deathshadow

    deathshadow Acclaimed Member

    #19
    The old computer joke from the 80's - the only secure computer is one with zero user access. Everything else is a matter of degree.
     
    deathshadow, Dec 8, 2008 IP
  20. karnetics

    karnetics Peon

    #20
    If software development was so easy, Microsoft would have got Windows right on the 1st try. But even the best have problems with security. So don't give up, just try to stay up to date, well is that what Microsoft do!
     
    karnetics, Dec 8, 2008 IP