PHP security for script

Discussion in 'PHP' started by ashleysly, Dec 13, 2014.

  1. #1
    I am coming to completion of a script I am creating and have not implemented any security features yet, such as protection against SQL injection and XSS. Are there any others that I need to protect against? If so, could you possibly link me to the correct place, such as the PHP manuals?

    Thanks
     
    ashleysly, Dec 13, 2014
  2. Anveto

    Anveto Well-Known Member

    #2
    You should probably keep these in mind as you create the script, as it might be much harder to fix when the script is done. Without knowing how your script is coded it is hard to give advice on what you should look out for, but perhaps this is a good read: http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html

    This is also a nice read if you want to know more about how to protect your web applications
    http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470
     
    Anveto, Dec 14, 2014
  3. hilhilginger

    hilhilginger Well-Known Member

    #3
    Are you looking to encrypt your script so as to restrict any redistribution? Then you may use Zend platform or ionCube for script encryption, but it may be unstable on many shared web hosts. An easy way is to host a portion of your script on a remote server so that only licensed users can enjoy the full benefits of your script. If you need more info, please PM me for details.
     
    hilhilginger, Dec 27, 2014
  4. ezprint2008

    ezprint2008 Well-Known Member

    #4
    Everything from setting maxlength on the input textboxes, to the handling of the vars after the POST or GET method (to sanitize them from any HTML chars), and then the final conversion to the $username type of PHP var that you can then use to email, store to the database, juggle, whatever.

    SQL injection starts with the first opportunity: your text input box has no maxlength, therefore a user can enter 10,000 lines of code if they want. Once they know your input textbox has no limit on characters, they can enter SQL code like first_name = Biff ; DELETE * etc. That's how databases get dumped/deleted or their entire contents stolen.
    The second is when little snippets can be passed through and activated when they are stored to the database or are called out again, basically putting a big bug into your database that is inevitably going to screw up some code when it's pulled out. Imagine storing string chars, and if their first name was = Bill"; BIG BUG to make your page say huh }}}} ; ;;;;;;;;
    If that was stored to the database like that and was later called into a script, you know what it would do, and your ERROR would say something like ERROR unexpected end in line 256.

    Sanitizing is based on all steps being protected against.
     
    ezprint2008, Jan 12, 2015
  5. nico_swd

    nico_swd Prominent Member

    #5
    This does absolutely nothing. Don't even waste time with this.

    Unless you allow HTML or output this directly into a JavaScript variable, this won't cause any trouble at all.
     
    nico_swd, Jan 25, 2015
  6. JEET

    JEET Notable Member

    #6
    You really should have kept security in mind since the beginning.

    For now, make sure that each user input from forms and each $_GET value is checked before doing anything with it, like sending a query to the database using that input.
    Make sure each input is escaped with addslashes.

    It's not just SQL injection; you also need to worry about session hijacking and cookie hijacking.

    For sessions, make sure you destroy sessions after their use is over.
    If you are storing passwords or other sensitive info in cookies or sessions, then make sure they are encrypted.
    Once you retrieve data from sessions or cookies, make sure to validate it before using it.

    Setting maxlength in forms is not of much use, because anyone can simply view the form's source code and use the "name" of the input field to post any amount of data to the responding script directly, without actually using the original form.

    Do the checks and validation using your scripting language and not JavaScript, because JavaScript can be bypassed.

    If you are taking sensitive info like email, password etc. from forms, then make sure that those forms use the "post" method and not the "get" method. The GET values will travel in the URL and will be visible in access logs and on the network.

    Take care
     
    JEET, Jan 26, 2015
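The server-side checks JEET describes in #6 (length limits that do not rely on the form's maxlength, validating every field before use, keeping secrets out of the session, and tightening the session on login), as an added example that is not code from this thread. The field names, the `$sample` array standing in for `$_POST`, and the 12-to-1024 character password policy are assumptions for illustration; passwords are stored as a one-way hash rather than encrypted.

```php
<?php
// Added example (not code from the thread): server-side input validation,
// output escaping and session hardening in plain PHP. The form field names
// and the $sample array below are constructed for illustration.
declare(strict_types=1);

/**
 * Validate raw form input on the server. Returns a list of error strings;
 * an empty list means the input is acceptable. Length limits live here,
 * not in a maxlength attribute, because anyone can POST to the script directly.
 */
function validate_signup(array $post): array
{
    $errors   = [];
    $email    = $post['email'] ?? '';
    $password = $post['password'] ?? '';

    // is_string() guards against email[]=x turning the value into an array.
    if (!is_string($email) || strlen($email) > 254) {
        $errors[] = 'email missing or too long';
    } elseif (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }

    if (!is_string($password) || strlen($password) < 12 || strlen($password) > 1024) {
        $errors[] = 'password must be 12 to 1024 characters';
    }
    return $errors;
}

/** Escape a value for an HTML text context; do this at output time, not at input. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Store a one-way hash of the password, never the password itself. */
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

/**
 * On successful login: cookie flags that keep the session ID off the wire in
 * clear text and away from JavaScript, then a fresh ID so a value fixed or
 * captured before authentication is no longer valid.
 */
function start_authenticated_session(int $userId): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_set_cookie_params([
            'httponly' => true,   // not readable from JavaScript
            'secure'   => true,   // only sent over HTTPS
            'samesite' => 'Lax',  // limits cross-site sending
        ]);
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;   // an identifier only, no secrets
}

// Constructed stand-in for $_POST: oversized email, short password, XSS payload.
$sample = [
    'email'    => str_repeat('a', 300) . '@example.com',
    'password' => 'short',
    'name'     => '<script>alert(1)</script>',
];

foreach (validate_signup($sample) as $e) {
    echo "error: $e\n";
}
echo 'safe to echo: ' . h($sample['name']) . "\n";
echo 'stored hash:  ' . hash_password('correct horse battery staple') . "\n";
```

Run it from the command line with `php validate.php`; the two validation errors print first, then the escaped `<script>` tag, then a `$2y$` bcrypt hash. `password_verify()` is the matching check at login time. Note that `h()` is applied where the value is written into HTML, so the database keeps the original string and the same value can later be escaped differently for a JavaScript or URL context.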
  7. PoPSiCLe

    PoPSiCLe Illustrious Member

    #7
    I would recommend using proper DB handlers - mysql_ is insecure from the get-go. mysqli_ is a bit better, but it's still possible to fuck things up. PDO is my preferred handler in PHP - it's versatile, it's mainly secure (as long as you use prepared statements) and handles all the string parsing on its own - no need for htmlspecialchars() and addslashes() and other completely asinine functions anymore.
     
    PoPSiCLe, Jan 26, 2015
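The difference PoPSiCLe points at in #7 (PDO is only safe when the query is a prepared statement) and the "first_name = Biff ; ..." style of input ezprint2008 describes in #4, shown side by side as an added example that is not code from this thread. It runs against an in-memory SQLite database so it works offline; the `users` table, its rows and the test inputs are constructed here, not taken from the poster's script.

```php
<?php
// Added example (not code from the thread): the same lookup written the
// mysql_-style way with string concatenation and as a PDO prepared statement.
// In-memory SQLite keeps it self-contained; the table and rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)');
$db->exec("INSERT INTO users (first_name, email) VALUES
           ('Biff', 'biff@example.com'), ('Bill', 'bill@example.com')");

/** Vulnerable: the user's input becomes part of the SQL text, even through PDO. */
function find_user_vulnerable(PDO $db, string $name): array
{
    $sql = "SELECT id, first_name FROM users WHERE first_name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened: the SQL text is fixed; the value travels as a bound parameter. */
function find_user_prepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, first_name FROM users WHERE first_name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal value, a tautology injection, and an innocent
// name that happens to contain a quote.
$inputs = [
    'Biff',
    "x' OR '1'='1",
    "O'Brien",
];

foreach ($inputs as $in) {
    try {
        $v = count(find_user_vulnerable($db, $in)) . ' rows';
    } catch (PDOException $e) {
        $v = 'SQL error (the quote broke the query)';
    }
    $p = count(find_user_prepared($db, $in));
    printf("[%s]\n  concatenated: %s\n  prepared:     %d rows\n", $in, $v, $p);
}
```

Expected behaviour: `Biff` matches one row both ways; `x' OR '1'='1` returns every row from the concatenated query and no rows from the prepared one, because the parameter is compared as a literal string; `O'Brien` raises a syntax error in the concatenated version and is simply an unmatched name in the prepared one, with no escaping written by hand. With pdo_mysql also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the server, not the client library, parses the statement. Prepared statements protect the query only; a value read back from the database still needs `htmlspecialchars()` when it is written into HTML.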
  8. NetStar

    NetStar Notable Member

    #8
    If you are working with databases and you have NOT taken SQL injection into account AS you are writing your code, odds are your program is filled with security holes and issues.

    I would feel just DIRTY writing one lick of database code without sanitizing and validating my data first. Are you even using PDO?
     
    NetStar, Feb 1, 2015