Common security mistakes

Discussion in 'PHP' started by Dejavu, Mar 3, 2006.

  1. #1
    I would like to know what are the common security pitfalls one should know about when designing a site in php. (and how to avoid them)

    So far I have:
    *always make sure addslashes is used in the right places, especially for any database queries
    *turn register_globals off
    *use intval() on $_GET variables to help prevent html injection.

    anything else? I would really appreciate input from someone with more experience here.

    thanks.
     
    Dejavu, Mar 3, 2006 IP
  2. clancey

    clancey Peon

    #2
    There are a couple of things which I believe should be done, at a minimum.

    One is to move all files which are not directly called by the visitor to a directory which cannot be directly accessed by your web server. For instance, I put those files into a library directory. On Linux, I set up the web folder as follows:

    /home/webfolder/website/

    and place the library in

    /home/webfolder/myphplib/

    Apache serves pages from /home/webfolder/website/. Pages in that directory can load pages from the myphplib directory, but those pages cannot be directly accessed by Apache.

    This is the strategy I use for programs I write. Unfortunately, other authors are less paranoid than I. An exception is Mambo, and I presume Joomla, which use a defined variable to determine whether or not you have the right to access a page.

    For example:

    
    /** ensure this file is being included by a parent file */
    defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
    The index.php file contains the following code:

    
    /** Set flag that this is a parent file  */
    define( '_VALID_MOS', 1 );
    The second minimum thing to do is to make sure that you verify input on all forms before acting upon the information. This includes neutralizing all characters which have special meaning for the shell, such as the "pipe" or "|". If you expect a URL, make sure it is a valid URL form and convert all spaces in the URL to something else, like "_". Make sure email addresses are valid in form. And so forth.

    This is especially true of data you intend to put into a MySql database. When you do so, you are running a command. If you do not make sure the information conforms in every way with what you expect, you could become a target for hackers.

    Do not allow people to upload files to your server. You may trust your friends, but can you trust your enemies?

    Finally, assume hackers will find you and that they will try to guess your ssh user names and passwords, as well as probe your scripts. Every day I receive some form of attack.
     
    clancey, Mar 3, 2006 IP
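The validation clancey describes (URL form, email form, shell metacharacters) as an added example that is not part of the thread: it rejects input that does not match the expected form instead of hunting for individual characters like "|", and it uses PHP's own filter_var() and escapeshellarg() rather than hand-written neutralization. The sample inputs are constructed.

```php
<?php
// Added example, not from the thread: allowlist validation for the three
// input kinds mentioned above (email, URL, value handed to the shell).

function validate_email(string $input): ?string {
    $v = filter_var(trim($input), FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validate_http_url(string $input): ?string {
    $v = filter_var(trim($input), FILTER_VALIDATE_URL);
    if ($v === false) {
        return null;
    }
    // FILTER_VALIDATE_URL accepts schemes other than http(s); restrict them
    // explicitly so the value can only ever be used as a web link.
    $scheme = strtolower((string) parse_url($v, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $v : null;
}

function shell_command_with_arg(string $program, string $userValue): string {
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so "|", ";" and similar are passed to the program literally
    // instead of being interpreted by the shell.
    return $program . ' ' . escapeshellarg($userValue);
}

// Constructed sample inputs showing accept/reject behaviour.
var_dump(validate_email('user@example.com'));            // string "user@example.com"
var_dump(validate_email('user@example.com|ls'));         // NULL
var_dump(validate_http_url('https://example.com/a b'));  // NULL (space rejected)
var_dump(validate_http_url('javascript:alert(1)'));      // NULL (not an http(s) URL)
echo shell_command_with_arg('/usr/bin/file', 'notes.txt | echo injected'), "\n";
// /usr/bin/file 'notes.txt | echo injected'
```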
  3. neroux

    neroux Active Member

    #3
    This is rather about client security, but ensure that all data you receive from the user and which will be output as part of HTML to other users is run through htmlentities(). This of course applies only if your user shall not be able to use HTML to modify the appearance. For a less restrictive version you can also use strip_tags().
     
    neroux, Mar 4, 2006 IP
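The output escaping neroux recommends, as an added example that is not part of the thread. It shows the flags that matter for htmlspecialchars()/htmlentities() and the caveat with strip_tags(): allowed tags keep their attributes, so strip_tags() on its own does not make the remaining markup safe. Sample strings are constructed.

```php
<?php
// Added example, not from the thread: HTML output encoding helpers.

function html_text(string $s): string {
    // ENT_QUOTES also escapes the single quote, which the pre-PHP-8.1 default
    // (ENT_COMPAT) leaves alone; ENT_SUBSTITUTE replaces invalid UTF-8 instead
    // of returning an empty string. Always state the charset explicitly.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function limited_html(string $s): string {
    // strip_tags() with an allowlist removes other tags but keeps the text
    // inside them, and does NOT touch attributes on the tags it allows.
    return strip_tags($s, '<b><i>');
}

// Constructed user-supplied values.
$name = "O'Brien <script>";
echo html_text($name), "\n";
// O&#039;Brien &lt;script&gt;

$comment = '<b title="x" onmouseover="y">Hi</b> <script>z</script>';
echo limited_html($comment), "\n";
// <b title="x" onmouseover="y">Hi</b> z
// The onmouseover attribute survives: an allowlist of tags is not a filter
// for attributes, so a real HTML sanitizer is needed if tags are permitted.
```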
  4. rossriley

    rossriley Guest

    #4
    One of the most common, and one that you seem to have fallen into, is that addslashes is useful against SQL injection. It is not; instead you must use a database-specific escape function.

    If using Mysql this is mysql_real_escape_string.
     
    rossriley, Mar 4, 2006 IP
  5. Dejavu

    Dejavu Peon

    #5
    Care to explain a bit more? As far as I know, there is really no difference between php and mysql escapeslashes version. Are you saying the php version is somehow unsafe?
     
    Dejavu, Mar 4, 2006 IP
  6. Mong

    Mong ↓↘→ horsePower

    #6
    IMHO form validation and before any sql query you must make sure that seed is well safe.
     
    Mong, Mar 4, 2006 IP
  7. Andrewaclt

    Andrewaclt Peon

    #7
    Agreed, the key to web application security is validating user input. Never, ever trust anything from the user, treat everybody like they want to root your box.

    It may also be useful to read several articles about cross site scripting and sql injection because knowing how these attacks work makes it leaps and bounds easier to program secure code and follow good security practices.
     
    Andrewaclt, Mar 4, 2006 IP
  8. T0PS3O

    T0PS3O Feel Good PLC

    #8
    Sitepoint has a good article on the most common ones here.
     
    T0PS3O, Mar 4, 2006 IP
  9. rossriley

    rossriley Guest

    #9
    Yes, Chris Shiflett recently wrote an example of how this is done. An attacker can add 0xbf27 into a text field, which addslashes() will modify to become 0xbf5c27; this is now an accented A followed by a single quote.

    Addslashes has actually been used to inject quotation marks where none existed.

    This is the very reason why the mysql_real_escape_string() function exists. There are equivalents for each database implementation. These must be used in place of addslashes.
     
    rossriley, Mar 4, 2006 IP
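The byte-level view of what rossriley describes, plus the fix, as an added example that is not part of the thread. It uses mysqli (the mysql_* functions named above were removed in PHP 7) and assumes a mysqli connection to a table users(name); the input bytes are constructed.

```php
<?php
// Added example, not from the thread: why addslashes() is charset-blind and
// how to escape (or better, bind) through the database driver instead.

function show_bytes(string $s): string {
    return implode(' ', str_split(bin2hex($s), 2));
}

// Constructed input: the byte 0xBF followed by a single quote (0x27).
$input = "\xBF\x27";
echo show_bytes($input), "\n";              // bf 27
echo show_bytes(addslashes($input)), "\n";  // bf 5c 27

// In a double-byte charset such as GBK, 0xBF 0x5C is one valid character, so
// the backslash addslashes() inserted is swallowed into that character and the
// quote at 0x27 reaches the SQL parser unescaped. mbstring shows the grouping:
echo mb_strlen(addslashes($input), 'GBK'), "\n"; // 2: one GBK char, then the quote

// The fix: tell the driver which charset the connection uses, then let the
// driver escape or bind. real_escape_string() is only charset-aware after
// set_charset(); a prepared statement avoids string escaping altogether.
function insert_user(mysqli $db, string $name): bool {
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare('INSERT INTO users (name) VALUES (?)');
    $stmt->bind_param('s', $name);
    return $stmt->execute();
}

// Usage (connection details are placeholders, assumed for the example):
// $db = new mysqli('localhost', 'user', 'password', 'app');
// insert_user($db, $input);
```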