I am coming to completion of a script I am creating and have not implemented any security features, such as protection against SQL injection and XSS, yet. Are there any others that I need to protect against? If so, could you possibly link me to the correct place, such as the PHP manuals? Thanks
You should probably keep these in mind as you create the script, as it might be much harder to fix when the script is done. Without knowing how your script is coded it is hard to give advice on what you should look out for, but perhaps this is a good read: http://phpsecurity.readthedocs.org/en/latest/Injection-Attacks.html This is also a nice read if you want to know more about how to protect your web applications: http://www.amazon.com/The-Web-Application-Hackers-Handbook/dp/1118026470
Are you looking for encrypting your script, which restricts any redistribution? Then you may use Zend platform or use ionCube for script encryption. But it may be unstable on many shared web hosting. An easy way is that a portion of your script can be hosted on a remote server so that only licensed users can enjoy the full benefits of your script. If you need more info please PM me for details.
Everything from setting maxlength on the input textboxes to the handling of the vars after the POST or GET method: sanitize them of any HTML chars and then do the final conversion to the $username type of PHP var that you can then use to email, store to the database, juggle, whatever. SQL injection starts with the first opportunity: your text input box has no maxlength, therefore a user can enter 10,000 lines of code if they want. Once they know your input textbox has no limit on the characters they can enter, they can enter SQL code like first_name = Biff ; DELETE * etc. That's how databases get dumped/deleted or their entire contents stolen. The second is when little snippets can be passed through and activated when they are stored to the database or called out again, basically putting a big bug into your database that's inevitably going to screw some code when it's pulled out. Imagine storing string chars, and their first name was = Bill"; BIG BUG to make your page say huh }}}} ; ;;;;;;;; If that was stored to the database like that and was later called into a script, you know what it would do, and your ERROR would say something like ERROR unexpected end in line 256. Sanitizing is based on protecting against all of these steps.
This does absolutely nothing. Don't even waste time with this. Unless you allow HTML or output this directly into a Javascript variable, this won't cause any trouble at all.
You really should have kept security in mind since the beginning. For now, make sure that each user input from forms and each $_GET value is checked before doing executions on it, like sending a query to the database using that input. Make sure each input is escaped with addslashes. It's not just SQL injection, you also need to worry about session hijacking and cookie hijacking. For sessions, make sure you destroy sessions after their use is over. If you are storing passwords or other sensitive info in cookies or sessions, then make sure they are encrypted. Once you retrieve data from sessions or cookies, make sure to validate it before using it. Setting maxlength in forms is not of much use because anyone can simply see the form's source code and use the "name" of the input field to post any amount of data to the responding script directly without actually using the original form. Do the checks and validation using your scripting language and not JavaScript, because JavaScript can be bypassed. If you are taking sensitive info like email, password etc. from forms, then make sure that those forms use the "post" method and not the "get" method. The GET values will travel in the URL and will be visible in access logs and on the network. Take care
I would recommend using proper DB handlers - mysql_ is insecure from the get-go. mysqli_ is a bit better, but it's still possible to fuck things up. PDO is my preferred handler in PHP - it's versatile, it's mainly secure (as long as you use prepared statements) and handles all the string parsing on its own - no need for htmlspecialchars() and addslashes() and other completely asinine functions anymore.
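To make the prepared-statement point concrete, here is an added example (not any poster's code) that puts a concatenated query next to a PDO bound-parameter query and adds htmlspecialchars() for the XSS half of the original question. It uses an in-memory SQLite database with two constructed rows so it runs offline; the table, rows and input string are all made up here.

```php
<?php
// Added example: PDO prepared statements vs. string concatenation.
// In-memory SQLite keeps it self-contained; the rows below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, first_name TEXT)');
$pdo->exec("INSERT INTO users (username, first_name) VALUES ('alice', 'Alice'), ('bob', 'Bob')");

// Vulnerable: the value is pasted into the SQL text, so a quote in the input
// ends the string literal and the remainder is interpreted as SQL.
function findByFirstNameUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, username FROM users WHERE first_name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed at prepare time and the value travels as a
// bound parameter, so it can never change the statement's structure.
function findByFirstName(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE first_name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Server-side length check (the point about maxlength being bypassable):
// reject over-long input here rather than relying on the HTML form.
function validateFirstName(string $name): bool {
    return $name !== '' && mb_strlen($name) <= 50;
}

// Output encoding is separate from query binding: PDO protects the database,
// htmlspecialchars() protects the page when the stored value is echoed back.
function renderUsername(string $username): string {
    return '<b>' . htmlspecialchars($username, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</b>';
}

// Constructed input: a classic tautology that matches no real first name.
$input = "x' OR '1'='1";

echo "valid length: " . (validateFirstName($input) ? 'yes' : 'no') . "\n";
echo "unsafe query rows: " . count(findByFirstNameUnsafe($pdo, $input)) . "\n"; // 2: the OR matched every row
echo "bound query rows:  " . count(findByFirstName($pdo, $input)) . "\n";       // 0: compared as a literal string
echo renderUsername('<script>alert(1)</script>') . "\n";                        // tags come out as &lt;script&gt;...
```

Run with `php example.php` on any PHP build with the pdo_sqlite extension; the two row counts are the whole lesson.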
If you are working with databases and you have NOT taken SQL injection into account AS you are writing your code, odds are your programming is filled with security holes and issues. I would feel just DIRTY writing 1 lick of database code without sanitizing and validating my data first. Are you even using PDO?