New to Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

captcadaver
Forum Newbie
Posts: 17
Joined: Fri Jul 17, 2009 11:12 pm

New to Security

Post by captcadaver »

I'm a noob at security. I'm coding a photo gallery for a student group.

There will be limited access for uploading pics, creating galleries and albums, etc. There will be commenting on pics, however.

What are some things to consider? What functions should I learn about for checking? Isn't there one I use to sanitize form input and prevent SQL injection?
Last edited by captcadaver on Sun Jul 19, 2009 3:25 am, edited 2 times in total.
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Noob

Post by jackpf »

If you're letting people upload stuff, then you'll want to make sure they're only uploading the file types you allow.

And if you're inserting stuff into a MySQL database, you'll have to run every piece of user-supplied text through mysql_real_escape_string.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Noob

Post by Weirdan »

And if you are showing text users sent to your server somewhere on a page, you need to escape it for HTML display (using htmlspecialchars() for example).
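
The two replies above (escape on the way into the database, escape on the way out to HTML) applied to the gallery's photo comments, as an added example that is not part of the original posts. It swaps in PDO prepared statements in place of mysql_real_escape_string; the table, column names and sample comments are constructed, and an in-memory SQLite database is assumed so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed schema for the example: one table of comments per photo.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (
    id INTEGER PRIMARY KEY,
    photo_id INTEGER NOT NULL,
    author TEXT NOT NULL,
    body TEXT NOT NULL
)');

// Store the comment exactly as typed. Placeholders send the text as data,
// so quotes in it never become part of the SQL statement.
function add_comment(PDO $pdo, int $photoId, string $author, string $body): void
{
    $stmt = $pdo->prepare(
        'INSERT INTO comments (photo_id, author, body) VALUES (:photo_id, :author, :body)'
    );
    $stmt->execute([':photo_id' => $photoId, ':author' => $author, ':body' => $body]);
}

// Escape at output time, for the context the text lands in (HTML element content).
function render_comments(PDO $pdo, int $photoId): string
{
    $stmt = $pdo->prepare('SELECT author, body FROM comments WHERE photo_id = :photo_id ORDER BY id');
    $stmt->execute([':photo_id' => $photoId]);
    $html = '';
    foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $author = htmlspecialchars($row['author'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $body = htmlspecialchars($row['body'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $html .= "<p><strong>{$author}</strong>: " . nl2br($body) . "</p>\n";
    }
    return $html;
}

// Constructed sample comments: one with SQL metacharacters, one with markup.
add_comment($pdo, 1, "O'Brien", "Nice shot'); DROP TABLE comments; --");
add_comment($pdo, 1, 'mallory', '<script>alert(1)</script>');
echo render_comments($pdo, 1);
```

Both comments are stored and displayed as literal text: the table still exists after the first insert, and the second comes out as `&lt;script&gt;`.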
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Noob

Post by Benjamin »

Forum Rules 1 1.1 2 wrote: Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.
You may also want to read:
  1. General Posting Guidelines
  2. Posting Code in the Forums
  3. PHP Manual
  4. PHP Tutorials
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Noob

Post by kaisellgren »

jackpf wrote:make sure they're only uploading the file types you allow.
I think that is kind of pointless. Consider a file that has no extension, the data stream starts with bytes 89 50 4E 47 0D 0A 1A 0A, continues with IHDR, PLTE, IDAT and IEND as well as one ancillary chunk iTXt containing PHP code. Now the question is which file type is that? Is it a PHP file or a PNG file? It's both. It can be used as a PNG file or as a PHP file. There's no way to make sure that a file is a specific type, because file type rules are so loose.
captcadaver wrote:I'm a noob at security.
Then I suggest you research. The Internet contains loads of information and you can have a look if your local library has any security books.
captcadaver wrote:There will be limited access for uploading pics, creating galleries and albums, etc. There will be commenting on pics, however.
What are some things to consider? What functions should I learn about for checking? Isn't there one I use to sanitize form input and prevent SQL injection?
The terms File Upload Security, SQL Injection, XSS and CSRF will play quite a large role in your application. Try to learn about them as much as you can and if you have specific questions, feel free to ask here.

You may also want to show us your code so that we can point out potential problems.
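
The file described in the post above, walked chunk by chunk, as an added example that is not part of the original post. The sample PNG is constructed in memory (a 1x1 greyscale image, so PLTE is omitted, with an inert PHP comment in the iTXt chunk); the function names are hypothetical and the zlib extension is assumed for `gzcompress`.

```php
<?php
declare(strict_types=1);

const PNG_SIGNATURE = "\x89PNG\r\n\x1a\n";   // bytes 89 50 4E 47 0D 0A 1A 0A

// Build one PNG chunk: 4-byte length, 4-byte type, data, CRC-32 over type + data.
function png_chunk(string $type, string $data): string
{
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}

// Walk the chunk list; return [type, data length, contains a PHP open tag] per chunk.
function png_list_chunks(string $bytes): array
{
    if (strncmp($bytes, PNG_SIGNATURE, 8) !== 0) {
        throw new InvalidArgumentException('no PNG signature');
    }
    $chunks = [];
    $offset = 8;
    $total = strlen($bytes);
    while ($offset + 12 <= $total) {
        $length = unpack('N', substr($bytes, $offset, 4))[1];
        $type = substr($bytes, $offset + 4, 4);
        if ($offset + 12 + $length > $total) {
            throw new InvalidArgumentException('truncated chunk');
        }
        $data = substr($bytes, $offset + 8, $length);
        $chunks[] = [$type, $length, stripos($data, '<' . '?php') !== false];
        $offset += 12 + $length;
        if ($type === 'IEND') {
            break;
        }
    }
    return $chunks;
}

// Constructed sample. iTXt layout: keyword, NUL, compression flag, compression
// method, language tag NUL, translated keyword NUL, then the text itself.
$itxt = "Comment\0\0\0\0\0" . '<' . '?php /* constructed marker */ ?' . '>';
$png = PNG_SIGNATURE
    . png_chunk('IHDR', pack('NNC5', 1, 1, 8, 0, 0, 0, 0))
    . png_chunk('IDAT', gzcompress("\x00\x00"))
    . png_chunk('iTXt', $itxt)
    . png_chunk('IEND', '');
foreach (png_list_chunks($png) as [$type, $length, $hasPhp]) {
    printf("%s %4d bytes%s\n", $type, $length, $hasPhp ? '  <-- PHP open tag' : '');
}
```

The signature check passes and every chunk has a valid CRC, yet the iTXt chunk carries text a PHP parser would recognise. Searching for one tag spelling is shown only to make the point visible; it is not a complete filter.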
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: Noob

Post by jackpf »

kaisellgren wrote:
jackpf wrote:make sure they're only uploading the file types you allow.
I think that is kind of pointless. Consider a file that has no extension, the data stream starts with bytes 89 50 4E 47 0D 0A 1A 0A, continues with IHDR, PLTE, IDAT and IEND as well as one ancillary chunk iTXt containing PHP code. Now the question is which file type is that? Is it a PHP file or a PNG file? It's both. It can be used as a PNG file or as a PHP file. There's no way to make sure that a file is a specific type, because file type rules are so loose.
Well if the file has no extension, then it's not got an extension that you allow.

Besides, if it's got php in it, and doesn't have an extension of .php, .php4 or something that PHP is supposed to parse, then surely it's harmless.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Noob

Post by kaisellgren »

jackpf wrote:if it's got php in it, and doesn't have an extension of .php, .php4 or something that PHP is supposed to parse, then surely it's harmless.
The end of the filename does not matter. If it's executed by the parser which recognizes PHP code, then the code will be executed. Improper permissions and LFI come to my mind first. A properly constructed file upload system can allow .php extensions without problems although there is no need for that and the whole filename should be randomly generated (forced).
jackpf
DevNet Resident
Posts: 2119
Joined: Sun Feb 15, 2009 7:22 pm
Location: Ipswich, UK

Re: New to Security

Post by jackpf »

Surely you'd place an .htaccess in the uploads folder telling Apache not to parse anything in that directory though :)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: New to Security

Post by kaisellgren »

jackpf wrote:Surely you'd place an .htaccess in the uploads folder telling Apache not to parse anything in that directory though :)
Improperly configured shared hosting environments with wrong file permissions or LFI do not obey .htaccess files (and .htaccess does not work on IIS). Actually, the uploaded files shouldn't even be in the document root at all. They should be located above the document root and under a folder only accessible by the right user (usually the home directory of the web host customer).

The issue is a lot larger than it may seem at first. If I upload a JPEG file with JavaScript, it is only dangerous to the user - not to your server, so, no configuration on the server-side protects your users. It's the way you handle files that makes you secure here.
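
One way to put the handling advice from the posts above together (forced random filename, storage outside the document root, and controlled delivery to the browser), as an added example that is not part of the original thread. It assumes the GD extension; the function names and the storage path are hypothetical, and re-encoding the image through GD is a technique added here, not one named in the thread.

```php
<?php
declare(strict_types=1);

// Decode the upload, write a fresh PNG from the pixels, store it under a forced random name.
function store_image(string $tmpPath, string $storageDir): string
{
    // In a real request handler, first check is_uploaded_file($tmpPath).
    $raw = file_get_contents($tmpPath);
    if ($raw === false) {
        throw new RuntimeException('cannot read upload');
    }
    $img = @imagecreatefromstring($raw);          // false for anything GD cannot decode
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    $name = bin2hex(random_bytes(16)) . '.png';   // the client's filename is never used
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!imagepng($img, $dest)) {                 // stores GD's output, not the uploaded bytes
        throw new RuntimeException('cannot write image');
    }
    chmod($dest, 0640);
    return $name;
}

// Serve a stored image through a script, since the storage directory has no URL of its own.
function send_image(string $name, string $storageDir): void
{
    $path = rtrim($storageDir, '/') . '/' . $name;
    if (!preg_match('/\A[0-9a-f]{32}\.png\z/', $name) || !is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: image/png');            // fixed type, not guessed from the file
    header('X-Content-Type-Options: nosniff');    // browser must not reinterpret the bytes
    header('Content-Length: ' . filesize($path));
    readfile($path);
}

// Constructed demo (CLI): a 2x2 image stands in for the uploaded temp file.
$storageDir = sys_get_temp_dir() . '/gallery-demo';   // placeholder for a directory outside the document root
if (!is_dir($storageDir)) {
    mkdir($storageDir, 0750, true);
}
$tmp = tempnam(sys_get_temp_dir(), 'upl');
imagepng(imagecreatetruecolor(2, 2), $tmp);
$stored = store_image($tmp, $storageDir);
unlink($tmp);
echo "stored as {$stored}\n";
```

Because the stored file is written by GD from decoded pixels, text chunks in the original upload are not copied across; the fixed `Content-Type` with `nosniff` covers the browser-side handling the last post refers to.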