New to Security
Posted: Sat Jul 18, 2009 4:35 pm
by captcadaver
I'm a noob at security. I'm coding a photo gallery for a student group.
There will be limited access for uploading pics, creating galleries and albums, etc. There will be commenting on pics, however.
What are some things to consider? What functions should I learn about for checking? Isn't there one I use to sanitize form input and prevent SQL injection?
Re: Noob
Posted: Sat Jul 18, 2009 5:50 pm
by jackpf
If you're letting people upload stuff, then you'll want to make sure they're only uploading the file types you allow.
And if you're inserting stuff into a mysql database, you'll have to run every piece of user supplied text through mysql_real_escape_string.
Re: Noob
Posted: Sat Jul 18, 2009 8:43 pm
by Weirdan
And if you are showing text users sent to your server somewhere on a page, you need to escape it for html display (using htmlspecialchars() for example).
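The two pieces of advice above (escape what goes into the database, escape what comes out onto the page) put together for the comment feature, as an added example that is not part of either post. It assumes a hypothetical table `comments(id, photo_id, author, body, created_at)` and an open `mysqli` connection `$db`; it uses mysqli prepared statements, since the ext/mysql functions (`mysql_real_escape_string` and friends) were removed in PHP 7.0.

```php
<?php
// Added example, not from the thread. Hypothetical schema:
//   comments(id, photo_id, author, body, created_at)
// $db is an open mysqli connection (assumed).
declare(strict_types=1);

function saveComment(mysqli $db, int $photoId, string $author, string $body): int
{
    // The values never become part of the SQL text: they are bound as parameters,
    // so a body like  ' OR 1=1 --  is stored literally instead of changing the query.
    $stmt = $db->prepare(
        'INSERT INTO comments (photo_id, author, body, created_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->bind_param('iss', $photoId, $author, $body);
    $stmt->execute();
    return (int) $db->insert_id;
}

function listComments(mysqli $db, int $photoId): array
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE photo_id = ? ORDER BY id');
    $stmt->bind_param('i', $photoId);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// HTML escaping happens at output time, not at storage time, so the same stored
// text can later be emitted in another context (JSON, plain-text mail) correctly.
function e(string $text): string
{
    // ENT_QUOTES also escapes the single quote, so the value is safe inside
    // single-quoted attributes; ENT_SUBSTITUTE keeps invalid UTF-8 from turning
    // the whole string into "".
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComments(array $comments): string
{
    $html = "<ul class=\"comments\">\n";
    foreach ($comments as $c) {
        $html .= '  <li><b>' . e($c['author']) . '</b>: ' . e($c['body']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample input; the rendering step needs no database.
$sample = [['author' => 'bob', 'body' => '<script>alert(1)</script> nice pic']];
echo renderComments($sample);
```

The point of `e()` being a separate function is that every place a stored string meets HTML goes through the same call; the SQL side needs no escaping function at all once the values are bound.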
Re: Noob
Posted: Sat Jul 18, 2009 11:28 pm
by Benjamin
Forum Rules 1 1.1 2 wrote:
Use descriptive subjects when you start a new thread. Vague titles such as "Help!", "Why?" are misleading and keep you from receiving an answer to your question.
You may also want to read:
- General Posting Guidelines
- Posting Code in the Forums
- PHP Manual
- PHP Tutorials
Re: Noob
Posted: Sat Jul 25, 2009 12:50 am
by kaisellgren
jackpf wrote:make sure they're only uploading the file types you allow.
I think that is kind of pointless. Consider a file that has no extension, the data stream starts with bytes 89 50 4E 47 0D 0A 1A 0A, continues with IHDR, PLTE, IDAT and IEND as well as one ancillary chunk iTXt containing PHP code. Now the question is which file type is that? Is it a PHP file or a PNG file? It's both. It can be used as a PNG file or as a PHP file. There's no way to make sure that a file is a specific type, because file type rules are so loose.
captcadaver wrote:I'm a noob at security.
Then I suggest you do some research. The Internet contains loads of information, and you can have a look at whether your local library has any security books.
captcadaver wrote:There will be limited access for uploading pics, creating galleries and albums, etc. There will be commenting on pics, however.
What are some things to consider? What functions should I learn about for checking? Isn't there one I use to sanitize form input and prevent SQL injection?
Terms like File Upload Security, SQL Injection, XSS and CSRF will play quite a large role in your application. Try to learn about them as much as you can and if you have specific questions, feel free to ask here.
You may also want to show us your code so that we can point out potential problems.
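The PNG/PHP polyglot kaisellgren describes, built and then inspected, as an added example that is not part of his post. The "payload" is a harmless `echo`, and nothing here hands the file to the PHP parser; the block only shows which checks the file passes (signature, `getimagesize`, libmagic) and which one actually finds the code (walking the chunks). It needs the fileinfo and zlib extensions.

```php
<?php
// Added example, not from the thread: a valid PNG whose iTXt chunk carries PHP code.
declare(strict_types=1);

function pngChunk(string $type, string $data): string
{
    // length (4, big-endian) + type (4) + data + CRC32 over type+data
    return pack('N', strlen($data)) . $type . $data . pack('N', crc32($type . $data));
}

// A 1x1 palette PNG: IHDR, PLTE, iTXt (the payload), IDAT, IEND. Every CRC is
// correct, so strict decoders accept it; iTXt is an ancillary chunk they ignore.
function buildPolyglotPng(string $phpCode): string
{
    $sig  = "\x89PNG\r\n\x1a\n";
    $ihdr = pack('NNCCCCC', 1, 1, 8, 3, 0, 0, 0);   // 1x1, 8 bit, colour type 3 (palette)
    $plte = "\x00\x00\x00";                          // one black palette entry
    $idat = gzcompress("\x00\x00");                  // filter byte 0 + pixel index 0 (zlib)
    // iTXt layout: keyword NUL, compression flag, compression method,
    //              language tag NUL, translated keyword NUL, text
    $itxt = "Comment\0" . "\0" . "\0" . "\0" . "\0" . $phpCode;
    return $sig
        . pngChunk('IHDR', $ihdr)
        . pngChunk('PLTE', $plte)
        . pngChunk('iTXt', $itxt)
        . pngChunk('IDAT', $idat)
        . pngChunk('IEND', '');
}

// --- checks that look reasonable but do not catch the polyglot ---------------

function looksLikePng(string $bytes): bool
{
    return strncmp($bytes, "\x89PNG\r\n\x1a\n", 8) === 0;   // magic bytes only
}

function finfoMime(string $bytes): string
{
    return (new finfo(FILEINFO_MIME_TYPE))->buffer($bytes);    // libmagic's opinion
}

function isDecodablePng(string $bytes): bool
{
    $info = @getimagesizefromstring($bytes);
    return $info !== false && $info[2] === IMAGETYPE_PNG;
}

// --- the check that does: walk the chunk list and look inside text chunks ----

function findPhpInPngChunks(string $bytes): array
{
    $hits = [];
    $pos  = 8;                                            // skip the signature
    while ($pos + 8 <= strlen($bytes)) {
        $len  = unpack('N', substr($bytes, $pos, 4))[1];
        $type = substr($bytes, $pos + 4, 4);
        $data = substr($bytes, $pos + 8, $len);
        if (in_array($type, ['tEXt', 'zTXt', 'iTXt'], true)
            && stripos($data, '<?php') !== false) {
            $hits[] = $type;
        }
        $pos += 12 + $len;                                // length + type + data + crc
        if ($type === 'IEND') {
            break;
        }
    }
    return $hits;
}

$png = buildPolyglotPng('<?php echo "hello from a PNG"; ?>');
var_dump(looksLikePng($png), isDecodablePng($png), finfoMime($png));
var_dump(findPhpInPngChunks($png));
// If a misconfiguration (LFI, a mis-set handler) ever feeds these bytes to the PHP
// parser, everything before <?php is printed as-is and the echo runs: same bytes,
// two file types, exactly the point made above.
```

Extension whitelists, magic-byte checks and `getimagesize` all answer "is this a PNG?" and the honest answer is yes; only a parser that knows the PNG structure can say "and it also carries text that looks like code", and even that only catches text chunks, not data hidden in IDAT or after IEND. That is why the thread moves on to where the file is stored and how it is served rather than what it is.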
Re: Noob
Posted: Sat Jul 25, 2009 5:42 am
by jackpf
kaisellgren wrote:jackpf wrote:make sure they're only uploading the file types you allow.
I think that is kind of pointless. Consider a file that has no extension, the data stream starts with bytes 89 50 4E 47 0D 0A 1A 0A, continues with IHDR, PLTE, IDAT and IEND as well as one ancillary chunk iTXt containing PHP code. Now the question is which file type is that? Is it a PHP file or a PNG file? It's both. It can be used as a PNG file or as a PHP file. There's no way to make sure that a file is a specific type, because file type rules are so loose.
Well if the file has no extension, then it's not got an extension that you allow.
Besides, if it's got php in it, and doesn't have an extension of .php, .php4 or something that PHP is supposed to parse, then surely it's harmless.
Re: Noob
Posted: Sat Jul 25, 2009 6:25 am
by kaisellgren
jackpf wrote:if it's got php in it, and doesn't have an extensions of .php, .php4 or something that PHP is supposed to parse, then surely it's harmless.
The end of the filename does not matter. If it's executed by the parser which recognizes PHP code, then the code will be executed. Improper permissions and LFI come to my mind first. A properly constructed file upload system can allow .php extensions without problems although there is no need for that and the whole filename should be randomly generated (forced).
Re: New to Security
Posted: Sat Jul 25, 2009 6:31 am
by jackpf
Surely you'd place an .htaccess in the uploads folder telling apache not to parse anything in that directory though

Re: New to Security
Posted: Sat Jul 25, 2009 8:51 am
by kaisellgren
jackpf wrote:Surely you'd place a htaccess in the uploads folder telling apache not to parse anything in that directory though

Improperly configured shared hosting environment with wrong file permissions or LFI do not obey .htaccess files (and .htaccess does not work on IIS). Actually, the uploaded files shouldn't even be in the document root at all. They should be located above the document root and under a folder only accessible by the right user (usually the home directory of the web host customer).
The issue is a lot larger than it may seem at first. If I upload a JPEG file with JavaScript, it is only dangerous to the user - not to your server, so, no configuration on the server-side protects your users. It's the way you handle files that makes you secure here.
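The layout kaisellgren recommends (files above the document root, a forced random filename, content sniffed rather than trusted, and every file served through a script with an explicit Content-Type), as an added example that is not taken from the thread. The paths `/home/gallery/uploads` and `/home/gallery/public_html`, the `serve.php?id=` route and the `ALLOWED` map are all hypothetical; it needs the fileinfo extension and uses GD to re-encode when it is available.

```php
<?php
// Added example, not from the thread. Hypothetical layout:
//   /home/gallery/public_html   document root (upload.php, serve.php live here)
//   /home/gallery/uploads       not reachable by any URL; only serve.php reads it
declare(strict_types=1);

const UPLOAD_DIR = '/home/gallery/uploads';
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];
const MAX_BYTES  = 5 * 1024 * 1024;

// Stores one entry of $_FILES and returns its random id; throws on anything odd.
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Decide the type from the bytes; the client's filename and its Content-Type
    // header are never consulted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported image type');
    }
    $ext  = ALLOWED[$mime];
    $data = file_get_contents($file['tmp_name']);

    // Re-encode through GD: decoding the pixels and writing a fresh image drops
    // text chunks, EXIF and anything appended after the image, so a PNG/PHP
    // polyglot comes out the other side as a plain picture. (Animated GIFs lose
    // their animation; accept that or reject GIF.)
    if (extension_loaded('gd')) {
        $img = @imagecreatefromstring($data);
        if ($img === false) {
            throw new RuntimeException('corrupt image');
        }
        ob_start();
        if ($ext === 'png') {
            imagepng($img);
        } elseif ($ext === 'gif') {
            imagegif($img);
        } else {
            imagejpeg($img, null, 90);
        }
        $data = ob_get_clean();
        imagedestroy($img);
    }

    $id   = bin2hex(random_bytes(16));               // forced random name, no user input in it
    $path = UPLOAD_DIR . '/' . $id . '.' . $ext;
    if (file_put_contents($path, $data, LOCK_EX) === false) {
        throw new RuntimeException('write failed');
    }
    chmod($path, 0640);                              // readable by the web user, never executable
    return $id;
}

// serve.php?id=<32 hex chars>: the only way a stored file reaches a browser.
function serveImage(string $id): void
{
    if (!preg_match('/^[0-9a-f]{32}$/', $id)) {      // whitelist the id, so no ../ is possible
        http_response_code(404);
        return;
    }
    foreach (ALLOWED as $mime => $ext) {
        $path = UPLOAD_DIR . "/$id.$ext";
        if (is_file($path)) {
            header('Content-Type: ' . $mime);
            header('X-Content-Type-Options: nosniff'); // browser must not reinterpret it as HTML
            header('Content-Disposition: inline; filename="' . $id . '.' . $ext . '"');
            header('Content-Length: ' . (string) filesize($path));
            readfile($path);
            return;
        }
    }
    http_response_code(404);
}

// Wiring, in upload.php and serve.php respectively:
// $id = storeUpload($_FILES['photo']);
// serveImage($_GET['id'] ?? '');
```

With this layout there is nothing for an `.htaccess` to protect: no upload is under the document root, so neither Apache nor IIS will ever execute one, and an LFI in some other script still only finds a re-encoded image under a name the attacker cannot choose. The `Content-Type` plus `nosniff` on the way out covers the other half of the post, the JPEG-with-JavaScript case: the browser renders the bytes as an image or not at all.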