Steps to take for security and good code

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Steps to take for security and good code

Post by php_wiz_kid »

Hey everyone,
I would like to know what I should do to make sure I'm writing good code that is secure. I have error_reporting set to E_ALL so none of my scripts have any errors pertaining to E_ALL. I also declare all my variables using the settype() function. I know that variable declaration and setting a variable data type are not needed or really necessary in PHP but I've read in places that it's good practice (especially with E_ALL). Also, when using global variables such as $_POST, $_GET, and $_SESSION I get errors that say:
Undefined index: [form object name] in ...
Does anyone know a good way of getting around this? Right now I have my scripts set to turn all !isset data to null, like this:

Code:

if(!isset($_POST['username'])) {
  $_POST['username'] = null;
}
I'm afraid this isn't good practice and I don't really know what to do about it.

I also get this error:
Undefined offset:1 in ...
I really don't know what to do about that one. Here's the line of code it's throwing this out at:

Code:

list($user, $host) = split("@", $_POST['email']);
I also validate like mad so I think I've got user validation down.

Thanks in advance to anyone with tips and help. Also, I'm not new to PHP programming so please don't treat me like I'm some stupid beginner. I'm self taught and haven't really had anybody set me in any real direction. What I know is from what I've read in forums and a few books, and I try the best I can.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Sounds like you have the basics covered. As for your undefined offset: use preg_match() to determine whether the address falls into a basic format. split() is a POSIX regular expression function whose power you aren't really using; explode() may be better in this case. However, I'd let the returned array fall into a single variable, then check whether the size of the array is two elements.
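The approach feyd describes, as an added example that is not code from the thread or from any poster: reject addresses that fail a basic preg_match() check, then explode() into one variable and test count() before unpacking, so the "Undefined offset: 1" notice never fires. The field name 'email', the sample inputs and the helper name splitEmail() are constructed for this illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): parse the user/host parts of an
// e-mail address without "Undefined offset" notices, with a basic-format
// preg_match() check first, as feyd suggests.
// The field name 'email', the helper name and the sample inputs are
// constructed for this illustration (assumes PHP 7.1+).

declare(strict_types=1);

/**
 * Return [user, host] for a syntactically plausible address, or null.
 *
 * The pattern is deliberately a *basic* format check (exactly one '@',
 * no whitespace, a dotted host ending in a letters-only label); it is not
 * RFC 5322. Anything failing it is rejected before explode() runs, so the
 * caller never indexes an element that does not exist.
 */
function splitEmail(string $email): ?array
{
    $email = trim($email);

    // The D modifier stops '$' from matching before a trailing newline.
    if (!preg_match('/^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$/D', $email)) {
        return null;
    }
    if (strlen($email) > 254) {      // practical upper bound for an address
        return null;
    }

    // Let the whole array land in one variable, then check its size.
    $parts = explode('@', $email);
    if (count($parts) !== 2) {
        return null;
    }

    return [$parts[0], strtolower($parts[1])];
}

// Read the field without writing into $_POST and without an E_ALL notice.
// The is_string() check matters: a request with email[]=x makes
// $_POST['email'] an array, and explode() would then throw a TypeError.
$rawEmail = isset($_POST['email']) && is_string($_POST['email'])
    ? $_POST['email']
    : '';

$result = splitEmail($rawEmail);
if ($result === null) {
    $user = $host = null;            // treat as a validation failure
} else {
    [$user, $host] = $result;
}

// Self-check with constructed inputs (run from the CLI: php thisfile.php).
if (PHP_SAPI === 'cli') {
    $cases = [
        'alice@example.com'  => ['alice', 'example.com'],
        'no-at-sign'         => null,   // the input behind "Undefined offset: 1"
        'two@at@signs.com'   => null,   // more than one '@'
        "bob@example.com\n"  => ['bob', 'example.com'],  // trailing newline trimmed
        '"a b"@example.com'  => null,   // whitespace fails the basic check
        ''                   => null,
    ];
    foreach ($cases as $input => $expected) {
        if (splitEmail($input) !== $expected) {
            fwrite(STDERR, 'FAIL: ' . var_export($input, true) . "\n");
            exit(1);
        }
    }
    echo "all cases passed\n";
}
```

Note that the local copy of the field is read with isset() and is_string() rather than by assigning null into $_POST itself: writing into the superglobal hides the difference between "not sent" and "sent empty" from every later check in the script, and a later check that assumes a string would otherwise crash on array-shaped input.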
php_wiz_kid
Forum Contributor
Posts: 181
Joined: Tue Jun 24, 2003 7:33 pm

Post by php_wiz_kid »

Is there any place I can find what all the slashes and stuff do with preg_match()? I looked in the PHP docs but haven't found anything. Doesn't it have something to do with Perl? Since I know nothing about Perl I guess that really doesn't help :?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

We've posted many links to various informational sites about regular expressions all over the boards here. You may want to start by looking through the PHP Starter Pack and Useful Posts threads in the PHP - Code board.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Steps to take for security and good code

Post by Roja »

php_wiz_kid wrote:Hey everyone,
Does anyone know a good way of getting around this. Right now I have my scripts set to turn all !isset data to null, like this:

Code:

if(!isset($_POST['username'])) {
  $_POST['username'] = null;
}
I'm afraid this isn't good practice and I don't really know what to do about it.
As far as I know, that's good practice; it's setting an unused variable to a blank value.

I use it all the time, and I haven't seen an alternative that was "more secure".
php_wiz_kid wrote: I also get this error:
Undefined offset:1 in ...
The problem there is that an array (in this case, probably $host) has an element that isn't defined. So when you explode it, it's receiving data that doesn't define the first offset. My suggestion is to move away from explode, and try looking at the data to find a different method to break it up.

In all likelihood, the email address either isn't what you expected, or your explode is too simplistic.

Try doing a var_dump of the contents of $user and $host. I'm willing to bet one of them isn't working right.
trukfixer
Forum Contributor
Posts: 174
Joined: Fri May 21, 2004 3:14 pm
Location: Miami, Florida, USA

Post by trukfixer »

php_wiz_kid wrote:Is there any place I can find what all the slashes and stuff do with preg_match()? I looked in the PHP docs but haven't found anything. Doesn't it have to do something with PERL? Since I know nothing about PERL I guess that really doesn't help :?
Hi. Just wanted to suggest that you can practice and play with your PREG_* regex expressions all you want at this little tool I made (very simplistic, but I use it often to tweak regex patterns until I get exactly the results I'm looking for).

You can find it at http://www.phplogix.com/meta/index.php

BTW, the PREG_* prefix is basically short for "Perl-Compatible Regular Expression", so if you search php.net for that on the whole site, you'll probably find a wealth of info.

(The site itself is really pointless if you look for just phplogix.com; I haven't built any coherent site on it at this point, I just use it for my development area :)

I initially set it up for my own use. Feel free to use it for your own testing as you wish.

The / before and after your pattern defines the whole pattern for PHP. The \ backslash is a "literal" escape, meaning that you need to write \. to tell PHP to look JUST for the decimal point; otherwise, if you don't, PHP takes . to mean "any character". Basically you need to escape the special characters if you want those to be literally looked for in your regex pattern.

And that's just a sample primer on it.

What I normally do to avoid errors on $_POST checks is use empty() rather than isset(). You could set a value to "" and isset() would see it as set under some circumstances, and it would get past your checks for those values.

I guess it's all just up to the programmer style and preference :)

Hope this helps. Looks like the other guys here have most everything else covered. :)

Bri!
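The isset()/empty() distinction trukfixer raises, as an added example that is not code from the thread or from any poster, and going one step further than the post: it shows how each function judges absent, blank, "0", whitespace-only and array-shaped input, and wraps the checks a practitioner actually wants in one reader. The field name 'username', the helper names postString() and judge(), and the sample request arrays are constructed for this illustration; it assumes PHP 7.1 or later.

```php
<?php
// Added example (not from the thread): how isset() and empty() each treat
// form input, and a small reader that avoids both the E_ALL notice and the
// trap that empty("0") is true. The field name 'username', the helper
// names and the sample request bodies are constructed (assumes PHP 7.1+).

declare(strict_types=1);

/**
 * Fetch a string field from a request array such as $_POST.
 * Returns null when the field is absent, is not a string (username[]=x
 * arrives as an array), is blank after trimming, is too long, or contains
 * control characters. The string "0" is a legitimate value and is kept.
 */
function postString(array $src, string $key, int $maxLen = 255): ?string
{
    if (!isset($src[$key]) || !is_string($src[$key])) {
        return null;                         // absent, null, or an array
    }
    $value = trim($src[$key]);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;                         // blank or oversized
    }
    // Reject control characters (CR/LF included), which should never
    // appear in a username and can break anything that writes headers.
    if (preg_match('/[\x00-\x1F\x7F]/', $value)) {
        return null;
    }
    return $value;
}

/** Report how isset(), empty() and postString() each judge one field. */
function judge(array $src, string $key): array
{
    return [
        'isset' => isset($src[$key]),
        'empty' => empty($src[$key]),
        'value' => postString($src, $key),
    ];
}

if (PHP_SAPI === 'cli') {
    // Constructed request bodies standing in for $_POST.
    $requests = [
        'missing'        => [],
        'blank'          => ['username' => ''],
        'zero'           => ['username' => '0'],     // a legal username
        'spaces'         => ['username' => '   '],
        'array-injected' => ['username' => ['x']],   // sent as username[]=x
        'crlf'           => ['username' => "bri\r\nX-Injected: 1"],
        'ok'             => ['username' => ' bri '],
    ];
    foreach ($requests as $label => $post) {
        $r = judge($post, 'username');
        printf("%-15s isset=%-5s empty=%-5s postString=%s\n",
            $label,
            var_export($r['isset'], true),
            var_export($r['empty'], true),
            var_export($r['value'], true));
    }
}
```

Running it shows why neither built-in is enough on its own: isset() is true for an empty string, so it passes "blank" through, while empty() is true for the string "0", so a user whose name or password is literally "0" is rejected as if nothing was sent. Whitespace-only and array-shaped values satisfy both functions and are only caught by the explicit trim(), is_string() and length checks in postString(). Reading through a helper like this also keeps $_POST untouched, so the rest of the script can still tell "not sent" from "sent empty".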