New at PHP Security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

kendall
Forum Regular
Posts: 852
Joined: Tue Jul 30, 2002 10:21 am
Location: Trinidad, West Indies

Post by kendall »

Hey guys,

I need some advice...

I have been given a chance to tender for a really big project that involves building user-input applications (forums, registrations), multi-lingual, and also secure download.

The tender also has requirements regarding security, with the emphasis on the following vulnerabilities:

In particular, the website should not be vulnerable to the following attacks:
• Parameter injection
• Command Execution
• SQL Injection
• Cross-site scripting
• Path Manipulation
• Application mapping
• Certificate analysis
• Absolute Path Detection
• Brute Force Authentication attacks
• Directory Traversal
• Buffer Overflows
• Path Truncation
• Character Stripping
• Crawling
• Directory Enumeration
• Sensitive Developer Comments
• Error Message Identification
• Parameter Addition
• Character Encoding
I admit... I am one that has not used best practices when developing my PHP apps (a lot of $_GETting) and am not big on internal error handling. So now I need to learn some tricks... I am perusing this part of the forum index as we speak... Can someone briefly give me some common basics on security when developing code to prevent the exploits stated, given that the scope of development entails what I stated about the project's scope of work?

Thanks..
Kendall
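As an added illustration of three items from the tender list above (SQL injection, cross-site scripting, and path manipulation / directory traversal), not code from the original thread: each is shown as the unsafe pattern beside its hardened replacement. The table name `users`, the `$downloadDir` argument and the in-memory SQLite database are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Assumes a PDO connection and a
// download directory; the SQLite database and files below are constructed
// in-process so the script runs offline.
declare(strict_types=1);

// --- SQL injection ----------------------------------------------------------
// Unsafe: the value is concatenated into the statement, so
//   ' OR '1'='1
// turns "find this user" into "find any user".
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '" . $username . "'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened: a prepared statement sends the value separately from the SQL text,
// so the database never re-parses it as part of the query.
function findUserSafe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Cross-site scripting ---------------------------------------------------
// Unsafe: raw input is echoed straight into the HTML response.
function greetUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Hardened: encode for the HTML context at output time, naming the charset so
// multi-byte sequences cannot be mis-decoded into markup.
function greetSafe(string $name): string
{
    return '<p>Hello, ' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// --- Path manipulation / directory traversal --------------------------------
// Unsafe: ?file=../../etc/passwd walks straight out of the download directory.
function downloadPathUnsafe(string $downloadDir, string $file): string
{
    return $downloadDir . '/' . $file;
}

// Hardened: accept only a plain file name, resolve it, and then confirm the
// resolved path still lies inside the directory (realpath() also follows
// symlinks, so a link pointing outside is caught too).
function downloadPathSafe(string $downloadDir, string $file): ?string
{
    if (!preg_match('/^[A-Za-z0-9._-]+$/', $file) || $file === '.' || $file === '..') {
        return null;
    }
    $base = realpath($downloadDir);
    $path = realpath($downloadDir . DIRECTORY_SEPARATOR . $file);
    if ($base === false || $path === false) {
        return null;
    }
    // Compare with the trailing separator included, so "/srv/dl" does not
    // accept "/srv/dl-private/secret".
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration with constructed data.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$pdo->exec("INSERT INTO users (username) VALUES ('alice'), ('bob')");

$attack = "' OR '1'='1";
var_dump(findUserUnsafe($pdo, $attack)); // a row comes back: the injection worked
var_dump(findUserSafe($pdo, $attack));   // NULL: nobody is literally named that

echo greetUnsafe('<script>alert(1)</script>'), PHP_EOL; // script tag reaches the browser
echo greetSafe('<script>alert(1)</script>'), PHP_EOL;   // rendered as harmless text

$dir = sys_get_temp_dir() . '/dl_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/report.pdf", 'x');
var_dump(downloadPathSafe($dir, 'report.pdf'));       // the resolved real path
var_dump(downloadPathSafe($dir, '../../etc/passwd')); // NULL
```

The same shape applies to every other item in the list that involves input: decide what a valid value looks like, reject anything else, and encode for the context (SQL, HTML, filesystem path, shell) at the point where the value is used.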
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

The basic rundown:
  • don't trust user input (validation and verification are the name of the game)
  • shared hosts typically aren't very secure
  • CGI run PHP is a tiny bit more secure than module run
  • be aware of user affected server variables
  • don't use eval() or blind includes, use error handling where possible
  • encryption is your friend
  • higher level hashes are preferred
  • be very careful when allowing uploads
  • enforce strong passwords and rotation of passwords, verify that the new password isn't an older password (keep at least three older ones, hashed)
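An added example, not from feyd's post, of what the last four bullets look like in PHP: salted slow hashing, a strong-password rule, a history of previous hashes that rejects reuse, and a defensive upload handler. The password rules, the newest-first layout of `$history`, the allowed upload types and the constructed PNG header are assumptions made for the demonstration.

```php
<?php
// Added example, not from the original post. Policy values and the history
// layout are assumptions chosen for illustration.
declare(strict_types=1);

const PASSWORD_HISTORY = 3; // older hashes to keep, as the post suggests

// Assumed strength rule: at least 12 characters drawn from four classes.
function isStrongPassword(string $pw): bool
{
    return strlen($pw) >= 12
        && preg_match('/[a-z]/', $pw)
        && preg_match('/[A-Z]/', $pw)
        && preg_match('/[0-9]/', $pw)
        && preg_match('/[^A-Za-z0-9]/', $pw);
}

// $history holds password hashes newest-first; index 0 is the current one.
// Returns the updated history, or null if the change is rejected.
function changePassword(array $history, string $current, string $new): ?array
{
    // Only someone who knows the current password may change it.
    if ($history === [] || !password_verify($current, $history[0])) {
        return null;
    }
    if (!isStrongPassword($new)) {
        return null;
    }
    // Reject the current password and any of the kept older ones. Each hash
    // carries its own salt, so the candidate must be verified against each.
    foreach ($history as $oldHash) {
        if (password_verify($new, $oldHash)) {
            return null;
        }
    }
    // PASSWORD_DEFAULT follows PHP's current recommended algorithm (bcrypt today).
    array_unshift($history, password_hash($new, PASSWORD_DEFAULT));
    return array_slice($history, 0, PASSWORD_HISTORY + 1);
}

// Upload handling: ignore the client-supplied name and MIME type, inspect the
// bytes, allow a short list of types, and store under a server-chosen name.
function storeUpload(string $tmpPath, string $storeDir): ?string
{
    $allowed = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'application/pdf' => 'pdf'];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $type = $finfo->file($tmpPath);
    if ($type === false || !isset($allowed[$type])) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$type];
    $dest = rtrim($storeDir, '/') . '/' . $name;
    // In a real request handler use move_uploaded_file(), which refuses files
    // that did not arrive via HTTP upload; rename() lets this demo run offline.
    if (!rename($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0640); // never executable; the web server only needs to read it
    return $name;
}

// Demonstration with constructed data.
$history = [password_hash('Correct-Horse-Battery-1', PASSWORD_DEFAULT)];
var_dump(changePassword($history, 'wrong-current', 'New-Password-2024!') === null); // true
var_dump(changePassword($history, 'Correct-Horse-Battery-1', 'short') === null);    // true
var_dump(changePassword($history, 'Correct-Horse-Battery-1', 'Correct-Horse-Battery-1') === null); // true: reuse
$history = changePassword($history, 'Correct-Horse-Battery-1', 'Another-Strong-Pass-2');
var_dump(count($history)); // int(2): new hash first, previous one retained

$tmp = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)); // constructed PNG signature
var_dump(storeUpload($tmp, sys_get_temp_dir())); // 32 hex characters followed by ".png"
```

Keeping the history as hashes rather than plaintext means reuse can only be detected by verifying the candidate against each stored hash, which costs one slow hash per entry; with three or four entries that is negligible and is the point of the design.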
kendall
Forum Regular
Posts: 852
Joined: Tue Jul 30, 2002 10:21 am
Location: Trinidad, West Indies

Post by kendall »

feyd,

Thanks... I have seriously been considering my attitude towards it now... What books would you recommend to me?

Kendall
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Hmm
  • Chris Shiflett's Essential PHP Security (ISBN 0-596-00656-X) is pretty good if all you need is somewhat terse descriptions of exploits and vulnerabilities.
  • Code Complete (2nd edition: ISBN 0-7356-1967-0)
  • Writing Secure Code (2nd edition: ISBN 0-7356-1722-8)
  • High Assurance Design (ISBN 0-321-37577-7)
  • Preventing Web Attacks with Apache (ISBN 0-321-32128-6)
Plus the usual assortment of Martin Fowler and Gang of Four books that have been cited in OOP threads would likely be beneficial too.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

I would recommend that you develop with the options mentioned by feyd in mind... Afterwards you can use your own list to validate...

(But first developing something and then trying to add support for each security item on your list is almost certainly going to become a painful path.)
kendall
Forum Regular
Posts: 852
Joined: Tue Jul 30, 2002 10:21 am
Location: Trinidad, West Indies

Post by kendall »

I would recommend that you develop with the options mentioned by feyd in mind... Afterwards you can use your own list to validate...
Thanks... Trust me, I was really unaware of these things... However, I do admit that some of it was unconsciously done.
you sell fishing lines
lol... lucrative business for a developer