New at PHP Security

Posted: Mon Oct 16, 2006 8:47 pm
by kendall
Hey guys,

I need some advice...

I have been given a chance to tender for a really big project that involves building user input applications (forums, registrations), multi-lingual, and also secure download.

The tender also has requirements regarding security with the emphasis on the following vulnerabilities:

In particular, the website should not be vulnerable to the following attacks:
• Parameter injection
• Command Execution
• SQL Injection
• Cross-site scripting
• Path Manipulation
• Application mapping
• Certificate analysis
• Absolute Path Detection
• Brute Force Authentication attacks
• Directory Traversal
• Buffer Overflows
• Path Truncation
• Character Stripping
• Crawling
• Directory Enumeration
• Sensitive Developer Comments
• Error Message Identification
• Parameter Addition
• Character Encoding
I admit... I am one that has not used best practices when developing my PHP apps (a lot of $_GETting), not big on internal error handling. So now I need to learn some tricks... I am perusing this part of the forum index as we speak... Can someone, like, briefly give me some common basics on security when developing code to prevent such exploits as stated, given that the scope of development entails what I had stated about the project's scope of work?

Thanks..
Kendall

Posted: Mon Oct 16, 2006 9:40 pm
by feyd
The basic rundown:
  • don't trust user input (validation and verification are the name of the game)
  • shared hosts typically aren't very secure
  • CGI run PHP is a tiny bit more secure than module run
  • be aware of user affected server variables
  • don't use eval() or blind includes, use error handling where possible
  • encryption is your friend
  • higher level hashes are preferred
  • be very careful when allowing uploads
  • enforce strong passwords and rotation of passwords, verify that the new password isn't an older password (keep at least three older ones, hashed)
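As an added example (not code from this thread), here is a small PHP request handler that applies feyd's rundown in one place: whitelist validation of $_GET, a parameterised query instead of string-built SQL, output escaping, exceptions logged rather than echoed, and a slow password hash with a three-entry history check. It assumes PHP 7.4+ with PDO and SQLite available, and a hypothetical users table whose old_hashes column holds a JSON array of the last three hashes; the table, the row, and the sample requests are constructed inside the script so it runs offline.

```php
<?php
// Added example, not from the thread. Assumes PHP 7.4+ with PDO + SQLite and a
// hypothetical table users(id, name, password_hash, old_hashes) where old_hashes
// is a JSON array of the three most recent previous hashes (our assumption).
declare(strict_types=1);

// 1. Don't trust user input: validate $_GET against a whitelist (positive int) first.
function readUserId(array $query): ?int
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 2. SQL injection: bind parameters; never interpolate request data into SQL.
function findUser(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Cross-site scripting: escape on output, for the context it lands in (HTML body).
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 4. Password history: reject a candidate that matches the current hash or any kept old one.
function passwordIsReused(string $candidate, string $currentHash, array $oldHashes): bool
{
    foreach (array_merge([$currentHash], $oldHashes) as $hash) {
        if (password_verify($candidate, $hash)) {
            return true;
        }
    }
    return false;
}

// Rotate the password with a slow hash and keep at most three previous hashes.
function rotatePassword(PDO $db, int $userId, string $newPassword): bool
{
    $stmt = $db->prepare('SELECT password_hash, old_hashes FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    $old = json_decode($row['old_hashes'] ?? '[]', true) ?: [];
    if (strlen($newPassword) < 12 || passwordIsReused($newPassword, $row['password_hash'], $old)) {
        return false; // too short, or matches the current / one of the last three passwords
    }
    array_unshift($old, $row['password_hash']);
    $old = array_slice($old, 0, 3);
    $upd = $db->prepare('UPDATE users SET password_hash = :h, old_hashes = :o WHERE id = :id');
    return $upd->execute([
        ':h'  => password_hash($newPassword, PASSWORD_DEFAULT),
        ':o'  => json_encode($old),
        ':id' => $userId,
    ]);
}

// 5. Error handling: log the detail, send the client a generic message (no stack traces or SQL).
function handleProfileRequest(PDO $db, array $query): string
{
    $id = readUserId($query);
    if ($id === null) {
        http_response_code(400);
        return 'Bad request.';
    }
    try {
        $user = findUser($db, $id);
    } catch (PDOException $e) {
        error_log('profile lookup failed: ' . $e->getMessage());
        http_response_code(500);
        return 'Something went wrong.';
    }
    if ($user === null) {
        http_response_code(404);
        return 'No such user.';
    }
    return '<p>Hello, ' . escapeHtml($user['name']) . '</p>';
}

// Offline demo with a constructed in-memory database and constructed requests.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password_hash TEXT, old_hashes TEXT)');
$ins = $db->prepare('INSERT INTO users (id, name, password_hash, old_hashes) VALUES (1, :n, :h, :o)');
$ins->execute([':n' => '<b>Kendall</b>', ':h' => password_hash('initial-passw0rd', PASSWORD_DEFAULT), ':o' => '[]']);

echo handleProfileRequest($db, ['id' => '1']), "\n";         // name is escaped before it reaches the page
echo handleProfileRequest($db, ['id' => '1 OR 1=1']), "\n";  // fails integer validation; SQL is never built
var_dump(rotatePassword($db, 1, 'initial-passw0rd'));        // re-use of the current password
var_dump(rotatePassword($db, 1, 'a-new-longer-secret!'));    // accepted; old hash moves into history
var_dump(rotatePassword($db, 1, 'initial-passw0rd'));        // still rejected: hash is in the history
```

The validation step is the one that removes whole classes from Kendall's list at once (parameter injection, SQL injection, path manipulation all start with an unvalidated string); the escaping and logging steps handle the output side, and the history check shows how to keep "at least three older ones, hashed" without ever storing a plaintext password.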

Posted: Tue Oct 17, 2006 9:04 am
by kendall
feyd,

Thanks... I have seriously been considering my attitude towards it now... What books would you recommend to me?

Kendall

Posted: Tue Oct 17, 2006 9:23 am
by feyd
Hmm
  • Chris Shiflett's Essential PHP Security (ISBN 0-596-00656-X) is pretty good if all you need is somewhat terse descriptions of exploits and vulnerabilities.
  • Code Complete (2nd edition: ISBN 0-7356-1967-0)
  • Writing Secure Code (2nd edition: ISBN 0-7356-1722-8)
  • High Assurance Design (ISBN 0-321-37577-7)
  • Preventing Web Attacks with Apache (ISBN 0-321-32128-6)
Plus the usual assortment of Martin Fowler and Gang of Four books that have been cited in OOP threads would likely be beneficial too.

Posted: Tue Oct 17, 2006 9:50 am
by timvw
I would recommend that you develop with the options mentioned by feyd in mind... Afterwards you can use your own list to validate...

(But first developing something and then trying to add support for each security item on your list is almost certainly going to become a painful path.)

Posted: Tue Oct 17, 2006 10:05 am
by kendall
I would recommend that you develop with the options mentioned by feyd in mind... Afterwards you can use your own list to validate...
Thanks... trust me, I was really unaware of these things... however, I do admit that some of it was unconsciously done.
you sell fishing lines
lol...lucrative business for a developer