Website security

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

djroadstar
Forum Newbie
Posts: 7
Joined: Mon Jan 15, 2007 5:41 pm

Website security

Post by djroadstar »

I,m building a website and want to ask you to review my site and see if there are security bugs.

Other feedback is welcome! The URL is http://www.koopeenpaard.nl/index2.php

Thanks!
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

We need you to post the code. We cannot, for many legal reasons, perform security checks against a URL.
Luke
The Ninja Space Mod
Posts: 6424
Joined: Fri Aug 05, 2005 1:53 pm
Location: Paradise, CA

Post by Luke »

Are there any specific areas you're worried about? If so, post the code from those areas.
djroadstar
Forum Newbie
Posts: 7
Joined: Mon Jan 15, 2007 5:41 pm

Post by djroadstar »

I have written a function that will look at my $_GET and $_POST arrays and clean them.

Mail me at info@koopeenpaard.nl and I will mail you back. If you don,t believe me, write down some words and I will post them on my site.

The security I,m worried about is SQL injection and that somebody tries to send spam through my site. I already had someone who sent me 1400 mails.....
Nodda4me
Forum Newbie
Posts: 12
Joined: Sun Jun 18, 2006 6:57 pm

Post by Nodda4me »

djroadstar: The correct punctuation is ' not ,.
djroadstar
Forum Newbie
Posts: 7
Joined: Mon Jan 15, 2007 5:41 pm

Post by djroadstar »

Nodda4me wrote:djroadstar: The correct punctuation is ' not ,.
?
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Post the code you're worried about. One thing I noticed is you aren't using htmlspecialchars() on your output.. tsk tsk :wink:

Google up XSS injection.
djroadstar
Forum Newbie
Posts: 7
Joined: Mon Jan 15, 2007 5:41 pm

Post by djroadstar »

feyd | Please use [code] and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


The code against mysql injection etc

Code:

function CheckArrayInput($array)
{
    //----- check if $array is not empty
    if (!empty($array))
    {
        //----- loop through the array and check if the value's been set
        foreach ($array as $value)
        {
            $array = escapeInput($value);
        }
    }
}

function escapeInput($input)
{
    $input = strip_tags($input);
    $input = mysql_real_escape_string($input);
    $input = trim($input);
    return $input;
}

Code against mail headers hacking

Code:

function protectMailHeaders($string)
{
    $string = str_replace("\n", "", $string); // Remove \n
    $string = str_replace("\r", "", $string); // Remove \r
    $string = str_replace("\"", "\\\"", str_replace("\\", "\\\\", $string)); // Backslash-escape backslashes and quotes

    return $string;
}

John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

djroadstar wrote:I have written a function that will look at my $_GET and $_POST arrays and clean them.

Mail me at info@koopeenpaard.nl and I will mail you back. If you don,t believe me, write down some words and I will post them on my site.

The security I,m worried about is SQL injection and that somebody tries to send spam through my site. I already had someone who sent me 1400 mails.....
Nodda4me wrote:djroadstar: The correct punctuation is ' not ,.
djroadstar wrote:
Nodda4me wrote:djroadstar: The correct punctuation is ' not ,.
?
He was referring to the words I've highlighted in red from your original post.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

CheckArrayInput() will perform no actual end result actions.
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

feyd has also posted a smarter strip tags regex before
djroadstar
Forum Newbie
Posts: 7
Joined: Mon Jan 15, 2007 5:41 pm

Post by djroadstar »

feyd wrote:CheckArrayInput() will perform no actual end result actions.
How can I fix this ?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It must return the altered array, or the array must be passed by reference to alter it directly. However there is another issue:

Code:

$array = escapeInput($value);

Wipes out the array, leaving only the last value.
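The two fixes feyd describes, written out as an added example that is not code from the thread. It assumes escapeInput() keeps only the strip_tags()/trim() steps, because mysql_real_escape_string() needs a live database connection (and was removed in PHP 7); escaping for SQL belongs at the query itself.

```php
<?php
// Added example, not from the thread: the two fixes feyd describes.
// Assumption: escapeInput() keeps only strip_tags()/trim(), because
// mysql_real_escape_string() needs a live connection (and is gone in PHP 7+).
function escapeInput($input)
{
    return trim(strip_tags($input));
}

// Fix 1: build a new array and RETURN it. Also walks nested arrays
// (e.g. <input name="horse[color]">), which the original loop did not.
function checkArrayInput(array $array)
{
    $clean = array();
    foreach ($array as $key => $value) {
        $clean[$key] = is_array($value)
            ? checkArrayInput($value)
            : escapeInput($value);
    }
    return $clean;             // the caller must use this return value
}

// Fix 2: take the array by reference (&) so it is altered in place.
function checkArrayInputRef(array &$array)
{
    foreach ($array as &$value) {
        if (is_array($value)) {
            checkArrayInputRef($value);
        } else {
            $value = escapeInput($value);
        }
    }
    unset($value);             // drop the reference foreach leaves behind
}

// Constructed sample standing in for $_POST
$post = array(
    'name'  => '  <b>Jan</b> ',
    'horse' => array('color' => ' bruin<script>x</script>'),
);

$clean = checkArrayInput($post);      // $post itself is unchanged
assert($clean['name'] === 'Jan');
assert($clean['horse']['color'] === 'bruinx');

checkArrayInputRef($post);            // now $post is altered in place
assert($post === $clean);
```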
jmut
Forum Regular
Posts: 945
Joined: Tue Jul 05, 2005 3:54 am
Location: Sofia, Bulgaria

Post by jmut »

djroadstar wrote:...
function escapeInput($input)
{
    $input = strip_tags($input);
    $input = mysql_real_escape_string($input);
    $input = trim($input);
    return $input;
}
...
mysql_real_escape_string is more than enough to escape input for the database context. The function also makes an attempt to validate data, so the name is not very appropriate.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Post by matthijs »

- Make a list of all variables used in your script/code.
- See where these variables enter your code.
- Decide what they should be like. Number, alphanumeric, a valid email, etc etc? Write code to validate/filter the input data to your rules.
- Assign the validated/filtered data to a "clean" array, to be used in the process of the code.

- See in which places data is output. Either to HTML, to a database, or somewhere else.
- In each of those places use a specific escaping function to make sure the data can be safely output. So htmlentities for output to HTML, mysql_real_escape_string() to a mysql db, etc.

Code:

// Filter input
$clean = array();

switch($_POST['color'])
{
    case 'red':
    case 'green':
    case 'blue':
        $clean['color'] = $_POST['color'];
        break;
}

if (ctype_alnum($_POST['username']))
{
    $clean['username'] = $_POST['username'];
}

// escape output
$html = array();

$html['username'] = htmlentities($clean['username'],
                    ENT_QUOTES, 'UTF-8');

echo "<p>Welcome back, {$html['username']}.</p>";

$mysql = array();

$mysql['username'] = mysql_real_escape_string($clean['username']);

$sql = "SELECT *
        FROM   profile
        WHERE  username = '{$mysql['username']}'";

$result = mysql_query($sql);
Examples straight from http://phpsecurity.org/code
I found the book php security invaluable as a start to better understand php security. Before that I also just threw every striptags/trim/escape function I could find at any variable. But the thing is, a filter/escape function used in the wrong context doesn't do much good.
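The filter-input / escape-output pattern from the post above, extended to a per-field rule table (number, alphanumeric, email), as an added example that is not code from the thread or from phpsecurity.org. The field names and rules are constructed; it assumes the pdo_sqlite extension and swaps mysql_real_escape_string() for a PDO prepared statement, since the mysql extension was removed in PHP 7.

```php
<?php
// Added example, not from the thread or phpsecurity.org: matthijs's
// filter-input / escape-output pattern with a per-field rule table.
// Assumptions: field names and rules are constructed; SQL goes through a PDO
// prepared statement (SQLite in memory) instead of mysql_real_escape_string().
// Decide what each input must look like; keep only values that pass.
function filterInput(array $raw, array $rules)
{
    $clean = array();
    foreach ($rules as $field => $rule) {
        if (!isset($raw[$field]) || is_array($raw[$field])) {
            continue;                         // missing or wrong shape
        }
        $value = $raw[$field];
        if ($rule === 'alnum' && ctype_alnum($value)) {
            $clean[$field] = $value;
        } elseif ($rule === 'int') {
            $v = filter_var($value, FILTER_VALIDATE_INT);
            if ($v !== false) $clean[$field] = $v;
        } elseif ($rule === 'email') {
            // FILTER_VALIDATE_EMAIL rejects CR/LF, so a value that passes
            // cannot smuggle extra headers into mail().
            $v = filter_var($value, FILTER_VALIDATE_EMAIL);
            if ($v !== false) $clean[$field] = $v;
        }
    }
    return $clean;
}

// Escape at the output point, in that output's own context.
function htmlOut($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Constructed stand-in for $_POST
$post = array(
    'username' => 'jan<script>',                     // fails alnum: dropped
    'age'      => '12',
    'email'    => "a@b.nl\r\nBcc: spam@example.com", // header injection: dropped
);
$rules = array('username' => 'alnum', 'age' => 'int', 'email' => 'email');
$clean = filterInput($post, $rules);                 // only 'age' => 12 survives
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE profile (username TEXT, age INTEGER)');
$stmt = $pdo->prepare('SELECT * FROM profile WHERE age = :age'); // placeholder, no string glue
$stmt->execute(array(':age' => $clean['age']));
$name = isset($clean['username']) ? $clean['username'] : 'guest';
echo '<p>Welcome back, ' . htmlOut($name) . ".</p>\n";
```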