making a web app - is my core file secure?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

itsalmostreal
Forum Newbie
Posts: 8
Joined: Sat Jun 30, 2007 3:50 pm

Post by itsalmostreal »

Could I get an example of how I should encrypt the password in my session handling section?

And I see where you're going now: you're asking what happens if POST or GET is multidimensional. While I don't plan on that, how would you recommend I deal with it?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Code:

// Recurses into nested arrays, so it also handles a multidimensional $_GET/$_POST.
function stripslashes_deep($x)
{
    return (is_array($x)) ? array_map('stripslashes_deep', $x) : stripslashes($x);
}
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

itsalmostreal wrote:Could I get an example of how I should encrypt the password in my session handling section?

Code:

$password = sha1($_POST['password']);
Your passwords should be encrypted in the database as well.

I suggest you use SHA256 encryption.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

make_safe() is checking a constant.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

I don't see anything glaringly insecure, but that doesn't mean it is 100% secure, depending on the context and code that it is used with.

@feyd, are you sure it's checking a constant? I don't see it.
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

astions wrote:@feyd, are you sure it's checking a constant? I don't see it.
Yes. Look closely at the if statement.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Post by Benjamin »

Ha good catch. Someone needs to turn their error reporting up a few notches.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

feyd wrote:
astions wrote:@feyd, are you sure it's checking a constant? I don't see it.
Yes. Look closely at the if statement.
*Gasp* I missed that. It's all GeSHi's fault for making it look okay! :P
Ollie Saunders
DevNet Master
Posts: 3179
Joined: Tue May 24, 2005 6:01 pm
Location: UK

Post by Ollie Saunders »

Regarding slashes, you should remove all the slashes from your superglobals to start with, as one of the first things always executed. There are a couple of good functions for doing this in the notes for get_magic_quotes_gpc(). Alternatively you could use a .htaccess file (doesn't work if PHP is running as a CGI) to turn off magic quotes from the outset:

Code:

php_flag magic_quotes_gpc off

and then die in your app very early if the configuration isn't as expected:

Code:

get_magic_quotes_gpc() and die('Ahhh magic quotes! Get them off me!');

From then on you know everything is free of magic quotes and you can use mysql_real_escape_string(), which is much more secure than addslashes() for preventing MySQL injection vulnerabilities.

I would revise the name make_safe; it doesn't describe very accurately what it is doing. There are many ways of making data safe depending on the destination. Also this...

Code:

function make_safe($variable) {
        // Bare name: an (undefined) constant lookup, not a call to get_magic_quotes_gpc()
        if (get_magic_quotes_gpc) {
                $variable = stripslashes($variable);
                $variable = trim($variable);
                $variable = htmlentities($variable, ENT_QUOTES);
        } else {
                $variable = trim($variable);
                $variable = htmlentities($variable, ENT_QUOTES);
        }
        return $variable;
}
can be written as this...

Code:

function make_safe($variable) {
        if (get_magic_quotes_gpc()) {
                $variable = stripslashes($variable);
        }
        return htmlentities(trim($variable), ENT_QUOTES);
}
@superdezign, a hashed and salted password is much better than an encrypted one.
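As an added example (not code from the thread, and not itsalmostreal's core file), here is how the advice in this post fits together: undo magic quotes once at bootstrap, recursing into nested arrays so the multidimensional $_GET/$_POST case raised earlier is covered, then escape per destination instead of through a single make_safe(). It assumes PHP 5.x to 7.x, where get_magic_quotes_gpc() still exists (magic quotes themselves were dropped in PHP 5.4 and the function in 8.0); the $pdo handle and the users table in find_user() are hypothetical, and PDO prepared statements are used for the SQL sink as the modern replacement for the mysql_real_escape_string() mentioned above. The $_POST contents are constructed to look like what magic_quotes_gpc would have delivered.

```php
<?php
// Added example (not from the thread): undo magic quotes once at bootstrap,
// including nested arrays, then escape per destination rather than through
// one catch-all make_safe(). Assumes PHP 5.x-7.x, where get_magic_quotes_gpc()
// still exists (removed in 8.0), and a hypothetical PDO handle $pdo.

error_reporting(E_ALL);   // a bare constant such as get_magic_quotes_gpc now gets reported

// The "die early" guard from the post: refuse to run if the ini setting is still on.
function assert_no_magic_quotes()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        die('magic_quotes_gpc is on: turn it off in php.ini or .htaccess');
    }
}

// The alternative: strip the slashes recursively, so multidimensional
// $_GET/$_POST (the case raised earlier in the thread) are handled too.
function strip_magic_quotes_deep($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes_deep', $value)
        : stripslashes($value);
}

// Run once, before anything else reads the superglobals.
function normalise_request()
{
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return false;                       // nothing to undo
    }
    foreach (array('_GET', '_POST', '_COOKIE', '_REQUEST') as $name) {
        $GLOBALS[$name] = strip_magic_quotes_deep($GLOBALS[$name]);
    }
    return true;
}

// HTML sink: the function name says which destination it is safe for.
function escape_html($s)
{
    return htmlentities(trim($s), ENT_QUOTES, 'UTF-8');
}

// SQL sink (hypothetical users table): bind the raw value; no htmlentities()
// and no manual escaping belong here.
function find_user(PDO $pdo, $username)
{
    $stmt = $pdo->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// ---- demonstration on constructed input, as magic_quotes_gpc would have delivered it ----
$_POST = array(
    'username' => "O\\'Brien",               // the backslash came from magic quotes
    'tags'     => array('<b>', "it\\'s"),    // nested array
);
$clean = strip_magic_quotes_deep($_POST);    // what normalise_request() does in place

echo escape_html($clean['tags'][0]), "\n";   // safe to place in an HTML page
echo $clean['username'], "\n";               // raw value, to be bound via find_user($pdo, ...)
```

The point of keeping escape_html() and find_user() separate is the one made above: data is made safe for a destination, not in the abstract, so a value that has been through htmlentities() must not be the one that reaches the database, and vice versa.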
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

ole wrote:@superdezign, a hashed and salted password is much better than an encrypted one.
That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

superdezign wrote:That is sooo something I want a resource on that isn't as long as one of Mordred's threads. This isn't the place to ask, but I've gotta know! ^_^
viewtopic.php?t=39096&highlight=sha256+sha1+md5+salt may be of interest.
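The linked topic is not reproduced here. As an added example (not from this thread or the linked one), the following shows the difference Ollie's post draws between the bare sha1() suggested earlier and a salted hash, and then the current PHP way to store a password and use it in session handling. It assumes PHP 7.0 or later (password_hash()/password_verify() arrived in 5.5, random_bytes() in 7.0); the two sample passwords are constructed for the demonstration, and start_user_session() is called after session_start() in a real app.

```php
<?php
// Added example (not from the thread): unsalted sha1() vs. a salted hash vs.
// bcrypt via password_hash(). Assumes PHP 7.0+; sample passwords are constructed.

// What sha1($_POST['password']) gives: deterministic, so two users with the same
// password store the same digest, and one precomputed table cracks all of them.
function unsalted_sha1($password)
{
    return sha1($password);
}

// Per-user salt: the same password yields a different digest for each user.
// Still a fast hash, so this removes the lookup-table problem but not brute force speed.
function salted_sha256($password, $salt)
{
    return hash('sha256', $salt . $password);
}

function new_salt()
{
    return bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG
}

// Recommended: bcrypt through password_hash(). Salt generation, storage format
// and a tunable work factor are handled for you; the result is one string to store.
function hash_for_storage($password)
{
    return password_hash($password, PASSWORD_BCRYPT, array('cost' => 12));
}

// Verify at login; do not compare hashes with == yourself.
function check_login($password, $stored_hash)
{
    return password_verify($password, $stored_hash);
}

// Session handling after a successful check: keep the user id in the session,
// never the password or its hash, and rotate the session id against fixation.
function start_user_session($user_id)
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $user_id;
}

// ---- constructed demonstration ----
$alice = 'correct horse battery staple';
$bob   = 'correct horse battery staple';   // same password, different user

// 1. Unsalted: the two stored values are identical and betray the shared password.
$same_digest = unsalted_sha1($alice) === unsalted_sha1($bob);

// 2. Salted: the two stored values differ even though the passwords match.
$differ = salted_sha256($alice, new_salt()) !== salted_sha256($bob, new_salt());

// 3. bcrypt: store one string per user; the right password verifies, a near miss does not.
$stored = hash_for_storage($alice);
$ok     = check_login('correct horse battery staple', $stored);
$fail   = check_login('Correct horse battery staple', $stored);

var_dump($same_digest, $differ, $ok, $fail);
```

Storing only the bcrypt string means nothing in the database or the session can be turned back into the password, which is the difference between hashing and the "encryption" the earlier post asked for.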