secure php?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

benjaminj88
Forum Newbie
Posts: 21
Joined: Fri May 02, 2008 2:31 pm

secure php?

Post by benjaminj88 »

Alright, well, I am honestly pretty new at PHP and MySQL. I understand how it all works, just the actual coding it in itself is what troubles me. Nonetheless, I have been working about two to three months planning out a current personal project I have. Mainly planning on just paper with a pencil, figuring out what scripts I want on my pages, what will be displayed on the pages, how things will run, the look etc.

Now that I have just started the project I have noticed a large amount of text stating "DON'T TRUST USER INPUT!" I understand the concept behind it, the only issue is these websites don't exactly teach you how to prevent invasion they just simply tell how they get through. Can someone help me out and show me various ways to strengthen my security? Or at least point me in the direction of a good tutorial or lesson?

Thanks
nincha
Forum Contributor
Posts: 191
Joined: Fri Mar 28, 2003 12:30 pm
Location: CA, USA

Re: secure php?

Post by nincha »

Search SQL injection... pretty much don't trust clients' inputs - $_COOKIE, $_POST, $_GET .... nothing much to it.
lafever
Forum Commoner
Posts: 99
Joined: Sat Apr 05, 2008 2:03 pm
Location: Taylor, MI

Re: secure php?

Post by lafever »

There's lots and lots of topics on this. You really need to thoughtfully plan out what it is you're trying to do and how it can be avoided. What should each and every $_GET, $_POST, $_COOKIE, $_SERVER (Some of these can even be forged) sent by the user contain? If it should contain only letters and numbers, then make sure it's being validated to only allow that. Escape all data going into a SQL query using mysql_real_escape_string. Just research up on it man, there are tons of articles out there. It took me a while of reading before I actually grasped a good concept on writing secure code.

Also, a suggestion if I may: if your script ever should need to accept HTML for input, I highly recommend HTMLPurifier.
matthewl
Forum Newbie
Posts: 13
Joined: Sat May 03, 2008 5:28 am

Re: secure php?

Post by matthewl »

I think timmy has given you the best advice there.

If you know something will be a number, make sure that it is a number before you do anything with it.

Make sure that you're not on a system where register globals are enabled.

One practice that you will find useful is to use constants when something is one.

For example, if you set your base path for doing includes, make sure you set it as a constant; that way, if register globals ever does get turned on, there is no chance of the path getting overwritten.
benjaminj88
Forum Newbie
Posts: 21
Joined: Fri May 02, 2008 2:31 pm

Re: secure php?

Post by benjaminj88 »

Thanks timmy, I'll make sure to look into it, and matt, as you probably read, I am pretty new, so can you explain what you meant a little more?
lafever
Forum Commoner
Posts: 99
Joined: Sat Apr 05, 2008 2:03 pm
Location: Taylor, MI

Re: secure php?

Post by lafever »

This would be an example of usage of constants.

Code:

// define the base path once, as a constant
define('include_path', '/home/user/dir');

// build every include from the constant
include(include_path.'/page.php');

You pretty much make a constants include that will define stuff such as database info, include paths, www paths, etc. Stuff that will vary to say if you are to move to a new host or whatever, all you would need to change is the information in the constants.php and your scripts would function properly still.

The way I would recommend to do it is place the files in a directory not accessible to the web and then have one include in the index.php that includes a single page. The constants.php then defines the variables and includes all of the include files at the bottom of it.

Code:

// index.php
include('../includes/constants.php');

// rest of code

Code:

// constants.php

// define constants
define('include_path', '/home/user/dir/');
// etc etc

// include files
include(include_path.'db.php');
include(include_path.'functions.php');
// etc etc

The above method you can then use the constants in any of your files, just make sure the constants is called before anything. Then if you were to switch hosts or whatever (move from localhost to web), you change some variables in constants.php and you're good to go. You can define database info, emails, www paths, include paths, or whatever you want. I hope this helps some.
Verminox
Forum Contributor
Posts: 101
Joined: Sun May 07, 2006 5:19 am

Re: secure php?

Post by Verminox »

An idea you can keep is, whenever you are using user input for any purpose, think about what you expect that data to be, and make sure that the data is exactly that, and prevent any way of the data being anything other than what you expect.

You might use user input for the following common reasons:
1. To store in a variable and execute expressions based on that expression. Here, you just need to do some simple PHP validation such as type checking (if you need an integer, make sure the input is an integer, etc.) or range checking (if you are expecting values between 1 and 100, don't allow -50 or 300). If you are expecting a string which is part of a set of known strings (such as the name of a color), then test it for each value (say by using the switch construct), etc.

2. To include other files based on user input. Make sure to not include a filename having a user-submitted variable; instead check case by case, such as by using switch.

3. To store in a database. Make sure to escape malicious characters such as quotes (See SQL Injection, mysql_real_escape_string or read Mordred's Paper (something I found useful))

4. To echo it back to an HTML page (See htmlentities() and XSS)

5. To build a string that contains PHP and then eval() it. JUST NEVER DO THIS. eval() = evil. Don't even think about doing this.
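
Items 1 to 4 of the list above, together with lafever's letters-and-numbers check, as an added example that is not part of any post in this thread. The page names, the `notes` table and the in-memory SQLite database are assumptions, and the database step uses PDO bound parameters in place of mysql_real_escape_string(), which was removed in PHP 7.0.

```php
<?php
// Added example, not code from the thread. All input values are constructed.
$input = ['qty' => '300', 'user' => 'bob_1', 'page' => 'about',
          'note' => "<b>it's</b> a \"note\""];

// Item 1: type and range check. Returns an int from 1 to 100, or null.
function valid_quantity($raw) {
    $n = filter_var($raw, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    return $n === false ? null : $n;
}

// Letters and numbers only; anything else is rejected, not repaired.
function valid_username($raw) {
    return (is_string($raw) && ctype_alnum($raw)) ? $raw : null;
}

// Item 2: choose the include case by case; the input never becomes a path.
function page_file($raw) {
    switch ($raw) {
        case 'home':  return 'home.php';
        case 'about': return 'about.php';
        default:      return 'home.php'; // unknown value: fixed fallback
    }
}

// Item 3: bound parameter, so the value is never parsed as SQL.
function store_note(PDO $db, $note) {
    $stmt = $db->prepare('INSERT INTO notes (body) VALUES (?)');
    $stmt->execute([$note]);
}

// Item 4: encode on output so markup in the value is shown, not interpreted.
function html($raw) {
    return htmlentities($raw, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:'); // in-memory database, assumed for the demo
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (body TEXT)');
store_note($db, $input['note']);

var_dump(valid_quantity($input['qty']));  // 300 is out of range
var_dump(valid_username($input['user'])); // underscore is not alphanumeric
echo page_file($input['page']), "\n";
echo html($db->query('SELECT body FROM notes')->fetchColumn()), "\n";
```

The note is stored exactly as submitted and only encoded when it is written into HTML, so validation, storage and output each apply their own rule.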
puke7
Forum Newbie
Posts: 12
Joined: Sat May 10, 2008 11:49 am

Re: secure php?

Post by puke7 »

I have been using addslashes() all this time for variables entering MySQL. So now I am curious about the difference between that and mysql_real_escape_string().

addslashes escapes the following --
single quote ('), double quote ("), backslash (\) and NUL

mysql_real_escape_string() escapes the following --
\x00, \n, \r, \, ', " and \x1a

...and I have never had a problem. \x00 & NUL are the same, right? Why do I need to escape newline and carriage return? And according to the ASCII table \x1a = SUB (substitute) but I didn't find any info regarding that character and MySQL -- so what is it?

Very curious!
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: secure php?

Post by Mordred »
