Registration - Slimming wasted time w/o compromising security?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Registration - Slimming wasted time w/o compromising security?

Post by JAB Creations »

I've done a couple basic PHP/MySQL registration scripts before though just for practice and now I've essentially started working on a more refined cleaned up version that I hope will be used in at least two live projects some time in the future.

I have two major goals with the registration: reducing or eliminating wasted time typically associated with pretty much all existing registration experiences (which won't be difficult as it comes down to being a savvy designer) and ensuring that when I do so I don't compromise security.

I am testing locally and using live PHP 5.2 and MySQL 5 and will never be using older versions of either. Also these questions pertain to security but not spam. I've got the latter covered but it's security in general that I'm interested in right now.

1.) When should I regex $_POST data? I presume always, though it's clear things like SQL injection have been at least partially dealt with. What percentage of the threats I should be concerned about relate to $_POST versus other threats (as far as programming goes)? I have a decent understanding of permissions (CHMOD), for example. My site is coded to not display errors when the $_SERVER['HTTP_HOST'] is anything other than localhost.

2.) When a user registers I'm interested in having them automatically signed in with a session even before their account is activated. Of course things that require activation won't be accessible until their account is activated but is there any possible threat at that point in allowing someone to be signed in immediately during registration? I presume the main concern would be again some sort of injection attack that spawns errors in conjunction with how the programmed PHP handles sessions in example...?

3.) I have a power user feature where account activation is immediately available after the registration $_POST with a text input field. If you're a power user you'll receive a notification of a new email message in your inbox including the subject (such as Yahoo Messenger/Yahoo Mail). The three digit activation code is in the subject essentially allowing the newly registered user to enter in the three digits and activate their account immediately without having to go through the process of finding the activation email, waiting for the web mail pages to load, etc. I'm not worried about the issue of whether they received the email in this instance and the range is large enough that random guesses won't be effective considering I will reset the activation key once every x failed attempts. Does anyone think there could be some vulnerabilities in this setup however?

4.) I was testing the registration last night, closed Firefox, reopened it this morning, and the session obviously expired. I've come across sites that allow you to remain logged in via a cookie regardless of sessions, is this advisable upon registration? What should I be concerned about in this regard? If I need to regex the hell out of everything I'd obviously need to check the cookie as well I can only presume, considering I would imagine many people do not filter cookies making it a ripe target for hacking attempts?

5.) What are common mistakes made by people when they're learning PHP in conjunction with MySQL? What (if any) questions might I have missed? Any good coding practices I should consider adopting?
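Question 4 above (staying logged in via a cookie) is the one most often got wrong, so here is an added example of the pattern a defender wants: the cookie carries a random selector plus a random validator, the database stores only a hash of the validator, and the cookie is treated as untrusted input whose shape is checked before any lookup. This is example code written for this thread, not code from the original poster; it assumes PHP 7.3 or newer (random_bytes, hash_equals, the options-array form of setcookie), a PDO connection passed in by the caller, and a hypothetical table remember_tokens(selector, validator_hash, user_id, expires).

```php
<?php
// Added example, not from the thread. Persistent "remember me" login without putting the
// session id or the password in the cookie. Assumes PHP 7.3+ and a hypothetical table
// remember_tokens(selector, validator_hash, user_id, expires).

const REMEMBER_COOKIE = 'remember';
const REMEMBER_TTL    = 30 * 24 * 3600; // 30 days, in seconds

/** Issue a fresh token for $userId, store only the hash of its secret half, set the cookie. */
function issueRememberToken(PDO $db, int $userId): void
{
    $selector  = bin2hex(random_bytes(8));   // public lookup key (16 hex chars)
    $validator = bin2hex(random_bytes(32));  // secret; only its SHA-256 is stored (64 hex chars)
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires)
         VALUES (:sel, :hash, :uid, :exp)'
    );
    $stmt->execute([
        ':sel'  => $selector,
        ':hash' => hash('sha256', $validator),
        ':uid'  => $userId,
        ':exp'  => $expires,
    ]);

    // HttpOnly keeps the cookie away from script; Secure restricts it to HTTPS.
    setcookie(REMEMBER_COOKIE, $selector . ':' . $validator, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

/**
 * Resolve the remember-me cookie to a user id, or null if it is absent, malformed,
 * expired or does not match. The cookie is user-controlled data, so its exact shape
 * is validated before it touches the database.
 */
function userFromRememberCookie(PDO $db): ?int
{
    $raw = $_COOKIE[REMEMBER_COOKIE] ?? '';
    if (!preg_match('/^([0-9a-f]{16}):([0-9a-f]{64})$/', $raw, $m)) {
        return null;                     // wrong shape: reject without a lookup
    }
    [, $selector, $validator] = $m;

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash, expires FROM remember_tokens WHERE selector = :sel'
    );
    $stmt->execute([':sel' => $selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // Constant-time compare so a wrong validator is not distinguishable by timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Correct selector but wrong secret looks like a stolen or tampered cookie: revoke it.
        $db->prepare('DELETE FROM remember_tokens WHERE selector = :sel')
           ->execute([':sel' => $selector]);
        return null;
    }
    return (int)$row['user_id'];
}

/** Per-request hook: only consult the cookie when the session has no user yet. */
function attachRememberedUser(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!empty($_SESSION['user_id'])) {
        return;
    }
    $uid = userFromRememberCookie($db);
    if ($uid !== null) {
        session_regenerate_id(true);     // new session id whenever privilege level changes
        $_SESSION['user_id'] = $uid;
    }
}
```

The split into selector and validator is what keeps the database lookup from leaking anything: the selector is looked up with an ordinary indexed query, and only the secret half is compared in constant time. Calling session_regenerate_id(true) at the moment a visitor becomes a logged-in user also covers the concern in question 2, since any session id that existed before authentication is discarded.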
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Registration - Slimming wasted time w/o compromising security?

Post by VirtuosiMedia »

JAB Creations wrote: 3.) I have a power user feature where account activation is immediately available after the registration $_POST with a text input field. If you're a power user you'll receive a notification of a new email message in your inbox including the subject (such as Yahoo Messenger/Yahoo Mail). The three digit activation code is in the subject essentially allowing the newly registered user to enter in the three digits and activate their account immediately without having to go through the process of finding the activation email, waiting for the web mail pages to load, etc. I'm not worried about the issue of whether they received the email in this instance and the range is large enough that random guesses won't be effective considering I will reset the activation key once every x failed attempts. Does anyone think there could be some vulnerabilities in this setup however?
I don't know if I really understand what you're doing with your activation code here. I may be wrong, but to me, the point of an activation email was always to see if the email address entered for the account is a valid one. How will you find out if the email is valid or fake or does it matter?
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Registration - Slimming wasted time w/o compromising security?

Post by JAB Creations »

The only way the visitor will get the activation code is if the email ends up in their inbox. The power user feature is pretty simple: once you register the second page you'll see will have a single text field and a submit button. If you have a setup such as Yahoo Messenger/Yahoo Mail you will receive your activation email which will have the activation code in the subject. Provided you're signed in Yahoo Messenger when you receive an email in the double Yahoo setup you'll see the activation code in the subject line when Yahoo Messenger makes you aware of the new message (hence why I reply to messages as quickly as I do).

So you have to enter a valid email address to receive the activation code. However you don't necessarily have to go to your email and manually click on a link. Hence: power user. A power user isn't a power user if they have to do mundane tasks that can be easily automated. ...and yes the verification of the email address is important. I wanted to ensure there weren't any loopholes however which is why I mentioned it.
VirtuosiMedia
Forum Contributor
Posts: 133
Joined: Thu Jun 12, 2008 6:16 pm

Re: Registration - Slimming wasted time w/o compromising security?

Post by VirtuosiMedia »

I'm still learning myself, so if I err, I hope someone more experienced than I will point it out.

Regarding your power user idea, I can honestly say that I have never seen or heard of a site that does something like that. Placing a registration code in the subject line might seem like a good idea at first, but I think you'll run into problems. How will a user know what it is when they've never encountered something like it before? There are also the user interface and branding sides of your subject line...how will they react to it? Typically, most IM clients I've used only have a little dialog box that pops up with the email subject header for a few seconds. I think your number of users who will be running an IM client and can copy the activation code quickly enough and know what to do with it won't be worth breaking convention on this one.

I think you might be a little overeager on the regex aspect as well. Everything I've read here and elsewhere has said to use regex sparingly and as a last resort because it's slower than other functions that can often do the same thing. You can help secure against SQL injection without using regex by using mysql_real_escape_string(). SQL injection doesn't really have anything to do with whether or not an account is activated, but more to do with how you filter and validate your user-inputted data. You would do well to do a little research on SQL injection because it will show you how to secure your site. Although there are many others, one site I recommend for injection and other security issues is: http://phpsec.org/projects/guide/. I hope this helps somewhat.
JAB Creations
DevNet Resident
Posts: 2341
Joined: Thu Jan 13, 2005 6:44 pm
Location: Sarasota Florida

Re: Registration - Slimming wasted time w/o compromising security?

Post by JAB Creations »

I've had a lot of help from folks here of late in regards to avoiding regex whenever possible and I'm well aware that it creates greater amounts of server load than other methods of approach. That is why I'm curious about other methods for handling users' data. By the way the activation code is only three digits long and tonight I just finished programming an account lock once the user makes x number of failed attempts. I'm actually pretty much enjoying this adventure with PHP and MySQL right now because I'm not stuck on anything that I can't seem to get around...at least not at the moment. :mrgreen:
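With a three-digit code there are only 1000 possibilities, so the lock after x failed attempts is what carries the whole design: without it the code is guessable in seconds. Here is an added example of how that check can be structured so the counter and the code live together and the code is discarded, not merely counted, once the limit is hit. This is example code written for this thread, not the original poster's implementation; it assumes PHP 7+ (random_int, hash_equals), a PDO connection supplied by the caller, and hypothetical tables activations(user_id, code, attempts) and users(id, active). The limit of 5 attempts is a constructed value, not the thread's x.

```php
<?php
// Added example, not from the thread. Short activation code with a per-account failed-attempt
// limit. Assumes PHP 7+ and hypothetical tables activations(user_id, code, attempts) and
// users(id, active). MAX_ATTEMPTS is a constructed value.

const MAX_ATTEMPTS = 5;

/** Create a new 3-digit code for $userId, reset the counter, return the code for emailing. */
function newActivationCode(PDO $db, int $userId): string
{
    // random_int() is a CSPRNG; rand()/mt_rand() are predictable and must not be used here.
    $code = sprintf('%03d', random_int(0, 999));
    // REPLACE is MySQL-specific: it overwrites any previous code and attempt count.
    $stmt = $db->prepare('REPLACE INTO activations (user_id, code, attempts) VALUES (:uid, :code, 0)');
    $stmt->execute([':uid' => $userId, ':code' => $code]);
    return $code;
}

/**
 * Check a submitted code. Returns one of:
 *   'activated' - matched; account marked active and the code removed
 *   'wrong'     - no match; counter incremented
 *   'reset'     - no match and limit reached; code discarded, caller must issue a new one
 */
function verifyActivationCode(PDO $db, int $userId, string $submitted): string
{
    // Validate the shape first: exactly three digits, nothing else reaches the comparison.
    if (!preg_match('/^\d{3}$/', $submitted)) {
        return 'wrong';
    }

    $stmt = $db->prepare('SELECT code, attempts FROM activations WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'wrong';                           // no outstanding code for this account
    }

    // Constant-time comparison; the counter is consulted before the match is honoured,
    // so a stale row that somehow exceeded the limit still cannot activate.
    if ((int)$row['attempts'] < MAX_ATTEMPTS && hash_equals($row['code'], $submitted)) {
        $db->prepare('UPDATE users SET active = 1 WHERE id = :uid')->execute([':uid' => $userId]);
        $db->prepare('DELETE FROM activations WHERE user_id = :uid')->execute([':uid' => $userId]);
        return 'activated';
    }

    $attempts = (int)$row['attempts'] + 1;
    if ($attempts >= MAX_ATTEMPTS) {
        // Discard the code entirely: further guesses against it are now impossible.
        $db->prepare('DELETE FROM activations WHERE user_id = :uid')->execute([':uid' => $userId]);
        return 'reset';
    }
    $db->prepare('UPDATE activations SET attempts = :n WHERE user_id = :uid')
       ->execute([':n' => $attempts, ':uid' => $userId]);
    return 'wrong';
}

/** Handler for the power-user activation form. $mail is a caller-supplied function that sends email. */
function handleActivationPost(PDO $db, int $userId, array $post, callable $mail): string
{
    $status = verifyActivationCode($db, $userId, (string)($post['code'] ?? ''));
    if ($status === 'reset') {
        $mail($userId, newActivationCode($db, $userId));
    }
    return $status;
}
```

Two things worth noticing from a defender's point of view: the counter is per account rather than per session or per IP, so clearing cookies or changing address does not give a fresh budget of guesses, and each reset mails a new code rather than re-enabling the old one, so the expected number of guesses an attacker gets per emailed code stays at MAX_ATTEMPTS no matter how many cycles they force.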
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: Registration - Slimming wasted time w/o compromising security?

Post by matthijs »

I think the main issue you have to understand well is the single rule of: never trust any (user) data.

Then, when programming, it's about two things:
- filter/validate input. that's any data coming into a certain piece of code.
- escape output. that's any data being outputted to anything else.

So for example any $_POST value has to be filtered/validated, to make sure it's the kind of data you want. You can use existing functions or regex. I would not worry about any performance issue. I mean, even if a few regexes would be slow (which they are not), it wouldn't matter for an operation like registration for a web application. Then, every time that piece of data is sent to something else you need to escape it. For a mysql db that would mean using a function like mysql_real_escape_string or even better using something like PDO with prepared statements and bound parameters. For output to HTML use an escape function like htmlentities.
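An added example of the two rules above applied to a registration form, so the division of labour is visible in code: every $_POST value is validated on the way in, the database write uses bound parameters so the values can never become SQL, and escaping for HTML happens only at the point of output. This is example code written for this thread, not matthijs's or the original poster's; it assumes PHP 7+, a PDO connection supplied by the caller, and a hypothetical users(username, email, password_hash) table. The sample request at the bottom is constructed.

```php
<?php
// Added example, not from the thread. "Filter input, escape output" on a registration form.
// Assumes PHP 7+ and a hypothetical table users(username, email, password_hash).

/**
 * Validate the raw $_POST array. Returns ['clean' => [...], 'errors' => [...]].
 * Nothing from $post is used anywhere until it has passed its check.
 */
function validateRegistration(array $post): array
{
    $errors = [];
    $clean  = [];

    // Username: a fixed character set and length, so it can only be what we expect.
    $username = (string)($post['username'] ?? '');
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $username)) {
        $errors[] = 'Username must be 3-20 letters, digits or underscores.';
    } else {
        $clean['username'] = $username;
    }

    // Email: the built-in validator rather than a home-grown regex.
    $email = filter_var((string)($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        $errors[] = 'Email address is not valid.';
    } else {
        $clean['email'] = $email;
    }

    // Password: only a length check. Restricting characters gains nothing because the
    // value is hashed, never stored or echoed.
    $password = (string)($post['password'] ?? '');
    if (strlen($password) < 10) {
        $errors[] = 'Password must be at least 10 characters.';
    } else {
        $clean['password'] = $password;
    }

    return ['clean' => $clean, 'errors' => $errors];
}

/** Insert the validated user. Bound parameters are the escaping step for SQL. */
function insertUser(PDO $db, array $clean): int
{
    $stmt = $db->prepare(
        'INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :p)'
    );
    $stmt->execute([
        ':u' => $clean['username'],
        ':e' => $clean['email'],
        ':p' => password_hash($clean['password'], PASSWORD_DEFAULT),
    ]);
    return (int)$db->lastInsertId();
}

/** Escaping step for HTML: applied at output, never at input. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Render the result of a registration attempt as an HTML fragment. */
function renderRegistration(array $result): string
{
    if ($result['errors'] !== []) {
        $out = '<ul>';
        foreach ($result['errors'] as $e) {
            $out .= '<li>' . h($e) . '</li>';
        }
        return $out . '</ul>';
    }
    return '<p>Welcome, ' . h($result['clean']['username']) . '</p>';
}

// Constructed request, so the flow reads top to bottom without a live form.
$result = validateRegistration([
    'username' => 'alice_01',
    'email'    => 'alice@example.com',
    'password' => 'correct horse battery',
]);
echo renderRegistration($result);
// With a real connection the insert would follow a clean result, e.g.
//   $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $dbUser, $dbPass, [
//       PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
//       PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//   ]);
//   if ($result['errors'] === []) { insertUser($db, $result['clean']); }
```

Setting PDO::ATTR_EMULATE_PREPARES to false is the detail that makes "prepared statements" mean what people assume it means: with emulation on, PDO interpolates the values client-side and the protection depends on the connection charset being set correctly, which is why the DSN above also pins charset=utf8mb4.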