PHP Security

  • Kurthead+1
  • Graduate
  • Posts: 131

Post 3+ Months Ago

This is going to be a pretty broad question, expecting broad answers. I basically just want some obvious do's and don'ts with PHP security.
On the more specific side, dealing with:
sessions; get/post; sql; file uploads; chats.

Just basic stuff anyone has picked up along the way. I know people on this site hate the lack of specificity; I'm just looking for a collective crash course on security basics, to help me discover any tips I might've missed. Or just large things to avoid when coding for security. Thanks guys.
  • Bigwebmaster
  • Site Admin
  • Posts: 9091
  • Loc: Seattle, WA & Phoenix, AZ

Post 3+ Months Ago

My biggest suggestion is to never trust users submitting input. If any of your scripts depend on a user entering any sort of information that you will process with a script, assume that any information entered is tainted. If any of this information is to be stored in a database, make sure that the input is also escaped.

As far as a collection of all the basics, I would suggest finding a book dedicated to the subject.
  • Kurthead+1
  • Graduate
  • Posts: 131

Post 3+ Months Ago

Ha, yeah, a book would be helpful, but also any links people can think of. As far as this post goes, pretty much what I'm looking for are random tips like the one you just provided, which is helpful. Tips like yours aim me in the right direction for more targeted research.
  • leonpot
  • Newbie
  • Posts: 8

Post 3+ Months Ago

Kurthead+1 wrote:
This is going to be a pretty broad question, expecting broad answers. I basically just want some obvious do's and don'ts with PHP security.
On the more specific side, dealing with:
sessions; get/post; sql; file uploads; chats.

Just basic stuff anyone has picked up along the way. I know people on this site hate the lack of specificity; I'm just looking for a collective crash course on security basics, to help me discover any tips I might've missed. Or just large things to avoid when coding for security. Thanks guys.


One of the good methods is error handling and checking the user input. Like Bigwebmaster said, never trust your user input. You should always check every update/input/upload script you have and restrict them by extension.
  • rahulroy
  • Born
  • Posts: 3

Post 3+ Months Ago

You don't trust user inputs.
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

sessions
Make sure no data retrieved from sessions is sensitive. If it is sensitive, then encrypt it server side and decrypt it server side.

get
Pretty safe until you start accepting URL parameters; always sanitize data before executing anything against it. Handle errors that might occur when processing unexpected values. Display non-technical error messages.

post
Pretty much the same as get.

sql
Sanitize any user-provided values; ORMs are usually pretty good at dealing with this.

file uploads
Do checks on extension and never execute an uploaded file directly.
Limit the types of files that can be uploaded to non-executable. People often forget that their server might just be a staging area for malicious code to get downloaded from, i.e. part of a set of URLs that get checked for the executable to execute on a remote machine. Avoid allowing scripts as well.

chats
Never speak to strangers is all I got on this one.
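Added example, not code from any poster in this thread: a PHP upload handler that applies the extension check, the non-executable allow-list and the "never execute an uploaded file" rule from the post above. It assumes a form field named upload and a storage directory /var/uploads outside the document root; both are placeholders.

```php
<?php
// Added example (not from the thread). Assumed: form field "upload",
// storage dir /var/uploads outside the document root and writable by PHP.
declare(strict_types=1);

const UPLOAD_DIR = '/var/uploads';      // assumed, outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;     // 2 MiB cap, chosen for the example

// Allow-list: extension => MIME type the file's bytes must actually have.
// No script or executable types here (the "non-executable" rule from the post).
const ALLOWED = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

function storeUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large');
    }
    // Only handle files that really arrived through PHP's upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // The client-supplied name is untrusted: take only its extension, and only as an allow-list key.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Extension not allowed');
    }
    // Check the bytes themselves, not the Content-Type the browser claimed.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Content does not match extension');
    }
    // Random server-chosen name: nothing user-controlled reaches the filesystem path,
    // and the directory is not served, so the file is never executed directly.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    return $dest;
}

// In the upload handler: $path = storeUpload($_FILES['upload']);
```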
  • Bogey
  • Genius
  • Posts: 8413
  • Loc: USA

Post 3+ Months Ago

SQL

Be aware of 1st-order injection, 2nd-order injection and lateral injection. 1st-order injection is simple enough... when the user submits a form that is meant to be entered into the database (such as a registration form) and enters a dangerous entry into the form that does terrible things to your database once it is processed by the server. Mostly due to the lack of validation/sanitation on the programmer's part.

Second-order injection is when the user submits a dangerous query into the form to be processed... it is cleaned and sanitized and entered into the database. Nothing happens here because it is cleaned and sanitized... but once it is retrieved from the database (such as the username of someone who just registered) it does mess things up... either it retrieves the wrong username and logs the user in as someone else (such as an admin) or something else.

Lateral injections are... well... I don't understand this kind of injection at all... I researched it but can't understand it :lol:

http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev
  • Rabid Dog
  • Web Master
  • Posts: 3245
  • Loc: South Africa

Post 3+ Months Ago

Lateral injections appear to be PL/SQL related.

http://www.docs.oravn.com/tutorial/sqli ... ateral.htm
http://www.greensql.com/blog/2011/09/la ... -database/
  • nessuno
  • Newbie
  • Posts: 8

Post 3+ Months Ago

Never trust users' inputs and ALWAYS use an ORM or at least PHP-PDO.
The times of `mysql_real_escape_string` (or similar) are gone :D
  • Bogey
  • Genius
  • Posts: 8413
  • Loc: USA

Post 3+ Months Ago

nessuno wrote:
Never trust users' inputs and ALWAYS use an ORM or at least PHP-PDO.
The times of `mysql_real_escape_string` (or similar) are gone :D

Be careful with PHP-PDO where the prepares are emulated (or have they updated that?). You would need to run the following code when initiating a connection to the server.
PHP code:
// Turn off client-side prepare emulation so the MySQL server itself prepares the statement and binds the parameters
$dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

Though real prepare/binding is secure, and many web programmers (I read online) recommend its usage.

MySQLi, on the other hand (similar to PDO), doesn't emulate by default, so if you are to use MySQLi for prepare/binding, then you wouldn't need to worry about this.
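Added example, not code from any poster in this thread: a PDO connection with emulated prepares turned off as the post above recommends, beside the second-order injection Bogey described earlier (a username stored safely at registration, then concatenated into a later query). The database name, table layout and credentials are assumed.

```php
<?php
// Added example (not from the thread): the second-order injection Bogey
// describes, next to the PDO setup from the post above that prevents it.
// Assumed: MySQL database "app" with table users(id, username, role) and
// the DSN/credentials below.
declare(strict_types=1);

$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // the setting from the post: real server-side prepares
]);

// Registration (first use of the value): a bound parameter stores the username
// literally, quotes and all. Safe here, and exactly why it is still untrusted later.
function register(PDO $pdo, string $username): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, role) VALUES (?, ?)');
    $stmt->execute([$username, 'user']);
}

// VULNERABLE (second use): the value read back from the database is treated as
// trusted and concatenated into SQL. A stored username containing a quote ends
// the string literal early and the rest is parsed as SQL, which is how the
// "logs the user in as someone else" case from the post happens.
function loadProfileVulnerable(PDO $pdo, string $storedUsername)
{
    $sql = "SELECT id, username, role FROM users WHERE username = '" . $storedUsername . "'";
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// FIXED: every use of the value, not only the first, goes through a bound
// parameter, so stored text can never change the structure of the query.
function loadProfile(PDO $pdo, string $storedUsername)
{
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE username = ?');
    $stmt->execute([$storedUsername]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Usage after login, with $_SESSION['username'] set from the users table:
// $profile = loadProfile($pdo, $_SESSION['username']);
```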

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.