
PHP Security 101

Member
 
Join Date: Jul 2007
Posts: 73
#1: May 30 '08
I've had quite a bit of experience with PHP (I'm certainly no expert on the matter though) and lately I've been trying to find as much information on making my method of coding and manipulating database information as secure as possible.

I'm planning on creating a site now that will use PHP and MySQL, and the information people will be storing in the database may contain personal details and such. My last site just felt a little sloppy with all the coding and I'm unsure if there are any vulnerabilities in the scripts.

I know basics (very basic) with security in PHP, I use MD5 for encrypting passwords and have to protect against SQL Injection but that's about as far as my security knowledge goes. I just want to take a little time researching this before I make this site, because obviously it'll be much easier than redoing everything later.

Basically I'm having trouble finding a good tutorial, there's plenty of tutorials on different security features I've found but I'm looking for a sort of step by step guide for the basics of security for PHP and MySQL. So if anyone could point me in the direction of some good tutorials it'd be much appreciated.

Cheers.
Newbie
 
Join Date: Nov 2006
Posts: 17
#2: May 30 '08

re: PHP Security 101


Wouldn't mind finding something like that myself!
But don't use MD5, it's been cracked by now... use
hash('sha512', $data);
or at least
hash('sha256', $data);

(You can find the different hashing engines you can replace sha512/256 with by looking at the output from phpinfo();)
dlite922's Avatar
Expert
 
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,095
#3: May 31 '08

re: PHP Security 101


Quote:

Originally Posted by gm04030276

Wouldn't mind finding something like that myself!
But don't use MD5, it's been cracked by now... use
hash('sha512', $data);
or at least
hash('sha256', $data);

(You can find the different hashing engines you can replace sha512/256 with by looking at the output from phpinfo();)

Wow, thanks for letting us know about MD5. Here's some PHP code to DECRYPT MD5 that I found at trap17.com by user Trap Feedbacker:

This PHP script works.
Don't know where I got it from, but passwords with more than 5-6 chars will take a horribly long time :D

[PHP]
$hash = "1a1dc91c907325c69271ddf0c944bc72";
$char[1] = "a";
$char[2] = "b";
$char[3] = "c";
$char[4] = "d";
$char[5] = "e";
$char[6] = "f";
$char[7] = "g";
$char[8] = "h";
$char[9] = "i";
$char[10] = "j";
$char[11] = "k";
$char[12] = "l";
$char[13] = "m";
$char[14] = "n";
$char[15] = "o";
$char[16] = "p";
$char[17] = "q";
$char[18] = "r";
$char[19] = "s";
$char[20] = "t";
$char[21] = "u";
$char[22] = "v";
$char[23] = "w";
$char[24] = "x";
$char[25] = "y";
$char[26] = "z";
$char[27] = "0";
$char[28] = "1";
$char[29] = "2";
$char[30] = "3";
$char[31] = "4";
$char[32] = "5";
$char[33] = "6";
$char[34] = "7";
$char[35] = "8";
$char[36] = "9";
$char[37] = "A";
$char[38] = "B";
$char[39] = "C";
$char[40] = "D";
$char[41] = "E";
$char[42] = "F";
$char[43] = "G";
$char[44] = "H";
$char[45] = "I";
$char[46] = "J";
$char[47] = "K";
$char[48] = "L";
$char[49] = "M";
$char[50] = "N";
$char[51] = "O";
$char[52] = "P";
$char[53] = "Q";
$char[54] = "R";
$char[55] = "S";
$char[56] = "T";
$char[57] = "U";
$char[58] = "V";
$char[59] = "W";
$char[60] = "X";
$char[61] = "Y";
$char[62] = "Z";
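// Index 0 is an empty string so that candidates shorter than four characters are tried too.
$char[0] = "";
$top = count($char) - 1; // highest index in $char
$ae = "";                // empty prefix for the outermost loop
for ($d = 0; $d <= $top; $d++)
{
    $ad = $ae.$char[$d];
    for ($c = 0; $c <= $top; $c++)
    {
        $ac = $ad.$char[$c];
        for ($b = 0; $b <= $top; $b++)
        {
            $ab = $ac.$char[$b];
            for ($a = 0; $a <= $top; $a++)
            {
                $aa = $ab.$char[$a];
                // Compare the MD5 of each candidate with the target hash.
                if (md5($aa) === $hash)
                {
                    die('Hash is: '.$aa);
                }
            }
        }
    }
}

echo "Could Not Hack";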
[/PHP]

Again, I didn't write it. But could somebody test it with a 2 to 3 character password?

Of course this can be modified by adding words like "god" and "love", etc.

I'll test it right now, see if it works, will let you know....

BRB
dlite922's Avatar
Expert
 
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,095
#4: May 31 '08

re: PHP Security 101


...Yep it works.

Sorry to hijack your thread (it is kind of relevant)

My Output:

php -q -f test.php hell

Starting to crack the following MD5 hash:
Unencrypted: hell
Encrypted: 4229d691b07b13341da53f17ab9f2416

Running...

Seconds it took to crack: 149

I found that doing 5 letters will probably take hours, 6 closer to a day, 7 to a week (I'm guessing).

But still, this could in fact reasonably crack an MD5 simple short password.

Fortunately none of my passwords are long or contain just alphanumeric characters.
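
An added example, not code from any poster in this thread: the timing above comes from MD5 being fast and unsalted, so a site that already stores MD5 hashes can move to PHP's salted, deliberately slow password_hash() by upgrading each row at the next successful login. It assumes PHP 7 or later; the `$users` array and the function name `verify_and_upgrade` are hypothetical stand-ins for a real user table and login routine.

```php
<?php
// Added example: verify a login and upgrade a legacy MD5 hash in place.
// $users stands in for the database table; all values are constructed.

function verify_and_upgrade(array &$user, string $password): bool
{
    $stored = $user['hash'];

    // Legacy rows hold 32 hex characters of unsalted MD5.
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        if (!hash_equals($stored, md5($password))) {
            return false;
        }
        // Correct password: replace the MD5 value while the plaintext is in hand.
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash when the default algorithm or cost has changed since the row was written.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $user['hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

$users = [
    'legacy' => ['hash' => md5('hell')],                            // old unsalted MD5 row
    'modern' => ['hash' => password_hash('hell', PASSWORD_DEFAULT)], // salted, slow hash
];

var_dump(verify_and_upgrade($users['legacy'], 'wrong')); // failed login leaves the row alone
var_dump(verify_and_upgrade($users['legacy'], 'hell'));  // successful login upgrades the row
var_dump(verify_and_upgrade($users['modern'], 'hell'));

// Same password, different stored values: each hash carries its own random salt.
var_dump($users['legacy']['hash'] !== $users['modern']['hash']);
```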
dlite922's Avatar
Expert
 
Join Date: Dec 2007
Location: Moon, Dark Side
Posts: 1,095
#5: May 31 '08

re: PHP Security 101


Quote:

Originally Posted by Jeigh

I've had quite a bit of experience with PHP (I'm certainly no expert on the matter though) and lately I've been trying to find as much information on making my method of coding and manipulating database information as secure as possible.

I'm planning on creating a site now that will use PHP and MySQL, and the information people will be storing in the database may contain personal details and such. My last site just felt a little sloppy with all the coding and I'm unsure if there are any vulnerabilities in the scripts.

I know basics (very basic) with security in PHP, I use MD5 for encrypting passwords and have to protect against SQL Injection but that's about as far as my security knowledge goes. I just want to take a little time researching this before I make this site, because obviously it'll be much easier than redoing everything later.

Basically I'm having trouble finding a good tutorial, there's plenty of tutorials on different security features I've found but I'm looking for a sort of step by step guide for the basics of security for PHP and MySQL. So if anyone could point me in the direction of some good tutorials it'd be much appreciated.

Cheers.


As for your original post, I can't think of a tutorial that inspects *your* code for insecurities.

Holes are found in software because of its design.

Best practices and experience in coding, I'm afraid, will only help you here.

Just think logically, when you write a piece of code say to yourself "is there anything I can give it that would break it" not even hack it.

Other practices are, never turn on error_reporting (display of errors) on production (live) sites. Hackers use this information to find holes.

Check ALL input from clients (incoming POST, GET, COOKIES, etc) as "dirty", never use them until you've done proper checking on them. MySQL injection prevents only one instance of this example.

A little checking goes a long way, don't be lazy.

For large applications, consider using frameworks or an MVC architecture that keeps the presentation, business logic and application logic separate.
See CakePHP and ZendFramework.

Good luck,

Dan
Member
 
Join Date: Jul 2007
Posts: 73
#6: May 31 '08

re: PHP Security 101


Thanks for the advice delite, and the discussion of MD5 being cracked is fine, since it's pretty much what the thread's about anyway.

I'm not looking for something that will check my current coding for vulnerabilities but some sort of a list of the most common practices to follow to ensure security with PHP and manipulation of data, or the most common mistakes people make that leave their code being vulnerable.

Thanks again.
pbmods's Avatar
Site Moderator
 
Join Date: Apr 2007
Location: Texas
Posts: 5,435
#7: Jun 2 '08

re: PHP Security 101


Heya, Jeigh.

Subscribe to the latest in internet vulnerability from ha.ckers.org.

Sanitizing input means making no assumptions about your input. I wrote a few articles on this topic on my blog.

Escaping output means safing significant characters depending on the format. For SQL queries, this means escaping quotes and comment characters. For HTML, this means encoding HTML entities. And so on.

Also, always obfuscate ID numbers where they are accessible to non-admin members. Best Buy got in trouble for this one.

As long as you sanitize your input, escape your output and obfuscate your IDs, you should be safe from 99% of all hackery.
Member
 
Join Date: Jul 2007
Posts: 73
#8: Jun 2 '08

re: PHP Security 101


Quote:

Originally Posted by pbmods

Heya, Jeigh.

Subscribe to the latest in internet vulnerability from ha.ckers.org.

Sanitizing input means making no assumptions about your input. I wrote a few articles on this topic on my blog.

Escaping output means safing significant characters depending on the format. For SQL queries, this means escaping quotes and comment characters. For HTML, this means encoding HTML entities. And so on.

Also, always obfuscate ID numbers where they are accessible to non-admin members. Best Buy got in trouble for this one.

As long as you sanitize your input, escape your output and obfuscate your IDs, you should be safe from 99% of all hackery.

Thanks for that pbmods, exactly the sort of thing I'm looking for. Very helpful.
Needs Regular Fix
 
Join Date: Mar 2008
Posts: 311
#9: Jun 3 '08

re: PHP Security 101


If I may ask briefly, what is the exact purpose of escaping the output from a security point of view?

I can understand the need to escape the output to make sure it is correctly understood by the browser, but is there otherwise a security issue here?

Thanks!
pbmods's Avatar
Site Moderator
 
Join Date: Apr 2007
Location: Texas
Posts: 5,435
#10: Jun 4 '08

re: PHP Security 101


Heya, Coolsti.

In the context of HTML, it serves two purposes:
  1. It prevents your view from getting corrupted if the User inputs quotes and/or HTML.
  2. It protects you against XSS.
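
As an added example (not code from pbmods or anyone else in this thread), here is the handling discussed above in one place: request input is validated as dirty data, bound into SQL through placeholders, and encoded for HTML on output. It assumes PHP 7.1+ with the pdo_sqlite extension; the table, the function names and the `$request` values are constructed for illustration.

```php
<?php
// Added example with constructed data; assumes PHP 7.1+ and the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// Constructed stand-in for $_GET / $_POST: every value is untrusted.
$request = [
    'id'     => '1 OR 1=1',
    'author' => "O'Brien",
    'body'   => '<script>alert(1)</script> said "hi"',
];

// Input: accept only the shape you expect. An ID is a positive integer or nothing.
function clean_id($raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// SQL context: bound parameters travel separately from the query text.
function add_comment(PDO $db, string $author, string $body): int
{
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// HTML context: encode &, <, > and both quote styles so data stays data.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_comment(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT author, body FROM comments WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such comment.</p>';
    }
    return '<div title="' . e($row['author']) . '">' . e($row['body']) . '</div>';
}

var_dump(clean_id($request['id']));
$id = add_comment($db, $request['author'], $request['body']);
echo render_comment($db, $id), "\n";
```

The stored row keeps the author's raw text; encoding happens only at output, once per context, so the same value can later be written safely into HTML, JSON or a CSV export with the encoder that format needs.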