Bytes | Software Development & Data Engineering Community

PHP Security

I am developing an online application and the last thing I need to get
a handle on is security.
This app is very heavy with forms. Business critical data will be
entered via forms and inserted into a database (mysql).

I've googled "php security" and from what I've read, I should:

1) Filter all form data by stripping all non-alpha/numeric characters out,

2) Have the database on a different server,

3) Use "POST" not "GET",

4) Turn global variables off.

5) Use sessions for logins

Should this do it? Or do I need more precautions?
Even with all this can I still get hacked?

Thanks

bob

Nov 3 '05 #1
rj***********@gmail.com wrote:
> I am developing an online application and the last thing I need to get
> a handle on is security.

Not that I'm an expert, but you have this backwards. Security should be
the FIRST, not last, thing you think about.

Your application's security is already doomed to be on the defensive: it's
**much** harder to plug holes than it is to build walls. The only way to
correct this is to re-write the whole thing from scratch.

This is a truism: it's true of any language, not just PHP.

> This app is very heavy with forms. Business critical data will be
> entered via forms and inserted into a database (mysql).
>
> I've googled "php security" and from what I've read, I should:
>
> 1) Filter all form data by stripping all non-alpha/numeric characters out,
>
> 2) Have the database on a different server,
>
> 3) Use "POST" not "GET",
>
> 4) Turn global variables off.
>
> 5) Use sessions for logins
>
> Should this do it? Or do I need more precautions?

Oh, god yes.

You need to validate any user input that's destined to the DB for starters.
That alone, when done well, should make your timecard shake in its shoes.

How solid is your application against changes in the database? Do you check
the return of every query? There's *hundreds* of precautions you can take.

Any web scripting language is convenient (although some are more convenient
than others). But they give you a LOT of rope to hang yourself with.
> Even with all this can I still get hacked?

Bob, no offense, but it sounds like you really need to learn a lot more about
PHP *and* security in general if you want to write applications that claim to
be secure. No question is a bad question, but some questions signal that the
asker needs to go back to the books.

Yes. Absolutely, you can get hacked. Even if you do everything correct, and
it sounds like you already have an insecure application on your hands, you
can get hacked.

Hackers can be *very* smart folk.
Nov 3 '05 #2
Security is the last thing I need to get a handle on BEFORE I start.

I have not started yet, and I won't until I am confident the app is
reasonably secure and that I have tried and true methods to recover
after I am hacked.

I won't do this if I can't; I will be handling critical business data.

I understand it's a never ending battle, and that no app will ever be
100% secure, and that I will have to monitor it constantly.

But having said that, I have to take reasonable measures; waiting for
perfection is not, well, reasonable. Question is what is reasonable?
From the research I've done, mostly via google, the steps I have
outlined appear to be the least that should be done.

To that I will add validation of user input and checking the results on
queries.
(I always check the results on queries, I just didn't mention it).

Without getting into specifics there is not much validation of
user input I can do besides stripping out special characters; I won't
be saving zip codes or phone numbers or email addresses or data that is
highly characterisable.

The books I have seen on the subject appear lacking. Any suggestions
on books?

Nov 3 '05 #3
rj***********@gmail.com wrote:
> Security is the last thing I need to get a handle on BEFORE I start.
>
> I have not started yet, and I won't until I am confident the app is
> reasonably secure and that I have tried and true methods to recover
> after I am hacked.

Ahh, then I apologize. I was under the impression that you had already
written a mission critical app and then wanted to tack on security. Sorry
for the misunderstanding!

I'm sure you can see why I was horrified. ;*)
> Without getting into specifics there is not much validation of
> user input I can do besides stripping out special characters; I won't
> be saving zip codes or phone numbers or email addresses or data that is
> highly characterisable.
>
> The books I have seen on the subject appear lacking. Any suggestions
> on books?

Everything I know about PHP security and defensive programming I brought with
me from other languages, lurking in this newsgroup, spending a lot of time
reading other peoples' code. I find poring through well written code,
especially when the programmer is gracious enough to reply to email, is the
best teacher. I'm self taught, unfortunately.

However, there seem to be a few books specifically on PHP security:

http://www.nerdbooks.com/search.php?...%20security%5D

It's hard to go wrong with ORA, but they've been slipping in quality lately.
I think all that Microsoft technology is rotting their brain. Nevertheless,
the book is published 2005 which is encouraging.

I've thumbed through the "best practices" chapter in the Wiley book. Seems
like a lot of obvious suggestions (like making a big deal about things like
"naming variables correctly".) The little bit I read was well written, but
the book was published 2003.

Good luck with your app. I find that input validation requires a lot of
thought. Some people are fast at it. Being excellent at composing regexes
will certainly help!

Pete
Nov 3 '05 #4
rj***********@gmail.com wrote:
> I am developing an online application and the last thing I need to get
> a handle on is security.
> This app is very heavy with forms. Business critical data will be
> entered via forms and inserted into a database (mysql).
>
> I've googled "php security" and from what I've read, I should:
>
> 1) Filter all form data by stripping all non-alpha/numeric characters out,
>
> 2) Have the database on a different server,
>
> 3) Use "POST" not "GET",
>
> 4) Turn global variables off.
>
> 5) Use sessions for logins
>
> Should this do it? Or do I need more precautions?
> Even with all this can I still get hacked?

You should be filtering all input from external sources: user input,
from databases, etc.

You should escape all output before sending it: echo or print
statements, sql queries, etc.

You should be practicing defense in depth, which means you have redundant
safeguards in place just in case something gets through.

I'd suggest reading "Essential PHP Security" by Chris Shiflett (O'Reilly
ISBN 0-596-00656-X) as well as reading articles on his blog
(shiflett.org) and probably read through the articles on the PHP
Security consortium website (phpsec.org).

If your application is already written, you have a large job ahead of
you. My suggestion is to do some reading as outlined above and start the
application from scratch. It's really the best way - and in many cases
the least time-consuming way as well.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Nov 3 '05 #5
Following on from 's message. . .
rj***********@gmail.com wrote:
> I am developing an online application and the last thing I need to get
> a handle on is security.

> Not that I'm an expert, but you have this backwards. Security should be
> the FIRST, not last, thing you think about.

OK so "If I was you I wouldn't start from here!" is the correct answer
but not all that helpful.

Get the following security issues clear
- Threat
- Protection
- Detection
- Damage limitation
for all the system components
- Physical environment
- OS
- Apache(etc)
- PHP
- SQL - general
- mySql - particular
- other tools

Nobody (except perhaps GLB) knows all the answers. Each component has
spawned many books, articles, much mis-information and confusion.

As far as PHP and mySql are concerned you are looking at the right sort
of thing but need to review how a click on a submit gets to a database
update in the light of common attack modes for SQL and all the possible
ways you can think of subverting your program logic (obviously
userid=44 is an open invitation to try userid=45). When you've done it
get somebody else to review it. Your list of items is step 1 out of 5.

You can keep your data on the same machine as the scripts. You need to
understand your OS and Apache security configuration. For many
situations this is simple enough.

Beware when sharing a host.

As I understand it, the really really difficult bit is keeping the
access password to the database secure. There are some articles on the
web about that issue and when you understand those you should have
covered a lot of muddy ground.

--
PETER FOX Not the same since the borehole business dried up
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Nov 3 '05 #6
In article <11**********************@g44g2000cwa.googlegroups.com>,
rj***********@gmail.com says...

> I am developing an online application and the last thing I need to get
> a handle on is security.
> This app is very heavy with forms. Business critical data will be
> entered via forms and inserted into a database (mysql).
>
> I've googled "php security" and from what I've read, I should:
>
> 1) Filter all form data by stripping all non-alpha/numeric characters out,
>
> 2) Have the database on a different server,
>
> 3) Use "POST" not "GET",
>
> 4) Turn global variables off.
>
> 5) Use sessions for logins
>
> Should this do it? Or do I need more precautions?
> Even with all this can I still get hacked?
>
> Thanks
>
> bob

Some folks use a web form to have it email them results a visitor submitted.
Always check all the fields being submitted for tricks like "\nBcc: the world" in
case someone tries to hijack your web page as a vehicle for spam. My two cents.

Marty
--
Basic Newsguy - 3 GB / month - $39.95 / year
http://newsguy.com/overview.htm

Nov 3 '05 #7
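A defensive check for the header trick Marty describes, added here as an example rather than code from the thread. It assumes a contact form with `email`, `subject` and `message` fields and a recipient fixed on the server; the function names and sample submissions are constructed for the illustration.

```php
<?php
// Added example (not from the thread): reject form values that could smuggle
// extra headers such as "\nBcc: the world" into a mail() call.
declare(strict_types=1);

// True when $value may sit on one header line: no CR/LF (which would start a
// new header), no NUL, and no other control bytes.
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\x00-\x1F\x7F]/', $value) !== 1;
}

// The visitor's address must be a single syntactically valid address with no
// control characters. Returns the address, or null when it should be rejected.
function validateReplyTo(string $raw): ?string
{
    $raw = trim($raw);
    if (!isSafeHeaderValue($raw)) {
        return null;
    }
    $addr = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $addr === false ? null : $addr;
}

// Build [to, subject, body, headers] for mail() from a submitted form, or throw.
// The recipient is fixed server-side; nothing the visitor sends chooses it.
function buildContactMail(array $post, string $fixedRecipient): array
{
    $replyTo = validateReplyTo((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $body    = (string) ($post['message'] ?? '');

    if ($replyTo === null) {
        throw new InvalidArgumentException('invalid sender address');
    }
    if ($subject === '' || mb_strlen($subject) > 120 || !isSafeHeaderValue($subject)) {
        throw new InvalidArgumentException('invalid subject');
    }
    // The body may legitimately contain newlines; normalise them to CRLF and
    // drop NUL bytes so nothing unexpected reaches the mail transport.
    $body = preg_replace('/\r\n|\r|\n/', "\r\n", str_replace("\0", '', $body));

    $headers = ['Reply-To: ' . $replyTo, 'Content-Type: text/plain; charset=UTF-8'];
    return [$fixedRecipient, $subject, $body, implode("\r\n", $headers)];
}

// Constructed sample submissions: an honest one and one with a smuggled Bcc.
$samples = [
    ['email' => 'visitor@example.com', 'subject' => 'Question', 'message' => "Hi\nthere"],
    ['email' => "visitor@example.com\nBcc: the-world@example.net", 'subject' => 'x', 'message' => ''],
];
foreach ($samples as $post) {
    try {
        [$to, $subject, $body, $headers] = buildContactMail($post, 'sales@example.com');
        // mail($to, $subject, $body, $headers);  // send only once validation passed
        echo "accepted for $to\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The same check applies to any value that ends up in a header (From, Subject, Reply-To); body text is the only field where newlines are legitimate.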
rj***********@gmail.com wrote:
: I am developing an online application and the last thing I need to get
: a handle on is security.
: This app is very heavy with forms. Business critical data will be
: entered via forms and inserted into a database (mysql).

: I've googled "php security" and from what I've read, I should:

: 1) Filter all form data by stripping all non-alpha/numeric characters
: out,

Not exactly. You should "validate" every input. That means confirm it
has the data you expect it to have.

You should also make sure the data is correctly "escaped" before being
used. The correct way to do that depends on the situation. Before you
use any input in an SQL query, that database's string escape routine
should be used. Before using the data in an html page, a mysql html
escape function should be used. I mentioned SQL - if possible use bind
variables so the data is not used directly in the query at all (then you
don't have to escape it - the database software does it all for you).

: 2) Have the database on a different server,

It also means that the database is accessible via the network, which may
itself be a security risk if you're that concerned about security.

But probably a good idea.

: 3) Use "POST" not "GET",

Things like passwords should be POSTed, so yes.

: 4) Turn global variables off.

Yes.

: 5) Use sessions for logins

Sure.
And what about 6) HTTPS?
: Should this do it? Or do I need more precautions?
: Even with all this can I still get hacked?

Doing the above is a good idea, but only careful coding and review of all
the things involved in the application can prevent being hacked.
--

This programmer available for rent.
Nov 3 '05 #8
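What this reply and Justin Koivisto's (validate input, escape output for its context, use bind variables, check query results) look like in one PHP form handler, added here as an example and not code from the thread. It assumes an `orders` table with `id`, `owner_id` and `note` columns, a `user_id` stored in the session at login, and a database password read from an `APP_DB_PASSWORD` environment variable rather than the script; the host and credential names are made up.

```php
<?php
// Added example (not from the thread): a form handler that validates every
// field, binds parameters instead of hand-escaping SQL, escapes for HTML only
// at output time, and scopes the write to the logged-in user. Table, column,
// host and credential names are assumptions.
declare(strict_types=1);

session_start();
if (empty($_SESSION['user_id'])) {            // sessions for logins
    http_response_code(403);
    exit('Login required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {  // POST, not GET, for state changes
    http_response_code(405);
    exit('POST only');
}

// 1) Validate: confirm each field holds what you expect rather than stripping
//    characters and hoping the remainder is harmless.
$errors  = [];
$orderId = filter_input(INPUT_POST, 'order_id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($orderId === false || $orderId === null) {
    $errors[] = 'order_id must be a positive integer';
}
$note = trim((string) filter_input(INPUT_POST, 'note', FILTER_UNSAFE_RAW));
if ($note === '' || !mb_check_encoding($note, 'UTF-8') || mb_strlen($note, 'UTF-8') > 500) {
    $errors[] = 'note must be 1-500 characters of valid UTF-8';
}
if ($errors) {
    http_response_code(400);
    foreach ($errors as $e) {
        // 2) Escape for the output context (HTML here), never before storing.
        echo '<p>', htmlspecialchars($e, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), '</p>';
    }
    exit;
}

// 3) Bind variables: the values never become part of the SQL text, so no
//    hand escaping is needed. Emulated prepares are off so the server binds.
//    The password lives in the environment, not in the script.
$pdo = new PDO(
    'mysql:host=db.internal;dbname=app;charset=utf8mb4',
    'app_user',
    (string) getenv('APP_DB_PASSWORD'),
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::MYSQL_ATTR_FOUND_ROWS => true,  // rowCount() = rows matched, not changed
    ]
);

// 4) Authorisation in the query itself: the WHERE clause carries the session's
//    user id, so editing order_id=44 into 45 in the form finds nothing unless
//    order 45 is also theirs.
$stmt = $pdo->prepare('UPDATE orders SET note = :note WHERE id = :id AND owner_id = :owner');
$stmt->execute([':note' => $note, ':id' => $orderId, ':owner' => (int) $_SESSION['user_id']]);

// 5) Check the result of every query: zero rows means unknown or not owned.
if ($stmt->rowCount() === 0) {
    http_response_code(404);
    exit('No such order');
}
echo '<p>Saved note: ', htmlspecialchars($note, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), '</p>';
```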
In article <Tf********************@onvoy.com>,
Justin Koivisto <ju****@koivi.com> wrote:
> rj***********@gmail.com wrote:
> > I am developing an online application and the last thing I need to get
> > a handle on is security.
> > This app is very heavy with forms. Business critical data will be
> > entered via forms and inserted into a database (mysql).
> >
> > I've googled "php security" and from what I've read, I should:
> >
> > 1) Filter all form data by stripping all non-alpha/numeric characters out,
> >
> > 2) Have the database on a different server,
> >
> > 3) Use "POST" not "GET",
> >
> > 4) Turn global variables off.
> >
> > 5) Use sessions for logins
> >
> > Should this do it? Or do I need more precautions?
> > Even with all this can I still get hacked?
>
> You should be filtering all input from external sources: user input,
> from databases, etc.
>
> You should escape all output before sending it: echo or print
> statements, sql queries, etc.
>
> You should be practicing defense in depth, which means you have redundant
> safeguards in place just in case something gets through.
>
> I'd suggest reading "Essential PHP Security" by Chris Shiflett (O'Reilly
> ISBN 0-596-00656-X) as well as reading articles on his blog
> (shiflett.org) and probably read through the articles on the PHP
> Security consortium website (phpsec.org).
>
> If your application is already written, you have a large job ahead of
> you. My suggestion is to do some reading as outlined above and start the
> application from scratch. It's really the best way - and in many cases
> the least time-consuming way as well.

Great. He wrote a book. I was going to recommend Chris's web site:

http://shiflett.org/articles

There are articles on each of the items the OP mentioned and full
discussions. If this is a sample of his writing and breadth of
knowledge, I think I'll toddle down to B&N and get his book...

--
DeeDee, don't press that button! DeeDee! NO! Dee...

Nov 3 '05 #9
Michael Vilain wrote:
> In article <Tf********************@onvoy.com>,
> Justin Koivisto <ju****@koivi.com> wrote:
> > I'd suggest reading "Essential PHP Security" by Chris Shiflett (O'Reilly
> > ISBN 0-596-00656-X) as well as reading articles on his blog
> > (shiflett.org) and probably read through the articles on the PHP
> > Security consortium website (phpsec.org).
>
> Great. He wrote a book. I was going to recommend Chris's web site:
>
> http://shiflett.org/articles
>
> There are articles on each of the items the OP mentioned and full
> discussions. If this is a sample of his writing and breadth of
> knowledge, I think I'll toddle down to B&N and get his book...

I'm half way through it now, and so far I like how it's written. To the
point and no clutter or fluff.

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Nov 3 '05 #10
