Bytes | Software Development & Data Engineering Community

Good security methods?

Hey everyone.

I'm just finishing up writing a basic content management system,
standard stuff really, just pulling info out of a database and allowing
privileged users to login and post it. I wanted to know: what security
tips can you guys give me for improving it? I've read somewhere that
when using stuff like $_GET['id'] to display a specific row, it's
useful to add code to protect it from sql injections and such? I'm
obviously md5 encrypting passwords and using cookies/sessions to store
user logins. In terms of input validation I'm a little sparse - are
there any that I really need to implement? Bear in mind that only
trusted and approved staff can access submission forms in the first
place.

Finally, are there any drawbacks to using mod_rewrite to change urls
from foo.php?=bar into /foo/bar/ ? Obviously these look better and are
apparently more friendly to search engines, but can it have negative
effects on server load etc?

Thanks very much everyone, this group has really helped me with this
project so far.

Matt

Aug 11 '05 #1
gu************@gmail.com wrote:
: Hey everyone.

: I'm just finishing up writing a basic content management system,
: standard stuff really, just pulling info out of a database and allowing
: privileged users to login and post it. I wanted to know: what security
: tips can you guys give me for improving it? I've read somewhere that
: when using stuff like $_GET['id'] to display a specific row, it's
: useful to add code to protect it from sql injections and such?

Yes, and it's so easy to do there is no excuse not to do it. It does not
just avoid "sql injection", it also protects you against unexpected input,
or just plain honest typos.

At the top of most of my php scripts you will see lines such as

$id = mysql_escape_string($_REQUEST['id']);   # ext/mysql function (removed in PHP 7)

I know I am only using that variable (id) in mysql queries. If I was
using it for other things then I might escape it differently, or at a
different location in my code such as just before I used it, but right at
the top is easiest, and it helps document the parameters being accepted.

If I used the variable in two ways, and don't change it later then I might
create two pre-escaped copies at the top of my code.

$Qid = mysql_escape_string($_REQUEST['id']);  # this eg tested
$Hid = htmlspecialchars($_REQUEST['id']);     # this eg not tested
or if you don't like having the multiple copies pre-escaped ready for
use then do that just before you use them

$Qid = mysql_escape_string($id_parameter);
$sql = "select * from T where id = '$Qid'";

On the topic, I often find it useful to provide two copies of sql, one to
use and one to display

# bogus queries, just for e.g.

$sql = "select * from T where password = '$Qpassword'";
$SQL = "select * from T where password = '**********'";

# note:
# use $sql in query
# use $SQL in messages
--

This space not for rent.
Aug 11 '05 #2
JDS
On Thu, 11 Aug 2005 13:22:03 -0700, guitarromantic wrote:
Finally, are there any drawbacks to using mod_rewrite to change urls
from foo.php?=bar into /foo/bar/ ? Obviously these look better and are
apparently more friendly to search engines, but can it have negative
effects on server load etc?


I use mod_rewrite extensively on my "main"[1] website. I mean
*extensively*! I find (when everything is working properly on the server,
but that's another story[2]) that mod_rewrite does not appear to adversely
affect performance. For all the shit I have going on[3] to create a single
page, it is a wonder that, even at peak load times, the server can still
spit out a page in under a quarter second.

later...

[1] http://engineering.jhu.edu

[2] I had a series of serious serious SERIOUS performance issue events
from March through July of this year. I could not figure out what the
fsck was going on. Finally I updated all the software on the server
(Linux/OS stuff plus Apache and MySQL) and presto! no more server issues.
Wow! Why didn't I update sooner??? (Because I am overworked and underpaid?)

[3] mod_rewrite rewrites the URL -- *every* URL -> send to PHP
paginatorizer, go to MySQL database to get meta information, get page
contents from a file, PHP sews it all together, spits out an HTML page.
Pretty normal stuff, really, when you are talking about a dynamic
server-side web system, (say, ASP+IIS+MSQL or JSP+Apache+Oracle or
whatever), but still, it is a wonder that all this stuff works so well and
so fast.

--
JDS | je*****@go.away.com
| http://www.newtnotes.com
DJMBS | http://newtnotes.com/doctor-jeff-master-brainsurgeon/

Aug 12 '05 #3
I like to write some functions to get request data rather than
accessing $_GET and $_POST directly. That way, if you decide to change
how you escape things, you can change it in one place without having to
go through your code. You might have something like this:

function getRequestVar($name) {
    if (!isset($_REQUEST[$name]))
        return null;
    return htmlspecialchars($_REQUEST[$name]);
}

Additionally, I also have functions to prepare data before putting it
into a query. For example, you might have prepNumber, prepText, etc.
that escape any necessary characters, enclose text in quotes, etc. as
well as validate that, for instance, a number is indeed a number.
Again, if you decide to switch to a different database system, you can
just modify these functions to escape things differently without having
to look through all your code.

Aug 12 '05 #4
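Added example, not code from either of the two posts above (#2 on escaping $_GET['id'] before it reaches a query, and #4 on routing all request access through one set of functions). It combines both ideas the way a reviewer would ask for today: typed accessors that validate the shape of each parameter in one place, a prepared statement so the value never becomes part of the SQL text, and HTML escaping applied only where the value is written into a page. The table, rows and hostile inputs are constructed for the demo, and the in-memory SQLite database via PDO is an assumption so that the script runs offline; swap the DSN for your MySQL one in a real CMS.

```php
<?php
// Added example (not from the thread): validate request parameters in one
// place, bind them into a prepared statement, escape at the point of output.
// Uses an in-memory SQLite database via PDO so it runs offline; the table,
// rows and hostile inputs below are constructed for the demonstration.
declare(strict_types=1);

// Typed accessors: check the *shape* of the input, do not escape it here.
function requestInt(array $request, string $name): ?int
{
    $raw = $request[$name] ?? null;
    // Rejects missing values, arrays, "", "0", "-1", "12abc", "2 OR 1=1".
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,9}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function requestText(array $request, string $name, int $maxLen = 200): ?string
{
    $raw = $request[$name] ?? null;
    if (!is_string($raw) || strlen($raw) > $maxLen) {
        return null;
    }
    // Refuse control characters but otherwise store the text untouched:
    // escaping belongs to the output context (HTML, URL, ...), not to storage.
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $raw)) {
        return null;
    }
    return $raw;
}

function fetchArticle(PDO $db, int $id): ?array
{
    // Bound parameter: the value travels separately from the SQL text, so no
    // quoting or escaping step exists that an attacker could get wrong for us.
    $stmt = $db->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// HTML escaping lives with the HTML, not with the request accessor.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderArticle(array $row): string
{
    return '<h1>' . h($row['title']) . "</h1>\n<div>" . h($row['body']) . "</div>\n";
}

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $ins = $db->prepare('INSERT INTO articles (id, title, body) VALUES (?, ?, ?)');
    $ins->execute([1, 'Hello', 'First post']);
    $ins->execute([2, "O'Reilly <script>alert(1)</script>", 'Second post']); // constructed hostile title
    return $db;
}

// Walk-through with constructed requests (stand-ins for $_GET / $_REQUEST).
$db = buildDb();
foreach (['7', '2', '2 OR 1=1', "2'; DROP TABLE articles;--", ['x']] as $input) {
    $id = requestInt(['id' => $input], 'id');
    if ($id === null) {
        echo 'rejected before any query: ' . json_encode($input) . "\n";
        continue;
    }
    $row = fetchArticle($db, $id);
    echo $row === null ? "no article $id\n" : renderArticle($row);
}
var_dump(requestText(['t' => 'plain title'], 't'), requestText(['t' => "bad\x00title"], 't'));
```

The point of the split is that an accessor which escapes for HTML (as getRequestVar above does) stores the escaped form in the database and still leaves the SQL side unprotected; validating shape on input and escaping per output context keeps each concern in the one place where it can be reviewed.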
gu************@gmail.com wrote:
Bear in mind that only
trusted and approved staff can access submission forms in the first
place.

That doesn't matter, a malevolent visitor could emulate your forms.
You should check whether the user is actually logged in before making
any changes to the database, as well as before displaying sensitive
information. After all, it's only an extra if statement here and there.

Aug 12 '05 #5
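Added example, not code from the post above. It shows the "extra if statement" as a single guard every state-changing handler calls before touching the database. It also goes one step beyond the post: because anyone can emulate the form, a logged-in editor can be made to submit it from another site, so the guard additionally checks a per-session CSRF token. The session and request are passed in as arrays (stand-ins for $_SESSION and $_POST) so the script runs offline; the role name, field names and the scenarios at the bottom are constructed for the demonstration.

```php
<?php
// Added example (not from the thread): authorize on the server-side session,
// never on the fact that the form was reached. The CSRF token check goes
// beyond the post; role and field names are assumptions of this example.
declare(strict_types=1);

const ROLE_EDITOR = 'editor';

// Minted when the form is rendered and embedded as a hidden field.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32));   // per-session secret from the CSPRNG
    }
    return $session['csrf'];
}

// Returns null when the request may proceed, otherwise the reason it was refused.
function refuseUnlessAuthorized(array $session, array $post): ?string
{
    // 1. Is anyone logged in? Only the login handler ever sets user_id.
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    // 2. Does this account hold the role the action needs?
    if (($session['role'] ?? '') !== ROLE_EDITOR) {
        return 'insufficient role';
    }
    // 3. Did the request come from a form rendered for this session?
    $sent = $post['csrf'] ?? null;
    if (!is_string($sent) || empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return 'bad or missing CSRF token';
    }
    return null;
}

function handlePost(array $session, array $post, array &$articles): string
{
    if (($why = refuseUnlessAuthorized($session, $post)) !== null) {
        return "403: $why";                               // nothing below runs
    }
    $title = $post['title'] ?? null;
    if (!is_string($title) || trim($title) === '' || strlen($title) > 200) {
        return '400: bad title';
    }
    $articles[] = ['title' => trim($title), 'author' => $session['user_id']];
    return '201: created';
}

// Constructed scenarios.
$articles = [];
$anon     = [];                                           // visitor who copied the form's field names
$editor   = ['user_id' => 42, 'role' => ROLE_EDITOR];     // staff member who logged in
$token    = issueCsrfToken($editor);

echo handlePost($anon,   ['title' => 'pwned'], $articles), "\n";
echo handlePost($editor, ['title' => 'pwned'], $articles), "\n";
echo handlePost($editor, ['title' => 'News', 'csrf' => $token], $articles), "\n";
echo count($articles), " article(s) stored\n";
```

Of the three submissions only the last one, carrying the token that was issued to the editor's own session, reaches the insert; the anonymous replay fails at step 1 and the token-less request from the logged-in editor fails at step 3. hash_equals() is used rather than === so the comparison time does not leak how much of the token matched.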
Good security methods depend on understanding
(a) What you're protecting
(b) The threat
/then/ you can judge which tools to use.

(A really excellent general book on this subject is
Security Engineering by Ross Anderson. Pub. Wiley)
Here are two bad things:
1 : customer number 45 looks at customer number 46's data
2 : customer 45 bookmarks or has sent to them a URL in an email or
passes a URL to somebody else which can be used out of the intended
context. (Eg an email: "this is your order reference number to view
progress click go to http:....?orderref=12345")

These are slightly different things.

If the only 'way in' to our web site is via URL line (ie not using
cookies) then this means any hacker will have to fiddle with the URL
request. So bad thing 1 can now be re-cast as "How can we make it
difficult for a hacker to misuse the command line to make false
requests" and bad thing 2 can be re-cast as "how can we detect and
manage the context of URL requests".

Are random numbers (difficult to guess) for customer IDs enough?
No. A page might list say employees with a link for details:
<a href="publicdetails.php?empno=1423527365">Fred Smith</a>
<a href="publicdetails.php?empno=5276928065">Sally Jones</a>
So we MUST at the /very least/ disguise the numbers so they can't be
re-used in privatedetails.php. (You will understand that in a situation
where people can look at their own record they may be able to change the
URL to one of the other numbers quite legitimately used for public
purposes.)

A /simple/ way is to have a _reversible_ obfuscation function which
obfuscates differently according to (say) the page on which it is used.
This can be used to prevent casual hacking but is more security by
obscurity than proper lock-outs. (But you can detect experimental
efforts to fiddle as when the de-obfuscation fails to produce a valid
result you can be alerted to some fiddling. This might be acceptable in
a closed user community context.)

A more robust and more complex[1] method is to generate a big random
number every time you want a URL response and use that as a key to the
real response kept in a database or session.

The HTML looks the same
<a href="publicdetails.php?resp=1423527365">Fred Smith</a>
but now you have done (simplifying) something like
$responsearray['1423527365']='empno=66&action=payrise';

What you can do with this depends firstly on the persistence of
$responsearray and secondly on the persistence of each record. For
example here are some things you can do if you're passing URLs in emails
* expire after a given time
* class the user as 'logged in' or take them to their own login with
user name and other details already present just waiting for password
* if one response from a multiple choice email (eg click on this link to
confirm or this one to cancel) then not only remove the one chosen but
also its sibling.

Of course in the above I've only covered one aspect of user input issues
and even then only at a top level but I hope it gives you something to
think about.

[1] It was tricky to write a class to do the job in detail but of
course those details are hidden in normal use. I could share it if
people are interested but (because I've never actually used it in anger,
and because it is tailored to my ways of working) it would be 100%
unsupported and not much use to those that want instant gratification.

--
PETER FOX Not the same since the deckchair business folded
pe******@eminent.demon.co.uk.not.this.bit.no.html
2 Tees Close, Witham, Essex.
Gravity beer in Essex <http://www.eminent.demon.co.uk>
Aug 12 '05 #6
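Added example, not the class the post's author mentions and not code from the thread. It implements the "big random number as a key to the real response" scheme described above together with the three behaviours listed for emailed URLs: expiry, identifying the user from a valid link, and revoking the sibling of a confirm/cancel pair. An in-memory array stands in for the database or session so the script runs offline; the empno/payrise parameters and the order reference are the post's own illustration, and the group name, TTLs and timestamps are constructed for the walk-through.

```php
<?php
// Added example (not from the thread): indirect references keyed by an
// unguessable random token, with expiry, single use and sibling revocation.
// Storage is an in-memory array; a real site keeps this in the session or DB.
declare(strict_types=1);

final class ResponseStore
{
    /** @var array<string, array{params: array, user: int, expires: int, group: ?string}> */
    private array $rows = [];

    // Mint an unguessable key and record what it stands for. The key carries
    // no information itself, so nothing can be learned or altered by editing it.
    public function issue(array $params, int $userId, int $ttlSeconds, ?string $group = null, ?int $now = null): string
    {
        $key = bin2hex(random_bytes(16));                 // 128 bits from the CSPRNG, not mt_rand()
        $this->rows[$key] = [
            'params'  => $params,
            'user'    => $userId,
            'expires' => ($now ?? time()) + $ttlSeconds,
            'group'   => $group,
        ];
        return $key;
    }

    // Resolve a key exactly once: returns the hidden parameters and the user
    // the link was issued to, or null for unknown, malformed or expired keys.
    public function consume(string $key, ?int $now = null): ?array
    {
        $now ??= time();
        if (!preg_match('/\A[0-9a-f]{32}\z/', $key) || !isset($this->rows[$key])) {
            return null;                                  // a forged key: worth logging as fiddling
        }
        $row = $this->rows[$key];
        unset($this->rows[$key]);                         // single use, even if it turns out expired
        if ($row['expires'] <= $now) {
            return null;
        }
        if ($row['group'] !== null) {                     // confirm/cancel pair: the other link dies too
            foreach ($this->rows as $k => $r) {
                if ($r['group'] === $row['group']) {
                    unset($this->rows[$k]);
                }
            }
        }
        return ['params' => $row['params'], 'user' => $row['user']];
    }

    public function count(): int
    {
        return count($this->rows);
    }
}

// Constructed walk-through; $t0 is a fixed clock so the expiry case is reproducible.
$store = new ResponseStore();
$t0    = 1_000_000;
$group = 'order-12345';

// Each of these becomes the ?resp=KEY part of a link in an email or a page.
$confirm = $store->issue(['empno' => 66, 'action' => 'payrise', 'choice' => 'confirm'], 45, 3600, $group, $t0);
$cancel  = $store->issue(['empno' => 66, 'action' => 'payrise', 'choice' => 'cancel'],  45, 3600, $group, $t0);
$stale   = $store->issue(['empno' => 66, 'action' => 'view'], 45, 60, null, $t0);

var_dump($store->consume('1423527365', $t0 + 1));      // guessed key from the post's HTML
var_dump($store->consume($stale, $t0 + 61));           // one second past its TTL
var_dump($store->consume($confirm, $t0 + 1));          // genuine click: params plus user 45
var_dump($store->consume($cancel, $t0 + 2));           // sibling, already revoked
var_dump($store->count());
```

Because a successful consume() returns the user the link was minted for, the page can treat that user as logged in for this one action, or pre-fill their login form, as the post suggests. The trade-off against the reversible obfuscation also described there is state: every link needs a row somewhere, and that row is what lets you expire and revoke it.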
On 2005-08-11, gu************@gmail.com <gu************@gmail.com> wrote:
In terms of input validation I'm a little sparse - are
there any that I really need to implement? Bear in mind that only
trusted and approved staff can access submission forms in the first
place.


Might want to read http://phpsec.org/projects/guide/
--
Met vriendelijke groeten,
Tim Van Wassenhove <http://timvw.madoka.be>
Aug 16 '05 #7
