Bytes | Developer Community
Looking for PHP security tips

Hi everybody,

I am currently developing my first commercial (customer specific) PHP
application. This application is in fact nothing else than a content
management system with internal accounting capabilities for a small
business, based on MySQL. So in fact there is nothing extraordinary
about it.

My customers are worried about security in PHP. I have written many
small PHP applications before where security wasn't a major concern. I
have always checked user input and posted variables and used
mysql_real_escape_string() or intval() to prevent SQL-injection and
htmlentities() to prevent CSS.

Users will be able to log in to the system, book events and so on.
This will be done by session variables.

Are there any well known and common mistakes, things that usually are
not thought about? Any security related things that I should
definitely not do? I know there is good literature out there about
this topic and I have consulted some PHP books and websites. But no
book can substitute an expert's experience.

Any piece of advice is gladly appreciated!
Thanks!
Karl

Feb 3 '07 #1
First off is a bit of role-playing to make you more aware of potential
problems. Just second-guess ANYTHING that is coming in from outside
your application, whether it is GET or POST, and how you handle it.

If you use referencing to web locations based on GET and POST, those
could be used to divert content or your customers to bad places.

If you display GET/POST data, embedded PHP scripts could make your app
do things you don't want it to.

If you store GET/POST data to a database, it could be maligned to
contain commands to do things to/with your database you did not expect.

Even if the data does not contain some obvious exploit, what if it is
bad (too big, too small, ?) or of the wrong type? Verify for potential
problems there. (Users doing some email shenanigans is another
factor too.)

Modules that are added by include() or referenced by others should be
examined to make sure they are not activated by unknown scripts
outside of your web site.

Now if you share a web server you may also have the problem of bad
neighbors on the same server attempting to check out your session
data.

Transmitting sensitive data is another issue; if you are doing
anything with SSNs, credit cards, or other sensitive data, use SSL.

If you google for PHP security you can find lots of articles; read
many, some offer better tips than others.

Feb 3 '07 #2
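Reply #2 lists its checks in prose. The following is an added example (mine, not code from the thread) of what they look like in PHP: an include guard for modules, a redirect-target check that refuses off-site locations, and shape/length validation before a value goes anywhere near a query or a mail header. The constant APP_ENTRY, the `next` parameter and the booking field names are assumptions, and the sample input at the bottom is constructed.

```php
<?php
// Added example, not code from the thread. Names such as APP_ENTRY, the
// 'next' parameter and the booking fields are assumptions for illustration.
declare(strict_types=1);

// In the real application the front controller (index.php) defines APP_ENTRY
// before including any module; each module under inc/ begins with the check
// below, so a direct request to /inc/accounting.php is refused instead of run.
define('APP_ENTRY', true);
if (!defined('APP_ENTRY')) {
    http_response_code(403);
    exit('Direct access not permitted');
}

// A redirect target taken from GET/POST is the "divert your customers to bad
// places" case: an open redirect. Accept only a site-relative path. The
// pattern rejects a scheme, a protocol-relative '//host', backslashes and
// CR/LF (which would let the value inject extra response headers).
function safe_redirect_target(?string $next, string $default = '/index.php'): string
{
    if ($next === null || $next === '') {
        return $default;
    }
    if (preg_match('#\A/(?![/\\\\])[A-Za-z0-9_./?=&%-]*\z#', $next) !== 1) {
        return $default;
    }
    return $next;
}

// "Too big, too small, wrong type": check the shape of each field up front
// rather than relying on escaping at the point of use.
function validate_booking(array $post): array
{
    $errors = [];

    // intval('12abc') silently yields 12; FILTER_VALIDATE_INT rejects it.
    $eventId = filter_var($post['event_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($eventId === false) {
        $errors[] = 'event_id must be a positive integer';
    }

    // The usual "email shenanigans" is CR/LF in an address that later lands in
    // a mail() header; FILTER_VALIDATE_EMAIL rejects such values.
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        $errors[] = 'email is not valid';
    }

    // Free text: bound the size and refuse non-printable control characters.
    // Newlines stay allowed in a note body, which is exactly why a note must
    // never be copied into a mail header.
    $note = $post['note'] ?? '';
    if (!is_string($note) || strlen($note) > 1000
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $note) === 1) {
        $errors[] = 'note is missing, too long or contains control characters';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => ['event_id' => $eventId, 'email' => $email, 'note' => $note],
    ];
}

// Constructed sample input (not real traffic) so the file runs stand-alone.
$sample = [
    'event_id' => '12abc',
    'email'    => "karl@example.com\r\nBcc: everyone@example.com",
    'note'     => 'Table for two',
];
$result = validate_booking($sample);
echo $result['ok'] ? "valid\n" : 'rejected: ' . implode('; ', $result['errors']) . "\n";

foreach (['/account.php?id=7', '//evil.example/login', 'http://evil.example/',
          "/ok\r\nSet-Cookie: admin=1"] as $target) {
    printf("%-45s -> %s\n", json_encode($target), safe_redirect_target($target));
}
```

Validation like this complements escaping; it does not replace it. A value that passes validate_booking() still has to be bound as a parameter when it reaches SQL and passed through htmlspecialchars() when it reaches HTML, because each of those contexts has its own metacharacters.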
On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.net> wrote:
<snip>
> My customers are worried about security in PHP. I have written many
> small PHP applications before where security wasn't a major concern.
Some customers may not be willing to spend $ and so they may prefer
shared hosts.

Shared hosts are vulnerable to session-related attacks if the default
file-based session is used, so you may want to add a DB-based session
handler.
> I have always checked user input and posted variables and used
> mysql_real_escape_string() or intval() to prevent SQL-injection and
> htmlentities() to prevent CSS.

Unlike XSS, a new common attack is session riding, so you may have to
add secret tokens to every form and Ajax-based user info retrieval
(remember GMail's contact list attack).

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #3
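Replies #3 and #4 recommend a database-backed session handler on shared hosts, where the default file handler writes every tenant's session files to a shared save path. Below is an added example of such a handler (mine, not code from the thread) implementing PHP's SessionHandlerInterface over PDO. The `sessions` table, the DSN and credentials, and the 30-minute lifetime are assumptions.

```php
<?php
// Added example, not code from the thread. The table name, DSN, credentials
// and lifetime below are assumptions for illustration.
declare(strict_types=1);

// Assumed schema:
//   CREATE TABLE sessions (
//     id          VARCHAR(128)  NOT NULL PRIMARY KEY,
//     data        MEDIUMBLOB    NOT NULL,
//     last_access INT UNSIGNED  NOT NULL,
//     KEY (last_access)
//   ) ENGINE=InnoDB;

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $maxLifetime;

    public function __construct(PDO $db, int $maxLifetime)
    {
        $this->db = $db;
        $this->maxLifetime = $maxLifetime;
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string
    {
        // Expire on read as well as in gc(): a stale row that a skipped GC run
        // left behind must not be resumable.
        $st = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = ? AND last_access >= ?');
        $st->execute([$id, time() - $this->maxLifetime]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string)$row['data'];
    }

    public function write(string $id, string $data): bool
    {
        $now = time();
        $st = $this->db->prepare(
            'INSERT INTO sessions (id, data, last_access) VALUES (?, ?, ?)
             ON DUPLICATE KEY UPDATE data = ?, last_access = ?');
        return $st->execute([$id, $data, $now, $data, $now]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = ?');
        return $st->execute([$id]);
    }

    public function gc(int $max_lifetime): int
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE last_access < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }
}

// Wiring, done once in the front controller (DSN and credentials assumed).
$db = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$lifetime = 1800;
session_set_save_handler(new DbSessionHandler($db, $lifetime), true);
ini_set('session.gc_maxlifetime', (string)$lifetime);
// Refuse session IDs the server did not issue (blocks simple fixation).
ini_set('session.use_strict_mode', '1');
// Cookie hardening is independent of where the data lives: no JavaScript
// access, HTTPS only, and a browser lifetime no longer than the server one.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();
```

Two caveats. The built-in file handler locks a session for the duration of a request; this handler does not, so two concurrent requests for the same session can overwrite each other's writes (add `SELECT ... FOR UPDATE` inside a transaction if that matters for the accounting part). And moving storage does nothing about the login step itself: call `session_regenerate_id(true)` right after a successful login so a session ID observed before authentication is not the one that becomes privileged.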
[My previous reply is messed up; please ignore that]

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.net> wrote:
<snip>
> My customers are worried about security in PHP. I have written many
> small PHP applications before where security wasn't a major concern.
Some customers may not be willing to spend $ and so they may prefer
shared hosts.

Shared hosts are vulnerable to session-related attacks if the default
file-based session is used, so you may want to add a DB-based session
handler.
> I have always checked user input and posted variables and used
> mysql_real_escape_string() or intval() to prevent SQL-injection and
> htmlentities() to prevent CSS.
<snip>

mysql_real_escape_string() is no more secure; use prepared statements
<http://ilia.ws/archives/103-mysql_re...rsus-Prepared-Statements.html>

Unlike XSS, a new common attack is session riding, so you may have to
add secret tokens to every form and Ajax-based user info retrieval
(remember GMail's contact list attack).

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #4
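Reply #4 makes two points: use prepared statements instead of mysql_real_escape_string(), and put a secret token in every form (and Ajax call) to stop session riding, the attack now usually called CSRF. The following added example (mine, not code from the thread) combines both in one booking-form handler. The `bookings` table, `book.php`, the DSN and the `user_id` session key are assumptions.

```php
<?php
// Added example, not code from the thread. Table, script name, DSN and the
// session keys are assumptions for illustration.
declare(strict_types=1);

// --- Anti-CSRF token: one random secret per session, embedded in every form
//     and checked before any state-changing request is honoured. ---
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// $submitted is deliberately untyped: a request can send csrf_token[]=x.
function csrf_check($submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals() compares in constant time, so the token cannot be
    // recovered byte by byte from response timing.
    return $expected !== '' && is_string($submitted) && hash_equals($expected, $submitted);
}

// The token travels in a hidden field. Every value written into HTML goes
// through htmlspecialchars() with ENT_QUOTES so it cannot leave its attribute.
function render_booking_form(int $eventId): string
{
    $e = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="book.php">'
        . '<input type="hidden" name="csrf_token" value="' . $e(csrf_token()) . '">'
        . '<input type="hidden" name="event_id" value="' . $e((string)$eventId) . '">'
        . '<input type="text" name="note" maxlength="1000">'
        . '<button type="submit">Book</button></form>';
}

// --- The handler. No escaping call anywhere: the statement text reaches MySQL
//     before the values are bound, so data can never be parsed as SQL. ---
function handle_booking(PDO $db, array $post, int $userId): string
{
    if ($userId <= 0) {
        http_response_code(401);
        return 'Not logged in.';
    }
    if (!csrf_check($post['csrf_token'] ?? null)) {
        http_response_code(403);
        return 'Form token missing or stale; reload the page and try again.';
    }
    $eventId = filter_var($post['event_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($eventId === false) {
        http_response_code(400);
        return 'Bad event id.';
    }
    $note = $post['note'] ?? '';
    if (!is_string($note) || mb_strlen($note) > 1000) {
        http_response_code(400);
        return 'Note missing or too long.';
    }

    $st = $db->prepare('INSERT INTO bookings (user_id, event_id, note) VALUES (?, ?, ?)');
    $st->bindValue(1, $userId, PDO::PARAM_INT);
    $st->bindValue(2, $eventId, PDO::PARAM_INT);
    $st->bindValue(3, $note, PDO::PARAM_STR);
    $st->execute();
    return 'Booked.';
}

// Wiring (DSN and credentials assumed). EMULATE_PREPARES=false makes PDO use
// real server-side prepared statements instead of client-side quoting.
$db = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
session_start();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    echo handle_booking($db, $_POST, (int)($_SESSION['user_id'] ?? 0));
} else {
    echo render_booking_form(1);
}
```

For the Ajax case reply #4 mentions, the same token is sent by the page's script as a request parameter or custom header and checked with csrf_check() before the endpoint returns anything user-specific; a cross-site page cannot read the token, so it cannot forge the request. Note also that the query above binds every value; a table or column name taken from the request cannot be bound and would have to be matched against a fixed allow-list instead.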