Bytes IT Community

Looking for PHP security tips

Hi everybody,

I am currently developing my first commercial (customer specific) PHP
application. This application is in fact nothing else than a content
management system with internal accounting capabilities for a small
business, based on MySQL. So in fact there is nothing extraordinary
about it.

My customers are worried about security in PHP. I have written many
small PHP applications before where security wasn't a major concern. I
have always checked user input and posted variables and used
mysql_real_escape_string() or intval() to prevent SQL-injection and
htmlentities() to prevent CSS.

Users will be able to log in to the system, book events and so on.
This will be done by session variables.

Are there any well known and common mistakes, things that usually are
not thought about? Any security related things that I should
definitely not do? I know there is good literature out there about
this topic and I have consulted some PHP books and websites. But no
book can substitute an expert's experience.

Any piece of advice is gladly appreciated!
Thanks!
Karl

Feb 3 '07 #1
3 Replies


> Are there any well known and common mistakes, things that usually are
> not thought about? Any security related things that I should
> definitely not do? I know there is good literature out there about
> this topic and I have consulted some PHP books and websites. But no
> book can substitute an expert's experience.
>
> Any piece of advice is gladly appreciated!
> Thanks!
> Karl
First off is a bit of role-playing to make you more aware of potential
problems. Just second-guess ANYTHING that is coming in from outside
your application, whether it is GET or POST, and how you handle it.

If you use references to web locations based on GET and POST, those
could be used to divert content or your customers to bad places.

If you display GET/POST data, embedded PHP scripts could make your app
do things you don't want it to.

If you store GET/POST data in a database, it could be malformed to
contain commands to do things to/with your database you did not expect.

Even if the data does not contain some obvious exploit, what if it is
bad (too big, too small, ...) or of the wrong type? Verify for potential
problems there. (Users doing some email shenanigans is another
factor too.)

Modules that are added by include() or referenced by others should be
examined to make sure they are not activated by unknown scripts
outside of your web site.

Now if you share a web server, you may also have the problem of bad
neighbors on the same server attempting to check out your session
data.

Transmitting sensitive data is another issue; if you are doing
anything with SSNs, credit cards, or other sensitive data, use SSL.

If you google for PHP security you can find lots of articles; read
many, as some offer better tips than others.

Feb 3 '07 #2
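The checks the reply above describes in words, as an added example that is not code from the thread. It covers the redirect-to-a-bad-place case, the too-big/wrong-type case, the e-mail header case, escaping on output, and the include() guard. It targets PHP 8; the function names, the `APP_ENTRY` constant and the booking-handler usage at the bottom are illustrative assumptions.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8). Function names are illustrative and not from the thread.

// Redirects: a raw header('Location: ' . $_GET['next']) lets anyone craft a
// link that bounces a logged-in customer to a site of the attacker's choosing,
// so accept only a path inside this application.
function safe_redirect_target(mixed $candidate, string $fallback = '/index.php'): string
{
    if (!is_string($candidate) || $candidate === '' || strlen($candidate) > 256) {
        return $fallback;
    }
    // Exactly one leading "/": browsers treat "//evil.example" and
    // "/\evil.example" as absolute URLs. Printable ASCII only, so no CR/LF
    // can split the Location header.
    if ($candidate[0] !== '/' || str_contains($candidate, '\\')
        || (isset($candidate[1]) && $candidate[1] === '/')
        || !preg_match('/\A[\x21-\x7E]+\z/', $candidate)) {
        return $fallback;
    }
    return $candidate;
}

// Numbers: filter_var() rejects "12abc" and "" outright, where intval()
// would silently turn them into 12 and 0. An array value is rejected too.
function event_id_from(array $input): ?int
{
    $id = filter_var($input['event_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// E-mail: a CR/LF in a value that reaches mail() headers lets the sender
// append Bcc:/Subject: lines of their own (the "email shenanigans" above).
// FILTER_VALIDATE_EMAIL refuses line breaks; the explicit test is defence
// in depth.
function clean_email(mixed $raw): ?string
{
    if (!is_string($raw) || strlen($raw) > 254) {
        return null;
    }
    $email = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return ($email === false || preg_match('/[\r\n]/', $email)) ? null : $email;
}

// Output: escape at the point of display, in text and in attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Files that are only ever include()d should refuse to run when requested
// directly. Entry points define a constant first; every library file checks it:
//   define('APP_ENTRY', true);                                    // index.php, login.php
//   if (!defined('APP_ENTRY')) { http_response_code(403); exit; } // lib/*.php

// Usage in a hypothetical booking handler:
define('APP_ENTRY', true);
$next    = safe_redirect_target($_GET['next'] ?? null);
$eventId = event_id_from($_POST);
$email   = clean_email($_POST['email'] ?? null);
if ($eventId === null || $email === null) {
    http_response_code(400);
    echo '<p>Invalid booking request. <a href="' . h($next) . '">Back</a></p>';
    exit;
}
header('Location: ' . $next, true, 303);
```

The redirect helper deliberately allow-lists a shape (one leading slash, printable ASCII) rather than block-listing known-bad prefixes, because browsers accept more URL spellings than any block-list anticipates. Validation happens once, at the edge, and escaping happens once, at output; the two are not interchangeable.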

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.net> wrote:
> <snip>
> My customers are worried about security in PHP. I have written many
> small PHP applications before where security wasn't a major concern.
Some customers may not be willing to spend $ and so they may prefer a
shared host.

Shared hosts are vulnerable to session-related attacks if the default
file-based session is used, so you may want to add a DB-based session
handler.
> I have always checked user input and posted variables and used
> mysql_real_escape_string() or intval() to prevent SQL-injection and
> htmlentities() to prevent CSS.

Unlike XSS, a new common attack is session riding, so you may have to
add secret tokens to every form and Ajax-based user info retrieval
(remember GMail's contact list attack).

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #3

[My previous reply is messed up; please ignore that]

On Feb 3, 9:38 pm, "Karl Nierler" <mr_mil...@gmx.net> wrote:
> <snip>
> My customers are worried about security in PHP. I have written many
> small PHP applications before where security wasn't a major concern.
Some customers may not be willing to spend $ and so they may prefer a
shared host.

Shared hosts are vulnerable to session-related attacks if the default
file-based session is used, so you may want to add a DB-based session
handler.
> I have always checked user input and posted variables and used
> mysql_real_escape_string() or intval() to prevent SQL-injection and
> htmlentities() to prevent CSS.
> <snip>

mysql_real_escape_string() is no longer secure; use prepared statements
<http://ilia.ws/archives/103-mysql_re...rsus-Prepared-Statements.html>

Unlike XSS, a new common attack is session riding, so you may have to
add secret tokens to every form and Ajax-based user info retrieval
(remember GMail's contact list attack).

--
<?php echo 'Just another PHP saint'; ?>
Email: rrjanbiah-at-Y!com Blog: http://rajeshanbiah.blogspot.com/

Feb 4 '07 #4
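The three recommendations in the reply above (a DB-based session handler for shared hosts, prepared statements instead of mysql_real_escape_string(), and a secret token against session riding) combined into one bootstrap file, as an added example that is not code from the thread or from the linked article. It uses PHP 8's SessionHandlerInterface and PDO; the `sessions` table, the DSN and credentials, the class and function names, and the `X-CSRF-Token` header name for Ajax calls are all assumptions.

```php
<?php
declare(strict_types=1);
// Added example (PHP 8, PDO with MySQL). The table, DSN, credentials and
// names are assumptions, not code from the thread.
//
// Assumed table:
//   CREATE TABLE sessions (
//     id         VARCHAR(128) NOT NULL PRIMARY KEY,
//     data       BLOB         NOT NULL,
//     updated_at INT UNSIGNED NOT NULL
//   );

// Sessions in the database instead of the default sess_* files: on a
// shared host other customers' scripts often run as the same user and
// can read /tmp. Every query is a prepared statement, so the session id
// taken from the cookie is never spliced into SQL text.
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $db, private int $lifetime) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND updated_at > :cutoff');
        $st->execute([':id' => $id, ':cutoff' => time() - $this->lifetime]);
        $row = $st->fetch(PDO::FETCH_ASSOC);
        return $row === false ? '' : (string) $row['data'];
    }

    public function write(string $id, string $data): bool
    {
        // REPLACE INTO is MySQL-specific; use an upsert on other databases.
        $st = $this->db->prepare(
            'REPLACE INTO sessions (id, data, updated_at) VALUES (:id, :data, :now)');
        return $st->execute([':id' => $id, ':data' => $data, ':now' => time()]);
    }

    public function destroy(string $id): bool
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $st->execute([':id' => $id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated_at < :cutoff');
        $st->execute([':cutoff' => time() - $max_lifetime]);
        return $st->rowCount();
    }
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$lifetime = 1800;
ini_set('session.gc_maxlifetime', (string) $lifetime);
ini_set('session.use_strict_mode', '1');   // reject ids the server never issued
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_set_save_handler(new DbSessionHandler($db, $lifetime), true);
session_start();

// Session riding (CSRF): a per-session secret the attacker's page cannot read,
// embedded in every state-changing form and checked on submission.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(mixed $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

/* Forms carry the token as a hidden field, Ajax calls as a header:
   <input type="hidden" name="csrf_token"
          value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
   fetch('/book.php', {method: 'POST', headers: {'X-CSRF-Token': token}, body: data}) */
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $token = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? null;
    if (!csrf_valid($token)) {
        http_response_code(403);
        exit('Request rejected: missing or stale CSRF token');
    }
}
// Endpoints that return a user's private data (the GMail contact-list case)
// should require POST plus the token too, never answer a bare GET.
```

Include this file from every page before any output. The handler keys rows on the session id, so `session.use_strict_mode` matters: without it PHP will happily adopt an id an attacker planted in the victim's cookie, and the DB store would then hold a session whose name the attacker already knows. `hash_equals()` keeps the token comparison constant-time; the token is tied to the session rather than to the user so that it rotates whenever the session does.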
