Bytes IT Community
security threats in php

pradeepjain
Hi guys,
I want to know what the major security loopholes in PHP are.

One major one being bad programming...

Thanks,
Pradeep
Sep 16 '08 #1

Markus
MySQL injection, cookies, sessions.

Not, of course, a problem with PHP, but a problem with the programmer.

If you, the programmer, know how to correctly program an application/webpage, you need not worry about *loopholes*.

Kind regards.
Sep 16 '08 #2

Atli
The biggest threat would probably be user input.
Always assume user input is meant to harm your server in some way and validate it accordingly.
That should take care of most threats.

Btw, I count Sessions, Cookies and stuff like the User Agent and Referrer variables as user input. Everything the browser provides can be manipulated by the user.
Sep 16 '08 #3

pbmods
I coulda sworn we had another thread about this somewhere....

The rule of thumb when dealing with Users:
  1. Validate input.
  2. Escape output.

Validate Input

To achieve the former, follow three simple rules:
  1. Don't trust the User
  2. Don't trust the User
  3. Don't trust the User

There is a fourth rule (Don't trust the User), but I left it off to avoid redundancy.

What do I mean by that? In a nutshell: $_POST['itemid'] is not an integer, $_POST['email'] is a phone number, $_GET['username'] probably contains malicious SQL code.

Joel Spolsky explores using Hungarian notation to make unsafe User input obvious (http://www.joelonsoftware.com/articles/Wrong.html), but you can just as easily solve the problem by building good habits.

Never use superglobals in any of your code. Always clean them as soon as you get them:

[PHP]<?php
// Cast, validate or escape each superglobal value once, then only ever use the cleaned copy.
$itemid = (int) $_POST['itemid'];
$email = validate_email($_POST['email']);   // validate_email() is the author's own helper, not a PHP built-in
// mysqli_real_escape_string() takes the connection first, then the string to escape
$username = mysqli_real_escape_string($conn, $_GET['username']);

/** UNSAFE */
$query = "SELECT ... WHERE `Username` = '{$_GET['username']}' ...";

/** SAFE */
$query = "SELECT ... WHERE `Username` = '{$username}' ...";
?>[/PHP]
SQL injection is perhaps the most spectacular vulnerability that can be exploited when a programmer fails to validate input, but you might also encounter oddness when, for example, processing payment data, sending requests to web services and other processes that involve sending or storing User input.

Escape Output

Always escape anything that gets output by your application. The majority of the time (escaping content for the User's web browser), you can achieve this using the built-in htmlentities() function (http://php.net/htmlentities).

Escaping output thwarts vile XSS attacks and prevents oddly-formatted User input from breaking your HTML.

Note that you won't always find yourself escaping data for HTML. When sending data to a web-service, be sure to XML-escape any tag values that you send (htmlentities() can handle this just fine).

If you are generating a CSV file, you need to escape commas, and so on.

Output escaping can also be used to improve the quality of your User experience. For example, when outputting a value that should be a phone number, run it through a function that formats it in (###) ###-#### format (watch out for international phone numbers!).
Sep 17 '08 #4
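The "validate input, escape output" rule above, together with Atli's point in post #3 that cookies, the User-Agent and the Referer are user input as well, as one added example. This is not code from the thread: the validator names, the `safe_return_url()` helper, the `shop.example` host and the constructed `$post`/`$server` arrays standing in for `$_POST`/`$_SERVER` are all assumptions made for illustration. It goes a little beyond the post by giving one escaping function per output context (HTML, XML, CSV) rather than one function for everything.

```php
<?php
// Added example (not from the thread): validate on the way in, escape per
// output context on the way out. Names and sample data are assumptions.
declare(strict_types=1);

// ---- Validate input: turn each raw value into a known-good type or reject it ----

function validate_item_id(string $raw): ?int
{
    // (int) "42abc" silently yields 42; insist that the whole string is digits.
    return ctype_digit($raw) ? (int) $raw : null;
}

function validate_email(string $raw): ?string
{
    $v = filter_var($raw, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

function validate_username(string $raw): ?string
{
    // Allow-list the permitted characters instead of trying to escape the bad ones.
    return preg_match('/\A[a-z0-9_]{3,32}\z/', $raw) === 1 ? $raw : null;
}

// Request headers are input too: a Referer used for "return to previous page"
// must be checked against our own host, otherwise it is an open redirect.
function safe_return_url(?string $referer, string $our_host): string
{
    if ($referer === null) {
        return '/';
    }
    $p = parse_url($referer);
    if ($p === false || !isset($p['scheme'], $p['host'])
        || !in_array(strtolower($p['scheme']), ['http', 'https'], true)
        || strcasecmp($p['host'], $our_host) !== 0) {
        return '/';
    }
    return $referer;
}

// ---- Escape output: one function per context ----

function e_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function e_xml(string $s): string
{
    // XML only knows the five predefined entities; htmlspecialchars emits exactly
    // those, whereas htmlentities may emit named entities an XML parser rejects.
    return htmlspecialchars($s, ENT_QUOTES | ENT_XML1, 'UTF-8');
}

function e_csv_row(array $fields): string
{
    // Quote fields containing separators, quotes or newlines and double embedded
    // quotes. A leading = + - @ is prefixed with an apostrophe so spreadsheet
    // software does not evaluate the cell as a formula.
    $out = [];
    foreach ($fields as $f) {
        $f = (string) $f;
        if ($f !== '' && strpos('=+-@', $f[0]) !== false) {
            $f = "'" . $f;
        }
        if (strpbrk($f, ",\"\r\n") !== false) {
            $f = '"' . str_replace('"', '""', $f) . '"';
        }
        $out[] = $f;
    }
    return implode(',', $out) . "\r\n";
}

// Constructed request, standing in for $_POST and $_SERVER.
$post = ['itemid' => '42abc', 'email' => 'not-an-address', 'username' => "bob' OR '1'='1"];
$server = ['HTTP_REFERER' => 'https://evil.example/phish?x=1'];

var_dump(validate_item_id($post['itemid']));
var_dump(validate_email($post['email']));
var_dump(validate_username($post['username']));
echo safe_return_url($server['HTTP_REFERER'], 'shop.example'), "\n";
echo e_html('<script>alert("x")</script>'), "\n";
echo e_xml("Tom & Jerry's"), "\n";
echo e_csv_row(['=HYPERLINK("http://evil")', 'a,b', 'say "hi"']);
```

Each validator returns null on failure so the caller cannot forget to check; the three constructed inputs all fail, and the foreign Referer collapses to `/`. The formula-prefix rule in `e_csv_row()` also touches negative numbers such as `-5`, so apply it to free-text columns only.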

pradeepjain
I generally use
[PHP]<?php
// Recursively apply htmlspecialchars() to every string in an array.
// foreach replaces each(), which was deprecated in PHP 7.2 and removed in 8.0.
function htmlspecialchars_array($arr = array()) {
    $rs = array();
    foreach ($arr as $key => $val) {
        if (is_array($val)) {
            $rs[$key] = htmlspecialchars_array($val);
        } else {
            $rs[$key] = htmlspecialchars($val, ENT_QUOTES);
        }
    }
    return $rs;
}
$array = htmlspecialchars_array($array);
?>
[/PHP]


before fetching data from the database. And before inserting into the database I use this script:

[PHP]<?php
// Recursively escape every string for use inside a quoted MySQL string literal.
// Needs the legacy mysql extension (removed in PHP 7.0) and an open connection;
// get_magic_quotes_gpc() was removed in PHP 8.0.
function sanitize($input) {
    if (is_array($input)) {
        $output = array();   // initialise so an empty array returns array(), not null
        foreach ($input as $k => $i) {
            $output[$k] = sanitize($i);
        }
    } else {
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        }
        $output = mysql_real_escape_string($input);
    }

    return $output;
}
$_POST = sanitize($_POST);
?>[/PHP]


Is there any script to use, so as to ensure secure data injection into the database?


thanks,
pradeep
Sep 17 '08 #5

Markus
(quoting pradeepjain's post #5 above)
As long as you mysql_real_escape_string() your input you will be fine.
Sep 17 '08 #6
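The reply above relies on escaping; as an added example, not code from this thread, here is the escaping approach beside a prepared statement, which is the direct answer to the question in post #5 because the user data never becomes part of the SQL text. It uses PDO with an in-memory SQLite database so it runs offline (against MySQL only the DSN changes); the `users` table and its rows are constructed for the demonstration, and `escape_like_mysql()` is a stand-in that escapes the same characters as `mysql_real_escape_string()`, which cannot be called without a live MySQL connection.

```php
<?php
// Added example, not code from this thread. PDO with in-memory SQLite so it
// runs offline; for MySQL use e.g.
// new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', $user, $pass).
// The users table and its rows are constructed for the demonstration.
declare(strict_types=1);

// Stand-in for mysql_real_escape_string(), which needs a MySQL connection:
// escapes the same characters (NUL, \n, \r, \, ', ", \x1a). The real function
// additionally depends on the connection character set.
function escape_like_mysql(string $s): string
{
    return strtr($s, [
        "\0" => '\\0', "\n" => '\\n', "\r" => '\\r', '\\' => '\\\\',
        "'" => "\\'", '"' => '\\"', "\x1a" => '\\Z',
    ]);
}

function make_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL, email TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    // Constructed sample rows.
    foreach ([['alice', 'alice@example.com'], ['bob', 'bob@example.com']] as [$u, $e]) {
        $ins->execute([':u' => $u, ':e' => $e]);
    }
    return $db;
}

// Escaping only: fine inside a quoted string literal, useless in an unquoted
// integer position because there is no quote for the payload to break out of.
function find_by_id_escaped(PDO $db, string $id): array
{
    $sql = 'SELECT id, username FROM users WHERE id = ' . escape_like_mysql($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Validate, then bind: the value travels separately from the SQL text, so the
// payload is compared as data and never parsed as SQL.
function find_by_id_prepared(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {   // an id is a non-negative integer, nothing else
        return [];
    }
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function find_by_username_prepared(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = make_db();
$payload = '1 OR 1=1';   // contains nothing the escaper touches
printf("escaped payload   : %s\n", escape_like_mysql($payload));
printf("escaped-only rows : %d\n", count(find_by_id_escaped($db, $payload)));
printf("prepared rows     : %d\n", count(find_by_id_prepared($db, $payload)));
printf("prepared username : %d\n", count(find_by_username_prepared($db, "alice' OR '1'='1")));
```

The escaped-only lookup returns the whole table because `1 OR 1=1` contains no character the escaper changes, while the prepared versions return nothing for either payload. Once the query text never contains user data, an escaping function is only needed in the rare case where SQL text must be assembled by hand (a dynamic column name, say), and there an allow-list of permitted names is safer still; note also that escaping leaves the `LIKE` wildcards `%` and `_` untouched.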
