need advice: how to secure my application

martincrumlish

Hi,

I have been working on some mainly internal projects (internal meaning company intranet) but some of these are soon to be deployed to a live web server. I am running PHP 4.0.6 at the moment with regsiter globals on. Also, my applications use forms.

What I need advice on is: what steps should i take to implement some sort of security setup on my applications?

Thanks,
Martin

PS: if reg globals is off can i pass values like this:

link.php?name=$value

cahva

PS: if reg globals is off can i pass values like this:

link.php?name=$value

Yes you can. Use $GET['name'] to retrieve the variable. And for forms using post, use $POST['variable']

If you use $GET,$POST,$_SESSION etc. then you are quite safe even when using register_globals on.

For security, allways retrieve mySQL passwords etc. from outside your public_html directory.

If you have some kind of login system, when saving passwords to mysql, use MD5 or similar encoding system so that they are a little harder to crack IF you get hacked...

Someone else can tell more 🙂

martincrumlish

so, would it be ok to do this at the start of each script?

$name = $_POST['name'];

and then just use $name throughout the script as i would normally do. Also, if i used $_POST etc and left reg globals on, how would this protect me from this scenario:

A visitor views my HTML source and see's a form textbox name. he then passes something this in the url:

link.php?name="DELET * FROM whatever

Is that a problem that could occur?

RedDragon

i have posted a fix here which makes it possible to use $name instead of $_post['name'] on all php versions,

about your question regarding the url var passing
to prevent a scenario as this you need to make sure the data has been submitted and not typed into the bar
so use
if(isset($submit)) {
//code
}

if($submit="Submit") {
//code
}

the submit buttons var cannot be processed by url

fitchn

As you mentioned, the first thing that you should do is turn registered globals off! This will probably require you to re-write many aspects of your scripts, but the level security gained will keep all but the most determined hackers out. As far as forms are concerned, it is a good idea to use POST whenever possible; this prevents the user from seeing the variables that you are using, and makes it that much harder for them to 'fake' a submission. There are also some other simple security messures that you can take, such as verifying that the form was indeed submitted, and that it was sent from the proper page.

If you are manually passing values from one page to another through the URL query syntax, it is a good idea to encrypt a part of the data, and send both the encrypted and un-encrypted versions; then in the next page, check that the two are equal. For instance, the url could look something like:

http://www.yoursite.com/page.php?name=fred&encname=[md5("fred")]

Then, in the next page, add the following code:

if (md5($get['name']) != $get['encname']) {
die ('Stop hacking my site!!!');
}

By doing this, any potential hackers must change two fields! (If you do this, it wouldn't be a bad idea to tack on some extra characters before you encrypt).

Of course, most of these issues could be avoided by employing one powerful concept: sessions! (check out: http://www.php.net/sessions)

Hope that helps!

Nick