Security for PHP Website, Your Opinions?

wmac

Hello,

I see some big security holes in most of simple programs witten by newbies (including my old applications).

Two of the most common problems:

1- Forms can be posted from hackers local computer (ie we do not test to see if form page is on our own website) in this way he may post something wrong.

For example assume we get and id number and put it directly in front of below query:

delete * from table where id=$id

Then hacker posts the value "id" instead of a number and deletes all rows!

Question: How do you prevent forms posted from a page other than your website?

2- Most of the forms on your website may be used to send queries to your SQL server.

Lets assume you get an id from your form and do above query again.

He is supposed to type 19 in the txt box and below query is constructed.

delete * from table where id=19

Now what if he types :

"19;delete * from table;"

Question: How do you avoid inserting critical things into your forms to affect your website?

Your opinions, advices and help is appereciated.

Regards,
Mac

xuguoxin

regex syntax can solve above problem

preg_match_all( '/^{\d+$/',$_GET[id],$match);}

if (0==count($match[0])) {//error}

laserlight

Obviously, you have to validate the data given to the script to prevent SQL injection.
is_numeric() might help, addslashes() might help, htmlspecialchars() or htmlentities() might help.
You might also use $POST if you expect it to come from a form via the POST method, or $GET if you expect it to come from the querystring, or $_COOKIE if it is supposed to be a cookie.
Obviously these arent foolproof, you have to test.
If you have performed adequate SQL injection prevention, making a form of his own wont help a programmer do anything more than submit the form the way you want it submitted.
You think what datatypes are expected, and test with all sorts of data and methods.

Weedpacket

Originally posted by wmac

Question: How do you prevent forms posted from a page other than your website?

Ultimately, you can't. The filled-out form data isn't coming from your website, it's coming (usually) from another browser on someone else's machine. That machine can say anything - and you can't control that. All you can do is be very paranoid and not believe anything you're told until you've checked and rechecked that it's genuine.

Here's a link to an earlier thread that provides a pointer to some work on this subject.