Newbie looking for security addvise

JLerster

I have been playing around with PHP for a few months now, but one thing that I havent learned much about is security. I'm half way through a shoping cart now (my first app I have made totaly myself) and I havent got a clue how to keep it safe. I just code for fun at this time, so I'm not in a rush. Any one have any good addvise? maybe some links? I have already looked at Zend, PHPBuilder, hotscripts, devshed, webmonkey and fresh meat. Are there any goldmines out there that Im over looking?
Thanks.

Mordecai

Well, make sure register_globals is off. That way, people can't just set variables themselves and override those in your script.

As for other security sites, I haven't come across many. Check this out: http://php.resourceindex.com/Documentation/Security/

mcgruff

Take a good look at the mysql permissions system if you store CC numbers in a mysql database.

You may want to create different db users for admin and ordinary shoppers, each with different privileges - and a separate db connection script for each. Keep these in an .htaccess "deny from all" protected folder and include where necessary in your scripts.

In php code, a basic rule is ALWAYS htmlspecialchars(addslashes(trim))) any user input such as POST vars. Type casting can also be used on integer values.

Field values in mysql queries should always be enclosed in single quotes ie SELECT * FROM table WHERE column='$value'

Make sure you understand issues such as query string tampering and value substitution.

matt_4013

McGruff has outlined it pretty well actually. There's not a lot more you can do on the application layer with php. In fact, there's not really a lot more you can do in the application layer with ANYTHING.

If you're doing anything with CC numbers or personal details, I would definately recommend using SSL, to be as sure as you can that nobody is watching what you're transmitting.

mcgruff

Rgr I forgot to mention SSL for uploading & downloading CC numbers. Duh! <😉

JLerster

Thanks, I guess I thought there was more to it then there really is. Would nl2br( ) work good in place of trim( )? I was thinking of somthing like this.

$string = "McGruff has outlined it pretty well actually. There's not a lot more you can do on the application \n"
         ."layer with php.\n";
// using htmlspecialchars(addslashes()) sripts it of malicious code(hopefully),
// but leaves the \n new line intact. 
$string = htmlspecialchars(addslashes($string));
// nl2br() is used separately to keep htmlspecialchars from removing
// the <br/> break
$string = nl2br($string);

This way content can be a little more formated then just plain text because of the line breaks . Could this cause problems?

matt_4013

nl2br() is used when you're outputting the string. The others are used when you're inputting. For example:

/* The user has been given a post method form with the elements "subject" (textbox), "body"(textarea), and "submit"(submit). The form handler is below. */

/* This cleans up the users input, to be put into a database, run on command line, sent to a mail server, etc. */

$clean = array();
foreach($_POST as $k=>$v) {

// You don't need htmlspecialchars here, because it html characters are fine in a db, they will still be escaped by addslashes
$clean[$k] = addslashes(trim($v));
}

// This is great to input into a database, but you want to display it, yet keep some html formatting!

$sql = "SELECT subject, body FROM forum WHERE foo='bar'";
$result = mysql_query($sql, $db);
$data = mysql_fetch_assoc($result);

/* This will convert the newlines to breaks, so they will display
properly, and fix up the html so that it is displayed rather than
parsed by the browser. */

echo nl2br(htmlspecialchars($data['subject']));

JLerster

I see, thanks. And also thanks for showing me how to clean up an array 😃

matt_4013

Just be careful with addslashes, because if magic_quotes_gpc is set then it will escape twice. That sucks 😉

I use this to clean stuff up before I run it through a database:

	function clean_input($needle) {

	/*
	Date Created:	09/04/2003
	Last Updated:	10/04/2003

	This function is used to clean up user input before it goes near a
	database. This is to prevent malicious users from escaping the SQL and
	crafting sql injections, allowing access to things they aren't supposed
	to have access to. It will accept any kind of input. Should be used as
	follows:

	$clean = clean_input($dirty);
	mysql_query("SELECT * FROM foo WHERE bar='$clean'");

	If you don't do this, a user can enter (e.g.) a password like "pw' OR 1=1--". 
	As such, this query will ALWAYS return a result. 

	*/

	if(is_array($needle)) {

		$haystack = array();

		foreach($needle as $k=>$v) {

			$haystack[$k] = (!get_magic_quotes_gpc()) ? mysql_escape_string($v) : $v;
			$haystack[$k] = trim($haystack[$k]);
		}
	} else {
		$haystack = (!get_magic_quotes_gpc()) ? mysql_escape_string($needle) : $needle;
		$haystack = trim($haystack);
	}

	return $haystack;
}

EDIT

The extreme commenting is my boss' fault, he likes to know exactly what's going on in the applications we write, so we keep him amused 😉

/EDIT

mcgruff

One minor point about htmlspecialchars() on the way OUT rather than on the way in: it's possibly more efficient to do it on the way in since that saves some processing time when visitors browse your website.

Of course, you lose it at the other end but then the data is only input once and then viewed many thousands of times (hopefully!).

This comment is more to illustrate a principle rather than anything else. Stripping out nasties on the way in rather than on the way out is unlikely to make a lot of difference to most page load times but it's good to think about efficent coding. A little bit here and a little bit there just might add up to a lot..

While I'm in efficient coding rant mode, creating a whole extra $clean array (above) can be avoided by just writing addslashes(trim($POST['var'])) where you need them - or even htmlspecialchars(addslashes(trim($POST['var']))) 🙂

Or, if you are expecting an integer value: intval($_POST['var']) is all you need - form forgers who try to submit strings to that POST key won't have any joy.