It's extremely nontrivial. Even very widely studied applications can have things missed.
For new applications I'd say, ensure that:
- It uses htmlspecialchars or similar for ALL output of nontrusted data - or a templating system like Smarty with a default modifier which does this automatically
- It uses prepared queries such as with PEAR::DB or PDO exclusively, never putting user data (directly) into SQL at all.
And these two measures will protect you from many types of attack, but not all.
Logic bugs in the authentication and authorisation code may remain - these are extremely difficult to detect if you don't know how it works and it isn't well (or correctly) commented.
Applications which output user-supplied HTML with some sanitisation are extremely difficult to validate, because it's not clear how HTML has to be modified to make it "safe" from XSS injection attacks.
Different browsers parse badly-formed HTML differently and there exist tricks which may enable some HTML to slip through the net and still be executed by a browser. I do not know how to safely do this; it is a subject of much research.
Mark
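The two baseline measures from the post above, as an added PHP example that is not Mark's code: a query with user data concatenated into the SQL beside a PDO prepared statement, and an output helper built on htmlspecialchars. It assumes a throwaway SQLite in-memory database with a `users` table created inline, and a constructed input value standing in for a request parameter.

```php
<?php
// Added example (not from the original post). Demonstrates the two measures the
// post recommends: PDO prepared statements and htmlspecialchars on all untrusted output.
declare(strict_types=1);

// Assumed: an in-memory SQLite database with a small demo table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// Constructed input standing in for $_GET['name'].
$untrusted = "x' OR '1'='1";

// VULNERABLE: user data concatenated straight into SQL (what the post says never to do).
function findUserUnsafe(PDO $pdo, string $name): array {
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: a prepared statement with a bound parameter; the value is data, never SQL.
function findUserSafe(PDO $pdo, string $name): array {
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output encoding for an HTML context. ENT_QUOTES escapes both quote styles, so the
// helper is safe in attribute values as well as text; the charset must match the page.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The concatenated query matches every row; the prepared one matches none.
printf("unsafe rows: %d\n", count(findUserUnsafe($pdo, $untrusted)));
printf("safe rows:   %d\n", count(findUserSafe($pdo, $untrusted)));

// Every untrusted value reaches the page only through h(), in text and attribute position.
$injected = '<script>alert(1)</script>';
echo '<p>Hello, ' . h($injected) . "</p>\n";
echo '<input name="q" value="' . h($injected) . "\">\n";
```

The hardened query matches zero rows for the constructed input because the bound value is compared literally, while the escaped output renders the script tag as visible text rather than executing it.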