Hello,
I'm in the situation described in the Newbie FAQ sticky; i.e. my scripts won't work. I've learned PHP/MySQL fairly well in the past, but most of it is lost in the back of my filing system and I'm starting over.
I'm working out of Kevin Yank's "Build Your Own Database Driven Website" (SitePoint) First Edition, which is like seven years old, but I have the new code samples downloaded from SitePoint, so I can see the more obvious changes like using $_GET to retrieve variables, etc.
My problem is I seem to have run into a catch-22 where I don't want to write any scripts without understanding the security consequences, but most of the advice makes no sense to me because I haven't read far enough yet to know how to implement it.
E.g. I found out this morning that $_SERVER['PHP_SELF'] is insecure if improperly implemented. The advice given in this case, "write a function for everything", doesn't compute because I don't even understand the functions given as examples.
Then there's all the ambiguously stated advice such as "escape all user input" or "Don't output unescaped input". Even the more specific advice, such as that given in the sticky, i.e. "make sure you use strip_tags(); and use the htmlentities etc.", isn't very helpful if I don't know how to use them, in what circumstances, or what is "etc.".
The article linked from the PHP_SELF example says, among other things, "only a fool would echo $_GET['param'];", and yet that's precisely what my reference material is telling me to do, even in the current (Third Edition) code samples.
For my immediate purposes, I'd just like to know:
1.) Is the example solution:
htmlentities($_SERVER['PHP_SELF'])
...a direct replacement for $_SERVER['PHP_SELF'], or might it do something unexpected to my output and leave me wondering what's wrong?
and,
2.) I'd like to know, if only a fool would
echo $_GET['param'];
...then what should I do as an alternative? I want to guess "the same thing I did to PHP_SELF", but I don't really want to guess.
Aside from those two questions, I'd really appreciate it if someone could point me at a N00b-language resource for best security practices, so I can start out doing things right (e.g. converting the code samples which say "echo $_GET['param'];" to whatever is a better solution), rather than learning the wrong way and having to go back and re-learn.
Thanks,
-jb
P.S., OT, it would also be nice to find a resource called something like "Parentheses, Curly Braces, and Single and Double Quotation Marks for N00bs", because it just seems to me like a lot of the newer code I'm seeing looks much cleaner and more direct than the stuff I saw five years ago, with fewer of the above-mentioned characters.
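The two cases the post asks about, as an added example (not code from the post, from the SitePoint book, or from the linked article): a small escaping helper, the book-style `echo $_GET['param'];` line kept as a comment beside its escaped form, and `$_SERVER['PHP_SELF']` escaped the same way before it is placed in a form action. The parameter name `param`, the helper name `h()` and the form are assumptions for illustration. `htmlspecialchars()` converts only the five characters that have meaning in HTML (`<`, `>`, `&`, `"`, `'`); `htmlentities()` additionally converts every character that has a named entity (accented letters, for instance), which is why its output can look different from the input even though both make the value safe to print in an HTML context.

```php
<?php
// Added example: output escaping for values that came from the request.
// Names (h, param) are assumptions for this illustration.

// Escape a value for an HTML context. ENT_QUOTES covers both quote styles,
// so the result is safe inside attribute values as well as between tags.
function h($text)
{
    return htmlspecialchars((string) $text, ENT_QUOTES, 'UTF-8');
}

// Book-style output, as the post quotes it: whatever arrives in ?param=
// is written into the page unchanged, so markup in the value is rendered
// as markup rather than shown as text.
// echo $_GET['param'];

// Escaped output: the same value is displayed as literal text.
// The is_string() check matters because ?param[]=x makes $_GET['param']
// an array, and casting an array to string only yields the word "Array".
$param = (isset($_GET['param']) && is_string($_GET['param'])) ? $_GET['param'] : '';
echo '<p>You sent: ' . h($param) . '</p>';

// $_SERVER['PHP_SELF'] is derived from the requested path, so it is also
// request-controlled input; escape it the same way when it goes into HTML.
?>
<form action="<?php echo h($_SERVER['PHP_SELF']); ?>" method="get">
  <input type="text" name="param">
  <input type="submit" value="Send">
</form>
```

A quick way to confirm the escaping is in effect: request the page with a value such as `?param=<b>x</b>` and check that the browser shows the literal text `<b>x</b>` (and that "view source" shows `&lt;b&gt;x&lt;/b&gt;`) rather than a bold x. Note that `strip_tags()` from the sticky removes tags from a value, which is a different operation from escaping; the helper above is what makes a value safe to print, regardless of what it contains.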