Security Basics

Maharg105

Hi Guys,

I was wondering if you might be able to lend me a little of your expertise. I think that, apart from a few gaping holes in my knowledge, I am becoming a little more proficient in my use of PHP. But, I am still a little vague on security measures.

At the moment I am sanitising all user inputted data that is going to be entered into a database. I then use htmlentities when outputting this data. This (I think) should by an large prevent SQL injection and forms of XSS?

What I am unclear on is whether I need to employ such security methods in mailer forms? I currently use a captcha image so that users need to verify that they are in fact a person. But do I need to put anything else in place. Are they able to execute malicious code through this kind of form. Or would it be best practice to sanitise the data anyway?

Thanks in advance,

Shrike

When crafting mail strings which include user data you need to ensure additional headers are not being passed, for example:

$my_mail_address = 'me@foo.com0x0ABcc: evil@empire.org

Lots of mailer libraries, for example PEAR::Mail, take care of this for you.

bradgrafelman

As Shrike points out, it depends on what you're putting into the e-mail headers. If you're using user-supplied data, you need to make sure it doesn't contain malicious data as well.

Also, out of curiosity, can you describe how you "[sanitize] all user inputted data that is going to be entered into a database" ?

Maharg105

Hey Shrike,

Thanks for the advice mate, I will take a look at that and implement something into my contact processing form.

Brad,

I tend to check the inputted data to ensure that it is in a format I am expecting. For instance, that it is numeric or that is in email address format. Unless the situation dictates otherwise, I only let users input alpha-numeric characters and then before it is inserted into the database, I run every user defined string through mysql_real_escape_string.

Thanks,