waynew Posted June 27, 2008
https://forums.phpfreaks.com/topic/112168-security/

Okay guys, I need some opinions on designing secure websites. This will hopefully help others as well as me. So many websites out there are built by PHP newcomers. They sometimes may work well, but they usually have more holes than a golf course. I'll start off by posting what I think are must-dos. Please correct me if I am wrong.

- Use mysql_real_escape_string() instead of addslashes() on all data coming in from external sources, as addslashes() can be fooled.
- Close your mysql connection with mysql_close() after you've finished querying.
- Release mysql results with mysql_release_result() after finishing with query results.
- Do not rely on hidden field values for validation purposes.
- Test all data coming in, even if it is from a pre-defined HTML list or radio button.
- Use a salt with your password encryption.
- On user sessions, once logged in, register their IP address and user agent in the session, and then check them on each page.
- Add a non-related keyword to your table names in order to fool guessers.
- Connect to the db with a user that doesn't have permissions to drop tables etc.
- Don't rely on JavaScript to validate user input. Check on the server side as well.
- On HTML elements such as lists, use numbers as the corresponding value to each option. Then validate to see if it's numeric with is_numeric(), which returns 1 if it is.
- Validate uploads as much as you possibly can.
- Use database passwords that are seemingly random: jh&&£!!hjhd11 etc.
- Place an index page in each directory if you don't want users to see all files. Add a redirect to it or something.

Any problems with that or do you have any additions?
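A registration and login handler that applies several of the points in the list above: a server-side whitelist for a select value, a client-controlled hidden field that is ignored, salted password hashing, and SQL with bound parameters. This is an added example, not code from the post. It swaps in PDO prepared statements for mysql_real_escape_string(), because the mysql_* extension was removed in PHP 7, and password_hash(), which generates its own random salt, for hand-rolled salting. The in-memory SQLite database, the table layout, COUNTRY_OPTIONS and the three request arrays are constructed for the example.

```php
<?php
// Added example (not from the thread). Constructed data throughout: the
// SQLite in-memory database stands in for MySQL, the request arrays for $_POST.
declare(strict_types=1);

// Server-side copy of the <select>: the browser's option list is only a hint,
// so the posted value is checked against this table, not just for "is numeric".
const COUNTRY_OPTIONS = [1 => 'Ireland', 2 => 'United Kingdom', 3 => 'Germany'];

function validate_registration(array $post): array
{
    $errors = [];

    $username = trim((string)($post['username'] ?? ''));
    if (!preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $username)) {
        $errors[] = 'username must be 3-32 characters: letters, digits, underscore';
    }

    $password = (string)($post['password'] ?? '');
    if (strlen($password) < 12) {
        $errors[] = 'password must be at least 12 characters';
    }

    $country = (string)($post['country'] ?? '');
    if (!ctype_digit($country) || !array_key_exists((int)$country, COUNTRY_OPTIONS)) {
        $errors[] = 'unknown country';
    }

    // A hidden field such as role=admin is under the client's control, so it is
    // never read; the role is assigned here on the server.
    $clean = ['username' => $username, 'password' => $password,
              'country_id' => (int)$country, 'role' => 'user'];
    return [$errors, $clean];
}

function register_user(PDO $db, array $post): array
{
    [$errors, $clean] = validate_registration($post);
    if ($errors) {
        return ['ok' => false, 'errors' => $errors];
    }
    // Bound parameters keep data and SQL apart; no escaping function is involved.
    $stmt = $db->prepare(
        'INSERT INTO users (username, password_hash, country_id, role) VALUES (:u, :p, :c, :r)'
    );
    $stmt->execute([
        ':u' => $clean['username'],
        ':p' => password_hash($clean['password'], PASSWORD_DEFAULT), // salt is embedded in the hash
        ':c' => $clean['country_id'],
        ':r' => $clean['role'],
    ]);
    return ['ok' => true, 'id' => (int)$db->lastInsertId()];
}

function check_login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // password_verify() reads the salt and cost back out of the stored hash.
    return $hash !== false && password_verify($password, (string)$hash);
}

// Constructed database standing in for the MySQL connection.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, country_id INTEGER, role TEXT)');

// Constructed requests: an honest one, one with a tampered select value and a
// forged hidden "role" field, and one carrying an injection attempt in the username.
$requests = [
    'honest'   => ['username' => 'alice',   'password' => 'correct horse battery', 'country' => '2', 'role' => 'admin'],
    'tampered' => ['username' => 'mallory', 'password' => 'correct horse battery', 'country' => '99', 'role' => 'admin'],
    'injected' => ['username' => "x' OR '1'='1", 'password' => 'correct horse battery', 'country' => '1'],
];
foreach ($requests as $label => $req) {
    echo $label, ': ', json_encode(register_user($db, $req)), "\n";
}
echo 'alice/correct password: ', var_export(check_login($db, 'alice', 'correct horse battery'), true), "\n";
echo 'alice/wrong password:   ', var_export(check_login($db, 'alice', 'wrong password'), true), "\n";
```

The "honest" request is stored with role "user" regardless of the forged hidden field; the tampered request fails because 99 is not a key of the server-side option table, and the injected username fails the character whitelist before any SQL runs. The database user the application connects as should additionally lack DROP and ALTER rights, as the post says; that part is a grant on the MySQL side and is not shown here.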
JD* Posted June 27, 2008

According to php.net, you don't need to close mysql connections or use mysql_free_result...both are handled when the script is finished executing. Can't hurt to include it, but may be unnecessary.
waynew (Author) Posted June 27, 2008

I know, but I'm from the school of thought that says extra layers of security work well. Make your house safer than your neighbours'.
br0ken Posted June 27, 2008

I agree that any extra security, no matter how slight, is a good thing, but I'm not sure what releasing query results and closing connections has to do with security. Isn't this more for efficiency? I could be wrong though.

Another thing: some ISPs provide dynamic IPs, and therefore assigning the IP to a session would break the session each time the user's IP changes.

I usually call session_regenerate_id() on each page, or at least when the user logs in/out. I've also been told that when deleting a session (when a user logs out) you should set all session variables to NULL first. Again, I'm not sure if this is right, but I do it anyway.

Other than that though, everything on the list is definitely a good idea security-wise.
wildteen88 Posted June 27, 2008

Yes, those are some good tips. However, I do not recommend using the user's IP address to identify them; as br0ken said, the IP can change. The frequency of the change depends on the ISP: some provide a new IP address when the modem/computer is restarted, on each page request, or hourly/weekly/monthly etc. Also, the IP address can be easily spoofed.

Try not to use mysql_real_escape_string on everything. For example, if all you want is a number from a user, make sure the user has provided a number. Or if the user is supposed to give one of a predefined range of options, e.g. yes or no, check to see if the user has provided a yes or no answer. I see many people have zero data validation in their code and rely solely on mysql_real_escape_string.
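Login and logout handling that follows the session points raised so far, as an added example rather than code from any of the posts: a new session id at login and the session data cleared before the session is destroyed (br0ken), and the session bound to the User-Agent header only, with the IP deliberately left out of the check (wildteen88's objection to waynew's original item). It assumes PHP 7.3 or later for the array forms of session_set_cookie_params() and setcookie(), a web SAPI so that cookies and headers exist, and that the caller has already verified the password before calling login_user(). SESSION_IDLE_LIMIT and the function names are made up for the example.

```php
<?php
// Added example (not from the thread). Assumes a web SAPI and PHP >= 7.3.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds; constructed value

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Cookie only (no ?PHPSESSID=... in URLs), not readable by script, and
    // use_strict_mode refuses ids the client invented instead of adopting them.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function login_user(int $user_id): void
{
    start_secure_session();
    // A fresh id at the privilege change defeats session fixation: an id an
    // attacker planted before login is invalid afterwards. true deletes the old file.
    session_regenerate_id(true);
    $_SESSION['user_id']   = $user_id;
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
}

function current_user_id(): ?int
{
    start_secure_session();
    if (!isset($_SESSION['user_id'], $_SESSION['ua_hash'], $_SESSION['last_seen'])) {
        return null;
    }
    $ua_hash = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    // The User-Agent is trivially forged, so this is a tripwire against a stolen
    // cookie replayed from a different browser, not an authentication factor.
    // The client IP is not checked: dynamic addressing and NAT would log real
    // users out, and a spoofable header is no better than the cookie itself.
    if (!hash_equals($_SESSION['ua_hash'], $ua_hash)
        || time() - (int)$_SESSION['last_seen'] > SESSION_IDLE_LIMIT) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int)$_SESSION['user_id'];
}

function logout_user(): void
{
    start_secure_session();
    $_SESSION = [];                         // drop the data first
    if (ini_get('session.use_cookies')) {   // then expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                      // and remove the server-side session
}

// Usage (assumed call sites):
//   login_user($verified_id);          // right after password_verify() succeeded
//   $uid = current_user_id();          // at the top of every protected page; null means not logged in
//   logout_user();                     // from the logout action
```

Regenerating the id on every page, as br0ken mentions, is a legitimate option but tends to break concurrent requests from the same browser (two tabs racing on the old id); regenerating at login, logout and any other privilege change is the minimum that addresses fixation.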
br0ken Posted June 27, 2008

Yeah, a good point. When getting numbers in from user input I use the following:

    $id = number_format($_POST['id'], 0, "", "");

This way, if anything other than a number is entered, a 0 is returned.
Wolphie Posted June 27, 2008

Quote:
    Yeah, a good point. When getting numbers in from user input I use the following:
        $id = number_format($_POST['id'], 0, "", "");
    This way, if anything other than a number is entered, a 0 is returned.

Erm, why not just use PHP's pre-built is_numeric() function?
dannyb785 Posted June 27, 2008

How can addslashes be fooled??
br0ken Posted June 27, 2008

Quote:
    Quote:
        Yeah, a good point. When getting numbers in from user input I use the following:
            $id = number_format($_POST['id'], 0, "", "");
        This way, if anything other than a number is entered, a 0 is returned.
    Erm, why not just use PHP's pre-built is_numeric() function?

I just figured my way was more efficient. is_numeric() returns a boolean value, so you would need one line of code to get the variable and another to validate it with is_numeric(). Also, if the value is being used in a query, such as an ecommerce website that is requesting a product, the zero will not break the query.
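An added example, not code from the exchange above, showing what the two approaches discussed actually accept when an integer id is read from a request. is_numeric() is true for exponents, fractions and surrounding whitespace, none of which is a usable row id, and on PHP 8 number_format() throws a TypeError for a non-numeric string instead of returning 0. The example uses filter_var() with FILTER_VALIDATE_INT and a range, which yields either an int in range or false in one step. SAMPLE_INPUTS, read_product_id() and the range limits are constructed for the example.

```php
<?php
// Added example (not from the thread). SAMPLE_INPUTS is constructed test data.
declare(strict_types=1);

// Strings a browser or an attacker might send as ?id=...
const SAMPLE_INPUTS = ['42', '-1', '0', ' 7', '1e3', '0x1A', '12abc', '', 'abc', '9223372036854775808', '3.0'];

// Returns the id as an int when it is a plain decimal integer within range,
// otherwise null. The caller then binds it as PDO::PARAM_INT without a cast.
function read_product_id(array $request, int $max = 1000000): ?int
{
    $raw = $request['id'] ?? null;
    if (!is_string($raw)) {          // rejects missing values and ?id[]=1 style arrays
        return null;
    }
    // FILTER_VALIDATE_INT trims surrounding whitespace, then requires an optionally
    // signed decimal integer: no exponent, hex, fraction or trailing junk, and no
    // overflow. min_range/max_range bound it to plausible ids.
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

// Side-by-side view of is_numeric() and the range-checked filter for each input.
function compare_checks(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $raw) {
        $rows[] = [
            'input'      => $raw,
            'is_numeric' => is_numeric($raw),
            'product_id' => read_product_id(['id' => $raw]),
        ];
    }
    return $rows;
}

foreach (compare_checks(SAMPLE_INPUTS) as $r) {
    printf("%-24s is_numeric=%-5s read_product_id=%s\n",
        var_export($r['input'], true),
        $r['is_numeric'] ? 'true' : 'false',
        $r['product_id'] === null ? 'rejected' : (string)$r['product_id']);
}
```

In the table this prints, is_numeric() passes '1e3', ' 7', '3.0', '-1', '0' and the 20-digit string along with '42', while read_product_id() keeps only '42' and ' 7'. The efficiency argument cuts the other way too: a query for product 0 does not "break", but it silently serves a wrong page instead of a 400, which hides both bugs and probing.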