Security


waynewex


Okay guys, I need some opinions on designing secure websites. This will hopefully help others as well as me. So many websites out there are built by PHP newcomers. They sometimes may work well, but they usually have more holes than a golf course. I'll start off by posting what I think are must-dos. Please correct me if I am wrong.

 

  • Use mysql_real_escape_string() instead of addslashes() on all data coming in from external sources, as addslashes() can be fooled.
  • Close your mysql connection with mysql_close() after you've finished querying.
  • Release mysql results with mysql_release_result() after finishing with query results.
  • Do not rely on hidden field values for validation purposes.
  • Test all data coming in, even if it is from a pre-defined HTML list or radio button.
  • Use a salt with your password encryption.
  • On user sessions, once logged in, register their IP address and user agent in the session, and then check them on each page.
  • Add a non-related keyword to your table names in order to fool guessers.
  • Connect to the db with a user that doesn't have permissions to drop tables etc.
  • Don't rely on JavaScript to validate user input. Check on the server side as well.
  • On HTML elements such as lists, use numbers as the corresponding value for each option. Then validate to see if it's numeric with is_numeric(), which returns 1 if it is.
  • Validate uploads as much as you possibly can.
  • Use database passwords that are seemingly random, e.g. jh&&£!!hjhd11.
  • Place an index page in each directory if you don't want users to see all files. Add a redirect to it or something.

 

Any problems with that or do you have any additions?


According to php.net, you don't need to close mysql connections or use mysql_free_result; both are handled when the script has finished executing. Can't hurt to include it, but it may be unnecessary.


I agree that any extra security, no matter how slight, is a good thing, but I'm not sure what releasing query results and closing connections has to do with security. Isn't this more for efficiency? I could be wrong though.

 

Another thing: some ISPs provide dynamic IPs, and therefore assigning the IP to a session would break the session each time the user's IP changes. I usually call session_regenerate_id() on each page, or at least when the user logs in/out. I've also been told that when deleting a session (when a user logs out) you should set all session variables to NULL first. Again, I'm not sure if this is right, but I do it anyway.

 

Other than that though, everything on the list is definitely a good idea security-wise.


Yes, those are some good tips. However, I do not recommend using the user's IP address to identify them; as br0ken said, the IP can change. The frequency of the change depends on the ISP: some provide a new IP address when the modem/computer is restarted, on each page request, or hourly/weekly/monthly etc. Also, the IP address can be easily spoofed.

 

Try not to use mysql_real_escape_string on everything. For example, if all you want is a number from a user, make sure the user has provided a number. Or if the user is supposed to pick from a predefined range of options, e.g. yes or no, check to see if the user has provided a yes or no answer. I see many people have zero data validation in their code and rely solely on mysql_real_escape_string.

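An added example (not code from this thread) of the session handling the two posts above discuss: a fresh session id on login, the user agent recorded (the IP deliberately not), and the session emptied before it is destroyed on logout. Function names and session keys are hypothetical.

```php
<?php
// Added example, not from the thread. Login/logout handling along the lines
// discussed above. Function and key names are hypothetical.

function login_user(int $user_id): void {
    // New id at the privilege change, so a session id that was fixed or
    // observed before login is worthless afterwards; true removes the old one.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user_id;
    $_SESSION['user_agent'] = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['login_time'] = time();
    // No IP address stored: dynamic ISP addressing and mobile networks change
    // it mid-session, and a header-supplied IP can be spoofed anyway.
}

// True only if a user is logged in and the agent string still matches.
// A mismatch is a weak signal (agents change on browser updates), so treat
// it as "re-authenticate and log it", not as proof of hijacking.
function session_is_valid(): bool {
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return hash_equals($_SESSION['user_agent'] ?? '', $agent);
}

// The logout order matters: clear the variables first, then the cookie,
// then the server-side record, so nothing survives any one step failing.
function logout_user(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

session_start();
login_user(7);                 // constructed user id
var_dump(session_is_valid());  // same process, same agent string
logout_user();
```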

Yeah a good point. When getting numbers in from user input I use the following:

 

$id = number_format($_POST['id'], 0, "", "");

 

This way, if anything other than a number is entered a 0 is returned.

 

Erm, why not just use PHP's pre-built is_numeric() function?

I just figured my way was more efficient. is_numeric() returns a boolean value, so you would need one line of code to get the variable and another to validate it with is_numeric(). Also, if the value is being used in a query, such as an e-commerce website that is requesting a product, the zero will not break the query.
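An added example (not code from this thread) that ties together the validation points above: check that an expected number really is a whole number and that a fixed-choice field holds one of the allowed values, and reject bad input rather than coerce it to 0, because a silent 0 hides tampering that should have been logged. The inputs are constructed and the function names are hypothetical.

```php
<?php
// Added example, not from the thread. Each field is validated against what
// it is expected to be before it gets anywhere near a query.

// Expected: a positive integer record id. Returns the int, or null if rejected.
function validate_id(string $raw): ?int {
    // ctype_digit() passes only [0-9]+; unlike is_numeric() it rejects
    // "1e3", "1.5", " 7" and "-1". The length cap keeps it inside a MySQL INT.
    if ($raw === '' || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Expected: one of a fixed set of options (the "yes or no" case). Whitelist
// the value; escaping is the wrong tool when no free text is allowed at all.
function validate_choice(string $raw, array $allowed): ?string {
    return in_array($raw, $allowed, true) ? $raw : null;
}

// Constructed sample requests standing in for $_POST.
$samples = [
    ['id' => '42',    'in_stock' => 'yes'],   // both valid
    ['id' => '1e3',   'in_stock' => 'yes'],   // is_numeric() would accept this id
    ['id' => '42abc', 'in_stock' => 'maybe'], // both fields rejected
];

foreach ($samples as $n => $post) {
    $id     = validate_id($post['id']);
    $choice = validate_choice($post['in_stock'], ['yes', 'no']);
    if ($id === null || $choice === null) {
        // Rejecting (not coercing to 0) is what makes the probe visible.
        error_log(sprintf('request %d rejected: id=%s in_stock=%s',
            $n, var_export($post['id'], true), var_export($post['in_stock'], true)));
        continue;   // nothing that failed validation reaches a query
    }
    // Only validated values get here; with mysqli they would be bound to a
    // prepared statement as bind_param('is', $id, $choice).
    printf("request %d ok: id=%d in_stock=%s\n", $n, $id, $choice);
}
```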
