Darx07 Posted August 29, 2009

I'm making my own CMS system & I wanted to ask if this layout for security will work. I already coded my login, logout, register, & template scripts. I also have an anti SQL injection script that is really effective. I'm trying to keep security in mind the entire time & now I am beginning to code the user panel & admin panel, but I want to make sure my ideas for security will work. Please point out any flaws/security holes that may arise.

On any page:
- POST values are checked for SQL injection code

On any "logged in" page:

Before page loaded:
- Check to make sure a SESSION value exists for username SESSION variable
- Check to make sure username exists in database
- Check SESSION variable with password md5 hash against md5 of password retrieved from database

After submitting form:
- POST values checked for SQL injection code
- Same 3 checks listed above

On any admin page:
- Same checks as above
- SESSION variable for admin (yes or no) is checked w/ database to verify

Additionally, I'll make 2 database users. One that can ONLY update/insert, one that can ONLY read.

Another question: Is Acunetix Web Security Scanner pretty good to go by? I plan on getting that and testing with my code.
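The logged-in and admin checks described in the post above, as an added PHP example (editor's code, not Darx07's CMS). It assumes PHP 8, a `users` table with columns `id`, `username`, `password_hash` and `is_admin`, and PDO credentials that are placeholders. It departs from the post's design in two places a practitioner would: the session carries only the user id (no password hash, so nothing secret lives in session storage), and every query is a prepared statement with bound parameters, so these queries need no separate anti-injection filter. The database lookup on every request still gives the re-validation the post wants, and the admin flag is read from the database on each request rather than trusted from the session.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8, a `users` table
// (id, username, password_hash, is_admin) and placeholder DB credentials.
declare(strict_types=1);

session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // DSN, user and password are assumptions; use the read-only DB user here.
        $pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_reader', 'secret', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
        ]);
    }
    return $pdo;
}

// Login: verify the submitted password against the stored hash, then start a
// fresh session that holds only the user id.
function login(string $username, string $password): bool
{
    $stmt = db()->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user is unknown so the response time
    // does not reveal which usernames exist.
    $hash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $hash)) {
        return false;
    }
    session_regenerate_id(true);             // new id on privilege change: defeats session fixation
    $_SESSION = ['user_id' => (int) $row['id']];
    return true;
}

// Per-request guard for any "logged in" page: the session must carry a user id
// and that id must still resolve to a row in the database.
function current_user(): ?array
{
    if (!isset($_SESSION['user_id']) || !is_int($_SESSION['user_id'])) {
        return null;
    }
    $stmt = db()->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function require_login(): array
{
    $user = current_user();
    if ($user === null) {
        session_destroy();
        header('Location: /login.php', true, 303);
        exit;
    }
    return $user;
}

// Admin pages: the flag comes from the database on every request, never from
// the session, so a demoted admin loses access immediately.
function require_admin(): array
{
    $user = require_login();
    if ((int) $user['is_admin'] !== 1) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

// Usage at the top of an admin page:
//   require 'auth.php';
//   $admin = require_admin();
```

Keeping only the id in the session means a leaked session file reveals no password material, and because `current_user()` hits the database on every request, deleting or disabling the account takes effect on the next page load, which is the property the post's three checks were after.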
ignace Posted August 29, 2009

The first step in securing your application is to know thy enemy and their methods. SQL Injection is one and Session Hijacking is another, and I'm only scratching the surface. I have seen people apply 10 or more functions to some input while a simple typecast or intval() would have sufficed. Apply what you know about the expected input and validate the provided input against that knowledge: if it's a string then it may have a minimum and maximum length, it may only contain alphanumeric characters, etc. Write tests and testable code and make sure your tests cover most of your code. Provide both valid and invalid input and make sure your test fails if the input is invalid.
Darx07 (Author) Posted August 30, 2009

OK, I blocked against these things:
1. XSS
2. SQL injection
3. Editing SESSION values to authenticate
4. Editing SESSION values w/ SQL injection code

& I added protection to sensitive files with .htaccess

What else should I look for? Is it possible to make a site 100% secure?
dreamwest Posted August 30, 2009

```apache
# turns off ModSecurity 1.x request filtering for this directory
<IfModule mod_security.c>
SecFilterEngine Off
SecFilterScanPOST Off
</IfModule>

# explicitly disable caching for scripts and other dynamic files
# (Header needs mod_headers loaded, otherwise Apache rejects the directive;
# "unset" only removes an existing Cache-Control header, it adds no no-store)
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>

# stop people from browsing indexes
Options -Indexes

# disable the server signature
ServerSignature Off

# prevent folder listing
IndexIgnore *
```
Darx07 (Author) Posted August 30, 2009

Thanks! I had the Options -Indexes feature but missed the others.
corbin Posted August 30, 2009

```apache
# explicitly disable caching for scripts and other dynamic files
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>
```

This is just a matter of opinion, but I personally think that should be handled at a per-script level. By adding that line in, you make it impossible to have a script be cached. What if you want something to be cached? Make a <Files> block just for it or something?
Darx07 (Author) Posted August 31, 2009

```apache
# explicitly disable caching for scripts and other dynamic files
<FilesMatch "\.(pl|php|cgi|spl|scgi|fcgi)$">
Header unset Cache-Control
</FilesMatch>
```

leads to:

Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.
Please contact the server administrator, admin@localhost and inform them of the time the error occurred, and anything you might have done that may have caused the error.
More information about this error may be available in the server error log.
Batosi Posted August 31, 2009

One little update: don't just sanitize POST, do it for GET as well. Say you have a profile page and you use profile.php?id=##; if you don't sanitize $_GET[id], that can be used against you as well.
Darx07 (Author) Posted August 31, 2009

> One little update: don't just sanitize POST, do it for GET as well. Say you have a profile page and you use profile.php?id=##; if you don't sanitize $_GET[id], that can be used against you as well.

Ty for the reply. I actually updated the code to sanitize POST, GET, SESSION, COOKIE.
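ignace's point about validating input against what it is supposed to be (typecast or intval(), length and character-set rules, tests with both valid and invalid input) and Batosi's point about `profile.php?id=##`, as one added PHP example (editor's code, not the thread's). It assumes PHP 8, a `users` table with `id`, `username` and `bio` columns, and a PDO connection supplied by the caller. Whitelisting by type and shape replaces scanning for "SQL injection code": an id is a positive integer or it is rejected, a username matches a fixed pattern or it is rejected, and the id reaches the query only as a bound integer parameter. The test table at the bottom pairs inputs with the answer the validator must give, which is the test ignace asks for.

```php
<?php
// Added example, not code from the thread. Assumes PHP 8 and a `users` table
// (id, username, bio); $pdo is a PDO connection provided by the caller.
declare(strict_types=1);

// Validate against what the value is supposed to be, not against a list of
// bad substrings. An id is an integer >= 1; a username is 3..20 characters
// of [A-Za-z0-9_]. Anything else (including arrays from ?id[]=1) is rejected.
function validate_id(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function validate_username(mixed $raw): ?string
{
    // \A and \z anchor the whole string, so "admin\n' OR 1=1" cannot sneak past $
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_]{3,20}\z/', $raw) !== 1) {
        return null;
    }
    return $raw;
}

// profile.php?id=## : the id is validated, then bound as an integer parameter,
// so the SQL text never contains user input at all. Returns null for a 404.
function load_profile(PDO $pdo, mixed $rawId): ?array
{
    $id = validate_id($rawId);
    if ($id === null) {
        return null;            // no query is run for a malformed id
    }
    $stmt = $pdo->prepare('SELECT id, username, bio FROM users WHERE id = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Tests: each case pairs an input with the result the validator must return,
// so a change that lets bad input through fails loudly. Inputs are constructed.
function run_validation_tests(): array
{
    $cases = [
        ['validate_id',       '42',          42],
        ['validate_id',       '0',           null],
        ['validate_id',       '-7',          null],
        ['validate_id',       '1 OR 1=1',    null],
        ['validate_id',       '1e3',         null],
        ['validate_id',       ['1'],         null],   // ?id[]=1
        ['validate_username', 'darx_07',     'darx_07'],
        ['validate_username', 'ab',          null],   // too short
        ['validate_username', "admin'--",    null],
        ['validate_username', "user\nname",  null],
    ];
    $failures = [];
    foreach ($cases as [$fn, $input, $expected]) {
        $actual = $fn($input);
        if ($actual !== $expected) {
            $failures[] = sprintf('%s(%s): expected %s, got %s', $fn,
                var_export($input, true), var_export($expected, true), var_export($actual, true));
        }
    }
    return $failures;                // empty array means every case passed
}

if (PHP_SAPI === 'cli') {
    $failures = run_validation_tests();
    echo $failures ? implode(PHP_EOL, $failures) . PHP_EOL : "all validation tests passed" . PHP_EOL;
    exit($failures ? 1 : 0);
}
```

Run it with `php validate.php` to execute the table; in the web entry point, call `load_profile($pdo, $_GET['id'] ?? null)` and answer 404 on null. The same two validators apply unchanged to values read from `$_COOKIE` or `$_SESSION`, since the rule is about the value's expected shape, not about which superglobal it came from.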