PHP Security

[c_pattle]

I'm building an e-commerce website using php and mysql and I'm a bit worried about security issues.  The website is going to be handling personal information so I want to make sure that it's secure and that no-one can get hold of it.  I don't really have any idea about and security issues or problems that I could run into and perhaps you could point me in the direction or some tutorials that would be really great.  Also if anyone here has been in the same situation what did you do to make your site as secure as possible?

 

Thanks for any help. 

[mattspriggs28]

One thing you could do is to use mysql_real_escape_string in your database queries to prevent any injection attacks. For example, instead of:

 

$qry = "Select * from table where id = " . $id . " and status = '" . $status . "'";

$res = mysql_query($qry);

 

You could use:

 

$qry = sprintf("Select * from table where id = %s and status = '%s'", 
mysql_real_escape_string($id), 
mysql_real_escape_string($status));

$res = mysql_query($qry);

 

This will strip out any special characters that may be used to try an injection attack such as apostrophe, minus etc.

[phil88]

Just as an extension to mattspriggs28's post - the main thing to know is never trust any data given to your website by the user. That data can be tampered with by the user and, if you're not careful, could cause havoc with your app. Running user supplied parameters through mysql_real_escape_string() like mattspriggs said is a good idea as it helps prevent the 'havoc' by escaping any characters that could modify the SQL query into something unplanned.

[AtlasC1]

I would also avoid printing any user input directly back to the screen, without first stripping it of its HTML tags. For a really simple example, say you have the user search for an item in a catalog, then consider the resulting code:

 

<?php
echo 'Search results for' , $_POST['searchTarget'] , '<br/>';
foreach($searchResults as $result) {
// code to print results to screen
}
?>

 

What if the user had input something like this into the searchTarget field?: <script type="text/javascript> *insert malicious script here* </script>

 

You should use something along the lines of htmlentities() or strip_tags() to get rid of any HTML tags.

 

// user inputs <strong>Hello</strong>
echo 'Search results for' , htmlentities($_POST['searchTarget']) , '<br/>'; // results in <strong>Hello</strong>
echo 'Search results for' , strip_tags($_POST['searchTarget']) , '<br/>'; // results in Hello

 

It's also a good idea to get rid of the "/" character in any strings the user inputs, as this is often used for directory navigation

str_replace('/', '', $_POST['userInput']);

These practices will help protect your site from scripting attacks.

 

-jm

[c_pattle]

Thanks for your posts.  A lot of useful information there

[CONFUSIONUK]

It's also a good idea to get rid of the "/" character in any strings the user inputs, as this is often used for directory navigation str_replace('/', '', $_POST['userInput']); These practices will help protect your site from scripting attacks.

 

Could you not just use

stripslashes()

to remove slashes 

[CONFUSIONUK]

Sorry that removes backslashes