kutchbhi, posted January 16, 2011:

I have made a classified website. It works and I am proud of it. But as far as securing it goes, I have done almost nothing, and I am sure that if the site becomes popular it would be compromised with ease. So I have started reading a book, 'Essential PHP Security', and am reading several articles on PHP security online, but I am still unable to wrap my head around the whole security issue. Can someone help me? There are a lot of unfamiliar topics (filtering, escaping, validating, session hijacking, etc.) and it all goes over my head. It's a classified website; considering this, what should I concentrate on as far as security goes? By the way, what I have managed to do is use mysql_real_escape_string on every var going into a mysql $query. Thanks.

Thread: https://forums.phpfreaks.com/topic/224617-general-guidance-needed-unable-to-wrap-my-head-around-security-issues/
thcx, posted January 16, 2011:

If the theory of the field annoys you, it's a good idea to be more practical. Read up on the following types of webapp attacks and protect against them:

* SQL Injection
* Cross-Site Scripting
* Command Line Injection
* Remote/Local File Inclusion
* Directory Traversal

There are of course others, but I'd say that those are among the most important in PHP.
Pikachu2000, posted January 16, 2011:

Since it sounds like your website will be forms-driven, you should definitely learn how to validate the incoming data, and whether it should be escaped (not all data should be escaped) or sanitized in another way. That would cover the SQL Injection point in thcx's list. You'd then deal with Cross-Site Scripting (XSS) when displaying the data by stripping out any potentially harmful characters, tags, etc. before echoing it. Also in the XSS arena, learn why using a form tag with action="<?php echo $_SERVER['PHP_SELF']; ?>" is a bad idea, even though some tutorials push that method.
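To make the three points above concrete (validate on input, keep data out of the SQL grammar, escape on output, plus the PHP_SELF problem), here is an added example that is not code from the thread or from any of the posters. It uses an in-memory SQLite database through PDO so it runs from the command line; the table name `ads` and the form fields `title`, `email` and `price` are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): validate, store with a prepared
// statement, escape on output. The DSN, table and field names are assumptions;
// replace 'sqlite::memory:' with your MySQL DSN in real use.

function validate_ad(array $input): array
{
    $errors = [];
    $title = trim($input['title'] ?? '');
    $email = trim($input['email'] ?? '');
    $price = $input['price'] ?? '';

    // Decide what *valid* data looks like and reject everything else.
    // Validation limits what gets in; it does not replace escaping on output.
    if ($title === '' || mb_strlen($title) > 100) {
        $errors[] = 'title must be 1-100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is not valid';
    }
    if (filter_var($price, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]) === false) {
        $errors[] = 'price must be a non-negative integer';
    }
    return [$errors, ['title' => $title, 'email' => $email, 'price' => (int) $price]];
}

function store_ad(PDO $db, array $ad): void
{
    // A prepared statement sends the SQL text and the values separately, so a
    // value can never be parsed as SQL. No mysql_real_escape_string() needed.
    $stmt = $db->prepare('INSERT INTO ads (title, email, price) VALUES (:title, :email, :price)');
    $stmt->execute([':title' => $ad['title'], ':email' => $ad['email'], ':price' => $ad['price']]);
}

function e(string $s): string
{
    // HTML-escape at output time. ENT_QUOTES also encodes the single quote, so
    // the value is safe inside single-quoted attributes; ENT_SUBSTITUTE keeps
    // invalid UTF-8 from turning the whole string into "".
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- demo ------------------------------------------------------------------
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE ads (id INTEGER PRIMARY KEY, title TEXT, email TEXT, price INTEGER)');

// Constructed input imitating a hostile form submission.
$posted = [
    'title' => "Bike for sale'); DROP TABLE ads; -- <script>alert(1)</script>",
    'email' => 'seller@example.com',
    'price' => '120',
];

[$errors, $ad] = validate_ad($posted);
if ($errors) {
    foreach ($errors as $err) {
        echo 'error: ', e($err), "\n";
    }
    exit(1);
}
store_ad($db, $ad);

// The table still exists and the title went in verbatim: the quote and the
// DROP TABLE fragment were data, not SQL. The <script> text is neutralised
// here, when it is echoed into HTML, not when it was stored.
foreach ($db->query('SELECT title, price FROM ads') as $row) {
    echo '<li>', e($row['title']), ' - ', e((string) $row['price']), "</li>\n";
}

// The PHP_SELF point: $_SERVER['PHP_SELF'] reflects the request path, which
// the client controls (e.g. /form.php/extra"><script>...), so echoing it raw
// into an attribute is a reflected XSS hole. An empty action posts back to the
// same URL; if you must echo the path, escape it like any other untrusted value.
echo '<form method="post" action="">', "\n";
echo '<form method="post" action="', e($_SERVER['PHP_SELF']), '">', "\n";
```

Run it with `php example.php`: the first form tag is the simplest fix for the PHP_SELF issue, the second shows that escaping works there too. The separation matters: validation and prepared statements protect the database, `e()` protects the browser, and neither one does the other's job.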
kutchbhi (author), posted January 16, 2011:

Thanks for the input. You are right, it is a form-driven website.

"You'd then deal with Cross-Site Scripting (XSS) when displaying the data by stripping out any potentially harmful characters, tags, etc. before echoing it."

This would be done by htmlspecialchars(), right?
kutchbhi (author), posted January 16, 2011:

Question: I have this:

    $fileName = $_FILES['image1']['name'];
    $tmpName  = $_FILES['image1']['tmp_name'];
    $fileSize = $_FILES['image1']['size'];
    $fileType = $_FILES['image1']['type'];
    uploadfile();   // upload handler defined elsewhere in the poster's code
    echo "<br>File $fileName uploaded<br>";

In this case does fileName need to be escaped with htmlspecialchars?
Pikachu2000, posted January 16, 2011:

I stumbled across this site: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet and it seems fairly comprehensive, but straightforward and understandable. Have a look through it and if there's anything you have further questions about, ask them here. I'm not trying to push you off, but there really isn't much sense in retyping what's already there.
ricmetal, posted August 6, 2011:

Hi, I am also trying to figure out what I need to do to provide some security against XSS. There's just one thing I haven't quite understood regarding the OWASP library. Assuming that it is correct to say that all I need to do to avoid XSS when outputting data to plain text is pass it through htmlspecialchars or htmlentities, is it correct to say that the OWASP library should be used when we need to output data that will be used in active script, like for example an HTML URL? Cheers!
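The two open questions in this thread, whether the uploaded file name in kutchbhi's snippet needs htmlspecialchars() and whether a different encoder is needed for URLs and script, have the same answer: the file name in $_FILES comes from the client and is untrusted like any form field, and the right escaping depends on where the value is being written. The following is an added example, not code from the thread or from OWASP, showing one encoder per output context with constructed hostile values; the function names `html`, `url_param`, `js_value` and `safe_link` are made up for illustration.

```php
<?php
// Added example (not from the thread): one escaping function per output
// context. htmlspecialchars() is correct for HTML text and quoted attributes;
// a value dropped into a URL query string, a <script> block or an href needs
// its own treatment.

function html(string $s): string
{
    // HTML body text and quoted attribute values.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function url_param(string $s): string
{
    // One query-string value. Percent-encoding leaves no character that could
    // end the parameter, add another one, or break out of the URL.
    return rawurlencode($s);
}

function js_value(string $s): string
{
    // A string literal inside a <script> block. json_encode() quotes and
    // escapes it; the HEX flags emit < > & ' " as \uXXXX so the literal can
    // never contain "</script>" or an attribute-closing quote.
    return json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE);
}

function safe_link(string $userUrl): ?string
{
    // A user-supplied href. Escaping alone does not help here: "javascript:"
    // is valid attribute text. Allow only http(s) schemes, then HTML-escape.
    $parts = parse_url($userUrl);
    if ($parts === false || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    return html($userUrl);
}

// Constructed hostile values. The "file name" stands in for
// $_FILES['image1']['name'], which the browser (i.e. the user) sets.
$fileName = '"><img src=x onerror=alert(1)>.png';
$search   = 'bikes&sort=price#<script>';
$badLink  = 'javascript:alert(document.cookie)';
$goodLink = 'https://example.com/?a=1&b=2';

// HTML text: the tag is rendered as literal text, not executed.
echo 'File ', html($fileName), " uploaded<br>\n";

// URL query parameter: & and # cannot smuggle in extra parameters or a fragment.
echo '<a href="/search.php?q=', url_param($search), '">search</a>', "\n";

// JavaScript string literal inside a script block.
echo '<script>var lastUpload = ', js_value($fileName), ";</script>\n";

// User-controlled href: rejected unless the scheme is http or https.
echo 'link: ', safe_link($badLink) ?? '(rejected)', "\n";
echo 'link: <a href="', safe_link($goodLink) ?? '', '">site</a>', "\n";
```

Running it prints the file name as harmless text, a query string where `&` became `%26` and `#` became `%23`, a script literal with `<` and `>` as `\u003C`/`\u003E`, a rejected `javascript:` link and an accepted https link. Two caveats: the file name also reaches the filesystem in an upload handler, where the concern is path traversal rather than XSS, so store uploads under a name you generate yourself rather than the client-supplied one; and none of these encoders is safe for an unquoted attribute or for a CSS context, which is why the OWASP cheat sheet treats those separately.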