
Air-tight Security


LemonInflux


Hello, again. I am in the midst of a project that requires a huge amount of security and privacy, and I was wondering how I can stop mysql injection, XSS, and other security breaches (I know I can't completely stop them, but I want to try and make it as hard as possible for hackers to find out what's in the database). So far, I've thought of mysql_real_escape_string(). Are there/what are the others?


Two words: Validation and Cleansing.

 

Every piece of data that is received by the user should be validated - and I mean everything. If you have a hidden field in a form that you are pre-populating with data never assume that the data received for that field is valid data. Someone can simply recreate your form with whatever data they want and submit it (although you can, and in some cases should, prevent the posting of data not from your site). Another example is when you create links with values passed on the query string. Even though you are creating the links for the user, there's nothing to stop them from typing a similar link into their browser and using data you don't intend to receive.

 

By the same token, the data should be cleaned. mysql_real_escape_string() is the best way I know of to prevent SQL injection. Also, for any data you receive you need to know what its purpose is. Is it valid to have HTML data? If not then you need to use something like htmlspecialchars() to transform the HTML code into its equivalent escaped text. That is why just about every forum does not accept HTML code. Instead most use BB code which just creates a small subset of HTML equivalent codes. For instance you can use [ b ], but not [ script ].

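The validate-then-clean-by-purpose approach from the post above, as an added example that is not code from the thread. It assumes a hypothetical comment form with a hidden product_id field and a free-text comment field, and it goes one step past the post by putting the SQL value into a prepared statement with bound parameters (mysqli/PDO) instead of escaping it with mysql_real_escape_string(), since the mysql_ extension was removed in PHP 7.

```php
<?php
// Added example, not code from the thread. Assumes a comment form with a
// hidden product_id field and a free-text comment field (hypothetical names).

// Validate the hidden field against what the server actually offered:
// a user can resubmit the form with any value, so "hidden" means nothing.
function validate_product_id($raw, array $allowed_ids) {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false || !in_array($id, $allowed_ids, true)) {
        return null; // not a positive whole number we listed: reject
    }
    return $id;
}

// Validate free text by its purpose: plain text, non-empty, bounded length.
function validate_comment($raw) {
    if (!is_string($raw)) { return null; } // ?comment[]=x arrives as an array
    $text = trim($raw);
    return ($text === '' || strlen($text) > 500) ? null : $text;
}

// Clean for the HTML context at output time (store the original text).
function html_escape($text) {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Clean for the SQL context by keeping data out of the query string:
// a prepared statement with bound values replaces manual escaping.
function build_insert_comment($product_id, $comment) {
    return [
        'INSERT INTO comments (product_id, body) VALUES (?, ?)',
        [$product_id, $comment],
    ];
}

// Constructed request: tampered hidden field and markup in the comment.
$post = ['product_id' => '9999', 'comment' => '<script>alert(1)</script> great'];
$allowed = [101, 102, 103]; // ids the server rendered into the form

var_dump(validate_product_id($post['product_id'], $allowed)); // NULL: 9999 was never offered
var_dump(validate_product_id('102', $allowed));               // int(102)

$comment = validate_comment($post['comment']);
list($sql, $params) = build_insert_comment(102, $comment);
echo $sql, "\n";                  // user data travels in $params, not in the SQL text
echo html_escape($comment), "\n"; // &lt;script&gt;alert(1)&lt;/script&gt; great
```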

Yup. Good suggestions. You always need to verify that data you're letting into your applications is what you expect. Make users follow your rules. This means if you want phone numbers make them enter it in the right format using regular expression validation, etc.

 

HTMLPurifier is an open-source package. It uses pretty standard PHP functions to do it. A simple Google search should let you find and download it.


The BB code was only an example. YOU need to determine what each piece of submitted data is going to be used for and validate/clean it accordingly.

 

By validate I mean ensuring the data entered is of the correct type and within the appropriate values.

 

Let's take an example of someone who has created a script to show a table of records from the database. Because there are many records he is showing 10 records per page and has created a pagination function. The links for Next and Prev use a variable on the query string to pass the appropriate page number to show ($_GET['page']).

 

When the script runs it will check if $_GET['page'] has been set. If it has it will show the appropriate page of records, if not it will default to page one. I usually see something like this:

 

if (isset($_GET['page'])) {
    $page = $_GET['page'];
} else {
    $page = 1;
}

 

But, that is not enough. The passed value should be checked to ensure 1) It is a numeric value, 2) That it is a whole number, 3) That it is a positive number, and 4) That it is not greater than the possible number of pages. If the value does not pass all of those criteria there will be an error. But, with something like a pagination script the programmer is creating the links and does not consider that the user will input values on the query string.

 

I would use something like this:

 


//Use (int) to convert the passed value to an integer:
// - If the passed value is an integer convert from a string value to a numeric value
// - If it is a numeric value, but not an int it will be converted to an int (4.3 becomes 4)
// - If it is not numeric then it is converted to 0
// The page number arrives on the query string, so read $_GET['page'] (default to 1 when unset)
$page = isset($_GET['page']) ? (int) $_GET['page'] : 1;

//Test if the value is at least 1 and not greater than the total number of pages
// - $total_pages would be obtained through a db query (record count divided by records per page)
if ($page<1 || $page>$total_pages)  { $page = 1; }

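The four pagination checks from the post above, as an added example that is not code from the thread. It assumes $total_pages comes from a record-count query (a constructed value here) and goes one step beyond the post by contrasting the (int) cast with a strict FILTER_VALIDATE_INT check that rejects "4.3", "5abc" or an array value instead of silently coercing it.

```php
<?php
// Added example, not code from the thread. $total_pages is a constructed
// stand-in for the value a COUNT(*) query would provide.

// Strict version of the post's four checks: numeric, whole, positive and
// not above $total_pages. Anything else falls back to page 1.
function page_from_query(array $get, $total_pages) {
    if (!isset($get['page']) || !is_string($get['page'])) {
        return 1; // missing, or ?page[]=1 sent as an array: default
    }
    $page = filter_var($get['page'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => max(1, (int) $total_pages)],
    ]);
    return ($page === false) ? 1 : $page;
}

// The cast-based version from the post, for comparison: it accepts values
// that validation should reject ("4.3" becomes 4, "5abc" becomes 5).
function page_by_cast(array $get, $total_pages) {
    $page = isset($get['page']) ? (int) $get['page'] : 1;
    if ($page < 1 || $page > $total_pages) { $page = 1; }
    return $page;
}

$total_pages = 12; // constructed
$inputs = ['3', '4.3', '-2', 'abc', '99', '0x1A', '5abc'];
foreach ($inputs as $raw) {
    printf("%-8s cast=%-3d strict=%d\n", var_export($raw, true),
        page_by_cast(['page' => $raw], $total_pages),
        page_from_query(['page' => $raw], $total_pages));
}
// '3'    cast=3   strict=3
// '4.3'  cast=4   strict=1
// '-2'   cast=1   strict=1
// 'abc'  cast=1   strict=1
// '99'   cast=1   strict=1
// '0x1A' cast=1   strict=1
// '5abc' cast=5   strict=1
```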

For filtering input, one may also think of using htmLawed (http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/index.php), a highly customizable, 45 kb, single file, non-OOP PHP script to filter and purify HTML. Besides restricting tags/elements, attributes and URL protocols as per one's specification, and balancing HTML tags and ensuring valid tag nesting/well-formedness, it also has good anti-XSS and anti-spam measures.
