  #1 invision2 (SitePoint Wizard, United Kingdom)

    Security Tips for PHP/ASP...Add your own!

    Hi!

    Thought all the gurus could chip into this thread, and perhaps some (including myself) could use it as a reference for securing their web applications that little bit more.
    I understand this could be endless, but it would be useful to compile something. Mainly for forms; some are for PHP and some for ASP.

    Here are some of my own (in no real order and with very little detail)...

    1) Do not use Global Variables
    2) USE POST not GET for forms
    3) strip_tags used before any variable processing takes place
    4) preg_match or eregi to validate input against expected format
    5) Check user input against expected data type
    6) Use passthru php function

    7) Escape ALL input before it interacts with the database
    8) Stripslashes on ALL input / Addslashes on ALL output
    9) Trim all user input
    10) Use htmlspecialchars to get rid of nasty HTML
    11) Use maxlength in HTML forms
    12) Usernames/passwords must contain at least 8 characters, and at least one special character

    13) Passwords should use SHA-256 or higher in db
    14) Never use admin/root for admin username
    15) Create 2 separate areas for Members and Admin
    16) Log total number of logins for each user as well as IP and date/time
    17) Add LIMIT 1 to SQL statements
    18) Check HTTP REFERER against current web server.
    19) Use .htaccess and .htpasswd to restrict to certain IPs
    20) Authenticate by IP address
    21) Login failure 3 times, disable account temporarily
    22) Use Stored procedures

    23) Set Error Reporting to go to your email
    24) Enabling magic_quotes_gpc may help
    25) Check file user has uploaded for suspicious file type and file name
    26) Use one file outside of the root to store database connection info
    27) Use extension .php for any files storing queries to db or important php info
    28) Remove phpinfo.php files from server
    29) Validate session data on each page(using an include file)


    File Permissions, Remote Inclusion, Directory Traversal Attacks, XSS are all fairly unknown to me, so tips on that could be worthwhile.



    This is by far a definitive list, but I think it's a good start and I'm sure there's bits I could fix in it. So please let me know.
    Some may be wrong, so I would be happy for clarification.
    Last edited by invision2; Sep 23, 2008 at 12:48.
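    As an added example (not code from the original post, and not how invision2 built anything), here is one way to put tips 12, 13 and 21 into code: a password policy of at least 8 characters with a special character, hashed storage, and a temporary lockout after three failed logins. It assumes PHP 7 or later. password_hash()/password_verify() are used in place of the raw SHA-256 the post mentions, because a stored password hash needs a per-user salt and a deliberately slow algorithm, which those functions supply; the in-memory $accounts array and the 15-minute lockout period are assumptions for the demo.

```php
<?php
// Added example: password policy (tip 12), hashed storage (tip 13) and
// temporary lockout after three failures (tip 21). $accounts stands in for
// a users table; LOCKOUT_SECONDS is an assumed value.

const MIN_PASSWORD_LENGTH = 8;   // tip 12
const MAX_FAILURES        = 3;   // tip 21
const LOCKOUT_SECONDS     = 900; // 15 minutes, assumed

function passwordMeetsPolicy(string $password): bool
{
    // At least 8 characters and at least one character that is not a letter or digit.
    return strlen($password) >= MIN_PASSWORD_LENGTH
        && preg_match('/[^A-Za-z0-9]/', $password) === 1;
}

function createAccount(array &$accounts, string $username, string $password): bool
{
    if (!passwordMeetsPolicy($password)) {
        return false;
    }
    $accounts[$username] = [
        // Salted, slow hash; the returned string embeds algorithm, cost and salt,
        // so nothing else needs storing to verify it later.
        'hash'         => password_hash($password, PASSWORD_DEFAULT),
        'failures'     => 0,
        'locked_until' => 0,
    ];
    return true;
}

// Returns 'ok', 'denied' or 'locked'. $now is passed in so the lockout can be
// exercised without waiting.
function login(array &$accounts, string $username, string $password, int $now): string
{
    if (!isset($accounts[$username])) {
        // Same answer as a wrong password, so usernames cannot be enumerated.
        return 'denied';
    }
    $acct = &$accounts[$username];
    if ($acct['locked_until'] > $now) {
        return 'locked';
    }
    if (password_verify($password, $acct['hash'])) {
        $acct['failures'] = 0;
        return 'ok';
    }
    $acct['failures']++;
    if ($acct['failures'] >= MAX_FAILURES) {
        $acct['locked_until'] = $now + LOCKOUT_SECONDS;
        $acct['failures']     = 0;
        return 'locked';
    }
    return 'denied';
}

// Constructed walk-through.
$accounts = [];
var_dump(createAccount($accounts, 'alice', 'password'));        // no special character
var_dump(createAccount($accounts, 'alice', 'correct-horse!'));  // meets the policy
$t = time();
echo login($accounts, 'alice', 'wrong', $t), "\n";
echo login($accounts, 'alice', 'wrong', $t), "\n";
echo login($accounts, 'alice', 'wrong', $t), "\n";                            // third failure
echo login($accounts, 'alice', 'correct-horse!', $t), "\n";                   // right password, still inside the lockout
echo login($accounts, 'alice', 'correct-horse!', $t + LOCKOUT_SECONDS), "\n"; // lockout expired
```

    In the walk-through the first createAccount() call is refused, the second succeeds, the first two wrong passwords are denied, the third locks the account, the correct password is refused while the lockout is in force, and it is accepted once the lockout has expired. In production the counter and lock time live in the database next to the hash, and the lockout should also be keyed by source IP so an attacker cannot use it to lock legitimate users out at will.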

  #2 ScallioXTX (Utopia, Inc., The Netherlands)
    Strip all HTML tags from user input ("guest" users anyway; guestbook posts are a good example).

    Never make web-accessible files writeable to the webserver
    Rémon - Hosting Advisor

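    An added example (not from the original post) for the second tip, "never make web-accessible files writeable to the webserver". It walks a document root and lists every file and directory the current process can write to. Run as the webserver user (for example sudo -u www-data php audit.php /var/www/html), is_writable() answers exactly the question "can the webserver modify this?". Run as root it reports everything, so the result is meaningless. The demo tree under the system temp directory is constructed for the example.

```php
<?php
// Added example: audit a document root for files and directories the current
// user (meant to be the webserver user) can write to.

function findWritableByCurrentUser(string $docroot): array
{
    $writable = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $path => $entry) {
        // Directories matter as much as files: a writable directory lets an
        // attacker drop a brand-new .php file even if every existing file is
        // read-only.
        if (is_writable($path)) {
            $writable[] = $path;
        }
    }
    sort($writable);
    return $writable;
}

// Constructed demo tree: code made read-only, an upload directory left writable.
$root = sys_get_temp_dir() . '/audit-' . bin2hex(random_bytes(4));
mkdir("$root/uploads", 0755, true);
file_put_contents("$root/index.php", "<?php echo 'hello';\n");
file_put_contents("$root/uploads/avatar.jpg", 'constructed placeholder, not a real JPEG');
chmod("$root/index.php", 0444);          // code: nobody may write it
chmod("$root/uploads", 0755);            // upload directory: owner may write
chmod("$root/uploads/avatar.jpg", 0644); // uploaded file: owner may write

foreach (findWritableByCurrentUser($root) as $path) {
    echo "WRITABLE: $path\n";
}

// Clean up the demo tree.
unlink("$root/uploads/avatar.jpg");
unlink("$root/index.php");
rmdir("$root/uploads");
rmdir($root);
```

    Run as an ordinary user this reports uploads/ and uploads/avatar.jpg and not index.php. An upload directory is the one legitimate exception, and the usual way to keep it from becoming a code-execution path is to place it outside the document root, or to disable PHP execution for it in the webserver configuration, so that a writable directory never coincides with an executable one.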

  #3 YuriKolovsky (Hibernator, Malaga, Spain)
    Recreate user-uploaded images using the PHP GD library (to make sure it's an image).
    Use suPHP to run the PHP script as a specific user and access permission-protected files.

  #4 ScallioXTX (Utopia, Inc., The Netherlands)
    Quote Originally Posted by YuriKolovsky View Post
    Recreate user-uploaded images using the PHP GD library (to make sure it's an image).
    That's somewhat drastic, isn't it? Why not do something like:

    PHP Code:
    // Read the dimensions from the file header; false means the header was not recognised.
    if (($info = getimagesize($some_file)) === false)
        die('Invalid image');
    // Width ($info[0]) and height ($info[1]) must both be at least one pixel.
    if ($info[0] < 1 || $info[1] < 1)
        die('Invalid image');
    ?
    Rémon - Hosting Advisor


  #5 YuriKolovsky (Hibernator, Malaga, Spain)
    Nice one.

    Here's another: making sure your website is not shown in an IFRAME.
    http://roshanbh.com.np/2008/06/preve...de-iframe.html

  #6 SitePoint Wizard (addressed as @crmalibu in #7)
    Quote Originally Posted by ScallioXTX View Post
    That's somewhat drastic, isn't it? Why not do something like:

    PHP Code:
    // Read the dimensions from the file header; false means the header was not recognised.
    if (($info = getimagesize($some_file)) === false)
        die('Invalid image');
    // Width ($info[0]) and height ($info[1]) must both be at least one pixel.
    if ($info[0] < 1 || $info[1] < 1)
        die('Invalid image');
    ?
    Because recreating the image has a decent chance to strip out any rogue code embedded in the image. Carefully crafted data can be embedded inside of images, and if served to a vulnerable browser or other piece of software, the code may execute.

    getimagesize() just looks at the meta data for the image file, and returns the info the image claims. It doesn't do a virus scan or any other integrity check.
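    As an added example (not code from any of the posters), here is the two approaches from #3, #4 and #6 combined with tip 25 from the opening post: a file-name whitelist, the cheap getimagesize() header check, and then a GD re-encode that rewrites the file from its decoded pixels. It assumes the GD extension and PHP 5.4 or later (for getimagesizefromstring()). The "upload" is constructed in memory: a genuine PNG with a PHP payload appended after the image data, the kind of file that passes a header check but is dangerous if it is ever served or included under a .php name. Normalising every upload to PNG is an assumed policy; the pixel budget is an assumed limit.

```php
<?php
// Added example: validate an uploaded image by name, by header, and by
// re-encoding it through GD so that only pixel data survives.

function validateImageUpload(string $originalName, string $bytes, int $maxPixels = 4000 * 4000): string
{
    // Tip 25: whitelist the name and extension; never trust the client's MIME type.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpe?g|png|gif)$/i', $originalName)) {
        throw new RuntimeException('Rejected file name');
    }

    // Header check (what #4 proposed): cheap, but it reads only the metadata.
    $info = getimagesizefromstring($bytes);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        throw new RuntimeException('Not an image');
    }
    if ($info[0] * $info[1] > $maxPixels) {
        throw new RuntimeException('Image too large'); // decompression-bomb guard before decoding
    }
    if (!in_array($info[2], [IMAGETYPE_JPEG, IMAGETYPE_PNG, IMAGETYPE_GIF], true)) {
        throw new RuntimeException('Unsupported image type');
    }

    // Re-encode (what #3 and #6 proposed): decode the pixels and write a fresh
    // file. Comments, EXIF, trailing data and anything else that is not pixel
    // data does not make it into the output.
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        throw new RuntimeException('Image failed to decode');
    }
    ob_start();
    imagepng($im);              // assumed policy: store everything as PNG
    $clean = ob_get_clean();
    imagedestroy($im);
    return $clean;
}

// Constructed malicious upload: a real 2x2 PNG followed by a PHP payload.
$im = imagecreatetruecolor(2, 2);
ob_start();
imagepng($im);
$png = ob_get_clean();
imagedestroy($im);
$upload = $png . "<?php system(\$_GET['c']); ?>";

var_dump(getimagesizefromstring($upload) !== false); // does the header check alone accept it?
var_dump(strpos($upload, '<?php') !== false);        // is the payload present before re-encoding?

$clean = validateImageUpload('avatar.png', $upload);
var_dump(getimagesizefromstring($clean) !== false);  // is the result still a valid image?
var_dump(strpos($clean, '<?php') === false);         // is the payload gone after re-encoding?
```

    All four checks print true: the header check on its own accepts the file with the payload intact, and the re-encoded file is a valid PNG with no trace of it. Two caveats: decoding is the expensive step, so keep the pixel budget and a request size limit in front of it; and re-encoding protects the server and other viewers of the file, not against the decoder itself, so keep GD and its libraries patched.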

  #7 YuriKolovsky (Hibernator, Malaga, Spain)
    @crmalibu, exactly as I thought.

    @everyone
    Let's keep this thread as informative as possible (for others to reference):
    add at least one tip on security with every post!
    Tip 36: use
    PHP Code:
    // Needs an open mysql_connect() link; escapes according to that connection's character set.
    $string = mysql_real_escape_string($string);
    instead of
    PHP Code:
    $string = addslashes($string);
    to clean strings before adding their contents to a MySQL database
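    An added example, not code from the original post. mysql_real_escape_string() and the whole mysql_* extension were removed in PHP 7, so this shows the present-day form of "clean strings before adding them to the database": bound parameters, which keep the data apart from the SQL instead of escaping one into the other. It also shows where the addslashes() approach fails outright: in an unquoted numeric position there is nothing for it to escape (tips 5 and 7 in the opening post are the same point). It uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs offline; the users table and the payload are constructed for the demo, and in real code the DSN would be the MySQL one.

```php
<?php
// Added example: string concatenation plus addslashes() versus a bound
// parameter, against an in-memory SQLite database.

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'member')");
    return $db;
}

// Vulnerable: addslashes() only escapes quotes, backslashes and NUL. In an
// unquoted numeric position there is nothing to escape, so the input becomes
// part of the statement as-is.
function findUserByIdUnsafe(PDO $db, string $id): array
{
    $sql = 'SELECT name, role FROM users WHERE id = ' . addslashes($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the statement text is fixed, the value travels separately and is
// bound as the expected type (tip 5), so it can only ever be a number.
function findUserByIdSafe(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name, role FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db     = openDb();
$attack = '1 OR 1=1'; // constructed payload, e.g. from ?id=1+OR+1%3D1

$unsafe = findUserByIdUnsafe($db, $attack);
$safe   = findUserByIdSafe($db, $attack);

printf("unsafe: %d row(s)\n", count($unsafe));
print_r($unsafe);
printf("safe:   %d row(s)\n", count($safe));
print_r($safe);
```

    The unsafe query returns both users, including the admin row, because the statement executed was WHERE id = 1 OR 1=1; the safe one returns only alice, because the bound value is the integer 1. For string columns the same prepare/bindValue pattern applies; the difference from escaping is that no quoting rule, character set or numeric context can change how the bound value is interpreted.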

  #8 felgall (Programming Since 1978, Sydney, NSW, Australia)
    Validate all fields for what they are expected to contain first. If there is a function that tests it (such as for numeric or alpha fields) then use that. If there isn't a specific function then use a regular expression. Make it as specific as you can. Most fields could not possibly be misused if they are validated properly in the first place. If < ' and " are not valid characters for the field then the field can't possibly contain HTML or anything else that is an attempt to break into your site in the first place.
    Stephen J Chapman

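    As an added example (not code from felgall or from the opening post), here is the approach in #8 applied to a small form, which also covers tips 4, 5, 9, 10 and 11 from the opening post: trim first, then validate each field for exactly what it may contain, using a built-in test where one exists (ctype_digit(), filter_var()) and a regular expression as narrow as the field allows otherwise, enforcing lengths server-side because the HTML maxlength is only a hint, and escaping with htmlspecialchars() only at the point of output for free text. It assumes PHP 7 or later; the field names, limits, UK postcode format and the two sample submissions are assumptions for the demo.

```php
<?php
// Added example: validate every field for what it is expected to contain.
// Returns the errors found and a separate array of the accepted, typed values.

function validateContactForm(array $input): array
{
    $errors = [];
    $clean  = [];

    // Tip 9: trim, and treat missing or non-string values as empty.
    $get = static function (string $key) use ($input): string {
        return isset($input[$key]) && is_string($input[$key]) ? trim($input[$key]) : '';
    };

    $name = $get('name');
    // Letters, spaces, apostrophes and hyphens only: < > " & cannot get in at all.
    if ($name === '' || strlen($name) > 60 || !preg_match("/^[A-Za-z][A-Za-z' -]*$/", $name)) {
        $errors['name'] = 'Name: 1-60 letters, spaces, apostrophes or hyphens';
    } else {
        $clean['name'] = $name;
    }

    $age = $get('age');
    if (!ctype_digit($age) || (int) $age < 13 || (int) $age > 120) { // built-in test for numeric
        $errors['age'] = 'Age must be a whole number between 13 and 120';
    } else {
        $clean['age'] = (int) $age; // tip 5: the expected type, not a string
    }

    $email = $get('email');
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Invalid e-mail address';
    } else {
        $clean['email'] = $email;
    }

    $postcode = $get('postcode');
    // No built-in test exists, so a specific regex (UK format, an assumed choice).
    if (!preg_match('/^[A-Z]{1,2}[0-9][A-Z0-9]? ?[0-9][A-Z]{2}$/', $postcode)) {
        $errors['postcode'] = 'Invalid postcode';
    } else {
        $clean['postcode'] = $postcode;
    }

    $message = $get('message');
    // Free text cannot be whitelisted this tightly: enforce the length here
    // (tip 11 on the client side is only a hint) and escape it on output.
    if ($message === '' || strlen($message) > 2000) {
        $errors['message'] = 'Message: 1-2000 characters';
    } else {
        $clean['message'] = $message;
    }

    return ['errors' => $errors, 'clean' => $clean];
}

// Tip 10, applied at output time rather than at input time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed submissions: one honest, one hostile.
$good = ['name' => " O'Brien ", 'age' => '34', 'email' => 'o.brien@example.com',
         'postcode' => 'SW1A 1AA', 'message' => 'Hello'];
$bad  = ['name' => '<script>alert(1)</script>', 'age' => '34 OR 1=1',
         'email' => 'not-an-email', 'postcode' => '../../etc',
         'message' => '<img src=x onerror=alert(1)>'];

print_r(validateContactForm($good));
print_r(validateContactForm($bad)['errors']);
echo h($bad['message']), "\n";
```

    The honest submission produces no errors and a typed result (the name trimmed, the age an int); the hostile one fails on name, age, email and postcode, and only the free-text message gets through validation, which is why that field is the one that needs h() when it is echoed back into a page.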