  1. #1 Zurev (SitePoint Zealot, joined Feb 2009)

    Security precautions in a popular website

    I'm coding for a fairly popular website, that will be used by a large group of people. I have two major concerns, securing the input that gets passed through to a MySQL database, and securing $_GET information. Since I'm coding all the scripts myself, I'm using this simple method to secure $_GET:
    PHP Code:
    $action = $_GET['action'];
    $action_possible = array("register", "login", "logout");

    // If the action isn't register, login, or logout, kill the script.
    if (!in_array($action, $action_possible)) {
        die();
    }
    I'm fairly confident that this method will work fine, though if you see a flaw, I'd appreciate the criticism.

    Now for user input, all input inserted into the database is passed through an insert function, and all user input is passed through this function:
    PHP Code:
    function escape($input) {
        // Undo magic quotes if PHP already added slashes, otherwise add them.
        if (get_magic_quotes_gpc()) {
            $input = stripslashes($input);
        } else {
            $input = addslashes($input);
        }

        $input = mysql_real_escape_string($input);
        return $input;
    }

    I appreciate any help or advice you have to offer, thank you.
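    As an added example (not code from the thread or from Zurev), here is a hardened form of the handler in post #1: the action whitelist with a strict comparison, and the database write done through a prepared statement so that no hand-rolled escaping is needed. It uses an in-memory SQLite database so it runs offline; for MySQL only the DSN and credentials change. The table and column names are constructed for the demo.

```php
<?php
// Added example, not code from the thread. A hardened form of post #1's
// handler: strict action whitelist, and the database write done with a
// prepared statement so no hand-rolled escaping is needed. It uses an
// in-memory SQLite database so it runs offline; for MySQL only the DSN and
// credentials change. The table and column names are constructed for the demo.
declare(strict_types=1);

const ACTIONS = ['register', 'login', 'logout'];

/** Return the validated action, or null if it is missing or not on the list. */
function pick_action(array $get): ?string
{
    $action = $get['action'] ?? null;                  // missing key -> null, no notice
    if (!is_string($action) || !in_array($action, ACTIONS, true)) {
        return null;                                   // rejects ?action[]=x, "Login", ""
    }
    return $action;
}

function open_db(): PDO
{
    // MySQL equivalent: new PDO('mysql:host=HOST;dbname=DB;charset=utf8mb4', $user, $pass)
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)');
    return $pdo;
}

/** Insert with a bound parameter: the value never becomes part of the SQL text. */
function register_user(PDO $pdo, string $username): int
{
    $stmt = $pdo->prepare('INSERT INTO users (username) VALUES (:u)');
    $stmt->bindValue(':u', $username, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $pdo->lastInsertId();
}

function fetch_username(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Demo on constructed input.
var_dump(pick_action(['action' => 'login']));    // string(5) "login"
var_dump(pick_action(['action' => ['login']]));  // NULL
var_dump(pick_action([]));                       // NULL

$pdo = open_db();
$raw = "O'Reilly \\ \"quoted\"";                 // quotes and a backslash, left untouched
$id  = register_user($pdo, $raw);
var_dump(fetch_username($pdo, $id) === $raw);    // bool(true): stored verbatim, no slashes
```

    The `true` third argument to `in_array` makes the comparison strict, and reading `$get['action'] ?? null` avoids the notice the original raises when the parameter is absent. With a bound parameter the quote characters in the username reach the table exactly as typed, which is the property the escape() function in post #1 is trying to achieve by hand.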

  2. #2 cranial-bore (SitePoint Wizard, Australia, joined Jan 2002)
    PHP Code:
    if (get_magic_quotes_gpc()) {
        $input = stripslashes($input);
    } else {
        $input = addslashes($input);
    }

    This seems weird. If magic quotes is on, then you remove the slashes.
    If it was off then you add them.

    So $input will vary depending on that setting. I think you were trying to get $input to be in a known state, without slashes, so you could use m_r_e_s().
    Remove else { $input = addslashes($input); }
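    The following is an added example, not code from cranial-bore or the thread. It reproduces the behaviour described in post #2 on the same typed value under both ini settings, side by side with the escape() that results from removing the else branch. Because mysql_real_escape_string needs a live connection (and was removed in PHP 7), `sim_real_escape()` is a constructed ASCII-only stand-in that applies the same escaping rules; it exists only so the demo runs offline.

```php
<?php
// Added example, not code from the thread. It reproduces the behaviour
// cranial-bore points out in post #2 and shows the escape() he suggests.
// mysql_real_escape_string needs a live connection (and was removed in PHP 7),
// so sim_real_escape() is a constructed ASCII-only stand-in applying the same
// escaping rules (\ ' " NUL \n \r \x1a); it exists only so the demo runs offline.
declare(strict_types=1);

function sim_real_escape(string $s): string
{
    return strtr($s, [
        "\\"   => "\\\\",
        "'"    => "\\'",
        '"'    => '\\"',
        "\0"   => "\\0",
        "\n"   => "\\n",
        "\r"   => "\\r",
        "\x1a" => "\\Z",
    ]);
}

/** What magic_quotes_gpc did to a request value before the script ever saw it. */
function as_received(string $raw, bool $magic_quotes_on): string
{
    return $magic_quotes_on ? addslashes($raw) : $raw;
}

/** Post #1's version: strip slashes when magic quotes is on, ADD them when off. */
function escape_original(string $input, bool $magic_quotes_on): string
{
    $input = $magic_quotes_on ? stripslashes($input) : addslashes($input);
    return sim_real_escape($input);
}

/** Post #2's fix: only undo magic quotes, then escape exactly once. */
function escape_fixed(string $input, bool $magic_quotes_on): string
{
    if ($magic_quotes_on) {   // the original calls get_magic_quotes_gpc() here; it is gone since PHP 8
        $input = stripslashes($input);
    }
    return sim_real_escape($input);
}

// Demo: the same typed value under both ini settings.
$raw = "O'Reilly";
foreach ([true, false] as $mq) {
    $in = as_received($raw, $mq);
    printf("magic_quotes=%-5s original=%-14s fixed=%s\n",
        var_export($mq, true), escape_original($in, $mq), escape_fixed($in, $mq));
}
// magic_quotes=true  original=O\'Reilly      fixed=O\'Reilly
// magic_quotes=false original=O\\\'Reilly    fixed=O\'Reilly
//
// With magic quotes off the original double-escapes, so MySQL stores O\'Reilly
// instead of O'Reilly: not an injection, but corrupted data whose shape depends
// on a php.ini setting. The fixed version yields the same literal either way.
```

    The point is that the escaping step must run exactly once on the value as typed; the only job of the magic-quotes check is to get the input back to that state.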

  3. #3 SitePoint Guru (joined Nov 2002)
    Just turn off magic quotes and forget about em.

    Don't forget to escape your output.

  4. #4 skunkbad (SitePoint Addict, Temecula, CA, joined Apr 2008)
    Take a look at filter_input(). It's a good start for your filtering needs.

    http://us.php.net/filter_input

    I've been using CodeIgniter, and it takes care of all of this stuff so I don't have to think about it. I used to be a framework hater, so I know frameworks aren't for everyone. Something to consider though.
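    An added example (not code from skunkbad or from CodeIgniter) of the filter extension mentioned in post #4. `filter_input()` reads the live superglobals, so this demo runs the same filters through `filter_var()` on a constructed array; for a real request the call becomes `filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $opts)` with the same filter and options. The parameter names and rules are assumptions for the demo.

```php
<?php
// Added example, not from the thread. Shows the filter extension skunkbad
// points to in post #4. filter_input() reads the live superglobals, so this
// demo runs the same filters through filter_var() on a constructed array;
// swap in filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, $opts) for real requests.
declare(strict_types=1);

/** Validate the query parameters a page needs; returns ['ok' => [...], 'errors' => [...]]. */
function validate_query(array $get): array
{
    $rules = [
        'id'     => [FILTER_VALIDATE_INT,    ['options' => ['min_range' => 1]]],
        'email'  => [FILTER_VALIDATE_EMAIL,  []],
        // a whitelist as an anchored regexp: the filter_* way of writing post #1's in_array check
        'action' => [FILTER_VALIDATE_REGEXP, ['options' => ['regexp' => '/^(register|login|logout)$/']]],
    ];

    $ok = [];
    $errors = [];
    foreach ($rules as $name => [$filter, $opts]) {
        // FILTER_NULL_ON_FAILURE: null means "rejected", so a genuine 0 or false is not mistaken for failure
        $opts['flags'] = ($opts['flags'] ?? 0) | FILTER_NULL_ON_FAILURE;
        // a missing key gives null; an array value (?id[]=1) is rejected because no FILTER_REQUIRE_ARRAY flag is set
        $value = filter_var($get[$name] ?? null, $filter, $opts);
        if ($value === null) {
            $errors[] = $name;
        } else {
            $ok[$name] = $value;   // note: a valid id comes back as int, not string
        }
    }
    return ['ok' => $ok, 'errors' => $errors];
}

// Demo on constructed input.
print_r(validate_query(['id' => '42', 'email' => 'a@example.com', 'action' => 'login']));
// ok: id => 42, email => a@example.com, action => login; errors: (empty)
print_r(validate_query(['id' => '0', 'email' => 'not-an-address', 'action' => ['login']]));
// ok: (empty); errors: id, email, action
```

    Validation filters return the typed value on success (an int for FILTER_VALIDATE_INT), which means the rest of the script can rely on the type rather than re-checking it.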

  5. #5 lorenw (SitePoint Wizard, joined Feb 2005, location: was rainy Oregon now sunny Florida)
    Don't forget XSS. Google for "XSS cheat sheet".

    The first link will have a few things to try with your forms. I tried it on some of my forms and sure enough I got the JavaScript popup.

    The solution to use is here.
    http://htmlpurifier.org/

    It really does work as advertised.

    Just something other than injection to guard against.
    What I lack in acuracy I make up for in misteaks
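    An added example (not code from lorenw or from HTML Purifier) of the output-escaping step that post #3 ("escape your output") and post #5 both call for. Every untrusted value is HTML-encoded at the point it is written into the page, and a URL-valued attribute additionally gets a scheme check. The payload strings are constructed test inputs of the kind an XSS cheat sheet lists; the page template is invented for the demo.

```php
<?php
// Added example, not from the thread. The output-escaping step posts #3 and #5
// call for: every untrusted value is HTML-encoded at the point it is written
// into the page, and a URL-valued attribute additionally gets a scheme check.
// The payload strings are constructed test inputs of the kind an XSS cheat sheet lists.
declare(strict_types=1);

/** Encode for an HTML text node or a quoted attribute. ENT_QUOTES covers both quote kinds. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Only allow http(s) URLs into href; anything else (javascript:, data:, ...) becomes "#". */
function safe_href(string $url): string
{
    $scheme = strtolower((string) parse_url(trim($url), PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? h($url) : '#';
}

function render_profile(string $name, string $site): string
{
    return '<p>Hello, ' . h($name) . '</p>' . "\n"
         . '<a href="' . safe_href($site) . '" title="' . h($name) . '">site</a>';
}

// Demo with constructed hostile input: a tag in the name, a quote-breakout
// attempt in the attribute, and a non-http scheme in the link.
echo render_profile('<script>alert(1)</script>', 'javascript:alert(1)'), "\n";
// <p>Hello, &lt;script&gt;alert(1)&lt;/script&gt;</p>
// <a href="#" title="&lt;script&gt;alert(1)&lt;/script&gt;">site</a>

echo render_profile('x" onmouseover="alert(1)', 'https://example.com/?q=a&b'), "\n";
// <p>Hello, x&quot; onmouseover=&quot;alert(1)</p>
// <a href="https://example.com/?q=a&amp;b" title="x&quot; onmouseover=&quot;alert(1)">site</a>
```

    Escaping belongs at output time and is chosen per context: the same `h()` serves text nodes and quoted attributes, but a URL attribute needs the scheme check as well, because encoding alone does not stop a `javascript:` link. HTML Purifier, which post #5 links, is the tool for the different case where some user-supplied HTML must be allowed through rather than encoded.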
