Security precautions in a popular website

**Zurev** · Oct 6, 2009 17:37

I'm coding for a fairly popular website, that will be used by a large group of people. I have two major concerns, securing the input that gets passed through to a MySQL database, and securing $_GET information. Since I'm coding all the scripts myself, I'm using this simple method to secure $_GET:

PHP Code:


$action = $_GET['action'];

$action_possible = array("register", "login", "logout");



// If the action isn't register,login, or logout, Kill the script.

if (!in_array($action, $action_possible))

    {

           die();

        }

I'm fairly confident that this method will work fine, though if you see a flaw, I'd appreciate the criticism.

Now for user input, all input inserted into the database is passed through an insert function, all user input is passed through this function:

PHP Code:


function escape($input){

    if(get_magic_quotes_gpc())

        {

            $input = stripslashes($input);

        } else {

        $input = addslashes($input);

    }



        $input = mysql_real_escape_string($input);

        return $input;

}

I appreciate any help or advice you have to offer, thank you.

**cranial-bore** · Oct 6, 2009 18:21

PHP Code:


if(get_magic_quotes_gpc())
    {
        $input = stripslashes($input);
    } else {
    $input = addslashes($input);
}

This seems weird. If magic quotes is on, then you remove the slashes.
If it was off then you add them.

So $input will vary depending on that setting. I think you were trying to get $input to be in a known state, without slashes, so you could use m_r_e_s()
Remove else { $input = addslashes($input); }

**Selkirk** · Oct 6, 2009 20:13

Just turn off magic quotes and forget about em.

Don't forget to escape your output.

**skunkbad** · Oct 6, 2009 23:34

Take a look at filter_input(). It's a good start for your filtering needs.

http://us.php.net/filter_input

I've been using CodeIgniter, and it takes care of all of this stuff so I don't have to think about it. I used to be a framework hater, so I know frameworks aren't for everyone. Something to consider though.

**lorenw** · Oct 7, 2009 07:23

Don't forget XSS, Google for
XSS cheat sheet

The first link will have a few things to try with your forms. I tried it on some of my foms and sure enough I got the JavaScript popup.

The soution to use is here.
http://htmlpurifier.org/

It really does work as advertised.

Just something other than injection to guard against.

User Tag List

Thread: Security precautions in a popular website

Thread Tools

Display

Security precautions in a popular website

Bookmarks

Bookmarks

Posting Permissions