General Programming Discussions Discuss Various Programming Languages Used In Website Management.

#1
12-14-2011, 10:08 AM
The7thSage
Tazmanian
Join Date: Aug 2011
Admin Experience: Advanced
Posts: 298
Security Measures? {PHP}
What are some security measures that you take while coding? Especially in PHP.

Mine: I do the following, yet for some reason I feel it's not enough.
  • mysql_real_escape_string()
  • htmlspecialchars()
  • Predefined set of tags.
  • Check amount of queries executed per operation.
  • Validation of data types.
  • And md5+salt for sensitive data.

I'd like to know what other things can be done for protection.
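The list above leans on mysql_real_escape_string() and htmlspecialchars(). As an added example (not code from this thread or from any poster), here is the same user lookup written both ways in PHP: the escaping style the list describes (with PDO::quote() standing in for mysql_real_escape_string(), since the mysql_* extension was removed in PHP 7), and the parameterised PDO form, where user data never becomes part of the SQL text, plus output encoding with the quote flags and charset set explicitly. The DSN, credentials, the users table and its column names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Assumed schema: users(id, username, email).
// Connection details are placeholders.
function connect(): PDO
{
    return new PDO(
        'mysql:host=127.0.0.1;dbname=forum;charset=utf8mb4', // charset on the connection, so quoting matches it
        'app_user',
        'app_password',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false, // server-side prepares: data never re-enters the SQL text
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Escaping style from the post: safe only for string literals, and only if the escape
// function knows the connection charset. It cannot protect an identifier or a bare number.
function findUserByEscaping(PDO $pdo, string $username): ?array
{
    $sql = 'SELECT id, username, email FROM users WHERE username = ' . $pdo->quote($username);
    $row = $pdo->query($sql)->fetch();
    return $row ?: null;
}

// Parameterised form: the SQL text is fixed; $username is sent as data, whatever it contains.
function findUserPrepared(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row ?: null;
}

// Numeric input: validate the type and range first, then still bind it.
// LIMIT/OFFSET are the usual place where people fall back to string concatenation.
function listUsers(PDO $pdo, int $page, int $perPage = 20): array
{
    if ($page < 1 || $perPage < 1 || $perPage > 100) {
        throw new InvalidArgumentException('page/perPage out of range');
    }
    $stmt = $pdo->prepare('SELECT id, username FROM users ORDER BY id LIMIT :limit OFFSET :offset');
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', ($page - 1) * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Output encoding belongs at the point of output, not at input time: encode quotes too,
// and name the charset so a multi-byte sequence cannot smuggle a '<' past the encoder.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Usage: a payload such as "' OR '1'='1" simply fails to match any username when bound.
$pdo  = connect();
$user = findUserPrepared($pdo, (string) ($_GET['u'] ?? ''));
echo $user === null
    ? '<p>No such user.</p>'
    : '<p>Hello, ' . h($user['username']) . ' &lt;' . h($user['email']) . '&gt;</p>';
```

Escaping at input time and storing the result (the "clean it once" habit) is what makes htmlspecialchars() show up as literal `&amp;` in emails or JSON later; encode for the sink you are writing to, at the moment you write to it.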
#2
12-14-2011, 07:12 PM
xenLiam
Tazmanian
Real Name: Liam Demafelix
Join Date: Oct 2010
Admin Experience: Guru
Location: The Internet
Posts: 350
Use sha1 instead of md5. I don't know, but I use sha1, since I heard some things about it on the net. Not sure if it really adds to security, but you never know.
#3
02-15-2012, 04:57 AM
gabs777
TAZ Rookie
Real Name: Gabriel Inbuon
Join Date: Oct 2010
Posts: 3
Quote:
Originally Posted by The7thSage View Post
What are some security measures that you take while coding? Especially in PHP.

Mine: I do the following, yet for some reason I feel it's not enough.
  • mysql_real_escape_string()
  • htmlspecialchars()
  • Predefined set of tags.
  • Check amount of queries executed per operation.
  • Validation of data types.
  • And md5+salt for sensitive data.

I'd like to know what other things can be done for protection.

In my experience of better coding, I use these things in my daily routine.

Database injection prevention: mysql_real_escape_string();
I make a function that will reverse get_magic_quotes_gpc() and turn them into mysql_real_escape_string().

For passwords I use SHA-256 encoding, 64 characters in length.
hash('sha256', $password); You can salt it or re-encode the hashed value to make it more secure.

Validation of data: Never trust user input; make a validation class and validate every time.
#4
02-15-2012, 09:10 AM
Judge Dredd
Tazmanian
Real Name: Dustin
Join Date: Apr 2011
Admin Experience: Intermediate
Location: Arizona
Posts: 3,064
I use md5. It's fine.

I also use prepared statements when I feel like it, but for small projects, I don't.
#5
02-16-2012, 04:26 AM
taipress
TAZ Regular
Join Date: Jan 2012
Posts: 30
Quote:
Originally Posted by xenLiam View Post
Use sha1 instead of md5. I don't know, but I use sha1, since I heard some things about it on the net. Not sure if it really adds to security, but you never know.
SHA-1 does indeed add security; even though it's old and not that great, it's A LOT better than MD5. I recommend the SHA-2 family if you really want security, though (SHA-256 etc.), but it'll take more resources/be slower too, so it is a trade-off.
__________________
Check out http://cheapvpsdeals.info for budget VPS listings. Updated daily and now has a great feature search!
#6
02-20-2012, 08:44 PM
Rafio
Desu Ex
Real Name: Rafał
Join Date: Feb 2008
Admin Experience: Guru
Location: Polska -> Wrocław
Age: 24
Posts: 719
Quote:
Originally Posted by The7thSage View Post
  • mysql_real_escape_string()
  • htmlspecialchars()
  • Predefined set of tags.
  • Check amount of queries executed per operation.
  • Validation of data types.
  • And md5+salt for sensitive data.
Add the following:

Session-specific keys in forms and some URLs to protect against CSRF.
Custom gateway for accessing user-uploaded content, ergo "uploads.php?pic=12312" instead of "/uploads/someimage.gif".
__________________
Find me there: Misago - Python Forum Software | Medium | Twitter | Github
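Both items in the post above, as an added example in PHP (not code from the thread or from Rafio's projects): a per-session CSRF token that is embedded in forms and checked with a constant-time comparison, and an uploads.php-style gateway that resolves an integer id to a file stored outside the web root and refuses anything that resolves elsewhere. The upload directory, the id lookup (a constructed in-memory table standing in for a database query) and the field names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread.
// (1) CSRF token: one random value per session, created lazily, compared in constant time.
// (2) Upload gateway: "uploads.php?pic=12312"; the client supplies an id, never a path.
session_start();

function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256-bit token from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

function csrfField(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrfCheck(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    // hash_equals() avoids leaking how many leading bytes matched through timing.
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

const UPLOAD_DIR = '/srv/forum-data/uploads';   // assumed; deliberately not under the document root

// Assumed lookup: a real application does a SELECT on an uploads table keyed by id.
function lookupUpload(int $id): ?array
{
    $table = [   // constructed sample data
        12312 => ['file' => '12312.gif', 'mime' => 'image/gif', 'name' => 'avatar.gif'],
    ];
    return $table[$id] ?? null;
}

function serveUpload(string $rawId): void
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit;
    }
    $meta = lookupUpload($id);
    $base = realpath(UPLOAD_DIR);
    $path = $meta === null ? false : realpath(UPLOAD_DIR . '/' . $meta['file']);
    // realpath() collapses "../" and symlinks; the result must still sit under the upload directory.
    if ($meta === null || $base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }
    // Server-chosen MIME type, no sniffing: an uploaded "image" must never be rendered as HTML.
    $safeName = preg_replace('/[^A-Za-z0-9._-]/', '_', $meta['name']);
    header('Content-Type: ' . $meta['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="' . $safeName . '"');
    header('Content-Length: ' . (string) filesize($path));
    readfile($path);
    exit;
}

// Usage: reject any POST without a valid token before doing anything else with it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrfCheck($_POST)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token.');
}
if (isset($_GET['pic'])) {
    serveUpload((string) $_GET['pic']);
}
echo '<form method="post">' . csrfField() . '<button>Save</button></form>';
```

The gateway also makes the uploaded file's original name irrelevant to where it lands on disk: the stored name is the id, so a user-supplied "../../config.php" never influences a path.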
#7
02-20-2012, 11:01 PM
SkepticGuy
CEO, The Above Network
Join Date: Jul 2004
Admin Experience: Guru
Posts: 445
Don't just cleanse incoming data for dynamic queries, test it.

For example, if a variable will never be more than 5 characters, check its length and "exit;" if it's more than 5.

Or if a variable will always be numeric, do the same if a string is detected.

If _GET or _POST data contains typical injection strings, do the same.

This way, your code stops even before the cleansed data is used for a query.

And always make sure the mysql "user" your web application uses for queries never has rights beyond select, insert, or update.
__________________
AboveTopSecret.com
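The "test it, don't just cleanse it" approach in the post above, as an added PHP example (not code from the thread): each field has an explicit type, a maximum length and, where the format is known, a pattern, and a request that does not fit is rejected before any query is assembled. It uses an allow-list of acceptable values rather than a search for "typical injection strings", and ends with the least-privilege database grant the post recommends. The field names, the database and account names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Field names and limits are assumptions.
final class InputRejected extends RuntimeException {}

function requireString(array $src, string $key, int $maxLen, ?string $pattern = null): string
{
    $v = $src[$key] ?? null;
    if (!is_string($v)) {                        // "key[]" arrives as an array, not a string
        throw new InputRejected("$key: missing or wrong type");
    }
    if (strpos($v, "\0") !== false) {            // NUL bytes never belong in form input
        throw new InputRejected("$key: contains NUL");
    }
    if (mb_strlen($v, 'UTF-8') > $maxLen) {      // character length, not byte length
        throw new InputRejected("$key: longer than $maxLen");
    }
    if ($pattern !== null && preg_match($pattern, $v) !== 1) {
        throw new InputRejected("$key: does not match expected format");
    }
    return $v;
}

function requireInt(array $src, string $key, int $min, int $max): int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($v === false) {                          // "12abc", "1e3", "" and arrays all fail here
        throw new InputRejected("$key: not an integer in [$min,$max]");
    }
    return $v;
}

// Allow-list the values rather than blacklisting strings: O'Brien is a legitimate name,
// and an attacker can encode around any list of "injection strings".
function validateProfileUpdate(array $post): array
{
    return [
        'user_id'  => requireInt($post, 'user_id', 1, PHP_INT_MAX),
        'username' => requireString($post, 'username', 20, '/\A[A-Za-z0-9_]{3,20}\z/'),
        'country'  => requireString($post, 'country', 2, '/\A[A-Z]{2}\z/'),  // "never more than 2 chars"
        'bio'      => requireString($post, 'bio', 500),
    ];
}

/*
 * Least privilege for the application's database account, run once by an administrator
 * (database, account and network are assumptions):
 *
 *   CREATE USER 'forum_app'@'10.0.0.%' IDENTIFIED BY '...';
 *   GRANT SELECT, INSERT, UPDATE ON forum.* TO 'forum_app'@'10.0.0.%';
 *   -- no DELETE, DROP, FILE or GRANT OPTION; schema changes use a separate account
 *
 * An injection that does get through with this account cannot DROP TABLE or read files
 * with LOAD_FILE(), which bounds the damage from the bug you did not find.
 */

// Usage with constructed input: the first call passes, the second is rejected before any query.
try {
    $clean = validateProfileUpdate(['user_id' => '42', 'username' => 'sage_7', 'country' => 'US', 'bio' => 'hi']);
    $bad   = validateProfileUpdate(['user_id' => '42', 'username' => "x' OR 1=1--", 'country' => 'USA', 'bio' => '']);
} catch (InputRejected $e) {
    http_response_code(400);                     // stop here, as the post does with exit;
    exit('Rejected: ' . $e->getMessage());
}
```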
#8
02-21-2012, 09:55 PM
taipress
I think you really should get a book on amazon on PHP security, there's too many little things to mention. And while one can't have 100% security, doing everything you can will definitely help.
#9
02-21-2012, 11:36 PM
Judge Dredd
Oh, and mind you, it's not just your code that matters. Your server configuration and other variables come into play as well!
#10
02-22-2012, 07:40 AM
xenLiam
I use this for handling post data.

Code:
foreach ($_POST as $key => $value) {
  // copy each POST field into a local variable of the same name: $_POST["user"] becomes $user
  $$key = trim(stripslashes($value));
}
Then just call it as a variable. Like if you have $_POST["user"] then just use $user -- it's cleaned out and trimmed. Although it may cause conflicts with existing variable handles.
#11
02-22-2012, 08:46 AM
Rafio
That's a bad way to do this, because you are stripping yourself of a single container for post variables.

Oh, this reminds me, it's a good idea to strip the \0 character from user input, and normalise new lines to just \n, like phpBB3 does.
#12
02-22-2012, 09:54 AM
xenLiam
What do you mean by "stripping yourself from single container for post variables."?
#13
02-22-2012, 10:31 AM
Rafio
If you filtered the content of $_POST, you would still be able to access all input via $_POST. On the other side, your code turns post keys into separate variables, which is a violation of the KISS principle... which is going to turn into a massive pain once you try to develop a forms framework or session timeout recovery.
#14
02-22-2012, 11:18 AM
xenLiam
Ah, I see. But for basic stuff the code works.
#15
02-22-2012, 11:40 AM
Rafio
Quote:
Originally Posted by xenLiam View Post
Ah, I see. But for basic stuff the code works.
Even for basic stuff, this code is incorrect. And depending on code structure and variables scopes it may be custom implementation of "register globals" security flaw from PHP 3...
#16
02-22-2012, 10:37 PM
xenLiam
Well, I'm not the best coder. Gonna take that into practice. Thanks, Rafio.
#17
02-27-2012, 08:32 PM
Rafio
Something else I forgot, but which may allow users to bypass "badname" filters: normalisation of monoglyphs.
#18
03-31-2012, 10:38 AM
Guerrera
TAZ Regular
Join Date: Mar 2012
Admin Experience: Intermediate
Posts: 74
MD5 and SHA1 hash databases are readily available online so to be frank, it doesn't much matter which you use to encode your passwords with - if a SHA1 leaks, it can be easily cracked.

What matters is how secure your members table is and how little room for SQL injection / query modification you have.

I validate each and every form input and check against relevant datatypes and datalengths, then I run an escape sequence to check that strings are ready for database input.

There's also a slurry of custom security I use to control in-site preferences, such as:
  • Session lockouts on post flooding
  • Temporary GeoIP bans for cities / countries in the event of extremely pervasive spammers
  • Cross-referencing hostname to IP and HTTP headers to detect proxies (which I try to block whenever possible)
  • Detection of persistent datastreams / brute force attempts on login / upload forms, which will lock a user out indefinitely.

Basically, everything has to be checked and double checked.
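The two lockout items above (post flooding per session; brute force on login forms) as an added PHP example, not code from the thread or from Guerrera's site. It is a fixed-window counter with a lockout, keyed on both the client address and the target account so that an attacker rotating addresses against one account and one address spraying many accounts both trip a limit. The counters live in an in-memory array so the example runs stand-alone; a real deployment keeps them somewhere shared across requests (APCu, Redis, a database table). The thresholds are assumptions chosen to illustrate, not tuned values.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Requires PHP 8.0+ (constructor promotion, named arguments).
final class Throttle
{
    /** @var array<string, array{count:int, window_start:int, locked_until:int}> */
    private array $state = [];

    public function __construct(
        private int $maxAttempts,    // attempts allowed per window
        private int $windowSeconds,  // length of the counting window
        private int $lockSeconds,    // lock duration once the limit is hit; 0 = indefinite
    ) {}

    /** True when the action may proceed; false when the key is locked or over its limit. */
    public function allow(string $key, int $now): bool
    {
        $s = $this->state[$key] ?? ['count' => 0, 'window_start' => $now, 'locked_until' => 0];

        if ($s['locked_until'] !== 0 && $now < $s['locked_until']) {
            return false;                                      // still locked out
        }
        if ($now - $s['window_start'] >= $this->windowSeconds) {
            $s = ['count' => 0, 'window_start' => $now, 'locked_until' => 0];   // fresh window
        }
        $s['count']++;
        if ($s['count'] > $this->maxAttempts) {
            $s['locked_until'] = $this->lockSeconds === 0 ? PHP_INT_MAX : $now + $this->lockSeconds;
            $this->state[$key] = $s;
            return false;
        }
        $this->state[$key] = $s;
        return true;
    }

    /** Call after a successful login so a legitimate user's own typos do not accumulate. */
    public function reset(string $key): void
    {
        unset($this->state[$key]);
    }
}

// Count per address and per account; usernames are case-folded so "Sage" and "sage" share a bucket.
function loginKeys(string $ip, string $username): array
{
    return ['ip:' . $ip, 'user:' . mb_strtolower($username, 'UTF-8')];
}

// Usage with a constructed attempt sequence.
// Logins: 5 attempts per 15 minutes, then a 30-minute lock.
// Posts: 3 per 60 seconds per session, indefinite lock (a moderator clears it, as the post describes).
$login = new Throttle(maxAttempts: 5, windowSeconds: 900, lockSeconds: 1800);
$posts = new Throttle(maxAttempts: 3, windowSeconds: 60, lockSeconds: 0);

$t = 1_700_000_000;                                            // constructed clock
for ($i = 1; $i <= 7; $i++) {
    $ok = true;
    foreach (loginKeys('203.0.113.9', 'Sage') as $k) {
        $ok = $login->allow($k, $t + $i) && $ok;               // evaluate every key, so each is counted
    }
    printf("login attempt %d: %s\n", $i, $ok ? 'check password' : 'locked out');
}
for ($i = 1; $i <= 5; $i++) {
    printf("post %d: %s\n", $i, $posts->allow('session:abc123', $t + $i) ? 'accepted' : 'flood lock');
}
```

Run the password check only when allow() returns true, and return the same generic "invalid credentials" message whether the account is locked, missing, or the password is wrong, so the lockout does not become an account-enumeration oracle.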
#19
04-09-2012, 05:07 AM
HallofFamer
Tazmanian
Join Date: Sep 2010
Admin Experience: Advanced
Location: Ithaca
Posts: 1,060
I actually use sha512, but it is a matter of preference. The software I am designing originally used md5 without salt, but now it uses a combination of sha512, salt and pepper (hard-coded). If you actually do a little bit of research, a highly skilled hacker can hack everything, with or without password protection. You can't expect to protect your site against those government site hackers by salting your password with md5 or sha1. The assumption we make here is that you will only have to deal with average hackers or even non-hackers breaking into your site by accident, and this is where salting with md5 will help. If you somehow make a legendary hacker angry, just pray on your knees.
__________________
In a perfect script, everything is an object.
#20
04-09-2012, 06:05 AM
echo_off
Life is an illusion...
Real Name: Caelan Stewart
Join Date: Mar 2011
Admin Experience: Intermediate
Location: Folkestone, UK
Age: 16
Posts: 1,170
I use, like Rafio said, a session system that randomly generates a code for each user's session. It is refreshed every time they log back in again, or if their session expires.

I commonly use mysql_real_escape_string and various other ones like stripslashes. I am actually doing a security revamp on my EchoBB code, rechecking every single function that handles user input.

When a user registers, it salts their password and md5's it; is that enough?
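Several posts in this thread (#2, #3, #4, #5, #18, #19 and the closing question in #20) weigh md5, sha1, sha512 and salting against each other. The property that matters for stored passwords is not which of these digests is used but how many guesses per second an attacker with the table dump can make: a single GPU tries billions of MD5 or SHA-1 candidates per second, salt or no salt, which is why the hash databases Guerrera mentions exist. The following is an added PHP example, not code from the thread or from any poster's software, using the password_hash()/password_verify() API that PHP added in 5.5 (after this thread was written). It hashes with bcrypt, which is deliberately slow and salts for you, applies an optional pepper the way HallofFamer describes but via HMAC rather than concatenation, and upgrades a legacy "md5(salt . password)" row transparently the next time its owner logs in. The legacy column layout, the cost value and the environment variable holding the pepper are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not from the thread. Requires PHP 5.5+ for password_hash(); 7.1+ for the syntax used.

// Optional pepper: a secret kept outside the database (env var or config file), so a dump of
// the users table alone is not enough to start cracking. HMAC keeps the input to bcrypt at
// 64 hex characters, under bcrypt's 72-byte limit, whatever length the password has.
function pepper(string $password): string
{
    $pepper = getenv('PASSWORD_PEPPER') ?: '';   // assumed deployment secret; empty means no pepper
    return $pepper === '' ? $password : hash_hmac('sha256', $password, $pepper);
}

const BCRYPT_COST = 12;   // each guess costs tens of milliseconds on a 2020s CPU; raise over time

function hashPassword(string $password): string
{
    // bcrypt: salt generated by PHP and embedded in the result string; PASSWORD_ARGON2ID
    // is the better choice where the PHP build supports it.
    return password_hash(pepper($password), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Legacy scheme discussed in the thread: md5(salt . password) stored beside a per-user salt.
function legacyVerify(string $password, string $salt, string $storedHex): bool
{
    return hash_equals($storedHex, md5($salt . $password));
}

/**
 * Returns [authenticated, newHashToStore|null]. When the second element is non-null the
 * caller writes it to the user's row (and clears the legacy columns), so old rows upgrade
 * one by one as their owners log in, without ever knowing the plaintext in bulk.
 * $row is the user's record: ['password_hash' => ?string, 'legacy_md5' => ?string, 'legacy_salt' => ?string].
 */
function verifyAndUpgrade(string $password, array $row): array
{
    if (!empty($row['password_hash'])) {
        if (!password_verify(pepper($password), $row['password_hash'])) {
            return [false, null];
        }
        // Cost raised or algorithm changed since this hash was produced? Re-hash while we have the plaintext.
        $needs = password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return [true, $needs ? hashPassword($password) : null];
    }
    if (!empty($row['legacy_md5'])
        && legacyVerify($password, (string) ($row['legacy_salt'] ?? ''), $row['legacy_md5'])) {
        return [true, hashPassword($password)];   // first successful login after the change: upgrade
    }
    return [false, null];
}

// Usage with constructed rows: a legacy user logs in and is migrated; the migrated row then
// verifies without producing a new hash; a wrong password fails on both.
$legacyRow = ['password_hash' => null, 'legacy_salt' => 'x9Qp', 'legacy_md5' => md5('x9Qp' . 'correct horse')];
[$ok, $newHash] = verifyAndUpgrade('correct horse', $legacyRow);
var_dump($ok, $newHash !== null);

$modernRow = ['password_hash' => $newHash];
[$ok, $again] = verifyAndUpgrade('correct horse', $modernRow);
var_dump($ok, $again);

[$ok, $unused] = verifyAndUpgrade('wrong', $modernRow);
var_dump($ok);
```

Keep the pepper out of the code repository as well as the database (HallofFamer's "hard-coded" pepper protects against a database dump but not against a source leak), and remember that a pepper can never be rotated without re-hashing every user on their next login, which is exactly what the upgrade path above gives you.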
All times are GMT -4. The time now is 06:25 AM.


Powered by: vBulletin
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
The Admin Zone copyright 2003-2014 All Rights Reserved. Content published on The Admin Zone requires permission for reprint.