Security Measures? {PHP}

Discussion in 'Programming' started by The7thSage, Dec 14, 2011.

  1. The7thSage

    The7thSage Adherent

    What are some security measures that you take while coding? Especially in PHP.

    For mine, I do the following, yet for some reason I feel it's not enough.

    • mysql_real_escape_string()
    • htmlspecialchars()
    • Predefined set of tags.
    • Check the number of queries executed per operation.
    • Validation of data types.
    • And md5+salt for sensitive data.

    I'd like to know what other things can be done for protection.
     
  2. xenLiam

    xenLiam Adherent

    Use sha1 instead of md5. I don't know, but I use sha1, since I heard some things about it on the net. Not sure if it really adds to security, but you never know.
     
  3. gabs777

    gabs777 Neophyte

    In my experience of better coding, I use these things in my daily routine.

    Database injection prevention: mysql_real_escape_string();
    I make a function that reverses get_magic_quotes_gpc() and runs the input through mysql_real_escape_string() instead.

    For passwords I use SHA-256 encoding, 64 characters in length.
    hash('sha256', $password); You can salt it or re-hash the value to make it more secure.

    Data validation: never trust user input; make a validation class and validate every time.
     
  4. Judge Dredd

    Judge Dredd Bayerische Motoren Werke

    I use md5. It's fine.

    I also use prepared statements when I feel like it, but for small projects, I don't.
     
  5. taipress

    taipress Aspirant

    SHA-1 does indeed add security; even though it's old and not that great, it's A LOT better than MD5. I recommend the SHA-2 family (SHA-256 etc.) if you really want security, though it'll take more resources/be slower too, so it's a trade-off.
     
  6. rafalp

    rafalp Desu Ex

    Add the following:

    • Session-specific keys in forms and some URLs to protect against CSRF.
    • A custom gateway for accessing user-uploaded content, e.g. "uploads.php?pic=12312" instead of "/uploads/someimage.gif".
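    As an added example (not code from the thread or from any poster), here is one way to implement the session-specific form key rafalp describes, with the token rotated at login as echo_off mentions later. The hidden field name "csrf_token" and the use of $_SESSION as the store are assumptions.

```php
<?php
// Added example, not from the thread: session-bound CSRF tokens for forms.
// Assumes the form posts the token back in a field named "csrf_token".
session_start();

function csrf_token(): string
{
    // One random token per session; reusing it keeps several open tabs working.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_field(): string
{
    // Hidden input to embed in every state-changing form.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(array $post): bool
{
    // hash_equals() compares in constant time so the token cannot be
    // recovered byte by byte through a timing side channel.
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return is_string($post['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

function csrf_rotate(): void
{
    // Call after a successful login: new session id, new token.
    session_regenerate_id(true);
    unset($_SESSION['csrf_token']);
}

// In a POST handler: refuse the request before doing any work with it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST)) {
    http_response_code(403);
    exit('Invalid or missing CSRF token.');
}
```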
     
  7. SkepticGuy

    SkepticGuy CEO, The Above Network

    Don't just cleanse incoming data for dynamic queries, test it.

    For example, if a variable will never be more than 5 characters, check its length and "exit;" if it's more than 5.

    Or if a variable will always be numeric, do the same if a string is detected.

    If _GET or _POST data contains typical injection strings, do the same.

    This way, your code stops even before the cleansed data is used for a query.

    And always make sure the mysql "user" your web application uses for queries never has rights beyond select, insert, or update.
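    As an added example (not code from the thread), the "test it, don't just cleanse it" approach above combined with the prepared statements Judge Dredd mentions: invalid input ends the request before any query runs, and placeholders keep data out of the SQL text. The table and column names and the "app_rw" account are hypothetical.

```php
<?php
// Added example, not from the thread: strict allow-list validation followed
// by a prepared statement. Table "users" and its columns are hypothetical.

function require_int(string $name, array $input, int $min, int $max): int
{
    // Numeric fields: anything that is not an integer in range ends the request.
    $value = filter_var($input[$name] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($value === false) {
        http_response_code(400);
        exit("Invalid value for $name");
    }
    return $value;
}

function require_str(string $name, array $input, int $maxLen, string $pattern): string
{
    // String fields: enforce a maximum length and an explicit allowed alphabet.
    // Use \z rather than $ in $pattern so a trailing newline is not accepted.
    $value = $input[$name] ?? null;
    if (!is_string($value) || strlen($value) > $maxLen || !preg_match($pattern, $value)) {
        http_response_code(400);
        exit("Invalid value for $name");
    }
    return $value;
}

// The account used here should hold only SELECT/INSERT/UPDATE on the
// application's tables, as the post above recommends (least privilege).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_rw', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);

$id      = require_int('id', $_GET, 1, PHP_INT_MAX);
$country = require_str('country', $_GET, 2, '/^[A-Z]{2}\z/');   // e.g. "DE"

// Placeholders keep SQL and data separate; no escaping function is involved.
$stmt = $pdo->prepare('SELECT id, username FROM users WHERE id = :id AND country = :country');
$stmt->execute([':id' => $id, ':country' => $country]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);
```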
     
  8. taipress

    taipress Aspirant

    I think you really should get a book on Amazon on PHP security; there are too many little things to mention. And while one can't have 100% security, doing everything you can will definitely help.
     
  9. Judge Dredd

    Judge Dredd Bayerische Motoren Werke

    Oh, and mind you, it's not just your code that matters. Your server configuration and other variables come into play as well!
     
  10. xenLiam

    xenLiam Adherent

    I use this for handling post data.

    Code:
    foreach ($_POST as $key => $postdata) {
      // Create a variable named after the POST key, e.g. $_POST['user'] becomes $user
      $$key = trim(stripslashes($postdata));
    }
    Then just call it as a variable. Like if you have $_POST["user"] then just use $user -- it's cleaned out and trimmed. Although it may cause conflicts with existing variable handles.
     
  11. rafalp

    rafalp Desu Ex

    That's a bad way to do this because you are stripping yourself of a single container for post variables.

    Oh, this reminds me, it's a good idea to strip the \0 character from user input and normalise new lines to just \n, like phpBB3 does.
     
  12. xenLiam

    xenLiam Adherent

    What do you mean by "stripping yourself of a single container for post variables"?
     
  13. rafalp

    rafalp Desu Ex

    If you filtered the content of $_POST, you would still be able to access all input via $_POST. On the other side, your code turns post keys into separate variables, which is a violation of the KISS principle... which is going to turn into a massive pain once you try to develop a forms framework or session timeout recovery.
     
  14. xenLiam

    xenLiam Adherent

    Ah, I see. But for basic stuff the code works.
     
  15. rafalp

    rafalp Desu Ex

    Even for basic stuff, this code is incorrect. And depending on code structure and variable scopes, it may be a custom implementation of the "register globals" security flaw from PHP 3...
     
  16. xenLiam

    xenLiam Adherent

    Well, I'm not the best coder. Gonna take that into practice. Thanks, Rafio.
     
  17. rafalp

    rafalp Desu Ex

    Something else I forgot, but which may allow users to bypass "badname" filters: normalisation of monoglyphs.
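    As an added example (not code from the thread), this covers rafalp's three points together: filter $_POST and $_GET in place so they stay the single container (no $$key variables), strip \0 and normalise line endings, and apply Unicode normalisation before a name filter. The use of the intl extension's Normalizer is an assumption; its NFKC form folds compatibility variants such as fullwidth letters but not cross-script lookalikes, so a badname filter still needs its own confusables handling.

```php
<?php
// Added example, not from the thread: normalise request input in place.

function normalise_scalar(string $value): string
{
    $value = str_replace("\0", '', $value);              // drop NUL bytes
    $value = str_replace(["\r\n", "\r"], "\n", $value);  // CRLF / CR -> LF
    return trim($value);
}

function normalise_input(array $input): array
{
    // Recurse so array fields such as tags[] are handled too; non-string
    // values keep their structure.
    $clean = [];
    foreach ($input as $key => $value) {
        $clean[$key] = is_array($value)
            ? normalise_input($value)
            : (is_string($value) ? normalise_scalar($value) : $value);
    }
    return $clean;
}

function normalise_for_name_filter(string $name): string
{
    // NFKC (intl extension assumed) maps compatibility characters, e.g.
    // fullwidth "Ａ" to "A", so a filter sees one spelling. It does NOT map
    // Cyrillic "а" to Latin "a"; handle such confusables separately.
    if (class_exists('Normalizer') && mb_check_encoding($name, 'UTF-8')) {
        $folded = Normalizer::normalize($name, Normalizer::FORM_KC);
        if ($folded !== false) {
            $name = $folded;
        }
    }
    return mb_strtolower($name, 'UTF-8');
}

$_POST = normalise_input($_POST);
$_GET  = normalise_input($_GET);

// Access stays explicit: $_POST['user'], never an implicit $user.
$requested = normalise_for_name_filter($_POST['user'] ?? '');
```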
     
  18. Guerrera

    Guerrera Participant

    MD5 and SHA1 hash databases are readily available online, so to be frank, it doesn't much matter which you use to encode your passwords with - if a SHA1 leaks, it can be easily cracked.

    What matters is how secure your members table is and how little room for SQL injection / query modification you have.

    I validate each and every form input and check against relevant datatypes and datalengths, then I run an escape sequence to check that strings are ready for database input.

    There's also a slurry of custom security I use to control in-site preferences, such as:

    • Session lockouts on post flooding
    • Temporary GeoIP bans for cities / countries in the event of extremely pervasive spammers
    • Cross-referencing hostname to IP and HTTP headers to detect proxies (which I try to block whenever possible)
    • Detection of persistent datastreams / brute force attempts on login / upload forms, which will lock a user out indefinitely.

    Basically, everything has to be checked and double checked.
     
  19. HallofFamer

    HallofFamer Habitué

    I actually use sha512, but it is a matter of preference. The software I am designing originally used md5 without salt, but now it uses a combination of sha512, salt and pepper (hard-coded). If you actually do a little bit of research, a highly skilled hacker can hack everything, with or without password protection. You can't expect to protect your site against those government site hackers by salting your password with md5 or sha1. The assumption we make here is that you will only have to deal with average hackers or even non-hackers breaking into your site by accident, and this is where salting with md5 will help. If you somehow make a legendary hacker angry, just pray on your knees.
     
  20. echo_off

    echo_off Life is an illusion...

    I use, like rafio said, a session system that randomly generates a code for each user's session. It is refreshed every time they log back in again, or if their session expires.

    I commonly use mysql_real_escape_string and various other ones like stripslashes. I am actually doing a security revamp on my EchoBB code, rechecking every single function that handles user input.

    When a user registers, it salts their password and md5's it; is that enough?
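    As an added example (not code from the thread), here is how the salted-md5 scheme several posts describe can be replaced by password_hash(), which salts automatically and is deliberately slow, with existing rows upgraded transparently the next time the user logs in. The users table and its columns password_hash, legacy_salt and legacy_md5 are hypothetical.

```php
<?php
// Added example, not from the thread: slow, salted password hashing with
// transparent upgrade of legacy md5(salt . password) rows at login.
// Table "users" with columns id, password_hash, legacy_salt, legacy_md5 is hypothetical.

const BCRYPT_OPTS = ['cost' => 12];

function hash_password(string $password): string
{
    // bcrypt embeds its own random salt and cost in the returned string,
    // so no separate salt column is needed.
    return password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
}

function store_hash(PDO $pdo, int $id, string $hash): void
{
    $stmt = $pdo->prepare(
        'UPDATE users SET password_hash = :h, legacy_md5 = NULL, legacy_salt = NULL WHERE id = :id'
    );
    $stmt->execute([':h' => $hash, ':id' => $id]);
}

function verify_and_upgrade(PDO $pdo, array $user, string $password): bool
{
    if (!empty($user['password_hash'])) {
        if (!password_verify($password, $user['password_hash'])) {
            return false;
        }
        // Re-hash if the cost factor has been raised since this row was written.
        if (password_needs_rehash($user['password_hash'], PASSWORD_BCRYPT, BCRYPT_OPTS)) {
            store_hash($pdo, (int) $user['id'], hash_password($password));
        }
        return true;
    }

    // Legacy row: md5(salt . password), fast to crack if the table leaks.
    if (empty($user['legacy_md5']) || !isset($user['legacy_salt'])) {
        return false;
    }
    $legacy = md5($user['legacy_salt'] . $password);
    if (!hash_equals($user['legacy_md5'], $legacy)) {
        return false;
    }
    // Password is correct: replace the fast hash with a slow one now.
    store_hash($pdo, (int) $user['id'], hash_password($password));
    return true;
}
```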
     