
Best Practices - PHP Security



JohnDubya
04-04-2007, 08:12 PM
So I want to know some good, simple ways to protect my sites and the users of my sites. I have learned to use mysql_real_escape_string when putting anything into the database. With my username/passwords, I use sha1() hashes to store the passwords. Etc. etc. But I'm wondering if there are common security things that should always be done on a site that interacts with users. When I log my users in, I store the username and user_id in $_SESSION variables. Is that safe? I've heard about checking the session id as well. Is that completely necessary?

Please address concerns like these. Ready...set...GO! :D

iLLin
04-04-2007, 08:40 PM
I keep register globals off and use all superglobals such as $_POST, $_GET, $_REQUEST.

Also when I do user authentication, I save their session info to the database in the user table for their id. I save their username and id in the session but not the password. Then every page requiring auth, I bump the id, username and session id to the table.

Some apps I have created I also bump the IP address in the table too for more security. I also bump the browser/build as well. But the IP always sux due to proxies/AOL and what not.

JohnDubya
04-04-2007, 08:42 PM
Also when I do user authentication, I save their session info to the database in the user table for their id. I save their username and id in the session but not the password. Then every page requiring auth, I bump the id, username and session id to the table.



How exactly do you save the session info in the DB? Do you have a column specifically for this info, or what?

iLLin
04-04-2007, 08:48 PM
Yes, when the session is started I verify user/pass then update with IP (some apps) and session_id, both have their own columns in the db.

username, password, session, ip ...etc

Then I bump it all up every page; if the IP changes, $this->error = "IP has changed, session has been destroyed, please relogin"... or w/e. If the session has expired (timed out), $this->error = "Session has expired, please relogin"; return false....

You get the idea :D

But that's just the user auth I do. What do other people do, and what about form injections? I escape all my strings too, but what other things should we be conscious of?

aedrin
04-04-2007, 08:55 PM
I have learned to use mysql_real_escape_string when putting anything into the database.


What do other people do, and what about form injections? I escape all my strings too, but what other things should we be conscious of?

Prepared statements will prevent a lot (if not all) SQL injections.


Then I bump it all up every page

Not for security, but I generally avoid as much DB interaction as I can. Especially writing. If you update the session ID every time a page loads, your DB is constantly updating records and could reduce stability. I'd store the initial IP that started the session in $_SESSION, and then compare on each request with the current remote address. Then if it is different do your usual thing.
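
The prepared-statement point above, as an added PHP example that is not code from the thread: the concatenated query beside the same lookup done with PDO. The table and column names (users, username) and the SQLite demo database are assumptions.

```php
<?php
// Added example, not code from the thread: the concatenated query the thread
// is worried about next to the same lookup as a PDO prepared statement.
// Table and column names (users, username) are assumed.

// Vulnerable: the value is spliced into the SQL text, so any quote in it
// changes the structure of the statement the server parses.
function findUserUnsafe(PDO $db, string $username): ?array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Safe: prepare() fixes the SQL text first; the value is bound afterwards and
// is only ever treated as data. There is no escaping call to forget.
function findUserSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demo on an in-memory SQLite database with two constructed rows. With MySQL,
// also set PDO::ATTR_EMULATE_PREPARES to false so the server does the binding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO users (username) VALUES ('alice'), ('O''Dell')");

// A legitimate name containing a quote: the prepared version finds the row,
// the concatenated version hands the database a broken statement.
var_dump(findUserSafe($db, "O'Dell"));    // array with id and username
try {
    findUserUnsafe($db, "O'Dell");
} catch (PDOException $e) {
    echo 'unsafe query failed: ', $e->getMessage(), "\n";
}
```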

iLLin
04-04-2007, 09:04 PM
Not for security, but I generally avoid as much DB interaction as I can. Especially writing. If you update the session ID every time a page loads, your DB is constantly updating records and could reduce stability. I'd store the initial IP that started the session in $_SESSION, and then compare on each request with the current remote address. Then if it is different do your usual thing.

Yeah, that's what I meant by bumping it. I don't update. Only on initial login. Then I just bump the info to the info at present and make sure it's the same; if not, I error out. I guess I wasn't clear enough :confused:

JohnDubya
04-04-2007, 09:07 PM
But what's the harm in using sessions? Aren't sessions easier to work with than doing queries to check the information constantly? Anyone have a link or post that really helps to understand how to check session IDs?

iLLin
04-04-2007, 09:43 PM
That's what I'm using: sessions. It all depends on your flavor, I guess. Some apps I have, the only thing I store in the session is the user_id. Then basically when I verify that id, I select * by that ID in my class and put all their info in a class variable. Then I can access all their information by that variable anytime I want.

Other apps, I cache the user's information and just pull the cache file. That app is constantly requiring account info for comments, forum posts, blogs... etc., so instead of cramming my queries with all these joins, I use caching.

But that's getting away from the topic at hand about good security practices :)

aedrin
04-04-2007, 10:33 PM
I guess I wasn't clear enough

I misunderstood the bumping. I thought you meant updating the table.


But what's the harm in using sessions? Aren't sessions easier to work with than doing queries to check the information constantly?

Sessions are fine to use. You just have to remember - and check for - that someone could in theory steal someone's session. Which is why you'd check the IP. Since in most cases the IP won't change during a session.
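
The session scheme the posts above describe (regenerate the ID at login, keep the login IP and browser fingerprint in $_SESSION, compare on every request, time out idle sessions), as an added PHP example that is not code from the thread. The function names, the 30-minute idle limit and the /login.php redirect are my assumptions.

```php
<?php
// Added example, not code from the thread; function names are assumptions.

// Cookie-only, HttpOnly, strict-mode session IDs blunt the cookie theft
// discussed above: the ID is never in a URL and page JavaScript cannot read it.
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');   // reject IDs the server never issued
session_start();

// Call right after the password has been verified.
function loginSession(int $userId, string $username): void
{
    // A fresh ID at login defeats session fixation (an ID planted beforehand).
    session_regenerate_id(true);
    $_SESSION['user_id']   = $userId;
    $_SESSION['username']  = $username;
    $_SESSION['login_ip']  = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['ua_hash']   = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_seen'] = time();
}

// Call at the top of every page requiring auth; null means the session is OK.
function checkSession(int $idleLimit = 1800): ?string
{
    if (empty($_SESSION['user_id'])) {
        return 'Please log in';
    }
    if (time() - ($_SESSION['last_seen'] ?? 0) > $idleLimit) {
        return 'Session has expired, please relogin';
    }
    // As iLLin notes, this also logs out users whose proxy rotates addresses.
    if (($_SERVER['REMOTE_ADDR'] ?? '') !== ($_SESSION['login_ip'] ?? null)) {
        return 'IP has changed, session has been destroyed, please relogin';
    }
    $ua = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'] ?? '', $ua)) {
        return 'Browser has changed, please relogin';
    }
    $_SESSION['last_seen'] = time();
    return null;
}

if (($reason = checkSession()) !== null) {
    $_SESSION = [];
    session_destroy();
    header('Location: /login.php?msg=' . urlencode($reason));
    exit;
}
```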

ole90
04-04-2007, 11:36 PM
How can someone steal someone's session?

JohnDubya
04-04-2007, 11:37 PM
Are you trying to become a l33t h@x0r, or are you just wondering? lol :D

aedrin
04-04-2007, 11:38 PM
If I manage to get a hold of your cookie (or Session ID parameter if you don't use cookies), I can set them on my machine and the website will appear as though I'm you.

ole90
04-04-2007, 11:55 PM
Yeah, so it is like using a CG, but instead you take the user's session id... hmm. I didn't really know CGs or session stealers could be prevented, only that you can prevent people from posting them into your site.

iLLin
04-05-2007, 05:07 PM
So as long as all the strings from my forms are escaped, then the code should be pretty secure? Are there other methods to employ? Or other parts of websites that can cause them to be insecure?

JohnDubya
04-05-2007, 06:11 PM
Yes, escaping strings makes your forms 99% secure. Of course, I'm sure there are always ways around stuff like this, but it would only be by really experienced hackers (and the chances of having one of them visit your site are next to none).

Yes, there are also other methods to use. One method I've started using is building functions that check different types of input. I use the built-in ctype_ functions to do this. For instance, if the user enters a username and password, I use ctype_alnum to make sure that the input is only alphanumeric characters; otherwise, it gives an error and doesn't proceed through the rest of the code. Also, for, let's say, how many days someone stayed somewhere, I would check the input with ctype_digit, so the input is only numbers. Then for a dollar amount, I would check it with is_numeric (to allow the user to input a period as well). That is also just as safe as escaping because nothing else can go in the string except what is allowed through those ctype_ and is_numeric functions.

CFMaBiSmAd
04-05-2007, 06:18 PM
In addition to escaping data that is supposed to have special characters (such as a name - O'Dell - or text in an article - I'll spell check this when I'm "darn" ready!) so that they can be inserted into the database as literal characters, escaping data that is put into a query helps to prevent SQL injection, where quotes (and any of the other special characters) can be used to add other terms to the query to bypass things like checking passwords (per the example in the PHP manual under mysql_real_escape_string()).

Also, if the content that is placed in the database later becomes content on a web page or it is placed into an eval() function, such as template code, then HTML tags, JavaScript, and server-side script elements would be a dangerous thing to allow.
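
The ctype_/is_numeric validation JohnDubya describes two posts up and the output concern raised here, as one added PHP example that is not code from the thread. The helper names, the length limits and the constructed form values are my assumptions.

```php
<?php
// Added example, not code from the thread; helper names and limits are assumed.

// ctype_* functions expect a string; an int argument is treated as an ASCII
// code (deprecated since PHP 8.1), so pass the raw form value unconverted.
function validUsername(string $s): bool
{
    // Alphanumeric only, plus a length cap so an oversized value fails early.
    return ctype_alnum($s) && strlen($s) >= 3 && strlen($s) <= 32;
}

function validDays(string $s): bool
{
    // ctype_digit('') is false, so empty input is rejected as well.
    return ctype_digit($s) && (int)$s <= 3650;
}

function validDollars(string $s): bool
{
    // is_numeric also accepts "1e3", " 5" and "-0.5"; the pattern narrows it
    // to what a price field should actually contain.
    return is_numeric($s) && preg_match('/^\d{1,7}(\.\d{1,2})?$/', $s) === 1;
}

// Validation on the way in does not replace escaping on the way out: anything
// echoed into HTML goes through htmlspecialchars, so stored text such as
// <script> renders as literal characters instead of running.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed form input for the demo.
$form = [
    'username' => 'jdub2007',
    'days'     => '14',
    'amount'   => '19.99',
    'comment'  => "I'll check this when I'm \"darn\" ready! <b>bold</b>",
];

var_dump(validUsername($form['username']));  // true
var_dump(validDays($form['days']));          // true
var_dump(validDollars($form['amount']));     // true
var_dump(validDollars('1e3'));               // false; is_numeric alone says true
echo h($form['comment']), "\n";              // tags and quotes come out as entities
```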

aedrin
04-05-2007, 06:36 PM
or it is placed into an eval() function

Not using eval() is a security best practice too.

ScottInTexas
05-19-2007, 04:24 PM
Yes, escaping strings makes your forms 99% secure.

What do you mean by escaping strings?

CFMaBiSmAd
05-19-2007, 05:29 PM
http://www.php.net/magic_quotes
http://www.php.net/manual/en/function.mysql-real-escape-string.php
http://www.php.net/manual/en/function.addslashes.php


