
Thread: php security

  1. #1
    Regular Coder
    Join Date
    Jun 2010
    Location
    Earth
    Posts
    305
    Thanks
    27
    Thanked 2 Times in 2 Posts

    php security

    I am trying to learn security for PHP and right now I am just working on input from forms and outputting that data.

    I was going to use mysql_escape stuff but in my research it looks like bound parameters may be better? Is that correct?

    I've been reading a lot of sites on this and they are pretty confusing so I want to make sure I am heading in the right direction.

  • #2
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    If you have it, use mysqli or pdo and use bound parameters without any additional escaping (including magic_quotes so strip them off). The structure of the query is pre-compiled so you cannot introduce an injection into a prepared statement.

  • Users who have thanked Fou-Lu for this post:

    harkly (04-25-2012)

  • #3
    Master Coder felgall's Avatar
    Join Date
    Sep 2005
    Location
    Sydney, Australia
    Posts
    6,640
    Thanks
    0
    Thanked 649 Times in 639 Posts
    The best way to secure data is to validate it. When you first read in the data you should check that the information in the field makes sense for what the field should contain. If it is supposed to be a number then test with is_numeric(), if it is supposed to be an email address then use the email validation filter - http://au.php.net/manual/en/filter.filters.validate.php - and if there is no function or filter available to validate the field for what it is allowed to contain then write your own validation routine (probably using regular expressions).

    Doing that will mean that you will not be processing garbage regardless of how harmless the garbage might be.

    If your data is always validated then the only remaining risk is where the data can validly contain something that looks like code. That's where escaping comes in. While it is possible to keep the data completely separate from the code for SQL queries by using prepare/bind with mysqli or PDO and therefore make it impossible for the data and code to be confused, the same is NOT possible if you are outputting data in HTML. The only option in those situations is to escape the data immediately before outputting it - for HTML use htmlspecialchars() to convert the values in the data that can be confused with HTML tags into their HTML entity codes.

    When you read data back in from the database you should sanitize it (similar to validation but doesn't produce error messages, just strips out anything invalid) just in case someone has tampered with the stored data so that it is no longer valid (e.g. you might have made a typo when manually updating the database).

    A good book on PHP security is "Essential PHP Security", an O'Reilly book written by Chris Shiflett - http://shop.oreilly.com/product/9780596006563.do
    Stephen
    Learn Modern JavaScript - http://javascriptexample.net/
    Helping others to solve their computer problem at http://www.felgall.com/

    Don't forget to start your JavaScript code with "use strict"; which makes it easier to find errors in your code.

  • Users who have thanked felgall for this post:

    harkly (04-25-2012)

  • #4
    Regular Coder
    Join Date
    Jun 2010
    Location
    Earth
    Posts
    305
    Thanks
    27
    Thanked 2 Times in 2 Posts
    Thanks for the info! I have already ordered the book and wanted to get started while I was waiting for it.

    So in a nutshell what I need to do is

    1. Validate or sanitize any data received before sending to the DB
    2. Use prepared or bound statements to insert/update and query
    3. Then sanitize all DB data that is to be displayed on the web page by using htmlspecialchars()

    I may have oversimplified it but things work out easier for me if I start with the extreme basics and build up

    felgall - I will be using your site for reference - thanks!

  • #5
    God Emperor Fou-Lu's Avatar
    Join Date
    Sep 2002
    Location
    Saskatoon, Saskatchewan
    Posts
    16,987
    Thanks
    4
    Thanked 2,660 Times in 2,629 Posts
    1. Correct.
    2. Correct.
    3. Maybe. Depends if the data is supposed to be text or HTML. Escape it if it's text like on a forum here, leave it intact if it's a template.

    Don't forget to stripslashes if you have magic_quotes_gpc on. This is vital if you bind, otherwise it will show with the escapes.
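The three steps worked out in posts #3 to #5 (validate the input, bind it into a prepared statement, escape it for HTML at output time, and strip magic_quotes_gpc slashes before binding), as an added example that is not code from the thread. It assumes a PDO/MySQL connection and a hypothetical table users(id, email, age); the DSN and credentials are placeholders.

```php
<?php
// Added example (not the thread's code): validate, bind, escape on output.
// Assumes a PDO/MySQL connection and a table users(id, email, age); the DSN
// and credentials below are placeholders.

// Post #5's point: undo magic_quotes_gpc escaping before binding, otherwise the
// backslashes are stored. No-op on PHP >= 5.4, where magic quotes were removed.
function rawInput($value)
{
    return (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
        ? stripslashes($value) : $value;
}

// Step 1: validate. Reject anything that does not make sense for the field.
function validateUser(array $post)
{
    $email = filter_var(rawInput($post['email'] ?? ''), FILTER_VALIDATE_EMAIL);
    $age   = filter_var(rawInput($post['age'] ?? ''), FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 0, 'max_range' => 150]]);
    if ($email === false || $age === false) {
        throw new InvalidArgumentException('invalid email or age');
    }
    return ['email' => $email, 'age' => $age];
}

// Step 2: bound parameters. The SQL text is fixed before any value is attached,
// so a value can never change the structure of the query.
function insertUser(PDO $db, array $user)
{
    $stmt = $db->prepare('INSERT INTO users (email, age) VALUES (:email, :age)');
    $stmt->bindValue(':email', $user['email'], PDO::PARAM_STR);
    $stmt->bindValue(':age', $user['age'], PDO::PARAM_INT);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

// Step 3: escape for the output context (HTML text) at output time, not before storage.
function renderUser(array $row)
{
    return '<li>' . htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8')
         . ' (' . htmlspecialchars((string) $row['age'], ENT_QUOTES, 'UTF-8') . ')</li>';
}

$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
$id = insertUser($db, validateUser($_POST));
$stmt = $db->prepare('SELECT email, age FROM users WHERE id = ?');
$stmt->execute([$id]);
echo renderUser($stmt->fetch(PDO::FETCH_ASSOC));
```

Disabling emulated prepares makes PDO send the query text and the values to MySQL separately, which is the "pre-compiled structure" Fou-Lu describes.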

