So I want to know some good, simple ways to protect my sites and the users of my sites. I have learned to use mysql_real_escape_string when putting anything into the database. With my username/passwords, I use sha1() hashes to store the passwords. Etc. etc. But I'm wondering if there are common security things that should always be done on a site that interacts with users. When I log my users in, I store the username and user_id in $_SESSION variables. Is that safe? I've heard about checking the session id as well. Is that completely necessary?
Please address concerns like these. Ready...set...GO!
I keep register globals off and use all superglobals such as $_POST, $_GET, $_REQUEST.
Also when I do user authentication, I save their session info to the database in the user table under their id. I save their username and id in the session, but not the password. Then on every page requiring auth, I bump the id, username and session id against the table.
In some apps I have created I also bump the IP address in the table for more security, and the browser/build as well. But the IP always sucks due to proxies/AOL and whatnot.
Quote:
Also when I do user authentication, I save their session info to the database in the user table under their id. I save their username and id in the session, but not the password. Then on every page requiring auth, I bump the id, username and session id against the table.
How exactly do you save the session info in the DB? Do you have a column specifically for this info, or what?
Yes, when the session is started I verify user/pass, then update with the IP (in some apps) and session_id; both have their own columns in the DB.
username, password, session, ip ...etc
Then I bump it all up every page; if the IP changes, $this->error = "IP has changed, session has been destroyed, please re-login"... or whatever. If the session has expired (timed out), $this->error = "Session has expired, please re-login"; return false....
You get the idea
But that's just the user auth I do. What do other people do, and what about form injections? I escape all my strings too, but what other things should we be conscious of?
Quote:
I have learned to use mysql_real_escape_string when putting anything into the database.
Quote:
What do other people do, and what about form injections? I escape all my strings too, but what other things should we be conscious of?
Prepared statements will prevent a lot (if not all) SQL injections.
Quote:
Then I bump it all up every page
Not for security, but I generally avoid as much DB interaction as I can. Especially writing. If you update the session ID every time a page loads, your DB is constantly updating records and could reduce stability. I'd store the initial IP that started the session in $_SESSION, and then compare on each request with the current remote address. Then if it is different do your usual thing.
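To make the prepared-statement point concrete, here is an added example (my code, not from anyone in this thread) that puts the string-concatenation query the thread's mysql_real_escape_string habit is meant to protect next to a PDO prepared statement. It uses an in-memory SQLite database and a constructed users table so it runs offline; the function names and the attacker input are this example's own.

```php
<?php
// Added example: concatenated SQL versus a bound parameter.
// Uses sqlite::memory: so there is nothing to install; the table and rows are constructed here.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$db->exec("INSERT INTO users (username, password_hash) VALUES ('alice', 'x'), ('bob', 'y')");

// Vulnerable: the user-supplied value becomes part of the SQL text.
// A quote in the input ends the string literal and the rest is parsed as SQL.
function findUserUnsafe(PDO $db, string $username): array
{
    $sql = "SELECT id, username FROM users WHERE username = '$username'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed when it is prepared; the value travels separately
// as a bound parameter, so nothing in it can change the query's structure.
function findUserSafe(PDO $db, string $username): array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker input: closes the quoted string and appends a tautology.
$attack = "' OR '1'='1";

// The unsafe version's WHERE clause becomes  username = '' OR '1'='1'  and matches every row;
// the safe version looks for a user whose name is literally the attack string and finds none.
echo "unsafe: " . count(findUserUnsafe($db, $attack)) . " rows\n";
echo "safe:   " . count(findUserSafe($db, $attack)) . " rows\n";
```

One thing escaping alone never fixes: it only works where the value sits inside quotes. A query like `WHERE id = $id` with an unquoted number is still injectable no matter how the value was escaped, while a bound parameter is safe in both positions. Run the example with `php example.php` from the command line.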
Quote:
Not for security, but I generally avoid as much DB interaction as I can. Especially writing. If you update the session ID every time a page loads, your DB is constantly updating records and could reduce stability. I'd store the initial IP that started the session in $_SESSION, and then compare on each request with the current remote address. Then if it is different do your usual thing.
Yeah, that's what I meant by bumping it. I don't update, only on initial login. Then I just compare the stored info to the info at present and make sure it's the same; if not, I error out. I guess I wasn't clear enough.
But what's the harm in using sessions? Aren't sessions easier to work with than doing queries to check the information constantly? Anyone have a link or post that really helps to understand how to check session IDs?
That's what I'm using: sessions. It all depends on your flavor, I guess. In some apps I have, the only thing I store in the session is the user_id. Then basically, when I verify that id, I SELECT * by that ID in my class and put all their info in a class variable. Then I can access all their information through that variable any time I want.
In other apps, I cache the user's information and just pull the cache file. That app constantly requires account info for comments, forum posts, blogs, etc., so instead of cramming my queries with all these joins, I use caching.
But that's getting away from the topic at hand, good security practices.
I misunderstood the bumping. I thought you meant updating the table.
Quote:
But what's the harm in using sessions? Aren't sessions easier to work with than doing queries to check the information constantly?
Sessions are fine to use. You just have to remember - and check for - that someone could in theory steal someone's session. Which is why you'd check the IP. Since in most cases the IP won't change during a session.
If I manage to get a hold of your cookie (or Session ID parameter if you don't use cookies), I can set them on my machine and the website will appear as though I'm you.
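The two replies above (store the login IP in $_SESSION and compare it on each request; remember that a stolen cookie lets someone else be you) fit together in one session bootstrap. The following is an added example written for this page, not code from any poster: it regenerates the session id at login so an attacker cannot plant one in advance, records the client IP and User-Agent in $_SESSION, and on every protected page checks both plus an idle timeout before trusting $_SESSION['user_id']. The function names, session keys and the 30-minute timeout are this example's own choices.

```php
<?php
// Added example: session hardening for a cookie-based PHP login.

const IDLE_TIMEOUT = 1800; // assumed value: seconds of inactivity before forcing re-login

function secureSessionStart(): void
{
    // Accept the id only from a cookie (never from the URL) and only ids this server issued.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    // HttpOnly keeps JavaScript (an XSS payload) from reading the cookie; Secure when on HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'samesite' => 'Lax',
        'secure'   => !empty($_SERVER['HTTPS']),
    ]);
    session_start();
}

// Call once, right after the username/password check succeeds.
function loginUser(int $userId, string $username): void
{
    session_regenerate_id(true);           // discard the pre-login id (defeats session fixation)
    $_SESSION['user_id']   = $userId;
    $_SESSION['username']  = $username;    // never the password
    $_SESSION['ip']        = $_SERVER['REMOTE_ADDR'] ?? '';
    $_SESSION['ua']        = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $_SESSION['last_seen'] = time();
}

// Call on every page that requires auth. Returns the user id, or null and sets $error.
function currentUser(?string &$error = null): ?int
{
    if (empty($_SESSION['user_id'])) {
        $error = 'Not logged in';
        return null;
    }
    if ($_SESSION['ip'] !== ($_SERVER['REMOTE_ADDR'] ?? '')) {
        $error = 'IP has changed, session destroyed, please log in again';
        destroySession();
        return null;
    }
    if ($_SESSION['ua'] !== ($_SERVER['HTTP_USER_AGENT'] ?? '')) {
        $error = 'Browser changed, session destroyed, please log in again';
        destroySession();
        return null;
    }
    if (time() - (int) $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        $error = 'Session has expired, please log in again';
        destroySession();
        return null;
    }
    $_SESSION['last_seen'] = time();       // slide the idle window
    return (int) $_SESSION['user_id'];
}

function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        // Expire the cookie in the browser too, not just the server-side file.
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page:
// secureSessionStart();
// $uid = currentUser($err);
// if ($uid === null) { header('Location: /login.php?msg=' . urlencode($err)); exit; }
```

Two caveats worth keeping in mind when copying this pattern. The IP check is exactly the trade-off described earlier in the thread: users behind rotating proxies or on mobile networks get logged out when their address changes, so some sites compare only the network prefix or skip it. The User-Agent is sent by the client, so an attacker who has the cookie can usually send the matching header as well; it is a cheap extra hurdle, not a barrier. The session-id regeneration at login and the HttpOnly/strict-mode settings are the parts that cost nothing and always help.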
Yeah, so it is like using a CG, but instead you take the user's session id... hmm. I didn't really know CGs or session stealers could be prevented, only that you can prevent people from posting them into your site.
So as long as all the strings from my forms are escaped, then the code should be pretty secure? Are there other methods to employ? Or other parts of websites that can cause them to be insecure?
Yes, escaping strings makes your forms 99% secure. Of course, I'm sure there are always ways around stuff like this, but it would only be by really experienced hackers (and the chances of having one of them visit your site are next to none).
Yes, there are also other methods to use. One method I've started using is building functions that check different types of input. I use the built-in ctype_ functions to do this. For instance, if the user enters a username and password, I use ctype_alnum to make sure that the input is only alphanumeric characters; otherwise, it gives an error and doesn't proceed through the rest of the code. Also, for, let's say, how many days someone stayed somewhere, I would check the input with ctype_digit, so the input is only numbers. Then for a dollar amount, I would check it with is_numeric (to allow the user to input a period as well). That is also just as safe as escaping because nothing else can go in the string except what is allowed through those ctype_ and is_numeric functions.
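Here is an added example (my own code, not from the poster above) of the whitelist validators described there, built on ctype_alnum and ctype_digit. It goes one step further than the post for the dollar-amount case: is_numeric() also accepts exponent notation such as "1e3", a leading sign and leading whitespace, so a money field is better checked with an explicit pattern. The function names, length limits and the sample inputs are this example's own.

```php
<?php
// Added example: allow-list input validation with ctype_* and a strict money pattern.

function validUsername(string $s): bool
{
    // Letters and digits only. ctype_alnum('') is false, so empty input is rejected as well.
    return strlen($s) <= 32 && ctype_alnum($s);
}

function validDays(string $s): ?int
{
    // Digits only: no sign, no spaces, no decimal point. The parameter is typed string
    // because ctype_digit() treats an int argument as an ASCII code, not a number.
    if (strlen($s) > 4 || !ctype_digit($s)) {
        return null;
    }
    return (int) $s;
}

function validAmount(string $s): ?string
{
    // Up to nine digits, optionally followed by a dot and one or two digits.
    // is_numeric() would also pass "1e3", "+5" and " 5", which this pattern rejects.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $s)) {
        return null;
    }
    return $s; // keep it as a string and bind it as a parameter; do not build it into SQL text
}

// Constructed inputs covering the edge cases, with the result each validator should give.
$cases = [
    ['validUsername', 'alice42',    true],
    ['validUsername', "bob' OR 1",  false],
    ['validUsername', '',           false],
    ['validDays',     '14',         14],
    ['validDays',     '-3',         null],
    ['validDays',     '1 4',        null],
    ['validAmount',   '19.99',      '19.99'],
    ['validAmount',   '1e3',        null],
    ['validAmount',   ' 5',         null],
];

foreach ($cases as [$fn, $input, $expected]) {
    $mark = ($fn($input) === $expected) ? 'ok ' : 'BAD';
    printf("%s %-14s %s\n", $mark, $fn, var_export($input, true));
}
```

Validation like this and prepared statements are complementary, not alternatives: the validators decide whether the request makes sense at all (a username with a quote in it is simply rejected), while the bound parameter guarantees that whatever value does get through cannot alter the query. Free-text fields such as comments cannot be restricted to ctype_alnum, and for those the prepared statement is the only line of defense on the database side.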