PHP Server Side Scripting Forum

    
Secure web application checklist
enotalone




msg:3262663
 3:06 pm on Feb 24, 2007 (gmt 0)

For the last few weeks I have been working on a project that, when live, will rely heavily on user input. Now that the database and most of the PHP backend are ready, my focus is on user input vs. security.

What measures do you take before inserting a record into the database to eliminate SQL injections and other potential security hazards?

1. strip_tags: seems this will take care of removing HTML and PHP tags, but wouldn't remove things like JavaScript?
2. Better yet, perhaps remove everything between any < and >
3. Including SQL statements in text input: how would you detect the presence of SQL in a text?

What other dangers can be present in text input? How do you deal with them? What is your PHP/MySQL checklist?

There must be a PHP class doing this already; if you know one, what is it?

 

jatar_k




msg:3262667
 3:18 pm on Feb 24, 2007 (gmt 0)

also make sure you check lengths and watch for possible buffer overflow

I usually trim, strip_tags and mysql_real_escape_string

you can do a strip for everything between <script and </script>

You can have an allowed set of chars as well, that all depends on understanding what data would be "normal" for your application

>> perhaps remove everything between any < and >

watch that one as I just used those chars properly above. If you were expecting people to submit mathematical equations or code then that would also be a problem

the big thing is to have your standard safeguards, then to profile your expected input, what will users be submitting, and then see if you can have extra rules

I don't actually believe in cleaning data. I validate it, if it doesn't pass then you throw it back to the user to correct. There isn't much point in trying to correct their mistakes, let them do it. It helps to educate them as well.

also don't be overly verbose in your error messages, tell them what they need to know but don't give too much info in case you give a potential hacker extra info.

I also like to log all failures, it helps me to see what my script is doing and helps me better profile what may, or may not, need to be done.
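
The validate-and-reject approach from the reply above, as an added example (not code from the thread). The field names, limits and allowed-character patterns are assumptions, and a PDO prepared statement on in-memory SQLite stands in for mysql_real_escape_string so the script runs offline.

```php
<?php
// Added example. PROFILE is an assumed description of "normal" input for a
// hypothetical posting form: a byte-length cap and an allowed character set.
const PROFILE = [
    'username' => ['max' => 20,  'pattern' => '/^[A-Za-z0-9_]+$/'],
    'comment'  => ['max' => 200, 'pattern' => '/^[\P{C}\n]+$/u'], // no control chars
];

// Validate only: nothing is rewritten beyond trim(). Accepted values land in
// $clean; the return value is the list of field names that failed.
function validate(array $input, array &$clean): array {
    $failed = [];
    foreach (PROFILE as $field => $rule) {
        $value = is_string($input[$field] ?? null) ? trim($input[$field]) : '';
        if ($value === '') {
            $reason = 'missing or not a string';
        } elseif (strlen($value) > $rule['max']) {
            $reason = 'too long: ' . strlen($value) . ' bytes';
        } elseif (preg_match($rule['pattern'], $value) !== 1) {
            $reason = 'characters outside allowed set';
        } else {
            $clean[$field] = $value;
            continue;
        }
        $failed[] = $field;
        // Detail goes to the server log only; json_encode escapes control characters.
        error_log("input rejected: field=$field reason=$reason value="
            . json_encode(substr($value, 0, 64), JSON_INVALID_UTF8_SUBSTITUTE));
    }
    return $failed;
}

// Constructed sample submissions: one legitimate (note the < and >), one hostile.
$samples = [
    ['username' => 'alice_01', 'comment' => 'if a < b then b > a'],
    ['username' => "x' OR '1'='1", 'comment' => str_repeat('A', 5000)],
];
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (username TEXT, comment TEXT)');
$insert = $db->prepare('INSERT INTO posts (username, comment) VALUES (?, ?)');
foreach ($samples as $input) {
    $clean = [];
    if ($failed = validate($input, $clean)) {
        // Terse user message: which fields to fix, nothing about the rules.
        echo 'Please correct: ' . implode(', ', $failed) . "\n";
        continue;
    }
    $insert->execute([$clean['username'], $clean['comment']]); // bound, never concatenated
    echo "Stored post by {$clean['username']}\n";
}
```

The first sample is stored with its < and > intact; the second is rejected on both fields, with the reasons written only to the error log.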

enotalone




msg:3262679
 3:35 pm on Feb 24, 2007 (gmt 0)

Jatar, thanks a lot, the reply was very helpful. I especially never thought about not giving too much information back to the user during validation.

I will also implement mysql_real_escape_string.

WebmasterWorld is a Developer Shed Community owned by Jim Boykin.