PHP Server Side Scripting Forum

    
Basic security tips
mehh (5+ Year Member)
Msg#: 3610391 posted 7:35 pm on Mar 25, 2008 (gmt 0)

I've never really paid much attention to security in PHP so I haven't picked up on many holes. What should I be most aware of? So far the only real things I protect against are SQL injection and making sure I know what I'm include()ing.

 

PHP_Chimp (WebmasterWorld Senior Member, 5+ Year Member)
Msg#: 3610391 posted 8:49 pm on Mar 25, 2008 (gmt 0)

As with everything security related it all depends on what data you have and what you do with it, i.e. if you have credit card details then you need good security; if you don't have any information then there is little to secure ;)

Using databases means that SQL injection could be a problem, so use mysql_real_escape_string [uk2.php.net] or mysqli_real_escape_string [uk2.php.net] (the mysqli version will protect against multibyte character hacks; I don't believe that the mysql version does). Obviously that assumes a MySQL database, but the other databases have similar functions, or you can write your own if you are that way inclined.
The other method would be to use prepared statements [uk2.php.net].

As you said, not allowing users to decide what you include, as then you could include whatever they want you to. This should also include not using any of the other file functions with user supplied data, i.e. fopen($_GET['file']) would not be a good thing.

If you are allowing users to enter comments then stripping tags [uk2.php.net], turning them into code [uk2.php.net] or htmlspecialchars [uk2.php.net] (< becomes &lt;) will help stop people using javascript redirects on your pages, or linking to inappropriate content.

The easiest way to secure your site is to view all user supplied information as dangerous. Then you shouldn't be tempted to allow that data to be used when it hasn't been cleaned.
The extent of that cleaning is up to you.
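The three habits in the reply above (bind user values instead of building SQL, never let the request choose a file, escape on output) put together as one added PHP example. This is not code from the thread; it assumes a hypothetical `users` table with `id` and `email` columns, a `pages/` directory with `home.php` and `contact.php`, and a mysqli connection built with mysqlnd so that `get_result()` is available.

```php
<?php
// Added example, not from the thread. Illustrates the advice in the post above
// with PHP's mysqli and htmlspecialchars.
declare(strict_types=1);

// 1. Prepared statement: the value travels separately from the query text, so
//    the database never parses user input as SQL. Table/columns are assumed.
function findUserByEmail(mysqli $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);   // 's' = bind as string
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// 2. Includes: map a short key from the request onto a fixed server-side path.
//    Anything not in the map (traversal strings, URLs, empty input) falls back
//    to the default page, so the request can never name a file directly.
const PAGE_MAP = [
    'home'    => __DIR__ . '/pages/home.php',    // assumed to exist
    'contact' => __DIR__ . '/pages/contact.php', // assumed to exist
];

function resolvePage(?string $requested): string
{
    return PAGE_MAP[$requested] ?? PAGE_MAP['home'];
}

// 3. Output escaping: submitted text is rendered as text, not markup.
//    ENT_QUOTES also escapes single quotes, which matters inside attributes.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- Demo with constructed input (parts 2 and 3 need no database) ---
$comment = '<b>Nice</b> post & "thanks" <a href="http://example.invalid">link</a>';
echo e($comment), PHP_EOL;              // tags and quotes come out as entities

echo resolvePage('../../etc/passwd'), PHP_EOL;  // not in the map: home page
echo resolvePage('contact'), PHP_EOL;           // allowed key: contact page

// In a real page the include would then be:
//   require resolvePage($_GET['page'] ?? null);
// and the lookup, given a live connection $db:
//   $user = findUserByEmail($db, $_POST['email'] ?? '');
```

The whitelist approach in `resolvePage` is stricter than trying to "clean" a filename: there is no string the visitor can send that reaches `require` unchanged, so the question of which characters to strip never arises. The same idea applies to `fopen` and the other file functions mentioned in the post.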

Steerpike (5+ Year Member)
Msg#: 3610391 posted 2:14 pm on Mar 26, 2008 (gmt 0)

I started a post a while ago on web security that I was hoping people might continue but unfortunately it never took off. Still, the initial post should have a few good places to start for you.
[webmasterworld.com...]

Steerpike

whoisgregg (WebmasterWorld Senior Member, WebmasterWorld Top Contributor of All Time, 10+ Year Member)
Msg#: 3610391 posted 4:58 pm on Mar 26, 2008 (gmt 0)

The best place to start:
[php.net...]

It takes the time to actually explain security in the "big picture view" and also eventually goes into detail with specific PHP code examples.

© Webmaster World 1996-2014 all rights reserved