
Secure web application checklist

     

enotalone

3:06 pm on Feb 24, 2007 (gmt 0)

10+ Year Member



For the last few weeks I have been working on a project that, when live, will rely heavily on user input. Now that the database and most of the PHP backend are ready, my focus is on user input vs. security.

What measures do you take before inserting a record into the database to eliminate SQL injections and other potential security hazards?

1. strip_tags: it seems this will take care of removing HTML and PHP tags, but wouldn't it leave things like JavaScript?
2. Better yet, perhaps remove everything between any < and >?
3. SQL statements included in text input: how would you detect the presence of SQL in a text?

What other dangers can be present in text input? How do you deal with them? What is your PHP/MySQL checklist?

There must be a php class doing this already, if you know one what is it?

jatar_k

3:18 pm on Feb 24, 2007 (gmt 0)

WebmasterWorld Administrator jatar_k is a WebmasterWorld Top Contributor of All Time 10+ Year Member



also make sure you check lengths and watch for possible buffer overflow

I usually trim, strip_tags and mysql_real_escape_string

you can do a strip for everything between <script and </script>

You can have an allowed set of chars as well, that all depends on understanding what data would be "normal" for your application

>> perhaps remove everything between any < and >

watch that one as I just used those chars properly above. If you were expecting people to submit mathematical equations or code then that would also be a problem

the big thing is to have your standard safeguards, then to profile your expected input, what will users be submitting, and then see if you can have extra rules

I don't actually believe in cleaning data. I validate it, if it doesn't pass then you throw it back to the user to correct. There isn't much point in trying to correct their mistakes, let them do it. It helps to educate them as well.

also don't be overly verbose in your error messages, tell them what they need to know but don't give too much info in case you give a potential hacker extra info.

I also like to log all failures, it helps me to see what my script is doing and helps me better profile what may, or may not, need to be done.
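The validate-and-reject approach described in the reply above, worked into a small PHP comment form as an added example (written for this edit, not code posted by either participant). It assumes a table `comments(name, body, created_at)` and the mbstring extension; the hypothetical request data at the bottom is constructed. One practical update: the `mysql_` extension that provides `mysql_real_escape_string` was removed in PHP 7.0, so the storage step uses PDO prepared statements, which separate the SQL text from the values and make escaping unnecessary.

```php
<?php
// Added example, not from the thread: validate input against explicit rules,
// reject (and log) anything that fails, store via bound parameters, and
// escape at output time instead of stripping "<" and ">" from input.
declare(strict_types=1);

const MAX_NAME_LEN = 40;
const MAX_COMMENT_LEN = 2000;

/**
 * Validate a single field. Returns a list of error messages; an empty list
 * means the value is acceptable. Nothing is "cleaned": bad input is rejected.
 */
function validateField(string $label, ?string $value, int $maxLen, string $allowedPattern): array
{
    $errors = [];
    if ($value === null || trim($value) === '') {
        $errors[] = "$label is required.";
        return $errors;
    }
    // Length check first: cheap, and it bounds the regex work (mbstring assumed).
    if (mb_strlen($value, 'UTF-8') > $maxLen) {
        $errors[] = "$label must be at most $maxLen characters.";
    }
    // Allow-list of characters the application considers "normal" for this field.
    if (!preg_match($allowedPattern, $value)) {
        $errors[] = "$label contains characters that are not allowed.";
    }
    return $errors;
}

/** Field-specific rules for the comment form; profile each field separately. */
function validateComment(array $input): array
{
    // Name: letters, digits, spaces, and a little punctuation. No angle brackets.
    $errors = validateField('Name', $input['name'] ?? null, MAX_NAME_LEN, '/^[\p{L}\p{N} .\'\-]+$/u');
    // Comment: any printable Unicode plus newlines/tabs. Angle brackets and quotes
    // are allowed here (people paste code and equations); they are neutralised on
    // output and by parameter binding, not by stripping them on the way in.
    return array_merge($errors, validateField('Comment', $input['comment'] ?? null, MAX_COMMENT_LEN, '/^[\P{C}\n\r\t]+$/u'));
}

/** Store with bound parameters: the value is never part of the SQL text. */
function storeComment(PDO $db, string $name, string $comment): int
{
    $stmt = $db->prepare('INSERT INTO comments (name, body, created_at) VALUES (:name, :body, NOW())');
    $stmt->execute([':name' => $name, ':body' => $comment]);
    return (int) $db->lastInsertId();
}

/** Detailed failure record server-side; the user only gets a generic message. */
function logRejection(string $reason, string $remoteIp): void
{
    error_log(sprintf('[input-rejected] ip=%s reason=%s', $remoteIp, $reason));
}

/** Escape at render time so stored text is shown literally, never executed. */
function renderComment(string $name, string $body): string
{
    $esc = static fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<p><b>' . $esc($name) . '</b>: ' . nl2br($esc($body)) . '</p>';
}

// Constructed sample requests (not real user data) to exercise both paths offline.
$samples = [
    ['name' => "O'Brien",      'comment' => "Try <script>alert(1)</script> or ' OR 1=1 --"],
    ['name' => '<b>bob</b>',   'comment' => 'hello'],
];
foreach ($samples as $input) {
    $errors = validateComment($input);
    if ($errors) {
        foreach ($errors as $e) {
            logRejection($e, '203.0.113.5');   // constructed client address
        }
        echo "Please correct your input.\n";   // deliberately non-verbose
        continue;
    }
    // With a live connection: $id = storeComment(new PDO('mysql:host=localhost;dbname=app', 'user', 'pass'), $input['name'], $input['comment']);
    echo renderComment($input['name'], $input['comment']), "\n";
}
```

The first sample passes validation and is rendered with `&lt;script&gt;` and `&#039;` entities, so the script tag and the quote survive as visible text; the second is rejected because the name field's allow-list has no `<`. Which characters each field admits is the "profile your expected input" step from the reply, and it is the one part of this you cannot copy from a generic class.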

enotalone

3:35 pm on Feb 24, 2007 (gmt 0)

10+ Year Member



Jatar, thanks a lot, the reply was very helpful. I especially never thought about not giving too much information back to the user during validation.

I will also implement mysql_real_escape_string.

 
