[PHP] Security Measures when coding php


Question

Please post routine security measures/procedures/code snippets/practices to make your code secure. I am reading up on this topic and would like your input on the same. Following are some steps I have picked up...

  • Sanitize user input before passing on queries to database.
  • Avoid cookies and sessions if you can as they are not very secure.
  • Disable remote includes unless you specifically need them.
  • Limit login attempts.

Thanks.


13 answers to this question


  • 0

Here's how I do MySQL input stuff in PHP:

		// Make a safe query: each value is escaped for the open MySQL connection
		// before it is placed in the SQL string, so a quote in the input cannot
		// end the string literal. Assumes $cat_name and $cat_desc were taken from
		// $_POST after an isset() check and mysql_connect() has already been called.
		$query = sprintf("INSERT INTO cats (`cat_name`, `cat_desc`) VALUES ('%s', '%s')",
			mysql_real_escape_string($cat_name),
			mysql_real_escape_string($cat_desc));

		mysql_query($query) or die('Could not insert cats: ' . mysql_error());

Then make sure you htmlspecialchars and stripslashes the stuff that's going into your database. Also make sure you isset your $_POST values before you use them.


  • 0

Can only echo what others have said: ANYTHING that comes from outside of your code, whether it be from another site or from user input, SANITIZE, SANITIZE and then SANITIZE again!

Even if you are going to do nothing with the data, make sure it cannot harm anything :)


  • 0
> Here's how I do MySQL input stuff in PHP:
>
> 		// Make a safe query
> 		$query = sprintf("INSERT INTO cats (`cat_name`, `cat_desc`) VALUES ('%s', '%s')",
> 			mysql_real_escape_string($cat_name),
> 			mysql_real_escape_string($cat_desc));
>
> 		mysql_query($query) or die('Could not insert cats: ' . mysql_error());
>
> Then make sure you htmlspecialchars and stripslashes the stuff that's going into your database. Also make sure you isset your $_POST values before you use them.

Meh, so early 2000 ;). Use the mysqli OO extension instead of the mysql extension and you have support for parameters in queries.

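The parameterised approach the reply above recommends, written out as an added example (not code from anyone in this thread). It uses PDO with an in-memory SQLite database so it runs without a MySQL server; the prepare()/bind/execute pattern is the same with mysqli or PDO_MySQL. The table and the sample cat are constructed for the example, and it also shows why htmlspecialchars() belongs at the HTML output boundary rather than before the INSERT.

```php
<?php
// Added example: parameterised INSERT/SELECT with PDO. The SQL text never
// contains user data; values are bound separately, so quotes, semicolons
// or comment markers in the input are stored as plain data.
declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');   // in-memory DB: no server needed
    // Throw on errors instead of silently returning false.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE cats (id INTEGER PRIMARY KEY, cat_name TEXT NOT NULL, cat_desc TEXT NOT NULL)');
    return $db;
}

function insertCat(PDO $db, string $catName, string $catDesc): int
{
    // Validate the shape first: non-empty name up to 50 bytes, description up to 500 bytes.
    if ($catName === '' || strlen($catName) > 50 || strlen($catDesc) > 500) {
        throw new InvalidArgumentException('cat_name/cat_desc outside allowed length');
    }
    $stmt = $db->prepare('INSERT INTO cats (cat_name, cat_desc) VALUES (:name, :desc)');
    $stmt->bindValue(':name', $catName, PDO::PARAM_STR);
    $stmt->bindValue(':desc', $catDesc, PDO::PARAM_STR);
    $stmt->execute();
    return (int) $db->lastInsertId();
}

function findCat(PDO $db, string $catName): ?array
{
    // Same pattern for reads: the lookup value is a bound parameter, not concatenated.
    $stmt = $db->prepare('SELECT cat_name, cat_desc FROM cats WHERE cat_name = :name');
    $stmt->execute([':name' => $catName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample input, as it might arrive in $_POST after an isset() check.
$db  = openDb();
$id  = insertCat($db, "O'Reilly", "likes 'fish'; 10 years old -- very lazy");
$row = findCat($db, "O'Reilly");

// The stored value is exactly what was submitted, quotes and all.
assert($row !== null && $row['cat_desc'] === "likes 'fish'; 10 years old -- very lazy");

// Escape for HTML only when rendering, so the database keeps the raw text.
echo htmlspecialchars($row['cat_desc'], ENT_QUOTES, 'UTF-8'), "\n";
```

With mysqli the equivalent is `$stmt = $mysqli->prepare('INSERT ... VALUES (?, ?)'); $stmt->bind_param('ss', $catName, $catDesc); $stmt->execute();`.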

  • 0

One of the best ways to sanitize incoming data is to ensure it is the right format, and display a message if it isn't. So make sure a date input is in the expected date format, rather than assuming it will be. This in itself protects against injection attacks because what is entered to perform the attack obviously wouldn't be a valid date. ;)

Cookies are fine, however you have to be careful what you put in them and what you use them for. A hacker can easily read the contents of a cookie, so always hash it, unless it is completely useless information (i.e. a timer or counter). They are easily viewable though. You wouldn't display a raw password on a web page, so you don't put it in a cookie either.

Database based session handlers are good too. If I remember correctly, they are more secure for shared web servers.

Either disable errors and use the default log, or create an error handler to hide errors from users and log them where you want them to be logged (database, file, send by email, etc). Errors often display information that could potentially be used to do harm.

For any required/included files add a line that checks for a constant at the top. If the constant doesn't exist, exit() the file. Then in the file that includes the includes, define the constant. This stops people from running individual files (not always possible, but better to be safe than sorry).

Can't remember any more at the moment. Just be paranoid though.


  • 0

You can control the security of cookies if you think outside of the box.

People can easily get a cookie editor and take control of an account on a web site that isn't set up to handle secure cookies. A username is enough to take control of someone else's account.


This topic is now closed to further replies.