Security tips for a newbie!
Ok hopefully this thread won't be too long else I really will be in trouble...
As you know I've been putting my pages together bit by bit but to be honest I've left the main security things out, not sure why exactly, probably because I've wanted to concentrate on learning the basics I guess - and I know some of you would probably argue these are the basics lol!!
Anyhow this is the stage I'm at now, various people have mentioned things like sql injection and hijacking etc etc.
Can you give tips on making my db secure;
Here are a few 'I think' are correct:
1. Use mysql_real_escape_string whenever getting variables to a page??
2. Always validating anything the user enters!
Any more...? (and of course an explanation would be really helpful) :thumb:
Re: Security tips for a newbie!
you only need to use mysql_real_escape_string() if you're using a user's input to query a database, this will prevent SQL injection. the PHP manual documents how it works well (link).
the biggest rule I give myself when building a website that will be used by many people, is that you should never trust what a user gives for input.
encrypt all of the passwords you're storing in a database with an algorithm like md5. this way, if for some reason your database IS compromised, they won't have a list of plain-text passwords.
one last thing from me: if someone shouldn't be able to do something, don't let them do it. basically, this just means if you're not logged in, you shouldn't be letting them view any pages that require you to be logged in... so, whatever your "auth.php" is, that you decide to include on every page to authenticate your users, make sure it will exit a user out if someone is trying to visit a page they shouldn't be when they're not logged in.
Re: Security tips for a newbie!
Don't escape anything, use a proper data access library that supports parameterised queries and you don't have to worry about any chance of SQL injection.
Re: Security tips for a newbie!
Quote:
use a proper data access library that supports parameterised queries and you don't have to worry about any chance of SQL injection
Can you give examples of this or how it could be used? I assume you mean there are better alternatives to mysql_real_escape_string???
Re: Security tips for a newbie!
Parameterised queries use placeholders in the query, rather than concatenating or embedding values directly into it. The values are then passed separately to the query - hence 'parameterised'.
For example:
PHP Code:
$stmt = $dbh->prepare('insert into employees (name, age) values (?, ?)');
$stmt->execute(["Patrick O'Reilly", 52]); // PDO's execute() takes the values as an array, one per placeholder
That also happens to be a prepared statement, in that the query is only parsed by the DBMS once and not each time it is executed.
As you can see, there is no need to escape the apostrophe in O'Reilly, as it is not inserted into the query at all.
Prepared statements are supported by PDO (PHP 5, multi-DB), PEAR::MDB2 (PHP 4, multi-DB), mysqli (PHP 4, 5, MySQL only), et al. These are far superior alternatives to any of the mysql_* functions.
As a slight aside, for a tool that is so commonly used for data access, PHP was until recently surprisingly poor at it.
Re: Security tips for a newbie!
Hmmm, little confused by usage of mysql_real_escape_string (I've looked at the PHP manual..) - is it right that it should only be used with GET and POST variables passed to a page?
Code:
e.g. instead of:
$_GET['bookmarkid'];
I should use:
mysql_real_escape_string($_GET['bookmarkid']);
Is that right?
Also how does it work with COOKIES or SESSION? Should I do the same thing with those? And do I need to use that everywhere in the script or just once (for instance at the top?)
Re: Security tips for a newbie!
you should define it as a variable if it exists. you only need to do it once.
PHP Code:
<?php
$bookmark = (isset($_GET['bookmarkid']) && $_GET['bookmarkid'] != "") ? mysql_real_escape_string($_GET['bookmarkid']) : '';
//the variable $bookmark is now safe to use in any queries you might have.
?>
depending on what will be in the session variable, it will be a good idea to do this before querying the database looking for authentication via your session's username or whatever. so, in your authentication script you should escape your session username (if you allow quotes in your username, basically), and possibly the hash as well, before querying the database to see if that username even exists.
Re: Security tips for a newbie!
Thanks for that - I sorted it out and I'm testing things, everything seems to work ok :)
I am now looking at validation checking with both PHP and JS. The first thing is going to be with PHP and I've found this here: http://www.askbee.net/articles/php/S...injection.html
And from there I found this http://pear.php.net/package/Validate
Just wondered if anyone has used this or thinks it worth using it? Is there a better/simpler way ??
Re: Security tips for a newbie!
Quote:
Originally Posted by wwwfilmfilercom
Hmmm, little confused by usage of mysql_real_escape_string (I've looked at the PHP manual..) - is it right that it should only be used with GET and POST variables passed to a page?
Code:
e.g. instead of:
$_GET['bookmarkid'];
I should use:
mysql_real_escape_string($_GET['bookmarkid']);
Is that right?
Also how does it work with COOKIES or SESSION? Should I do the same thing with those? And do I need to use that everywhere in the script or just once (for instance at the top?)
No, you're not listening. Don't use any function to escape strings. Read my post again.
Re: Security tips for a newbie!
Hmmm, I see what you say above penagate but it's making me confused - are you saying NOT to use mysql_real_escape_string and instead use PDO/Pear??
Quote:
Don't use any function to escape strings.
Ok well mysql_real_escape_string IS a function so you're saying not to use it to escape strings? I'm just not sure what this is referring to... can you clarify for someone who just doesn't know..
Re: Security tips for a newbie!
Quote:
Hmmm, I see what you say above penagate but it's making me confused - are you saying NOT to use mysql_real_escape_string and instead use PDO/Pear??
Yes!
Escaping is not bulletproof, one day you WILL slip up and forget and then bam! you have a security hole. Much smarter to avoid that chance.
Re: Security tips for a newbie!
Right - just that I have also read and been told that I should do both: use escaping and of course the method you describe...PDO/Pear. I mean that's what I was going to do anyway....
Re: Security tips for a newbie!
No.
Escaping parameterised queries is silly because you will end up with slash characters in your database. This is pointless.
Escaping strings is only necessary when those strings are inserted directly into the SQL query - so that the query syntax cannot be broken (either involuntarily or maliciously). With parameterised queries the values are not inserted into the SQL, they are passed separately so there is no chance of breaking the query at all.
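The two points made in this thread (how parameterised queries pass values separately from the SQL, and why escaping a value you then bind leaves stray backslashes in the table) as one added example. This is not code from any of the posters; it uses PDO with an in-memory SQLite database so it runs offline, assumes the pdo_sqlite extension is present, and uses addslashes() as a stand-in for mysql_real_escape_string(), which needs a live MySQL connection. The table, column names and sample values are constructed for the example.

```php
<?php
// Added example: parameterised queries with PDO, plus the double-escaping pitfall.
// With MySQL only the DSN and credentials change; everything else stays the same.
$dbh = new PDO('sqlite::memory:');
$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On pdo_mysql, disable client-side emulation so the server itself prepares the
// statement and the values are sent separately on the wire.
if ($dbh->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
    $dbh->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
$dbh->exec('CREATE TABLE employees (id INTEGER PRIMARY KEY, name TEXT NOT NULL, age INTEGER NOT NULL)');

// Constructed input standing in for a $_POST value; the apostrophe is the point.
$name = "Patrick O'Reilly";
$age  = 52;

// 1. Insert with positional placeholders: the value never becomes part of the SQL
//    text, so nothing in it needs escaping.
$insert = $dbh->prepare('INSERT INTO employees (name, age) VALUES (?, ?)');
$insert->execute([$name, $age]);          // execute() takes the values as an array

// 2. Select with a named placeholder and an explicit integer type for the bound value.
$select = $dbh->prepare('SELECT name FROM employees WHERE age > :min_age');
$select->bindValue(':min_age', 40, PDO::PARAM_INT);
$select->execute();
print_r($select->fetchAll(PDO::FETCH_COLUMN));   // Array ( [0] => Patrick O'Reilly )

// 3. The name was stored exactly as typed and can be found again without escaping.
$find = $dbh->prepare('SELECT COUNT(*) FROM employees WHERE name = ?');
$find->execute([$name]);
var_dump((int) $find->fetchColumn());             // int(1)

// 4. The "slashes in your database" problem: escaping a value that is then bound
//    stores the backslash literally, so the real name no longer matches.
$insert->execute([addslashes($name), $age]);      // stores  Patrick O\'Reilly
$find->execute(["Patrick O\\'Reilly"]);
var_dump((int) $find->fetchColumn());             // int(1): the escaped form is what got saved

// 5. For contrast, the involuntary breakage escaping was invented to patch over:
//    concatenating the same value into the SQL makes the query invalid.
try {
    $dbh->query("SELECT COUNT(*) FROM employees WHERE name = '" . $name . "'");
} catch (PDOException $e) {
    echo "Concatenated query failed: ", $e->getMessage(), "\n";
}
```

Run it with `php example.php`. Step 5 is the only place a value is put into the query string, and it is the only step that fails; steps 1 to 3 are the pattern to copy, and step 4 shows why adding escaping on top of it is a bug rather than extra safety.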
Re: Security tips for a newbie!
O dam! I just ended up putting that in every page - o maaaaaaaaan!
Ok please penagate, for the sake of getting things right, just advise me the steps to take to get things secure....
1 - Shall I get rid of ALL mysql_real_escape_string statements???
2 - Should I go ahead with integrating that Pear validate function thing?
3 - Is there anything else to do?
Re: Security tips for a newbie!
I have never used PEAR::Validate - so you are on your own there. It sounds good, I will have to check it out sometime.
1. Yes - as long as you use either PDO, PEAR::MDB2, mysqli, or some other data access library that supports prepared statements. Bear in mind that not all hosts support PDO or PEAR so if you are building a portable application you will have to support multiple data access libraries - that is why people build data access abstraction layers in their applications. Of course, if it's just for your personal site, don't worry about it.
2. If you want and it works for your needs, go for it.
3. Now that SQL injection is taken care of, another thing to watch for is cross-site scripting (XSS).
The main way to deal with this is to make sure you sanitise all data output by using functions like htmlentities(), if you have something like a comment system this ensures that people cannot post rogue HTML and client-side scripts. Unlike with SQL injection there is no bulletproof way that I know of to take care of this, you just have to remember to always use htmlentities() on data outputted into HTML or XML documents. If you use any form of template system, this is eased considerably as you can put the HTML sanitisation in one place, where you assign template variables.
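The "encode in one place, where template variables are assigned" idea from the post above, as an added example that is not code from any of the posters. It uses htmlspecialchars() rather than htmlentities(); both encode the characters that matter for HTML (`<`, `>`, `&`, `"` and, with ENT_QUOTES, `'`), and htmlentities() additionally encodes accented characters, which is unnecessary on a UTF-8 page. The helper names, the placeholder syntax and the comment data are constructed for the example.

```php
<?php
// Added example: encode untrusted text on output so it is shown, not interpreted.

// One encoding function for every HTML output. ENT_QUOTES also encodes single
// quotes, which matters inside attributes; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string and silently dropping the value.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// A minimal template step: every variable handed to the template is encoded here,
// so no individual page has to remember to do it.
function render(string $template, array $vars): string
{
    $replacements = [];
    foreach ($vars as $name => $value) {
        $replacements['{{' . $name . '}}'] = h((string) $value);
    }
    return strtr($template, $replacements);
}

// Constructed comment-system data, as if it had arrived via $_POST.
$comments = [
    ['author' => 'alice',                'body' => 'Nice site!'],
    ['author' => 'Bob "Bobby" O\'Neil',  'body' => '<script>alert(1)</script> hi'],
];

// Both a text context and an attribute context; the same encoding covers both
// because ENT_QUOTES handles the quote characters an attribute is delimited by.
$template = '<li data-author="{{author}}"><b>{{author}}</b>: {{body}}</li>';

echo "<ul>\n";
foreach ($comments as $c) {
    echo render($template, $c), "\n";
}
echo "</ul>\n";
// Second item as emitted:
// <li data-author="Bob &quot;Bobby&quot; O&#039;Neil"><b>Bob &quot;Bobby&quot; O&#039;Neil</b>: &lt;script&gt;alert(1)&lt;/script&gt; hi</li>
// The browser displays the tag text literally; nothing is parsed as markup.

// The unsafe pattern for comparison (never do this): raw interpolation emits the
// <script> tag as real markup.
// echo '<li>' . $c['body'] . '</li>';
```

The encoding is correct for HTML element content and double- or single-quoted attribute values. Data placed into a JavaScript block, a URL, or CSS needs the encoding rules of that context instead, which is the "no bulletproof way" caveat from the post: the function is simple, but you have to apply the right one at every output point.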
Re: Security tips for a newbie!
Thanks for sorting all that out;
I guess it's time for me to get to getting rid of those statements lol!
Re: Security tips for a newbie!
After looking around through countless things and checking with what my host provide I have now gone to working the mysqli!!!!