A bit on PHP security

PHP really is a smashing language, allowing you to knock out rich applications quickly and easily. As anyone with half a brain will realise though, giving power to people that don’t have a clue is a recipe for a disaster.

This is by no means a comprehensive list, but here are some common security issues that I have encountered with some simple fixes.

1. Use mysql_real_escape_string()

SQL injection can be a big problem, but it is easily defeated. Validating every input into your web application is a must, whether it comes from $_POST or $_GET. If it passes this validation then you should wrap mysql_real_escape_string() around the variable to escape dangerous characters. For example:

$query = "SELECT id FROM logins WHERE username='".mysql_real_escape_string($_POST['username'])."' AND password='".mysql_real_escape_string($_POST['password'])."'";
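As an added illustration (not code from the original post), here is that login lookup with the validation step done before the escaping step. It assumes a MySQL server reachable with the placeholder credentials shown, and uses mysqli_real_escape_string(), the direct successor of mysql_real_escape_string() now that the mysql_ extension is gone from current PHP. The prepared-statement version at the end goes beyond the post's text: it is the alternative that keeps data and SQL apart without any escaping.

```php
<?php
// Added example, not the original post's code. The post's advice is:
// validate first, then escape what passed validation before it goes into SQL.
// Assumes a MySQL server reachable with the placeholder credentials below.
// mysqli_real_escape_string() stands in for mysql_real_escape_string(),
// whose extension no longer exists in current PHP.

function validUsername(string $name): bool
{
    // Whitelist check: 3 to 32 letters, digits, dots or underscores.
    return preg_match('/^[A-Za-z0-9_.]{3,32}$/', $name) === 1;
}

function buildLoginQuery(mysqli $db, string $username, string $password): string
{
    // Escaping is charset-aware and tied to the connection, so the
    // connection's charset must be set before this is called.
    $u = mysqli_real_escape_string($db, $username);
    $p = mysqli_real_escape_string($db, $password);
    return "SELECT id FROM logins WHERE username='" . $u . "' AND password='" . $p . "'";
}

$db = mysqli_connect('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
if ($db === false) {
    exit("connection failed: " . mysqli_connect_error() . "\n");
}
mysqli_set_charset($db, 'utf8mb4');

// Constructed sample submissions: one ordinary, one with a quote in the
// password (escaped), one with a username the whitelist refuses outright.
$submissions = [
    ['alice', 's3cret'],
    ['alice', "pa'ss"],
    ["o'brien", 'x'],
];

foreach ($submissions as [$username, $password]) {
    if (!validUsername($username)) {
        echo "rejected by validation: $username\n";
        continue;
    }
    echo buildLoginQuery($db, $username, $password), "\n";
}

// Beyond the post: a prepared statement sends the values separately from the
// SQL text, so no escaping is needed and no quote can change the query.
$stmt = mysqli_prepare($db, 'SELECT id FROM logins WHERE username=? AND password=?');
if ($stmt !== false) {
    $username = 'alice';
    $password = "pa'ss";
    mysqli_stmt_bind_param($stmt, 'ss', $username, $password);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $id);
    echo mysqli_stmt_fetch($stmt) ? "matched id $id\n" : "no match\n";
    mysqli_stmt_close($stmt);
}
mysqli_close($db);
```

The whitelist is deliberately stricter than the escaping: a username that cannot contain a quote never needs one escaped, and the escape call is then the second line of defence rather than the only one.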

2. XSS protection

Cross site scripting is a real danger, but is something that can be protected against without too much work. Simply remove HTML / JavaScript tags from any input by using str_replace or an equivalent. I find that I only need to worry about this when dealing with textareas, because text fields are usually a lot more locked down to the type of data that needs to go into them.
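An added example, not the post's own code, of cleaning a textarea submission: strip_tags() does the tag removal the post describes (the "equivalent" of str_replace), and as an added step htmlspecialchars() encodes the stored text when it is echoed back, so nothing that survives cleaning can be read as markup. The sample comment is constructed.

```php
<?php
// Added example, not the original post's code. Tag stripping on input as the
// post recommends, plus encoding on output as a second layer.

function cleanTextareaInput(string $raw): string
{
    // Drop every HTML/JavaScript tag, keeping only the text between them.
    $text = strip_tags($raw);
    // Normalise line endings and trim surrounding whitespace.
    return trim(str_replace(["\r\n", "\r"], "\n", $text));
}

function renderForHtml(string $text): string
{
    // Encode first, then turn newlines into <br>; the other order would
    // encode the <br> tags themselves. ENT_QUOTES also covers single quotes,
    // and naming the charset avoids encoding confusion.
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// Constructed sample: a comment containing markup and a script tag.
$submitted = "Nice post!\r\n<script>alert(\"hi\")</script>\r\n<b>Bold</b> & <i>plain</i> text";

// What gets stored: tags gone, text kept.
$stored = cleanTextareaInput($submitted);
echo $stored, "\n\n";

// What gets sent to the browser: remaining < > & " ' are entity-encoded.
echo renderForHtml($stored), "\n";
```

Stripping on input alone is fragile (it also mangles legitimate text such as "a < b"), which is why the output encoding is worth keeping even once input has been cleaned.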

3. URL Manipulation

Web applications typically pass information through URLs. Consider the following link:

view_personal_info.php?my_user_id=123

In this example I think we can probably take “my_user_id” to be my id on the system. So what happens when I go to the URL with id 124 or 125? Will I get information on other users? Probably, and that’s why on every page you need to check that the currently logged-in user is actually allowed to view the information.

This isn’t hard to do, so I’m not going to explain the solution here. However, if you’re passing a lot of information through a URL and want to make sure it’s not tampered with, then there’s a straightforward way to achieve this. Creating a hash of the data with a password only the application knows, passing it in the URL and revalidating it on the target page works a treat.
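An added example (not code from the post) of that signed-URL approach: the parameters are hashed with hash_hmac() using a secret only the application knows, the hash travels as an extra "sig" parameter, and the target page recomputes it and compares with hash_equals(). The secret value, the "sig" parameter name and the helper names are placeholders chosen here.

```php
<?php
// Added example, not the original post's code. Signs URL parameters with an
// HMAC so the target page can tell a tampered link from a genuine one.
// The secret is a placeholder; a real one is long, random and kept out of
// version control.

const URL_SIGNING_SECRET = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

function signParams(array $params): string
{
    // Sort keys so the same data always serialises the same way, then sign
    // the canonical query string (which never includes the signature itself).
    ksort($params);
    $canonical = http_build_query($params);
    return hash_hmac('sha256', $canonical, URL_SIGNING_SECRET);
}

function buildSignedUrl(string $page, array $params): string
{
    $params['sig'] = signParams($params);
    return $page . '?' . http_build_query($params);
}

function verifySignedQuery(array $query): bool
{
    if (!isset($query['sig']) || !is_string($query['sig'])) {
        return false;
    }
    $sig = $query['sig'];
    unset($query['sig']);
    // hash_equals() compares in constant time; a plain == would leak timing.
    return hash_equals(signParams($query), $sig);
}

// Build a link the way the page linking to view_personal_info.php would.
$url = buildSignedUrl('view_personal_info.php', ['my_user_id' => 123]);
echo $url, "\n";

// On the target page $_GET holds these values; reconstruct that here.
parse_str(parse_url($url, PHP_URL_QUERY), $received);
var_dump(verifySignedQuery($received));    // genuine link

$tampered = $received;
$tampered['my_user_id'] = 124;             // someone edits the id by hand
var_dump(verifySignedQuery($tampered));    // signature no longer matches
```

The signature only proves the application produced the link; it does not replace the access check described above, since a user can still be handed a genuine link for a record they should not see if the code that builds the links gets it wrong.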

4. Use forms, not links

I’m guilty of having done this once or twice, mainly due to ignorance, but when you’re doing any database modification it should always happen through a form, not a link. Otherwise people can craft links to pages like delete and trick you into clicking on them. If the pages aren’t properly password protected, then it’s also possible that search engines can crawl your site and wreck your database.
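An added example (not code from the post) of a delete action that only works when submitted through a form. The per-session token is an addition on top of the post's advice: it stops a form hosted on someone else's site from submitting the same request, which a POST-only check by itself does not.

```php
<?php
// Added example, not the original post's code. Deletion happens only via a
// POST from our own form; plain links and crawlers issue GET and get nothing.
// The session token is an addition beyond the post's text.

session_start();

if (empty($_SESSION['form_token'])) {
    // One random token per session, embedded in every state-changing form.
    $_SESSION['form_token'] = bin2hex(random_bytes(32));
}

function deleteForm(int $recordId): string
{
    // Rendered on the listing page in place of a "delete" link.
    $token = htmlspecialchars($_SESSION['form_token'], ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="delete.php">'
         . '<input type="hidden" name="id" value="' . $recordId . '">'
         . '<input type="hidden" name="token" value="' . $token . '">'
         . '<button type="submit">Delete</button>'
         . '</form>';
}

function isFormPost(): bool
{
    return ($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST';
}

function hasValidToken(): bool
{
    $sent = $_POST['token'] ?? '';
    // hash_equals() needs two strings and compares in constant time.
    return is_string($sent) && hash_equals($_SESSION['form_token'], $sent);
}

// On the page that lists records:  echo deleteForm(42);

// What delete.php does with the request:
if (!isFormPost()) {
    http_response_code(405);
    header('Allow: POST');
    echo "deletions are only accepted from the form\n";
} elseif (!hasValidToken()) {
    http_response_code(403);
    echo "form token missing or wrong\n";
} else {
    $id = filter_var($_POST['id'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        http_response_code(400);
        echo "bad record id\n";
    } else {
        // Still confirm the logged-in user owns record $id before the DELETE runs.
        echo "deleting record $id\n";
    }
}
```

Refusing GET outright is what keeps search engines and link prefetchers out; the token is what keeps out a form someone else built to post to delete.php on a logged-in user's behalf.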

5. Other

There are plenty of other little tweaks you can make to your PHP configuration to improve security, depending on what you’re doing and how locked down you want your server to be. Two little things I do when putting code on a live site are turning error messages off, and moving pages that don’t need to be read directly outside of public_html.
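An added example (not the post's code) of those two tweaks applied as PHP runtime settings at the top of the front controller, with the directory layout it assumes spelled out in the comments; all paths are placeholders.

```php
<?php
// Added example, not the original post's code. Two production settings the
// post mentions, applied at the top of the front controller. All paths are
// placeholders for whatever the real site uses.

// (1) Error messages. The development setting that must not reach a live site:
//     ini_set('display_errors', '1');
// On the live site, errors go to a log outside public_html, never to the browser.
ini_set('display_errors', '0');
ini_set('display_startup_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/home/site/logs/php-errors.log');   // placeholder path
error_reporting(E_ALL);   // still record everything, just not on screen

// (2) Files that should never be served directly live above the web root.
// Assumed layout:  /home/site/public_html/index.php   <- this file, reachable by URL
//                  /home/site/includes/config.php     <- not reachable by URL
define('APP_ROOT', dirname(__DIR__));   // one directory above public_html
require APP_ROOT . '/includes/config.php';
```

Setting these in php.ini or the virtual host configuration is preferable where you control the server, since a fatal error before ini_set() runs would still be displayed; the in-code form is the fallback for shared hosting.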

I think the hardest thing about PHP and web application security in general is the range of scope for attack. Every input has to be validated, and in a big application this can be easily overlooked. Unfortunately, it only takes one error to bring your entire application down.
