Tuesday, 23 August 2016

security - making php web application secure



to protect my project from attacks (example: SQL injection) im using the below for query
parameter pages(*.php?query=value) :



$id=strip_tags($id);
$id=mysql_real_escape_string($id);
if(is_numeric($id) && strlen($id)<=3) //id are numbers maximum of 3 digits



  • Apart from this im using client(JavaScript) & server side(php) validations, strip_tags() to filter data as required.

  • Passwords are encrypted using bcrypt()

  • All messages are encrypted using mcrypt_ecb()

  • Pages can only be accessed when isset($_SESSION["id"]) ie logged in.

  • error_reporting(0);to hide errors.

  • $_POST instead of $_REQUEST

  • mysql_real_escape_string(); for every input



actually my project will be used by college and im tensed about the security because backtrack makes it easy to penetrate, so im trying hard to make it safe. (i know it's a vast question, but any kind of help will be very useful) but as a student i want to know what else im missing to make it safe ?


Answer



Firstly:



Avoid PHP's MySQL functions like a plague



Use PHP's MySQLi functions instead at the very, very minimum or PDO instead. MySQLi and especially PDO functions, are better security-wise. But, of the two, PDOs are the best deal as they offer you higher abstraction with prepared statements which greatly increases your defense against SQL injection attacks:




Most SQL statements in PHP applications use variable input to
determine the results of the SQL statement. To pass user-supplied
input to an SQL statement safely, prepare a statement using parameter
markers (?) or named variables representing the variable input. When
you execute the prepared statement, you bind input values to the
parameter markers. The database engine ensures that each input value
is treated as a single parameter, preventing SQL injection attacks
against your application. Compared to statements issued through
PDO::exec(), prepared statements offer a performance advantage because
the database management system creates an access plan for each
prepared statement that it can reuse if the statement is reissued
subsequently.




Also, avoid using some of the older depreciated PHP functions.



Next, generally, if you're using PHP or any language that creates dynamic requests, that implies user input on some level, and most oftentimes, a subsequent interaction with the database. Rule 1 of web programming: never, ever under under any circumstances trust user input. At all. Everything entered must be cleaned, validated to avoid security problems. You can do this natively with PHP, but honestly it takes a lot of work and a lot of attention to detail - which of course, expands your development time.



If this is not an academic exercise or one dealing with self-training - try to use a framework if you can - it potentially can save you many headaches later down the road as good frameworks can take care of some of the overhead of dealing with escapes, validation and the like. What that means is that if you go commando and write your own code with no framework: most, if not all of the functionality you'll be implementing would be done for you and chances are - done better in a framework.



Plus, they make PHP development easier, and occasionally, fun. Of course, not all frameworks are created equal, and all frameworks have security issues, too. But, this is something you will have to keep in mind and keep yourself informed at all times, religiously.



If this is an academic exercise, or a self-learning one, read this:



Reasons to NOT use a PHP Framework?



A lot of the top StackOverflow PHP posts and Programmers.StackExchange posts can help you with your journey.



Here's a few to start with:



(This one's more of an overview of what most of these links discuss)





Read up on security practices in your field. It's ever evolving.



If you're interested in frameworks, here are a few of the popular ones to pique your interest:





But, either way - good luck!


No comments:

Post a Comment

c++ - Does curly brackets matter for empty constructor?

Those brackets declare an empty, inline constructor. In that case, with them, the constructor does exist, it merely does nothing more than t...