Security Checklist for PHP application

(OP)
This is what I have in place:
(1) MySQL Database
(2) User must log in
(3) Ajax calls to validate all form submissions
(4) POST method
(5) Each time ajax call is made, $_SESSION is referenced to validate user
(6) JQuery is used as front end
(7) DB name, host, user and password is kept in a PHP script which is included as needed
(8) I am using a "procedural" approach to interact with Database
(9) I use mysqli
(10) Every DB query uses mysqli_real_escape_string()
(11) I use $_POST values in mysqli_real_escape_string()
(12) I escape every form input prior to sending data to PHP

CODE

var param = 'name=' + escape( $('#name').val() ); // escape() is deprecated in JavaScript; encodeURIComponent() is the modern equivalent
(13) PHP sends data back in JSON or plain text with a predetermined field separator which I then reference to "split" the returned data

CODE

var response = ajax_response.split('~'); // any returned field that itself contains '~' shifts every field after it
(14) Site where application is based, will use SSL
(15) Pending: incorporate use of strip_tags() in DB queries

What am I missing? Where am I exposed? How can I test and make sure I'm secured?

Thank you all for reading through this lengthy post and for your continuous help!


--
SouthBeach
http://www.fp2php.com
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.

RE: Security Checklist for PHP application

(9) Rather than mysqli, I would recommend PDO. Parameterized queries handle any escaping you might need, and are awesome. Another plus is if you decide to change databases, PDO can usually adapt (assuming the appropriate DB drivers/modules are installed on the server).

(10, 11) I would not use $_POST values directly as parameters to your queries; while good, mysqli_real_escape_string() should not be your only form of sanitization.

(11.A) Numbers should be validated as being numeric (I like to use ctype_digit for positive integers), emails as email addresses (regex), etc...

(13) Stick to JSON; you'll probably run into edge cases using a split method (if not now, in the future). JSON is pretty well established, and both PHP and JavaScript can handle it well.

For the extra security cautious:
(7) A special user should be created just for this website, with only the access it needs (SELECT, INSERT, UPDATE, and DELETE - nothing else). If you need your site to be able to create the database, more is OK, just remember to revoke permissions afterward.
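As an added example (not Borvik's or the OP's code), the following PHP handler puts points (9), (10, 11), (11.A), (13) and (7) above together in one Ajax endpoint: the session is re-checked, each $_POST value is validated before it goes anywhere near SQL, the query runs through a PDO prepared statement with bound parameters, and the response is JSON rather than a '~'-separated string. The table and column names (users, id, name, email), the config include path and the DSN/account names are assumptions for the demonstration.

```php
<?php
// Added example, not code from the thread. Table/column names, the include
// path and the DSN/account names are assumptions for the demonstration.
declare(strict_types=1);

session_start();
header('Content-Type: application/json');

// (5) Every Ajax entry point re-checks the session before touching the database.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'not logged in']);
    exit;
}

// (7) Credentials live in an included file, ideally outside the web root
// (path assumed). The account used here should have been created with only
// the rights the application needs, e.g.:
//   CREATE USER 'webapp'@'localhost' IDENTIFIED BY '...';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'localhost';
require __DIR__ . '/../config/db.php';   // assumed to define $dbHost, $dbName, $dbUser, $dbPass

// (9) PDO with real server-side prepared statements and exceptions on error.
$pdo = new PDO(
    "mysql:host={$dbHost};dbname={$dbName};charset=utf8mb4",
    $dbUser,
    $dbPass,
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

// (10, 11, 11.A) Validate first; $_POST values never become part of the SQL text.
// The pattern this replaces, "WHERE id = " . mysqli_real_escape_string($c, $_POST['id']),
// is not protected for an unquoted numeric column: escaping only deals with
// quote characters, so an input such as "1 OR 1=1" is passed through unchanged.
$errors = [];

$id = $_POST['id'] ?? '';
if (!is_string($id) || !ctype_digit($id) || strlen($id) > 10) {   // positive integer only
    $errors['id'] = 'must be a positive integer';
}

$email = trim((string) ($_POST['email'] ?? ''));
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    $errors['email'] = 'not a valid e-mail address';
}

$name = trim((string) ($_POST['name'] ?? ''));
if ($name === '' || mb_strlen($name) > 100) {
    $errors['name'] = 'required, at most 100 characters';
}

if ($errors) {
    http_response_code(422);
    echo json_encode(['ok' => false, 'errors' => $errors]);
    exit;
}

// Bound parameters travel separately from the SQL text, so no escaping is
// needed (or done) here, and the integer is typed as an integer.
$stmt = $pdo->prepare('UPDATE users SET name = :name, email = :email WHERE id = :id');
$stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
$stmt->bindValue(':name', $name, PDO::PARAM_STR);
$stmt->bindValue(':email', $email, PDO::PARAM_STR);
$stmt->execute();

// (13) JSON instead of a '~'-separated string: a name containing '~' can no
// longer shift the client-side fields, and jQuery reads the result directly
// with dataType: 'json' (or JSON.parse()).
echo json_encode(['ok' => true, 'updated' => $stmt->rowCount()]);
```

On the client, the matching change is to request with `dataType: 'json'` and read `response.ok` / `response.errors` instead of calling split('~') on the body; jQuery then rejects a malformed response rather than silently producing misaligned fields.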

RE: Security Checklist for PHP application

(OP)
Thanks Borvik!

It seems that I'm not doing all that bad!!!!

I am having issues with Edge ... where users cannot log on. Good to know that this is due to the split() method.



--
SouthBeach
http://www.fp2php.com
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.

RE: Security Checklist for PHP application

NP. I can't say for certain your login issues are related to the split() - but if you were able to confirm that, glad I was able to help.

RE: Security Checklist for PHP application

(OP)
It is the only browser that fails.

I do not have MSW 10 and so have not been able to test, but it has been reported.

--
SouthBeach
http://www.fp2php.com
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
