WebApp Sec mailing list archives
RE: Anyone have some basic security tips for PHP-programmers?
From: <arek () chelmnet pl>
Date: Mon, 17 Nov 2003 22:56:27 +0100
Good Night (here in Poland)
Good Morning (at least here in Nevada)
Anyone have any hints for good PHP practices (Looking for kind of a "This is one of the most common PHP security flaws" kind of thing)?
Firstly, the easiest way is to enable the following lines for every .php script, or in the master index.php:

    // For every GET/POST parameter: escape it in place, strip ';' and
    // create a same-named global variable holding the escaped value.
    foreach ($_GET as $k => $v) {
        $_GET[$k] = addslashes($_GET[$k]);
        $v = addslashes($v);
        $v = str_replace(';', '', $v);   // ereg_replace() in the original; removed in PHP 7
        eval(" \$$k = \"$v\" ;");
    }
    foreach ($_POST as $k => $v) {
        $_POST[$k] = addslashes($_POST[$k]);
        $v = addslashes($v);
        $v = str_replace(';', '', $v);
        eval(" \$$k = \"$v\" ;");
    }

This will probably totally protect you against SQL injections (but you can't use ';' or others in a 2-way DB simply).

The next good way is keeping track of opening user items on your site in that way: all functions (objects of your web) are initiated by one function, e.g.:

    function FUNCTION_INIT()
    {
        // $FUNCTION_INIT, $ARG1 and $ARG1_VAL are the request parameters
        // made global by the loop above.
        global $FUNCTION_INIT, $ARG1, $ARG1_VAL;
        if ($FUNCTION_INIT) {
            if (!($_SESSION['CURRENT_FUNCTION'] == $FUNCTION_INIT)) {
                // shift the history: LAST -> LAST1, CURRENT -> LAST
                $_SESSION['LAST1_FUNCTION'] = $_SESSION['LAST_FUNCTION'];
                $_SESSION['LAST_FUNCTION']  = $_SESSION['CURRENT_FUNCTION'];
            }
            $_SESSION['CURRENT_FUNCTION'] = $FUNCTION_INIT;
        }
        // call the function named in the request (POST takes precedence)
        if (!empty($_POST['FUNCTION_INIT'])) {
            $_POST['FUNCTION_INIT']($ARG1, $ARG1_VAL);
        } elseif ($FUNCTION_INIT) {
            $FUNCTION_INIT($ARG1, $ARG1_VAL);
        }
    }

which are executed by URL:

    ....php?FUNCTION_INIT=show_something&ARG1=ID&ARG1_VAL=132

The main concept of that is: I keep secured what function is accessible from what other function... You can then easily control access to the functions. I use session variables.

Remember to verify (when submitting) that the user has permissions to access the record he wants to update/delete. You must enable in the db_query function the same select, and verify that the user has clicked the URL on what he has seen in his web explorer, or he is hacking and typing another ID which he normally wouldn't see.

A.Binder
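An added example, not code from the original post: the same three ideas the post describes (keeping request input out of SQL, one dispatcher for user-selected functions, and checking that the record belongs to the user) written with PDO prepared statements, an explicit allow-list of callable actions and an ownership condition inside the query. The prepared statement replaces the addslashes() loop: a bound value never becomes part of the SQL text, so no escaping is needed, and the allow-list replaces calling a function whose name comes from the request, which is the point at which a dispatcher needs the most care. The table name, column names, `$_SESSION['user_id']` and the connection details are assumptions for the example.

```php
<?php
// Added example (not from the original post). Assumed: a "documents" table
// with columns id, owner_id, title; the logged-in user's id kept in
// $_SESSION['user_id']; PDO connection details below are placeholders.

declare(strict_types=1);

session_start();

// Allow-list of callable actions. Only names present here can be invoked,
// whatever the request carries in FUNCTION_INIT.
const ACTIONS = [
    'show_document'   => 'showDocument',
    'delete_document' => 'deleteDocument',
];

function currentUserId(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
    return (int) $_SESSION['user_id'];
}

// Record id from the request, validated as a positive integer rather than
// escaped as a string; anything else is rejected before it reaches SQL.
function recordIdFromRequest(): int
{
    $raw = $_POST['ARG1_VAL'] ?? $_GET['ARG1_VAL'] ?? null;
    $id  = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('bad record id');
    }
    return $id;
}

function showDocument(PDO $db, int $id): void
{
    // The id is bound, not interpolated. The owner_id condition is the
    // "same select" check from the post: a user who types another id gets
    // no row, exactly as if the record did not exist.
    $stmt = $db->prepare('SELECT id, title FROM documents WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => currentUserId()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        exit('no such document');
    }
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
}

function deleteDocument(PDO $db, int $id): void
{
    // State-changing actions only on POST, and the ownership condition is
    // part of the DELETE itself, so the permission check cannot be skipped.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    $stmt = $db->prepare('DELETE FROM documents WHERE id = :id AND owner_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => currentUserId()]);
    if ($stmt->rowCount() === 0) {
        http_response_code(404);
        exit('no such document');
    }
    echo 'deleted';
}

// Dispatcher: same URL shape as in the post
// (index.php?FUNCTION_INIT=show_document&ARG1_VAL=132), but the name is
// looked up in ACTIONS and never called directly as a variable function.
function dispatch(PDO $db): void
{
    $name = $_POST['FUNCTION_INIT'] ?? $_GET['FUNCTION_INIT'] ?? '';
    if (!is_string($name) || !isset(ACTIONS[$name])) {
        http_response_code(400);
        exit('unknown action');
    }
    // Same navigation history the post keeps in the session.
    $_SESSION['LAST_FUNCTION']    = $_SESSION['CURRENT_FUNCTION'] ?? null;
    $_SESSION['CURRENT_FUNCTION'] = $name;

    $handler = ACTIONS[$name];
    $handler($db, recordIdFromRequest());
}

// Placeholder DSN and credentials; real values belong in configuration.
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
dispatch($db);
```

With `ATTR_EMULATE_PREPARES` off the driver sends the statement and the parameters separately, so the ';' stripping and quote escaping from the post become unnecessary, and a title containing quotes or semicolons is stored and displayed unchanged.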
Current thread:
- Anyone have some basic security tips for PHP-programmers? Matthews, Chris (Nov 14)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 20)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 20)
- Re: Anyone have some basic security tips for PHP-programmers? James Mitchell (Nov 22)
- RE: Anyone have some basic security tips for PHP-programmers? arek (Nov 18)
- <Possible follow-ups>
- Re: Anyone have some basic security tips for PHP-programmers? DownBload (Nov 18)
- RE: Anyone have some basic security tips for PHP-programmers? Keifer, Trey (Nov 18)
- Re: Anyone have some basic security tips for PHP-programmers? tim (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)
- Re: Anyone have some basic security tips for PHP-programmers? Tommy Gildseth (Nov 23)
- Re: Anyone have some basic security tips for PHP-programmers? Härnhammar, Ulf (Nov 22)