Re: [PHP] Security: PHP: how to "harden" PHP scripts?
Justin French wrote:

> This list really does work best (ie best results for you) if you come to us
> with a specific problem, rather than something general.

I totally agree. Sorry to have asked such a wide question but in this case it is a bit of a chicken-or-the-egg situation.

To make your scripts secure you need to make sure they use no insecure programming practices. But how do you find out what insecure programming practices are? You only find out after someone exploits it.

If I knew that someone can use a PHP session to somehow run malicious scripts on my server then I would do a search on Google for "PHP session security advisory" or something like that and find out how to secure my scripts against this. But I'd have to know in the first place that such a security problem exists with sessions.

I guess what I am looking for is a kind of "best practices for security" list for PHP programming. Do's and Don'ts, or a list of common pitfalls and how to avoid them.

Can anyone point me to such a list or tutorial?

Jc

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Re: [PHP] Security: PHP: how to "harden" PHP scripts?
Chris Shiflett wrote:

> Jean-Christian Imbeault wrote:
>> In general how does one go about hardening a PHP script. i.e. making
>> it as "hacker-proof" as possible

There is no such thing as a 100% secure solution (this applies to everything running on a computer, PHP included). But basically you can make it pretty secure.

Then again, quite a lot depends on what you are going to write. Govt/Banks need much more defense than a small/midsized commercial site (and are able to pay for it). You can basically be happy with some care in your development, just make sure your customers do understand the amount of time this is going to take and are ready to pay for it. Then let them decide themselves, but if you see they choose a risky path in order to save budget money do write them a formal letter, in which you acknowledge the problem. Many customers do not think they need security until it's too late, then they get mad at you because they did not want to buy the extra time for secure coding. So make sure everyone knows what their responsibilities are and make sure this is stated on paper.

> 1. Never, ever trust data from the client

That's it. If you leave register_globals off you will be sure you get only what you need to get. Then, of course, you shall control data content. As I am sure you know yourself most of the trouble will come from incorrect data input. You might actually write client-side javascript controls to avoid incorrect input and then think that your data are clean. This is where most of the problems come from (as Chris points out, it's not difficult to post a form to your script after writing it at home, or just do a plain command line call with altered parameters from a user browser, I see that stuff on our customers' logs quite often).

So, no matter what you checked on the client, check it again on the server (even if you are not paranoid, some users may just have disabled their javascript, right?)

> Basically, if you code very carefully and deliberately, you will create
> a very secure application. Many people focus only on securing the
> environment, but writing secure code is often much more important.

Words of wisdom! And actually about 75% of the code you write is dedicated to this very job, if you really want to get a stable application.

Alberto
Kiev

--
@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@-_=}{=_-@
LoRd, CaN yOu HeAr Me, LiKe I'm HeArInG yOu?
lOrD i'M sHiNiNg...
YoU kNoW I AlMoSt LoSt My MiNd, BuT nOw I'm HoMe AnD fReE
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is
tHe TeSt, YeS iT iS
ThE tEsT, yEs It Is...

Re: [PHP] Security: PHP: how to "harden" PHP scripts?
Jean-Christian Imbeault wrote:

> I'm writing my first commercial site and of course I am thinking about
> security. I'm worried about someone using a flaw in my PHP script
> logic to access information they shouldn't.
>
> I've read the PHP books I have and Googled around but can't quite find
> specific answers to my questions about PHP and security.
>
> In general how does one go about hardening a PHP script. i.e. making
> it as "hacker-proof" as possible

I'm sure you'll get a lot of responses to this including various opinions, so this will be short and a bit vague.

The most important thing you can do as a developer is:

1. Never, ever trust data from the client

That is the main thing you should focus on. There are many different methods of "cleaning" or "filtering" data from the client, and all of these have these key characteristics:

1. They make sure the data contains acceptable characters (rather than attempting to make sure it does *not* contain unacceptable characters - very important distinction).
2. They employ a strict naming convention that clearly identifies which data has/has not been filtered. For example, assign $clean_blah=$blah when you have found $blah to be acceptable. In order for this to be useful, you should never accept any data from the client that has a name beginning with "clean_", and you should only use the clean variables in queries or logical statements that affect access or any other critical function.

Along these lines, you should never make any assumptions in your scripts. For example, if you have a variable that can only have three possible values, don't do [if, elseif, else], rather do [if, elseif, elseif]. Also, make sure you initialize all variables you are depending on. In adhering to the golden rule mentioned above (Never, ever trust data from the client), you need to make sure you don't accidentally accept data from the client and think it is something that you set. People might try to include rogue variables in the URL, post their own forms to various URLs in your application, etc.

Basically, if you code very carefully and deliberately, you will create a very secure application. Many people focus only on securing the environment, but writing secure code is often much more important.

Hope that helps give you some ideas.

Chris

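The filtering rules from the message above (accept only known-good characters, keep filtered data under a clearly separate name, and use if/elseif/elseif for a variable with three possible values), as an added example that is not part of the original thread. It uses a $clean array in place of $clean_-prefixed variables; the field names, patterns and sample requests are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. Field names, the username
// pattern and the sample requests are constructed for illustration.

/**
 * Allow-list filter: returns only the fields that matched a known-good
 * rule. A missing or malformed field is simply absent from the result.
 */
function filter_request(array $input): array
{
    $clean = [];   // initialised here; nothing the client sends can pre-fill it

    // Username: 3-16 characters from an explicit set of acceptable ones.
    if (isset($input['username']) && is_string($input['username'])
        && preg_match('/\A[A-Za-z0-9_]{3,16}\z/', $input['username']) === 1) {
        $clean['username'] = $input['username'];
    }

    // Shipping has exactly three legal values. Each branch names its value;
    // there is no trailing else that would silently accept anything else.
    $shipping = $input['shipping'] ?? null;
    if ($shipping === 'standard') {
        $clean['shipping'] = 'standard';
    } elseif ($shipping === 'express') {
        $clean['shipping'] = 'express';
    } elseif ($shipping === 'pickup') {
        $clean['shipping'] = 'pickup';
    }

    return $clean;
}

// Constructed requests: the first is well-formed; the second carries
// unacceptable characters, an unknown value and a rogue "clean_" parameter.
$good = ['username' => 'jc_imbeault', 'shipping' => 'express'];
$bad  = ['username' => 'bob smith!', 'shipping' => 'free',
         'clean_shipping' => 'pickup'];

foreach ([$good, $bad] as $request) {
    $clean = filter_request($request);
    // Queries and access decisions read $clean only, never $request.
    $complete = isset($clean['username'], $clean['shipping']);
    echo $complete ? "accepted: " . implode(', ', $clean) . "\n"
                   : "rejected: required fields missing or malformed\n";
}
```
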
Re: [PHP] Security: PHP: how to "harden" PHP scripts?
on 03/07/02 11:36 PM, Jean-Christian Imbeault ([EMAIL PROTECTED]) wrote:

> In general how does one go about hardening a PHP script. i.e. making it
> as "hacker-proof" as possible. General things like:

I think the general answer is "you can't", but you can make it more secure.

> - verifying user inputted data

"verify user inputted data" means nothing... you should take a specific example, like "make sure a text box is less than 500 words, contains only & tags, and starts with a capital letter", and then let us help you solve it.

Obviously verifying a date is different to a password, verifying that a certain select box was selected is different from making sure that their phone number contains only numbers, etc etc.

The string functions will do most of this for you with very little effort. empty(), isset(), strlen(), is_int(), is_str(), strip_tags(), ereg() & eregi() and many others will all help, but you need to approach them one at a time. You should also be concerned about character sets.

If you wanna get anal about it, you should be using register_globals OFF in your php.ini file, and should be treating any $_GET var as unsafe, and same with all other such variables (cookies, sessions, post, etc).

> - not putting clear-text passwords in php scripts

A thread started in here about two weeks back with the subject "Keeping "Secrets" in PHP Files"... you should read that end-to-end... HEAPS of information.

> - use "safe-mode"?

I have no idea about safe mode.

This list really does work best (ie best results for you) if you come to us with a specific problem, rather than something general.

Justin French

[PHP] Security: PHP: how to "harden" PHP scripts?
I'm writing my first commercial site and of course I am thinking about security. I'm worried about someone using a flaw in my PHP script logic to access information they shouldn't.

I've read the PHP books I have and Googled around but can't quite find specific answers to my questions about PHP and security.

In general how does one go about hardening a PHP script. i.e. making it as "hacker-proof" as possible. General things like:

- verifying user inputted data
- not putting clear-text passwords in php scripts
- use "safe-mode"?

And specifically, what are some things one can do? Things like:

- use addslashes with user data
- use mysql_escape_string for data submitted to mysql

Thanks,

Jc