tags:

views:

174

answers:

3

Hello,

I have a small AJAX application, written in PHP, that I did not secure from the start. I would like some recommendations on how to now secure the app, things to implement and check for. I have not found any exhaustive guides on Google, and hope that some can be recommended.

It is a small application that connects to and displays records from a mysql database. It is not using any external libraries.

I am unsure about how to protect against passed-in variables, such as:

if (isset($_GET["cmd"]))
  $cmd = $_GET["cmd"];

Should I simply declare $cmd to something before checking isset?

A: 

You're looking for the ultimate security manual? Send me a copy when you find it!

The short checklist:

  • SQL vulnerabilities?
  • Validate your $_GET and $_POST inputs, and remove anything funny
  • Lose the get_magic_quotes_gpc() (or whatever it's called)

And of course everything your sys-admin is supposed to do:

  • latest version of PHP
  • up to date version of MySQL

I'm not sure having no external components makes you more secure automatically. I use ADODB for PHP, to handle all my SQL stuff. I know it checks for vulnerabilities, so I do not have to do it.

Gerrit
+2  A: 

If you are talking about securing the app (as opposed to the server/environment it is on - which I am not really qualified to address) then I would consider the following:

  1. Ensure any user inputs are parsed/cleaned to ensure they can't do things such as SQL injection attacks. This includes any ajax requests where the user input can be stored on the query string. In fact anything passed into the app from the query string should be validated/cleaned in this manner.
  2. Do you use any passwords? If so use SSL to stop any packet sniffing. And hash your passwords in your database with a salt.
  3. A quick Google dug up this which looks pretty good: http://www.securityfocus.com/infocus/1706
  4. Some tips on securing user input http://www.dagondesign.com/articles/writing-secure-php-scripts-part-1/
DanSingerman
+1  A: 

The most important rule when handling user input is: Validate input, escape output.

Gumbo
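An added example, not code from any of the posts above, that ties together the question's $cmd snippet, Gerrit's checklist and Gumbo's "validate input, escape output" rule: the command name gets a safe default and is checked against a whitelist, the MySQL query runs through a PDO prepared statement, and the AJAX response is escaped on output. The table and column names, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example (not from the posts above): whitelist the "cmd" parameter,
// use a prepared statement for MySQL, and escape the result on output.
declare(strict_types=1);

// Allowed commands mapped to the only query each may run. Anything not in
// this table is rejected before the database is touched. Table/column names
// are assumed placeholders.
const COMMANDS = [
    'list'   => 'SELECT id, name FROM records ORDER BY id LIMIT 50',
    'single' => 'SELECT id, name FROM records WHERE id = :id',
];

// Give $cmd a safe default instead of leaving it undefined when "cmd" is absent.
$cmd = (isset($_GET['cmd']) && is_string($_GET['cmd'])) ? $_GET['cmd'] : 'list';
if (!array_key_exists($cmd, COMMANDS)) {
    http_response_code(400);
    exit('Unknown command');
}

// Validate "id" as a positive integer: null when missing, false when invalid.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($cmd === 'single' && ($id === null || $id === false)) {
    http_response_code(400);
    exit('Missing or invalid id');
}

// Real prepared statements (emulation off) keep data out of the SQL text,
// so no quoting or magic_quotes handling is needed. DSN/credentials assumed.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);
$stmt = $pdo->prepare(COMMANDS[$cmd]);
$stmt->execute($cmd === 'single' ? [':id' => $id] : []);
$rows = $stmt->fetchAll();

// Escape output: declare the content type so the browser does not sniff it,
// and hex-encode <, >, &, ' and " so the JSON stays inert even if the
// client-side code later drops it into an HTML context.
header('Content-Type: application/json; charset=utf-8');
header('X-Content-Type-Options: nosniff');
echo json_encode(
    $rows,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
);
```

The same pattern (default, whitelist, typed filter, bound parameter) applies to every value read from $_GET or $_POST, not just cmd.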