views: 67
answers: 2
I want to make a new PHP web application. If I follow the following things, is my site then safe?

  • Escape user input ($_GET && $_POST) with addslashes
  • Make prepared statements with PDO
  • Check user input for the right type (e.g. int or string)
+6  A: 

Security is not something that can be bolted on - it's a constant process of improvement.

  • Using addslashes will not help you - you need to be escaping the output with htmlentities.
  • Using prepared statements with PDO is good.
  • Checking the user input for type is not enough - you need to check it way better. If you expect an email address, check for it; don't assume that if you've got a string it's fine.

There are many more things to consider for security like XSS, CSRF...

If you can, get the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. It's full of useful advice.

And, I'll say it again - security is not a feature - it's a measurement. There is no 100% secure application (or anything, actually). The assumption of security is to make breaking it more expensive than what's behind it - if your site is dealing with money - you need more security - if you are dealing with gift cards - you might get away even without doing the things you suggested (which would be a very bad idea, but still).

Emil Ivanov
Hmm... 29% accept rate, plus the fact that I told you that you need more work and there is no hard-and-fast solution - maybe I should have used the time to write this post for something else... Just a thought...
Emil Ivanov
Posting links to free information is more helpful. This is a fairly generic question.
Rook
@Emil Ivanov Why use bitly for your link. It makes it impossible to tell where the link is going to send me.
chollida
Oh, I see. It was so you could put your own link code into the bit.ly link. sneaky:)
chollida
@chollida: hehe, got me :)
Emil Ivanov
+1  A: 

Unfortunately there is a lot that can go wrong with web application security. I recommend reading the OWASP Top 10. Also, make sure to read #5 XSRF.

"Escaping" input doesn't say very much. Data can be used in many different insecure ways. For instance, the best way to prevent XSS for PHP is:

htmlspecialchars($_GET['var'],ENT_QUOTES);

A good way to prevent SQL injection for MySQL is:

mysql_query("select * from mysql.user where id='".mysql_real_escape_string($id)."'");

Make sure you put the quote marks around all variables, or the query will be vulnerable to SQL injection. But a more bulletproof approach is using parametrized queries (adodb, pdo...). But XSS and SQL injection are only the tip of the iceberg; a whole lot more can go wrong with PHP. I recommend reading the FREE paper A Study in Scarlet for specifically PHP security pitfalls.

Rook
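As an added example (not code from either answer above), here are the question's three bullet points done the way both answers recommend: validate input by meaning with filter_var rather than by type, run the query through a PDO prepared statement instead of addslashes, and escape on output with htmlspecialchars(..., ENT_QUOTES). The DSN, credentials, and the users table with its columns are assumed placeholders.

```php
<?php
// Added example, not from either answer. DSN, credentials and the
// `users` table (id, display_name, email) are assumed placeholders.
declare(strict_types=1);

// 1. Validate by meaning, not by type: "it is a string" is not enough
//    for an email address, so let filter_var decide.
function validateEmail(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    $email = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// 2. Parameterised query: the value never becomes part of the SQL text,
//    so neither addslashes nor mysql_real_escape_string is needed.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, display_name FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. Escape on output, for the HTML context the data lands in. ENT_QUOTES
//    also converts single quotes, which matters inside attributes.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$email = validateEmail($_GET['email'] ?? null);
if ($email === null) {
    http_response_code(400);
    exit('Invalid email address.');
}

$user = findUserByEmail($db, $email);
if ($user === null) {
    echo 'No user with address ' . h($email);
} else {
    // Unescaped display_name in a text node or attribute would be an XSS sink.
    echo '<p data-id="' . h((string) $user['id']) . '">Hello, ' . h($user['display_name']) . '</p>';
}
```

Note that escaping happens once, at output, for the HTML context; data stored in the database stays unescaped, which is why addslashes on input gains nothing.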