  • #1
    Super Moderator JohnDubya
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts

    Best Practices - PHP Security

    So I want to know some good, simple ways to protect my sites and the users of my sites. I have learned to use mysql_real_escape_string when putting anything into the database. With my username/passwords, I use sha1() hashes to store the passwords. Etc. etc. But I'm wondering if there are common security things that should always be done on a site that interacts with users. When I log my users in, I store the username and user_id in $_SESSION variables. Is that safe? I've heard about checking the session id as well. Is that completely necessary?

    Please address concerns like these. Ready...set...GO!

  • #2
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    I keep register globals off and use all superglobals such as $_POST, $_GET, $_REQUEST.

    Also when I do user authentication, I save their session info to the database in the user table for their id. I save their username and id in the session but not the password. Then every page requiring auth, I bump the id, username and session id to the table.

    Some apps I have created I also bump the IP address in the table too for more security. I also bump the browser/build as well. But the IP always sux due to proxies/AOL and what not.

  • #3
    Super Moderator JohnDubya
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    Quote Originally Posted by iLLin View Post
    Also when I do user authentication, I save their session info to the database in the user table for their id. I save their username and id in the session but not the password. Then every page requiring auth, I bump the id, username and session id to the table.
    How exactly do you save the session info in the DB? Do you have a column specifically for this info, or what?

  • #4
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Yes, when the session is started I verify user/pass then update with IP (some apps) and session_id, both have their own columns in the db.

    username, password, session, ip ...etc

    Then I bump it all up every page, if the ip changes, $this->error = "Ip has changed session have been destroyed, please relogin"... or w/e. If the session has expired (timed out), $this->error = "Session has expired, please relogin"; return false....

    You get the idea

    But that's just user auth I do. What do other people do, and what about form injections? I escape all my strings too, but what other things should we be conscious of?

  • #5
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    I have learned to use mysql_real_escape_string when putting anything into the database.
    What do other people do, and what about form injections? I escape all my strings too, but what other things should we be conscious of?
    Prepared statements will prevent a lot (if not all) SQL injections.

    Then I bump it all up every page
    Not for security, but I generally avoid as much DB interaction as I can. Especially writing. If you update the session ID every time a page loads, your DB is constantly updating records and could reduce stability. I'd store the initial IP that started the session in $_SESSION, and then compare on each request with the current remote address. Then if it is different do your usual thing.
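The prepared-statement approach aedrin recommends, as an added example that is not code from anyone in this thread. It assumes a PDO connection to a MySQL database with a `users` table holding `id`, `username` and `password_hash` columns (all of these names are assumed), and it shows the one place prepared statements do not help: a column name used in `ORDER BY`, which has to be checked against a whitelist instead.

```php
<?php
// Added example: the same lookups done with prepared statements instead of
// mysql_real_escape_string. The SQL text and the data travel separately, so
// the contents of $username can never change the structure of the query.
// Table/column names and connection details below are assumed.

function connect(): PDO {
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,   // let MySQL bind the values itself
    ]);
}

// Look up one user by name; returns null when there is no such user.
function findUser(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Insert a user; the same placeholder mechanism covers writes.
function createUser(PDO $pdo, string $username, string $passwordHash): int {
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:username, :hash)');
    $stmt->execute([':username' => $username, ':hash' => $passwordHash]);
    return (int) $pdo->lastInsertId();
}

// Placeholders only stand in for values, never for identifiers. A sort column
// chosen by the user must therefore be matched against a fixed list.
function listUsers(PDO $pdo, string $sortBy): array {
    $allowed = ['id', 'username'];                       // assumed whitelist
    if (!in_array($sortBy, $allowed, true)) {
        $sortBy = 'id';
    }
    $stmt = $pdo->query("SELECT id, username FROM users ORDER BY $sortBy");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage on a login page: the raw form value goes straight to the bound parameter.
$pdo  = connect();
$user = findUser($pdo, $_POST['username'] ?? '');
```

Turning off `PDO::ATTR_EMULATE_PREPARES` makes the driver send the statement and the parameters to the server as two separate messages; with emulation left on, PDO quotes the values client-side, which is still safe as long as the connection charset is set in the DSN as above.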

  • #6
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    Quote Originally Posted by aedrin View Post
    Not for security, but I generally avoid as much DB interaction as I can. Especially writing. If you update the session ID every time a page loads, your DB is constantly updating records and could reduce stability. I'd store the initial IP that started the session in $_SESSION, and then compare on each request with the current remote address. Then if it is different do your usual thing.
    Yea, that's what I meant by bumping it. I don't update. Only on initial login. Then I just bump the info to the info at present and make sure it's the same; if not, I error out. I guess I wasn't clear enough.

  • #7
    Super Moderator JohnDubya
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    But what's the harm in using sessions? Aren't sessions easier to work with than doing queries to check the information constantly? Anyone have a link or post that really helps to understand how to check session ID's?

  • #8
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    That's what I'm using: sessions. It all depends on your flavor I guess. Some apps I have, the only thing I store in the session is the user_id. Then basically when I verify that id, I select * by that ID in my class and put all their info in a class variable. Then I can access all their information by that variable anytime I want.

    Other apps, I cache the user's information and just pull the cache file. That app is constantly requiring account info for comments, forum posts, blogs... etc., so instead of cramming my queries with all these joins, I use caching.

    But that's getting away from the topic at hand about good security practices.

  • #9
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    I guess I wasn't clear enough
    I misunderstood the bumping. I thought you meant updating the table.

    But what's the harm in using sessions? Aren't sessions easier to work with than doing queries to check the information constantly?
    Sessions are fine to use. You just have to remember - and check for - that someone could in theory steal someone's session. Which is why you'd check the IP. Since in most cases the IP won't change during a session.
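The session check described by iLLin (posts #2, #4 and #6) and aedrin (posts #5 and #9), written out as an added example that is not code from either of them. It keeps the comparison entirely in `$_SESSION`, so nothing is written to the database per request, and it adds two things the thread only touches on: the session ID is regenerated at login so an ID handed out before authentication cannot be reused, and PHP is told to accept session IDs from cookies only, which closes the "Session ID parameter" path aedrin mentions. The `$_SESSION` key names and the idle timeout are assumptions.

```php
<?php
// Added example: bind a PHP session to the client that started it and
// re-check the binding on every protected page. Key names and the timeout
// value are assumed; the browser fingerprint is just a hash of the User-Agent.

const SESSION_IDLE_LIMIT = 1800;   // seconds of inactivity before re-login (assumed)

function startSecureSession(): void {
    ini_set('session.use_only_cookies', '1');   // ignore ?PHPSESSID=... in URLs
    ini_set('session.use_strict_mode', '1');    // reject IDs the server never issued
    session_set_cookie_params([
        'httponly' => true,                      // script cannot read the cookie
        'secure'   => isset($_SERVER['HTTPS']),  // only over TLS when available
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Call once the username/password have been verified.
function loginUser(int $userId, string $username): void {
    session_regenerate_id(true);                 // fresh ID, old one discarded
    $_SESSION['user_id']       = $userId;
    $_SESSION['username']      = $username;
    $_SESSION['ip']            = $_SERVER['REMOTE_ADDR'];
    $_SESSION['ua_hash']       = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    $_SESSION['last_activity'] = time();
}

// Call at the top of every page that requires auth. Returns an error message
// (after destroying the session) or null when the session is acceptable.
function checkSession(): ?string {
    if (empty($_SESSION['user_id'])) {
        return 'Not logged in';
    }
    if (time() - $_SESSION['last_activity'] > SESSION_IDLE_LIMIT) {
        destroySession();
        return 'Session has expired, please relogin';
    }
    if ($_SESSION['ip'] !== $_SERVER['REMOTE_ADDR']) {
        destroySession();
        return 'IP has changed, session has been destroyed, please relogin';
    }
    $uaNow = hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
    if (!hash_equals($_SESSION['ua_hash'], $uaNow)) {
        destroySession();
        return 'Browser has changed, please relogin';
    }
    $_SESSION['last_activity'] = time();        // slide the idle window
    return null;
}

function destroySession(): void {
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {        // expire the cookie client-side too
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage on a protected page:
startSecureSession();
if (($error = checkSession()) !== null) {
    header('Location: /login.php?error=' . urlencode($error));
    exit;
}
echo 'Welcome back, ' . htmlspecialchars($_SESSION['username']);
```

The IP comparison carries the trade-off iLLin already noted: users behind rotating proxies get logged out, so some sites drop that check and rely on the cookie flags, the idle timeout and the regenerated ID instead. The array form of `session_set_cookie_params` needs PHP 7.3 or later.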

  • #10
    Regular Coder
    Join Date
    Jan 2007
    Posts
    217
    Thanks
    9
    Thanked 0 Times in 0 Posts
    How can someone steal someone's session?

  • #11
    Super Moderator JohnDubya
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    Are you trying to become a l33t h@x0r, or are you just wondering? lol

  • #12
    Senior Coder
    Join Date
    Jan 2007
    Posts
    1,648
    Thanks
    1
    Thanked 58 Times in 54 Posts
    If I manage to get a hold of your cookie (or Session ID parameter if you don't use cookies), I can set them on my machine and the website will appear as though I'm you.

  • #13
    Regular Coder
    Join Date
    Jan 2007
    Posts
    217
    Thanks
    9
    Thanked 0 Times in 0 Posts
    Yea, so it is like using a CG but instead you take the users session id...hmm. I didn't really know CG's or session stealers could be prevented, only that you can prevent the people from posting them into your site.

  • #14
    Regular Coder
    Join Date
    Oct 2005
    Location
    Right Here
    Posts
    654
    Thanks
    1
    Thanked 0 Times in 0 Posts
    So as long as all the strings from my forms are escaped, then the code should be pretty secure? Are there other methods to employ? Or other parts of websites that can cause it to be unsecured?

  • #15
    Super Moderator JohnDubya
    Join Date
    Nov 2006
    Location
    Missouri
    Posts
    634
    Thanks
    12
    Thanked 18 Times in 18 Posts
    Yes, escaping strings makes your forms 99% secure. Of course, I'm sure there are always ways around stuff like this, but it would only be by really experienced hackers (and the chances of having one of them visit your site are next to none).

    Yes, there are also other methods to use. One method I've started using is building functions that check different types of input. I use the built-in ctype_ functions to do this. For instance, if the user enters a username and password, I use ctype_alnum to make sure that the input is only alphanumeric characters; otherwise, it gives an error and doesn't proceed through the rest of the code. Also, for, let's say, how many days someone stayed somewhere, I would check the input with ctype_digit, so the input is only numbers. Then for a dollar amount, I would check it with is_numeric (to allow the user to input a period as well). That is also just as safe as escaping because nothing else can go in the string except what is allowed through those ctype_ and is_numeric functions.
    Last edited by JohnDubya; 04-05-2007 at 06:21 PM.
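The `ctype_` and `is_numeric` checks JohnDubya describes, gathered into one form validator as an added example (not his code). Field names and the length and range limits are assumed; the example also shows an edge of `is_numeric` worth knowing about: it accepts exponent notation such as `1e3`, so a dollar amount gets an extra shape check before it is accepted.

```php
<?php
// Added example: validate each form field against the shape it is allowed to
// have, rejecting the whole submission on any mismatch. Field names, length
// limits and the 365-day cap are assumed.

// Returns an array of field => error message; an empty array means all fields passed.
function validateForm(array $input): array {
    $errors = [];
    // Only plain strings are examined; an array smuggled in as field[]=... fails.
    $str = fn(string $key): string => is_string($input[$key] ?? null) ? $input[$key] : '';

    // Username: letters and digits only. ctype_alnum('') is false, so empty fails too.
    $username = $str('username');
    if (!ctype_alnum($username) || strlen($username) < 3 || strlen($username) > 32) {
        $errors['username'] = 'Username must be 3 to 32 letters or digits';
    }

    // Days stayed: ctype_digit accepts only 0-9, so "-1", "1.5" and "" are rejected.
    $days = $str('days');
    if (!ctype_digit($days) || (int) $days > 365) {
        $errors['days'] = 'Days must be a whole number no greater than 365';
    }

    // Dollar amount: is_numeric allows the decimal point, but also "1e3" and " 5",
    // so the value is additionally pinned to a dollars-and-cents pattern.
    $amount = $str('amount');
    if (!is_numeric($amount) || !preg_match('/^\d{1,9}(\.\d{1,2})?$/', $amount)) {
        $errors['amount'] = 'Amount must look like 12.34';
    }

    return $errors;
}

// Constructed sample submissions (not real form data).
$good = ['username' => 'john99',         'days' => '12',  'amount' => '19.99'];
$bad  = ['username' => "john' OR 1=1--", 'days' => '1.5', 'amount' => '1e3'];

var_dump(validateForm($good));   // empty array: every field accepted
var_dump(validateForm($bad));    // three entries: username, days, amount

// Typical use on a form handler:
$errors = validateForm($_POST);
if ($errors !== []) {
    foreach ($errors as $field => $message) {
        echo htmlspecialchars("$field: $message"), "<br>";
    }
    exit;
}
```

Once a value has passed a check like this it still goes into the query through a bound parameter and onto the page through `htmlspecialchars`; the validator narrows what is accepted, it does not replace the escaping at the point of use.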

