You know what really grinds my gears? Reading “PHP Security” articles on the internet and discovering nothing but crap in them. I keep seeing people attempting to work around register_globals, or using regular expressions to attempt to filter data that they should merely be escaping.
The only good source I’ve seen is Chris Shiflett, and this is probably going to be the same as what he says:
- Disable
register_globals - Disable all
magic_quotes(or include astripslashes()in your input filtering process) - Filter all input (regexes are ok for this) to bring it into a “pure” state
- Escape all output that can be traced back to user input, so malicious input cannot alter the syntactical structure of the output
- SQL querys are output
- HTML is output
- Shell execution is output
- Use SafeHTML if you really need to allow HTML syntax… but realize that you’re still not guaranteed to be safe and design your application to be minimally dangerous when compromised
- Enable
error_reporting(E_ALL)(E_STRICTtoo, if you’re using PHP5 exclusively) - Log errors internally instead of printing them for production servers
- Define all variables before use
- Don’t store sensitive information or logic client-side
- Cookies can be hijacked
- Javascript validation must be considered optional, and supported by server-side validation.
- Be aware of character encodingsĀ
htmlentities()et al are encoding-aware and can become XSS vulnerabilities- Most database software is encoding-aware, and
addslashes()can become a SQL injection vulnerability
The one thing I was looking for was session-ID protection, to minimize the damage possible if a malicious user does manage to grab cookies using a XSS exploit.
2 comments
Comments feed for this article
February 7, 2007 at 10:13 pm
kokorozashi
Most of the comments on the SafeHTML page are in a language (Russian?) which I don’t read, but one of them mentioned I thought I had almost immediately seeing the name of the package: how is this safer than strip_tags? I’m sure SafeHTML is more flexible, and more this, and more that, but let’s stick to security.
March 10, 2007 at 8:15 am
tombarta
@kokorozashi
Sorry I’ve taken so long to respond, hopefully you’ll see this at some point.
You’re right, SafeHTML is less secure than something like strip_tags, simply because SafeHTML allows HTML entities to be included in the output and strip_tags doesn’t. However, I did specify that SafeHTML is to be used **when HTML output is required**. If you have a content-management system where your users expect some sort of formatting, you have to either use a wiki/bb syntax or a subset of HTML… and in cases like these, it may be unacceptable to say “plain text only, please.”
I personally think using standardized wiki syntax is the way to go, but when you get down to it there still are plenty of things I’ve seen wikis unable to do. SafeHTML provides you with security in the presence of HTML-formatting requirements.