Solved

PHP Security issues

Posted on 2010-11-30
Last Modified: 2012-05-10
Hello all,

I'm new to PHP, but I have a web scripting background. I am coding a website which will fit my needs. Needless to say, the security subject worries me the most.

I have a programmer who has been dealing with our websites for some years, but I would like to do it myself again. Until now, everything has been going smoothly. Our website got hacked before, which is why it makes me more nervous.

We had poison null byte attacks, session stealing, adding <script> to our database, etc. How do I protect our websites from such hack attempts?

Thank you for your help in advance.
0
Question by:pixalax
LVL 109

Expert Comment

by:Ray Paseur
ID: 34239628
Start your study here:
http://php.net/manual/en/security.php

And learn about PHPSEC.
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 34239669
If you've experienced session stealing and script insertion, you might want to change hosting services (at once)!  I use and recommend ChiHost.com.  They have great support and are very security conscious.

The overall philosophy for handling any external input is "accept only known good values."  In practice, this means testing everything that comes from outside your script, and only using it if it is good.  That is the opposite of trying to exclude bad values.  Nothing wrong with excluding bad values, but that is not enough.  If you expect an integer, test for it.  If you expect that the input data will be text, and not HTML, use strip_tags().  Learn about mysql_real_escape_string() and use it before you put information into your database.  Learn about htmlentities() and use it before you echo data to the browser.  Things like that will overcome a great many issues.
0
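The three steps in that advice (test the input, escape before storing, encode before echoing) as one runnable script. This is an added example, not code from the thread; it swaps in a PDO prepared statement for mysql_real_escape_string(), which was removed in PHP 7, and assumes PHP 5.4 or later with the PDO sqlite driver. The table and rows are constructed here so it runs offline.

```php
<?php
// Added example: "accept only known good values" applied to a page that takes an id
// from the query string, fetches a row, and echoes it back.
// Assumption: PHP >= 5.4 with the PDO sqlite driver.

// 1. Validate. An id must be a positive integer; filter_var rejects "12abc", "1e3", "" etc.
function validate_id($raw)
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    return ($id === false) ? null : $id;
}

// 2. Query with a prepared statement instead of string escaping, so the value is
//    sent separately from the SQL and can never be interpreted as SQL.
function find_article(PDO $db, $id)
{
    $stmt = $db->prepare('SELECT title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// 3. Encode on output, for the context the value lands in (here: HTML text).
function e($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Constructed sample data: an in-memory database with a plain row and a row that
// contains markup, to show that encoding on output neutralises whatever is stored.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$ins = $db->prepare('INSERT INTO articles (id, title, body) VALUES (?, ?, ?)');
$ins->execute(array(1, 'Hello', 'Plain text body'));
$ins->execute(array(2, 'Markup', '<b>bold</b> & "quotes"'));

// Constructed inputs standing in for $_GET['id'] values.
foreach (array('1', '2', '2 OR 1=1', '-5', '') as $raw) {
    $id = validate_id($raw);
    if ($id === null) {
        echo 'Rejected input: ' . e($raw) . "\n";
        continue;
    }
    $row = find_article($db, $id);
    if ($row === null) {
        echo "No article with id $id\n";
        continue;
    }
    echo '<h1>' . e($row['title']) . "</h1>\n<p>" . e($row['body']) . "</p>\n";
}
```

Only the first two inputs reach the database; the rest fail validation before any query is built, and the markup stored in row 2 is echoed as text, not as tags.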
 
LVL 2

Author Comment

by:pixalax
ID: 34239868
Thank you for the info.
Well, currently I am using the following functions for security:

For integers:
// CHECK IF VARIABLE IS INTEGER / NUMBER
# IF SWITCH = 1, IT WILL CHECK IF IT IS INTEGER AND IF NOT ECHO ERROR.
function check_id($id, $switch = 0) {

    if ($switch == 1) {
        $id = $this->clean($id, 1);

        if (!isset($id) || !is_numeric($id)) {
            echo "<div class=\"error\">Data (<strong>{$id}</strong>) is not a number.</div>";
            exit;
        }

    } else {

        if (isset($id)) {
            $id = $this->clean($id, 1);

            if (!is_int($id)) {
                settype($id, "integer");
            }
        } else {
            unset($id);
        }
    }

    return $id;
}


For strings (for editors such as CKEditor, I have no idea what to add for security):
// CHECK IF VARIABLE IS STRING.
# IF SWITCH = 1, IT WILL PREPARE THE STRING FOR EDITOR (ALLOWING HTML).
function check_string($string, $switch = 0) {
    if (isset($string)) {
        if ($switch == 0) {
            $string = $this->clean($string);

            if (!is_string($string)) {
                settype($string, "string");
            }
        } else {
            $string = trim($string);
            $string = stripslashes($string);
        }
    } else {
        unset($string);
    }

    return $string;
}


My cleaning function:
// CLEAN THE VARIABLE
# IF SWITCH = 1, IT WILL SET $veri AS INTEGER ELSE STRING.
function clean($veri, $int = 0) {
    if (!get_magic_quotes_gpc()) {
        $veri = addslashes($veri);
    }
    $veri = mysql_real_escape_string($veri);
    $veri = trim($veri);
    $veri = htmlentities($veri);
    if ($int == 1) {
        $veri = strip_tags((int)($veri));
    } else {
        $veri = strip_tags((string)($veri));
    }
    return $veri;
}


I also check whether variables are set in both the $_POST and $_GET superglobals:
function check_get_post($veri) {
    if (is_array($veri)) {
        foreach ($veri as $key => $value) {

            if (isset($_GET[$key]) && isset($_POST[$key])) {
                echo "Security Warning. Log has been created and administrators are informed.";
                exit;
            }
        }

    } else {

        if (isset($_GET[$veri]) && isset($_POST[$veri])) {
            echo "Security Warning. Log has been created and administrators are informed.";
            exit;
        }

    }
}


These are the only protection measures I took. I don't know whether they are enough or not.

What I really would like to know is:
1. What kind of security measures can I take for receiving a rich text editor's form data?
2. For sessions, I only use cookies. I believe I also have to record some things to the database each time a user logs in (such as a login key). How do I do that? How should I do that?

Thank you for your help.
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 34240126
Some of these code segments appear to be kind of old, and maybe application specific.  The subject of security is too big to address in a back-and-forth dialog at EE.  Information Technology Security is not a full-time four year college major in the Engineering school at the University of Maryland and there are a number of master's degrees, too.

To handle RTE form input data use mysql_real_escape_string() when you store the data into your data base.  Use htmlentities() when you echo the output to the browser.  You might want to go a little further, too.  Do you expect your clients to insert any HTML or SCRIPT?  If not, why not just translate all the < characters into "LT" or something like that.

To handle client logins, you can use a design pattern like this one:
http://www.experts-exchange.com/Web_Development/Web_Languages-Standards/PHP/A_2391-PHP-login-logout-and-easy-access-control.html

Data validation is data-specific, but the new PHP filter_var() functions are very helpful.  Here is how I validate an email address.  I am sure you can think of many other data types that you might want to validate.
<?php // RAY_email_validation.php
error_reporting(E_ALL);



// A FUNCTION TO TEST FOR A VALID EMAIL ADDRESS, RETURN TRUE OR FALSE
function check_valid_email($email)
{
    // IF PHP 5.2 OR ABOVE, WE CAN USE THE FILTER
    // MAN PAGE: http://us3.php.net/manual/en/intro.filter.php
    if (strnatcmp(phpversion(),'5.2') >= 0)
    {
        if(filter_var($email, FILTER_VALIDATE_EMAIL) === FALSE) return FALSE;
    }
    // IF LOWER-LEVEL PHP, WE CAN CONSTRUCT A REGULAR EXPRESSION
    else
    {
        $regex
        = '/'                       // START REGEX DELIMITER
        . '^'                       // START STRING
        . '[A-Z0-9_-]'              // AN EMAIL - SOME CHARACTER(S)
        . '[A-Z0-9._-]*'            // AN EMAIL - SOME CHARACTER(S) PERMITS DOT
        . '@'                       // A SINGLE AT-SIGN
        . '([A-Z0-9][A-Z0-9-]*\.)+' // A DOMAIN NAME PERMITS DOT, ENDS DOT
        . '[A-Z\.]'                 // A TOP-LEVEL DOMAIN PERMITS DOT
        . '{2,6}'                   // TLD LENGTH >= 2 AND =< 6
        . '$'                       // ENDOF STRING
        . '/'                       // ENDOF REGEX DELIMITER
        . 'i'                       // CASE INSENSITIVE
        ;
        if (!preg_match($regex, $email)) return FALSE;
    }

    // FILTER_VAR OR PREG_MATCH DOES NOT TEST IF THE DOMAIN IS ROUTABLE
    $domain = explode('@', $email);

    // MAN PAGE: http://us3.php.net/manual/en/function.checkdnsrr.php
    if ( checkdnsrr($domain[1],"MX") || checkdnsrr($domain[1],"A") ) return TRUE;

    // EMAIL IS NOT ROUTABLE
    return FALSE;
}




// DEMONSTRATE THE FUNCTION IN ACTION
$e = '';
if (!empty($_GET["e"]))
{
    $e = $_GET["e"];
    if (check_valid_email($e))
    {
        echo "<br/>VALID: $e \n";
    } else
    {
        echo "<br/>BOGUS: $e \n";
    }
}
// END OF PHP - PUT UP THE FORM
?>
<form method="get">
TEST A STRING FOR A VALID EMAIL ADDRESS:
<input name="e" value="<?php echo $e; ?>" />
<input type="submit" />
</form>

0
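Ray's "translate all the < characters" is the right answer when no HTML is expected. When the rich-text editor's HTML has to be kept, the same "accept only known good" rule is applied to markup: parse it, keep only an allow-list of tags and attributes, and drop everything else. The sanitizer below is an added example written for this thread, not code from it or from any library; it assumes PHP 5.4 or later with the DOM extension, and the sample input is constructed. A maintained library such as HTML Purifier does this more thoroughly in production; the point here is to show the mechanics.

```php
<?php
// Added example: allow-list sanitizer for HTML submitted by a rich-text editor.
// Assumption: PHP >= 5.4 with ext/dom (DOMDocument::saveHTML with a node argument).

// Only these elements survive; every element not listed is unwrapped (its text is kept),
// except script/style, whose content is code and is dropped outright.
function allowed_tags()
{
    return array('p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li', 'a', 'h2', 'h3', 'blockquote');
}

// Only these attributes survive, per element. Nothing else (style, on*, id, ...) is kept.
function allowed_attrs()
{
    return array('a' => array('href'));
}

function sanitize_rich_text($html)
{
    $doc = new DOMDocument();
    $previous = libxml_use_internal_errors(true);   // tolerate the sloppy markup editors produce
    // The XML declaration tells libxml the bytes are UTF-8; the wrapper div gives one root.
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>');
    libxml_use_internal_errors($previous);

    $root = $doc->getElementsByTagName('div')->item(0); // our wrapper: first div in document order
    clean_children($root, allowed_tags(), allowed_attrs());

    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);                 // text nodes are entity-escaped on serialisation
    }
    return $out;
}

function clean_children(DOMNode $parent, array $allowedTags, array $allowedAttrs)
{
    // Snapshot the children: removing or moving nodes while iterating a live DOMNodeList skips items.
    $children = array();
    foreach ($parent->childNodes as $child) {
        $children[] = $child;
    }
    foreach ($children as $child) {
        if ($child->nodeType === XML_TEXT_NODE) {
            continue;                                   // plain text is fine; it is escaped on output
        }
        if ($child->nodeType !== XML_ELEMENT_NODE) {
            $parent->removeChild($child);               // comments, processing instructions: drop
            continue;
        }
        $tag = strtolower($child->tagName);
        if (!in_array($tag, $allowedTags, true)) {
            if ($tag === 'script' || $tag === 'style') {
                $parent->removeChild($child);           // drop the whole subtree, content included
                continue;
            }
            // Unlisted container (div, span, font, img, ...): keep its cleaned content, drop the element.
            clean_children($child, $allowedTags, $allowedAttrs);
            while ($child->firstChild !== null) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
            continue;
        }
        // Allowed element: keep only allow-listed attributes, and only safe values for them.
        $names = array();
        foreach ($child->attributes as $attr) {
            $names[] = $attr->name;
        }
        $permitted = isset($allowedAttrs[$tag]) ? $allowedAttrs[$tag] : array();
        foreach ($names as $name) {
            $keep = in_array(strtolower($name), $permitted, true);
            if ($keep && strtolower($name) === 'href') {
                // Absolute http(s) links only; this excludes javascript:, data: and vbscript: URLs.
                $keep = preg_match('#^https?://#i', trim($child->getAttribute($name))) === 1;
            }
            if (!$keep) {
                $child->removeAttribute($name);
            }
        }
        clean_children($child, $allowedTags, $allowedAttrs);
    }
}

// Constructed sample: what an editor, or a tampered form post, might submit.
$sample = '<p onclick="x()">Hello <b>world</b> <a href="javascript:void(0)">one</a> '
        . '<a href="https://example.com/">two</a></p><script>var s = 1;</script><span style="color:red">text</span>';
echo sanitize_rich_text($sample), "\n";
```

In the sample, the onclick attribute and the javascript: href are removed, the script element disappears with its content, the span is unwrapped to its text, and the https link is kept. Because the allow-list is the whole policy, anything the editor adds later that is not on it is dropped automatically rather than slipping through a blacklist.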
 
LVL 25

Expert Comment

by:madunix
ID: 34240687
0
 
LVL 109

Expert Comment

by:Ray Paseur
ID: 34244981
Agree with madunix: OWASP is a good organization to get involved with.  Attend their conferences - you will develop contacts and a knowledge base that is very valuable.
0
 
LVL 25

Accepted Solution

by:
madunix earned 500 total points
ID: 34252233
@pixalax    >>>> adding <script> to our database <<<

Well, adding scripts to databases and such — you should probably have filters in your application for XSS (cross-site scripting), both to avoid storing such HTML and to avoid displaying it.

The OWASP Guide explains how to perform data validation, which is the best way to resolve XSS.
It explains what XSS is at:
http://www.owasp.org/index.php/Cross_Site_Scripting
http://www.virtualforge.de/vmovie/xss_selling_platform_v1.0.php
http://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
http://www.owasp.org/index.php/Guide_Table_of_Contents#Data_Validation
https://www.owasp.org/images/8/89/OWASP_Testing_Guide_V3.pdf
http://www.ibm.com/developerworks/web/library/wa-secxss/
http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

My recommendations:
There are several issues whose remediation lies in sanitizing user input. By verifying that user input does not contain hazardous characters, it is possible to prevent malicious users from causing your application to execute unintended operations, such as launching arbitrary SQL queries, embedding JavaScript code to be executed on the client side, running various operating system commands, etc. It is advised to filter out all of the following characters:
- | (pipe sign)
- & (ampersand sign)
- ; (semicolon sign)
- $ (dollar sign)
- % (percent sign)
- @ (at sign)
- ' (single apostrophe)
- " (quotation mark)
- \' (backslash-escaped apostrophe)
- \" (backslash-escaped quotation mark)
- < > (triangular parenthesis)
- () (parenthesis)
- + (plus sign)
- CR (Carriage return, ASCII 0x0d)
- LF (Line feed, ASCII 0x0a)
- , (comma sign)
- \ (backslash)


- Input encoding
Input encoding can protect against more than just cross-site scripting attacks. Things like SQL injection and command injection can also be checked prior to storing information in a database.

- Output encoding
Developers must perform output encoding potentially many times, for each location where the information is output.

- To fix the <%00script> variant see Microsoft article 821349.

- For UTF-7 attacks:
When possible, it is recommended to enforce a specific charset encoding (using the 'Content-Type' header or a <meta> tag).

- Basically, make sure your web server is up to date with the latest security fixes/patches.

- Make sure you filter every user input and output with a proper encoding such as UTF-8.

- OWASP is a must.

- I use, e.g., Watchfire (now IBM AppScan) tools, http://www-01.ibm.com/software/rational/offerings/websecurity/, to scan all my web applications for security issues.
0
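The output-encoding and charset points above, worked through for the contexts a PHP page usually echoes into (HTML text, an attribute, a URL parameter, a JavaScript literal), with the charset declared in both the header and the document. This is an added example, not from the thread; it assumes PHP 5.4 or later with ext/mbstring, and the stored value is constructed.

```php
<?php
// Added example: one encoder per output context, plus an explicit UTF-8 charset so the
// browser never has to guess the encoding (the UTF-7 case mentioned above).
// Assumption: PHP >= 5.4 (ENT_HTML5) with ext/mbstring.

// Reject input that is not valid UTF-8 before using it; malformed byte sequences are
// what encoding-confusion tricks rely on, and every encoder below is UTF-8 specific.
function require_utf8($s)
{
    if (!mb_check_encoding($s, 'UTF-8')) {
        throw new InvalidArgumentException('input is not valid UTF-8');
    }
    return $s;
}

// HTML body text, and attribute values (always put them inside double quotes).
function e_html($s)
{
    return htmlspecialchars(require_utf8($s), ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// A value embedded as a JavaScript literal inside a <script> block. json_encode
// produces the quoted literal; the HEX flags keep </script> and quotes from ever
// appearing literally, so the HTML parser cannot end the script block early.
function e_js($s)
{
    return json_encode(require_utf8($s), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// A value used as one URL query parameter.
function e_url($s)
{
    return rawurlencode(require_utf8($s));
}

// Declare the charset in the HTTP header; nosniff stops the browser second-guessing the type.
function send_html_headers()
{
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Content-Type-Options: nosniff');
}

// Constructed sample: a stored display name that contains markup and both kinds of quote.
$name = 'O\'Neil <b>"admin"</b> & co';

if (!headers_sent()) {
    send_html_headers();                       // a no-op on the command line, real in a web request
}
echo '<!DOCTYPE html><html><head><meta charset="UTF-8"></head><body>', "\n";
echo '<p>Welcome, ', e_html($name), '</p>', "\n";             // HTML text context
echo '<input type="text" value="', e_html($name), '">', "\n"; // quoted attribute context
echo '<a href="/search?q=', e_url($name), '">search</a>', "\n"; // URL parameter context
echo '<script>var user = ', e_js($name), ';</script>', "\n";  // JavaScript literal context
echo '</body></html>', "\n";
```

The same stored value is encoded four different ways because each context has its own syntax; applying htmlentities() once before storage (as in the clean() function earlier in the thread) cannot cover the URL or script cases, which is why encoding belongs at the point of output.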
 
LVL 2

Author Comment

by:pixalax
ID: 34259056
Thank you all for your time and concern.
This is really a lot of information to start with. Protecting the database should be easier.

Only one question left, actually:
When I check forum scripts or any advanced CMS systems, I see in their member table they have some columns like login_key, login_hash, etc. Somehow they connect it with cookies and session information to validate that it is the correct user and no funky things are going on.

What is the short logic of this? Could anyone show me a small, short example so I can understand it correctly? I don't understand anything from reading 1000 pages about security and such things until I see the example code. That's why I will have to search for example code in all these security topics you gave me, but it is a good start.

Thank you once again for your time and concern.
0
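The short logic of a login_key column, as an added example for this question (my illustration of the pattern, not code from the thread or from any particular CMS): on login the server generates a random key, stores only its hash in the database, and puts the key in a cookie; on each request it hashes the cookie value again and compares it to the stored hash in constant time. Assumes PHP 7.0 or later (random_bytes, hash_equals) and the PDO sqlite driver; the users table and its one row are constructed so the script runs offline.

```php
<?php
// Added example: the login_key / login_hash pattern. The browser holds a random key,
// the database holds only a hash of it, and every request recomputes and compares.
// Assumption: PHP >= 7.0 with the PDO sqlite driver.

function open_db()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    // One row per active login. The expiry makes a leaked key die on its own.
    $db->exec('CREATE TABLE logins (user_id INTEGER, key_hash TEXT, expires_at INTEGER, created_at INTEGER)');
    $db->exec("INSERT INTO users (id, name) VALUES (1, 'pixalax')");   // constructed sample user
    return $db;
}

// Called once, after the password check has succeeded. Returns the cookie value.
function create_login(PDO $db, $userId, $lifetimeSeconds = 1209600)
{
    $key  = bin2hex(random_bytes(32));     // 256 random bits: not guessable, not derived from anything
    $hash = hash('sha256', $key);          // only the hash is stored, so a DB dump does not yield live logins
    $now  = time();
    $stmt = $db->prepare('INSERT INTO logins (user_id, key_hash, expires_at, created_at) VALUES (?, ?, ?, ?)');
    $stmt->execute([$userId, $hash, $now + $lifetimeSeconds, $now]);
    // The cookie carries "user_id:key". HttpOnly keeps it away from page scripts (the session
    // stealing case from the question), Secure keeps it off plain HTTP. No-op on the command line.
    $cookie = $userId . ':' . $key;
    if (!headers_sent()) {
        setcookie('login', $cookie, $now + $lifetimeSeconds, '/', '', true, true);
    }
    return $cookie;
}

// Called on every request. Returns the user row, or null if the cookie is not a valid login.
function check_login(PDO $db, $cookieValue)
{
    // Check the shape first, so garbage never reaches the database.
    if (!is_string($cookieValue) || !preg_match('/^(\d+):([0-9a-f]{64})$/', $cookieValue, $m)) {
        return null;
    }
    $userId = (int) $m[1];
    $hash   = hash('sha256', $m[2]);
    $stmt = $db->prepare('SELECT key_hash FROM logins WHERE user_id = ? AND expires_at > ?');
    $stmt->execute([$userId, time()]);
    $valid = false;
    foreach ($stmt->fetchAll(PDO::FETCH_COLUMN) as $stored) {
        if (hash_equals($stored, $hash)) {  // constant-time comparison: no timing leak
            $valid = true;
        }
    }
    if (!$valid) {
        return null;
    }
    $user = $db->prepare('SELECT id, name FROM users WHERE id = ?');
    $user->execute([$userId]);
    $row = $user->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Logout, or "log out everywhere": delete the rows and every copy of the cookie is worthless.
function destroy_logins(PDO $db, $userId)
{
    $stmt = $db->prepare('DELETE FROM logins WHERE user_id = ?');
    $stmt->execute([$userId]);
}

$db = open_db();
$cookie = create_login($db, 1);
var_dump(check_login($db, $cookie));                      // the freshly issued cookie is accepted
var_dump(check_login($db, '1:' . str_repeat('0', 64)));   // right shape, wrong key: rejected
destroy_logins($db, 1);
var_dump(check_login($db, $cookie));                      // after logout the old cookie is rejected
```

Two design choices worth noting: the cookie is the only place the key exists in the clear, which is why a hash rather than the key goes into the table, and the lookup is by user_id so that the server compares against a handful of rows instead of searching the whole table for a key; the comparison itself uses hash_equals so that a wrong key takes the same time to reject as a nearly right one.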
 
LVL 2

Author Closing Comment

by:pixalax
ID: 34278942
Thank you for your help. I guess I will have to figure out the rest.
0
