I am beginning what appears to be the daunting task of securing all of my code from injections, XSS, etc.

I have been reading about some of it and it is a bit overwhelming.

I just wanted to come here and ask for experts' advice on the main things I should be concerned about specifically.

There is so much on the Net about all of this I am not sure where to begin and I am sure I will miss something and leave at least one (if not multiple) vulnerabilities in my code, hence, allowing anyone access to my DB/tables.

Thank you in advance for any help.

Matthew

Member Avatar for iamthwee

The first thing you want to do is pick up a PHP framework with a shallow learning curve. These frameworks take care of most of your worries for you.

They come with sql classes to quickly build your queries and are automatically sql injection free.

Form validation methods to ensure user input is kosher, and for XSS this generally means turning user input into HTML entities wherever possible.

Once you get those under wraps site design becomes a breeze.

Here is a link to the OWASP Top Ten. They provide a few simple steps to securing your application.

Personally (if you haven't already done so), write a function to sanitize something like XSS. Then go through your code (unfortunately line by line) and call the function every time code is outputted.

XSS and code injection are absolute essentials, as these are the most common attack methods. The top ten also highlights other major things you need to check for.

When it comes to protecting against specific things, like writing an anti-XSS function, you'll be able to find a trusted blog from Google to sort you out - protecting against these things isn't too difficult.

Edit:

What @iamthwee is saying is ideally correct, since frameworks are a hell of a lot easier to secure. Since you've (presumably) already written your application.
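The escaping step that iamthwee and Mattster both describe (turn user input into HTML entities at output time), as an added example that is not from the thread or from CodeIgniter. The helper names `e()` and `e_url()` and the sample payloads are assumptions made for illustration; the point it adds is that the escaping has to match the context the value is written into (element text, quoted attribute, URL parameter), and that `ENT_QUOTES` is needed so single-quoted attributes are covered too.

```php
<?php
// Added example, not code from the original post: escape untrusted data when it
// is written into the page, in the context it is written into. Raw values stay
// raw in the database; only the output is escaped.
declare(strict_types=1);

/** Escape for HTML element text and for quoted attribute values. */
function e(string $value): string
{
    // ENT_QUOTES escapes both ' and ", so the result is safe inside single- or
    // double-quoted attributes as well as in element text.
    // ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of returning ''.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Percent-encode a value that goes into a URL query string. */
function e_url(string $value): string
{
    return rawurlencode($value);
}

// Constructed inputs (assumed for the example) of the kind a comment or search
// form would receive from an attacker.
$samples = [
    'comment'  => '<script>alert(document.cookie)</script>',
    'username' => '" onmouseover="alert(1)',
    'search'   => '"><img src=x onerror=alert(1)>',
];

// Three output contexts. The raw strings never reach the page; each one is
// escaped with the function that matches where it lands.
echo '<p>' . e($samples['comment']) . "</p>\n";                                  // element text
echo '<input type="text" name="username" value="' . e($samples['username']) . "\">\n"; // attribute
echo '<a href="/search?q=' . e(e_url($samples['search'])) . '">Search again</a>' . "\n"; // URL then HTML
```

Run it from the command line (`php escape.php`) and view the source of what it prints: every `<`, `>`, `"` and `'` in the samples comes out as an entity, so the browser renders the payloads as text rather than executing them. Note that the URL case is escaped twice on purpose, first for the query string and then for the attribute it sits in.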

Member Avatar for iamthwee

I would google something like

codeigniter for rapid application design pdf

That will link you to a pdf. Then you can download and read that pdf, doing that alone when I first started looking at php frameworks was enough to convince me to drop vanilla php, since then I haven't looked back.

This is assuming you are going to be the developer and you are serious about this in the long run.

Thank you all for your responses and assistance. It is much appreciated.

I have downloaded CodeIgniter, but I will be honest, I have never used a framework before and really have no idea where to begin - Will this somehow modify my current code if used?

Thank you,
Matthew

I just downloaded the .PDF "CodeIgniter for Rapid PHP Application Development" - It is a long read but I suppose it will answer my questions about how to use CodeIgniter if I go this route.

Member Avatar for iamthwee

Will this somehow modify my current code if used?

No it will not, unfortunately; there are no shortcuts. You have to learn the framework properly.

Luckily you can use some of your existing code within the framework but most likely you'll be writing the thing from scratch. You will just be using the ideas/flow of your original website - although looking at the previous thread you started with diafol answering - you're pretty much better off starting afresh anyway.

There are plenty of online video tutorials, tutsplus on youtube tend to be a good shout, although some are a bit outdated now.

If I were you I would keep this on the back burner, and I'd read through the CI for rapid application development pdf (which you simply MUST download) on your kindle at leisure.

You can actually dive right into codeigniter without needing to know too much about php as well. The userguide is pretty comprehensive, probably one of the best user guides there are out there for PHP frameworks, although I'm sure the laravel and cakephp fanboys will say otherwise (no hard feelings fellas, everyone's opinions are legitimate.)

iamthwee:

I am reading the documentation .pdf for CI and it already seems like it may be a very good option to put to use.

I may have to rebuild my site (The site is not live yet). It may prove better in the long run to do so.

But one, small question about CI: Is this something where I will be installing software/files on my hosting server in order to make use of it?

Thanks.

Member Avatar for iamthwee

Is this something where I will be installing software/files on my hosting server in order to make use of it?

Yes you just copy the directory to the webroot and set the url in the config file.

Best to play with it on your localhost first.

Member Avatar for diafol

Heh heh, iamthwee is a CI evangelist! Although a framework (CI is probably the easiest to pick up) will take care of things for you, you probably won't learn how to code securely in native php from using it. Mattster's OWASP link is a great place to start.

You're best not to try to learn everything in one go or you'll get a terminal nosebleed. Concentrate on one area at a time. A good way to start would be to create a pet project where you need to use a database and have users that need to sign up and sign in. Keep it simple though. A simple blog system with member comments may be a good place to start. There are loads of examples online too for this sort of setup.

Perhaps the main areas to start with would be:

  • Use specific superglobals: POST and GET and COOKIE instead of REQUEST.
  • Use session variables to store login user id and user permissions - regenerate the session on successful login.
  • Ensure a secure logoff procedure where the session is destroyed
  • Use prepared statements and bind parameters/values with PDO or mysqli when creating SQL statements.
  • Never use eval() and avoid extract() where possible.
  • Use a CSRF token for all of your forms - especially important if they manipulate data (DB or files).
  • Always validate input data against specific datatypes and lengths/ranges/patterns
  • Always hash passwords and never store plaintext versions - anywhere
  • Avoid using hidden fields for sensitive data
  • Always check a logged in user has the correct permission level to operate a function, e.g. run a DELETE, INSERT or UPDATE query

There are a million ways to skin a cat. You will find many, many different methods of implementing security. Some will be ludicrous, some wrong, some dangerous and a few may be actually useful and robust.

Remember - OWASP is your friend.

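Several of diafol's checklist items (prepared statements with bound values, password hashing, session regeneration on login, a destroyed session on logoff, a CSRF token on data-changing forms, input validation, and a permission check before a DELETE) put together in one place, as an added example that is not from the thread. The table layout `users(id, username, password_hash, role)` and `posts(id, ...)`, the DSN and credentials, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original post. Assumed schema:
//   users(id, username, password_hash, role)   posts(id, ...)
declare(strict_types=1);

session_start();

// Assumed DSN and credentials, for illustration only.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/** Per-session CSRF token; emit it as a hidden field in every form. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

/** Constant-time comparison of the submitted token against the session token. */
function csrf_check(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

/** Store a new user: only a salted bcrypt hash of the password, never the plaintext. */
function register(PDO $pdo, string $username, string $password): void
{
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash, role) VALUES (:u, :h, :r)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
        ':r' => 'member',
    ]);
}

/** Log in: validate shape, bind the value, verify the hash, then regenerate the session. */
function login(PDO $pdo, string $username, string $password): bool
{
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username) || strlen($password) > 1024) {
        return false;   // reject before touching the database
    }
    $stmt = $pdo->prepare('SELECT id, password_hash, role FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);   // bound value, never interpolated into the SQL
    $row = $stmt->fetch();
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;   // same answer for unknown user and wrong password
    }
    session_regenerate_id(true);        // new session id on privilege change (session fixation)
    $_SESSION['user_id'] = (int) $row['id'];
    $_SESSION['role']    = $row['role'];
    unset($_SESSION['csrf']);           // fresh CSRF token for the new session
    return true;
}

/** Log off: clear the data, expire the cookie, destroy the server-side session. */
function logout(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** A data-changing action: CSRF check, login check, permission check, validated id. */
function delete_post(PDO $pdo, array $post): bool
{
    if (!csrf_check($post['csrf'] ?? null)) {
        return false;
    }
    if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
        return false;   // being logged in is not enough; the role must allow DELETE
    }
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    $stmt = $pdo->prepare('DELETE FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->rowCount() === 1;
}

// Usage from a form handler: pass $_POST specifically, never $_REQUEST.
// if (delete_post($pdo, $_POST)) { ... }
```

Two points worth noticing against the checklist: `login()` regenerates the session id only after the password check succeeds, so a session id an attacker planted before login is discarded; and `delete_post()` reads its token and id from `$_POST`, so a GET or cookie value cannot satisfy it. `register()` deliberately has no way to read the password back; `password_verify()` is the only operation the stored hash supports.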

Thank you all for your assistance. I spent the last couple of days thinking about how to proceed - I have not decided yet.

I am taking a PHP/MySQL class on-line so today I thought I should just keep doing that for awhile before committing to any specific build principles.

I want to build my project correctly. Any security infiltrations will be a major problem (Although, after it goes live on 1.1.16, I plan on doing localized DB back-ups on a daily basis to a flash-drive so if I get hit I will be able to recover.) But, I don't wish that to happen. I really need to learn and understand the potential security holes before launch.

Thanks again,
Matthew

diafol:

I have c + p your points above regarding security/etc into a Word file and will use it as a check-list when creating my build.

I will probably have some questions about some of the points in the future (Example: I really do not understand sessions at this point and how to implement and control them per individual registered User)

Thanks,
Matthew
