
I'm a tech writer who has done a lot of HTML/CSS but have been thrown into a pressure cooker to rewrite a web app in PHP and have done fairly well, but I'm a bit concerned re the security.

Specifically, the main page is INDEX.PHP, where the user logs in. Once they are logged in, the page rewrites portions of itself and shows menu options not available to users who aren't logged in. About 50% of the users will never need to login since they'll be viewing public documents for which no security is needed. The other 50% of users will have restricted viewing access to certain documents/pages and be able to write to a database.

I got all of this working fine, but am concerned about two things I'm doing and whether they're proper:

  1. A logged-in user might get redirected to another page, say PAGE1.PHP. I don't want them to be able to save the URL for PAGE1.PHP and just go directly there, bypassing security, so on PAGE1.PHP I have a check for a log-in cookie I created on INDEX.PHP. If the cookie exists they can go to the page, if not they can't. Is this the right way to do this type of thing?

  2. How do I stop a malicious user from inserting a redirect into one of the many text boxes on my various forms? I need to allow HTML, such as strong, font, background, etc. I've been running all the text box values through a function that checks for possible malicious things, one at a time, such as "meta http" or "anchors" or "java script" but I'm not sure this is the best solution.

Thanks for your help!

  • You could start by reading the [PHP documentation on security](http://php.net/security). – jpic Sep 11 '12 at 22:18
  • There are loads of [examples](https://www.google.com/search?q=php+login) of simple login systems that usually include means of authentication on each secure page. – Gaʀʀʏ Sep 11 '12 at 22:20
  • You should also make sure you are [storing passwords securely](http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php) while you're at it. – Mike Sep 11 '12 at 22:38
  • @Scott - I know you're new here -- a friendly reminder. If one of the answers worked for you, don't forget to accept it. – Jeremy J Starcher Sep 12 '12 at 21:38

3 Answers


$_SESSION will be your friend. In a normal shared-hosting environment, $_SESSION may not last any longer than, uh, the current session, so plan accordingly. (I.e., don't rely on it for anything more than logging in.)

You'll need to read up on session_start and friends.

In addition, check out this discussion: PHP HTML sanitizer for sanitizing HTML input. (Just as an FYI, there is a reason why bbcode and markdown are so popular.)

– Jeremy J Starcher
  • Wow, thanks for the fast response. Going to do a lot of reading up on $_SESSION tonight, and the sanitizers seem better than the manual way I've been doing it so far. Why reinvent the wheel? – Scott Thayer Sep 11 '12 at 22:28
  • You mean `session_start`, not `start_session`, and you can also make the session last longer than the current session by using `session_set_cookie_params()` – Mike Sep 11 '12 at 22:44
  • @Mike -- Thanks, fixed the function name in my answer. As for `session_set_cookie_params()`, that isn't the only thing that affects how long sessions last. PHP has session cleanup code to remove expired sessions. While all of _that_ can be controlled as well, it is a lot for a newbie to jump into. – Jeremy J Starcher Sep 11 '12 at 23:08
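The sanitizer approach this answer points to, as an added example (not the answer's code and not any existing library): an allowlist filter built on PHP's DOMDocument. The tag and attribute lists (`ALLOWED`, `DROP_WHOLE`) are assumptions chosen to match the question's needs; unknown tags are unwrapped so their text survives, script/meta-style elements are removed outright, and unlisted attributes (on* handlers, href, style) are stripped, which is what removes the injected-redirect vectors from the question.

```php
<?php
// Added example: allowlist HTML sanitizer with DOMDocument.
// ALLOWED maps each permitted tag to its permitted attributes (assumed lists).
const ALLOWED = [
    'strong' => [], 'em' => [], 'b' => [], 'i' => [], 'u' => [],
    'p' => [], 'br' => [], 'ul' => [], 'ol' => [], 'li' => [],
    'font' => ['color', 'size', 'face'],
];
// Elements whose content must not survive even as text.
const DROP_WHOLE = ['script', 'style', 'meta', 'iframe', 'object', 'embed', 'link'];

function sanitize_html(string $dirty): string {
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="UTF-8"><body>' . $dirty . '</body>');
    libxml_clear_errors();
    $body = $doc->getElementsByTagName('body')->item(0);
    clean_children($body);
    $out = '';
    foreach ($body->childNodes as $child) { $out .= $doc->saveHTML($child); }
    return $out;
}

function clean_children(DOMNode $parent): void {
    // Copy the list first: the tree is mutated while walking it.
    foreach (iterator_to_array($parent->childNodes, false) as $child) {
        if (!$child instanceof DOMElement) {       // text stays; comments/PIs go
            if (!$child instanceof DOMText) $parent->removeChild($child);
            continue;
        }
        $tag = strtolower($child->tagName);
        if (in_array($tag, DROP_WHOLE, true)) {
            $parent->removeChild($child);
        } elseif (!isset(ALLOWED[$tag])) {
            clean_children($child);                // unwrap: keep children only
            while ($child->firstChild) {
                $parent->insertBefore($child->firstChild, $child);
            }
            $parent->removeChild($child);
        } else {
            // Allowed tag: drop every attribute not on its allowlist.
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                if (!in_array(strtolower($attr->name), ALLOWED[$tag], true)) {
                    $child->removeAttribute($attr->name);
                }
            }
            clean_children($child);
        }
    }
}
```

Text nodes are re-escaped by saveHTML on output, so a `<script>` body that reached the parser as text cannot come back out as markup.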
  1. No - every client can manipulate his cookies and send everything they want - even an invalid "login" cookie. You have to store that information server-side in sessions.

  2. You could use strip_tags to only allow some special tags, or use an HTML sanitizer.

– Philipp

1. Upon successful login, store a new $_SESSION variable, say, the user ID (since that seems to be needed often).

Example:

    session_start();               // must run before $_SESSION is available
    if ($loginSuccessful) {        // result of your username/password check
        $_SESSION['userId'] = $userId;
    }

Create a php auth page that checks to make sure the session var is populated. If not, redirect to access denied or login page.

Example:

    session_start();               // auth.php needs the session on every page that requires it
    if (!isset($_SESSION['userId']) || $_SESSION['userId'] == '') {
        header("Location: accessDenied.php?msg=Not logged in");
        exit;                      // stop here, or the protected page below still renders
    }

On each secure page, require('auth.php');

2. You can use strip_tags on the textbox, and mysqli_real_escape_string on user input that ends up going to the database. (Or use prepared statements; see Best way to prevent SQL Injection in PHP.)

– Gaʀʀʏ
  • Sorry. I misread that for mysql_real_escape_string. I'll delete my comment. – Mike Sep 11 '12 at 22:33
  • Edited to indicate linked question as alternative to real escape string. – Gaʀʀʏ Sep 11 '12 at 22:34
  • Also make sure to validate the user id in the session on each request (look it up in the db), or else a logged-in user may have incorrect access after they are deleted or deactivated, or permissions change. – Wesley Murch Sep 11 '12 at 22:36
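A fuller version of the auth.php this answer describes, as an added example (not Gaʀʀʏ's code), folding in Wesley Murch's per-request re-check and the prepared-statement alternative. It assumes a users table with columns id, username, password_hash (bcrypt, per Mike's link above) and active, plus a mysqli handle $db provided by a hypothetical db.php; the login() half would live in index.php and is shown in the same file only for brevity.

```php
<?php
// auth.php, added example. Assumed: users(id, username, password_hash, active)
// and a mysqli connection $db created by a hypothetical db.php.
// Harden the session cookie before the session starts (PHP 7.3+ array form).
session_set_cookie_params([
    'httponly' => true,                       // not readable by page scripts
    'secure'   => !empty($_SERVER['HTTPS']),  // only sent over HTTPS when available
    'samesite' => 'Lax',
]);
session_start();

function deny(string $msg): void {
    header('Location: accessDenied.php?msg=' . urlencode($msg));
    exit;   // without exit the protected page that required auth.php still renders
}

// Trust only the server-side session, never a client-set "login" cookie.
if (!isset($_SESSION['userId']) || !is_int($_SESSION['userId'])) {
    deny('Not logged in');
}

// Re-check the account on every request: a deleted or deactivated user must
// lose access even though their session record still exists.
require 'db.php';
$stmt = $db->prepare('SELECT active FROM users WHERE id = ?');
$stmt->bind_param('i', $_SESSION['userId']);
$stmt->execute();
$stmt->bind_result($active);
$found = $stmt->fetch();
$stmt->close();
if (!$found || !$active) {
    $_SESSION = [];
    session_destroy();
    deny('Account unavailable');
}

// Login step (belongs in index.php): verify the bcrypt hash, then issue a fresh id.
function login(mysqli $db, string $user, string $pass): bool {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $ok = $stmt->fetch() && password_verify($pass, $hash);
    $stmt->close();
    if (!$ok) return false;
    session_regenerate_id(true);   // new session id after login defeats fixation
    $_SESSION['userId'] = (int) $id;
    return true;
}
```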