
Possible Duplicate:
Best way to prevent SQL injection in PHP?

I am creating a news site and I have written down a list of things needed for achieving security.

User + Site interaction

  1. sanitize all POST/GET values with html-entities & mysql_real_escape_string
  2. if the site is about to be online, TURN OFF error reporting or customize it
  3. I don't use cookies, only sessions (because sessions are less vulnerable)
  4. turn off directory listing
  5. make a robots.txt to prevent indexing of unwanted files
  6. for passwords, use salt + MD5
  7. only make the ADMIN site accessible from one PC and one browser by getting the IP and browser info, otherwise throw a 404 error

I have implemented all of those in my site. I know most of you will say use PDO/MySQLi to sanitize, but I am a beginner in PHP and it is difficult for me to learn PDO/MySQLi or OOP.

So, anything else you can provide will be awesome. Thanks.

samayo
  • I'm going to say it anyway, **use pdo or mysqli**, even if you are a beginner, there's little use spending time learning how to use deprecated functions! – billyonecan Oct 03 '12 at 10:43
  • Plus, MD5 is not secure anymore. Use an SHA-2 hash algorithm, such as SHA-256 – user2428118 Oct 03 '12 at 10:48
  • 2
    For passwords **use bcrypt.** – Nasreddine Oct 03 '12 at 10:49
  • @user2428118 SHA is not for passwords either. – Matsemann Oct 03 '12 at 10:53
  • I know MD5 is weak, that is why I said salt+MD5? Is there anything wrong with that? – samayo Oct 03 '12 at 11:02
  • Lock down php.ini and turn off exploitable functionality by default. – nickhar Oct 03 '12 at 11:11
  • MD5 is much too fast for hashing passwords. With an off-the-shelf GPU, you are able to calculate 8 giga MD5 hashes per second ([in 2012](http://hashcat.net/oclhashcat-lite/#performance)). That makes it possible to brute-force a whole English dictionary with about 500000 words in less than 0.1 milliseconds. So you need an algorithm that needs some computing time, and that's the reason BCrypt was invented. I tried to sum up the most important points in this [article](http://www.martinstoeckli.ch/php/php.html#ssl_bcrypt). – martinstoeckli Oct 03 '12 at 11:42

4 Answers

2

--> sanitize all POST/GET values with html-entities & mysql_real_escape_string

Why html-entities? You only need them to display information in HTML format. Don't use it while receiving and storing info.

Also: mysql_real_escape_string only works for text. If you want to receive, say, an integer, do this:

$myInt = (int)$_POST["whatever"];

--> if the site is about to be online, TURN OFF error reporting or customize it

Yes, use a log file to store them and look into it on a regular basis.

--> I don't use cookies, only sessions (because sessions are less vulnerable)

How do you relay the PHPSESSID without cookies? Not in the URL, I hope. I guess you meant: I use only cookies to store the PHPSESSID.

A security improvement: Make a new sessionid for each request.

--> turn off directory listing

Good.

--> make a robots.txt to prevent indexing of unwanted files

OK, but sensitive files shouldn't be in the webroot anyway (e.g., DB credentials).

--> for passwords, use salt + MD5

MD5 is weak. You might want to look into other ways of one-way encryption.

--> only make the ADMIN site accessible from one PC and one browser by getting the IP and browser info, otherwise throw a 404 error

That is a good idea.

There is a lot more to add. Most has to do with your logic.

For example: if you have users with a userid and postings with a postingid, you want to store postings in tblpostings, also storing the userid, so you know who wrote it. Now, if you enable deletion of posts, you must somehow check that the one who deletes the posting is also the owner. These kinds of things are hard to fit into simple general rules. Just pay attention when you write code. :-)

Erwin Moller
  • Thanks, this was a great response. I will note down the above. But, about the cookies, I don't really use them. I use sessions, because cookies do not have any importance in my site. And not all files are in the root folder; there are many hierarchies of folders, that is why I wanted to use robots.txt, but that is controversial I hear. – samayo Oct 03 '12 at 11:06
  • @Plexymus: The cookie will contain a PHPSESSID, otherwise you cannot maintain the session. Look into your cookies, and you'll see it if you have a session. – Erwin Moller Oct 03 '12 at 11:36
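The two concrete points in this answer, the `(int)` cast for an integer parameter and the "is the deleter also the owner?" check, as an added example in PHP. This is not code from the answer; it follows the answer's `tblpostings`/`userid`/`postingid` naming and assumes that login already stored the user's id in `$_SESSION['userid']`, that the script is the target of a POST form, and that the PDO DSN and credentials are placeholders for your own.

```php
<?php
// Added example, not code from the answer: deleting a posting only when the
// logged-in user owns it, in the answer's tblpostings/userid/postingid scenario.
// Assumed: login stored the user's id in $_SESSION['userid'], and the PDO
// connection details below are placeholders.
declare(strict_types=1);

session_start();

// The answer's point: an integer parameter is cast, not escaped. Anything that
// is not a number becomes 0 and is rejected by the range check below.
$postingId   = (int)($_POST['postingid'] ?? 0);
$currentUser = (int)($_SESSION['userid'] ?? 0);

if ($postingId <= 0 || $currentUser <= 0) {
    http_response_code(400);
    exit('Bad request');
}

// The answer's "new session id for each request": the old id is invalidated and
// the session cookie replaced, so a captured id stops working after one request.
session_regenerate_id(true);

// Placeholder DSN and credentials (assumed).
$pdo = new PDO(
    'mysql:host=localhost;dbname=news;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

/**
 * Delete a posting, but only if it belongs to $userId.
 * Returns true when a row was deleted, false when nothing matched.
 */
function deleteOwnPosting(PDO $pdo, int $postingId, int $userId): bool
{
    // The ownership check is part of the statement itself: a request carrying
    // somebody else's postingid matches zero rows and deletes nothing.
    $stmt = $pdo->prepare(
        'DELETE FROM tblpostings WHERE postingid = :pid AND userid = :uid'
    );
    $stmt->execute([':pid' => $postingId, ':uid' => $userId]);
    return $stmt->rowCount() > 0;
}

if (!deleteOwnPosting($pdo, $postingId, $currentUser)) {
    // "Does not exist" and "not yours" get the same response, so the endpoint
    // does not reveal which posting ids exist.
    http_response_code(404);
    exit('Not found');
}

echo 'Deleted';
```

Putting the owner condition into the `WHERE` clause (instead of first `SELECT`ing the row, comparing in PHP, then deleting) keeps the check and the action in one statement, so there is no window in which a forgotten comparison or a reordered line lets the delete run without it.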
1

I'd be careful of robots.txt files, as although they're supposed to stop robots from indexing certain bits, they also tell people which bits of your site you don't want them to look at.

Not strictly PHP and XSS, but if the server is on Linux, disable the root SSH account and have another one which you use. Have database-specific users, so if one is compromised, the other databases aren't.

m4rc
1

"For passwords, use salt + MD5"

Better than clear text, but the best currently known algorithm is bcrypt, described here:

How do you use bcrypt for hashing passwords in PHP?

Sven
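What "use bcrypt" looks like in PHP, as an added example that is not part of this answer (it also covers the "bcrypt, scrypt or pbkdf2" line in Erlend's answer below). It uses the `password_hash()`/`password_verify()` functions that PHP has shipped since 5.5; the cost of 12 is an assumed value to tune on your own hardware.

```php
<?php
// Added example, not code from the answer: bcrypt password storage with PHP's
// password_hash()/password_verify() (available since PHP 5.5). The random
// salt is generated and stored inside the hash string, so there is no separate
// salt column to manage. Cost 12 is an assumed value; measure on your own server
// and pick the highest cost that still keeps login acceptably fast.
declare(strict_types=1);

const BCRYPT_COST = 12;

/** Hash a new password for storage in the users table. */
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** Check a login attempt against the stored hash (constant-time comparison). */
function checkPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

/**
 * True when the stored hash was made with a lower cost than BCRYPT_COST. Call
 * this after a successful login and, if it returns true, store
 * hashPassword($password) again so old accounts catch up with the new cost.
 */
function needsRehash(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Constructed demonstration values.
$stored = hashPassword('correct horse battery staple');

// The stored string carries the algorithm marker "$2y$", the cost, the salt and
// the hash, which is why only this one column is needed.
echo $stored, PHP_EOL;

// Only the exact password verifies; a changed letter case does not.
var_dump(checkPassword('correct horse battery staple', $stored));
var_dump(checkPassword('Correct horse battery staple', $stored));

// Hashing the same password twice gives different strings because each call
// draws a fresh salt; password_verify accepts either one.
var_dump(hashPassword('same input') === hashPassword('same input'));

// Whether the hash above should be upgraded (false right after hashing it).
var_dump(needsRehash($stored));
```

The `salt + MD5` scheme from the question differs from this in two ways that matter: bcrypt is deliberately slow (the cost parameter sets how slow), and the salt handling is done for you, so there is no way to accidentally reuse one salt for every user.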
0

SQL injection: Stop using mysql_real_escape_string and start using prepared statements/parameterized queries. Learn PDO now, it's not that hard, and it will help you get things right from the beginning.

XSS: Look into contextual escaping on output. See the OWASP XSS prevention cheat sheets.

Issue a new session on login. Don't leak that session over HTTP. Use HTTPS for logged-in users and set the secure and httpOnly flags on the session cookie.

Use bcrypt, scrypt or PBKDF2 for password hashing.

As others said, don't put sensitive files on the server unprotected. robots.txt is a good place to start for hackers.

Erlend
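The mechanical parts of this answer (a parameterized query instead of `mysql_real_escape_string`, contextual escaping at output time, and the secure/httpOnly session cookie flags) in one small PHP request handler. This is an added example, not the answer's own code. It assumes a `users` table with columns `userid`, `username` and `password_hash`, a placeholder PDO DSN, and that the page is served over HTTPS (with the secure flag set, a browser will not send the cookie over plain HTTP at all).

```php
<?php
// Added example, not the answer's own code. Assumed: a "users" table with
// columns userid, username, password_hash; placeholder PDO connection details;
// and that this page is served over HTTPS.
declare(strict_types=1);

// Cookie flags must be set before session_start(). secure: only sent over
// HTTPS. httponly: not readable from JavaScript, so an XSS bug on the site
// cannot read the session id. use_only_cookies: never accept the id from the URL.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');
session_start();

// Placeholder DSN and credentials (assumed).
$pdo = new PDO(
    'mysql:host=localhost;dbname=news;charset=utf8mb4',
    'dbuser',
    'dbpass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

/**
 * Parameterized lookup. The username travels to MySQL separately from the SQL
 * text, so whatever characters it contains it is only ever compared as a value.
 * No escaping function is involved.
 */
function findUserByName(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT userid, username, password_hash FROM users WHERE username = :name'
    );
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Escape for an HTML body or quoted attribute context. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

/** Escape for a URL query-string parameter context. */
function u(string $value): string
{
    return rawurlencode($value);
}

// Input is stored and looked up as-is; escaping happens on output, per context.
$requested = (string)($_GET['u'] ?? '');
$user = findUserByName($pdo, $requested);

header('Content-Type: text/html; charset=UTF-8');
if ($user === null) {
    echo '<p>No such user.</p>';
} else {
    // Same value, three output contexts, the matching escaper for each.
    echo '<p>Profile of ' . e($user['username']) . '</p>';
    echo '<input type="text" value="' . e($user['username']) . '">';
    echo '<a href="/posts?author=' . u($user['username']) . '">Posts</a>';
}
```

The point the question's item 1 misses is visible in the last block: the raw username is kept in the database unchanged, and `e()` or `u()` is applied only where the value is printed, chosen by where in the page it lands. Escaping with html-entities on the way in would corrupt the stored data and still leave the URL context unprotected.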