
I'm developing a project for my college.

The project is approved by my college and will be live by next week for over 5000 students. The project is functioning fine, but I'm worried about the hacks and intrusions students can perform.

The project is a notice publishing portal and skill promoting project where college management will post news and students can view it after email verification. The students can upload their achievements to share with the college, and can share their creative works like apps, web services etc. They can also browse the skills of other students whose profile is filled in, which will help in forming groups.

I have applied the security measures below:

  • I have used if(isset($_SESSION['name']) && isset($_SESSION['email']) && isset($_SESSION['pass'])) on every page to keep out users who are not logged in.

  • mysql_real_escape_string($pass); // for escaping special characters.

  • The passwords are encrypted using the salt method (crypt();).

  • Validations during signup & file uploading limits.

I have searched for and applied the above measures but want to know what other things are needed in this type of project; maybe some additions in the .htaccess?

user2216267
  • I think there is nothing remaining for your project at this level.... All the best, hope your project goes well – GautamD31 May 18 '13 at 08:42
  • Encrypt each and every id with a salt value for all your entities' operations like add, edit, delete, view and for ajax calls that are hidden but can be seen in the console, and your database primary keys (ids) can be seen easily. – Manish Jangir May 18 '13 at 08:44
  • @Gautam3164: I have displayed it here so that you can look into the portal. Any advice or ideas for the project? – user2216267 May 18 '13 at 08:48
  • Hey, just joking... nice one. Good to do your project for your college itself... all the best. As I said earlier, for this level you have done almost everything. As @ManishJangir said, make the URLs more secure. That's it. I hope a good response will come for your hard work – GautamD31 May 18 '13 at 08:51
  • @Gautam3164 thank you so much :), how do I make the URL secure? If I encrypt the id, how will I perform the search in SQL? – user2216267 May 18 '13 at 08:54
  • Good question... give me some time, I will show you – GautamD31 May 18 '13 at 08:56

4 Answers

3

Some small improvements could be made:

1) You only need to store one session in which you would put the user id after they have logged in.

2) Don't use mysql anymore. Use PDO; it's a driver that enables you to use parameterized queries to prevent SQL injection.

3) For securely storing passwords use bcrypt; here is a good answer on how to use it: Link

Ace
  • thanks :).... I used 3 session values because I thought that someone using some session tools (maybe) could set the values? Is there any tool like that? And is the crypt function not so secure? – user2216267 May 18 '13 at 09:21
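The three points of this answer put together in one added example (PHP 7.1+, not code from Ace's answer or from the portal itself): PDO with real prepared statements, bcrypt via password_hash()/password_verify(), and a login that ends with a single user id to put in the session. The DSN, the credentials, and the `users` table with columns `id`, `email` and `pass_hash` are assumptions.

```php
<?php
// Added example: PDO prepared statements + bcrypt password storage.
// DSN, credentials, table and column names are assumptions, not the OP's schema.

function db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=portal;charset=utf8mb4', // charset set in the DSN, not via a query
        'portal_user',
        'portal_pass',
        [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // throw instead of failing silently
            PDO::ATTR_EMULATE_PREPARES   => false,                  // server-side prepares: data never becomes SQL
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]
    );
}

// Signup: bcrypt generates and embeds its own random salt; cost 12 is a
// reasonable 2020s default, raise it as hardware allows.
function register_user(PDO $pdo, string $email, string $password): int
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $pdo->prepare('INSERT INTO users (email, pass_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return (int) $pdo->lastInsertId();
}

// Login: the row is looked up by email only, so the submitted password never
// touches SQL and there is nothing to escape. Returns the user id or null.
function login_user(PDO $pdo, string $email, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, pass_hash FROM users WHERE email = :email LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch();

    // Same outcome for unknown email and wrong password, so the two are indistinguishable.
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }

    // Transparently upgrade hashes made with an older/cheaper cost.
    if (password_needs_rehash($row['pass_hash'], PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE users SET pass_hash = :hash WHERE id = :id');
        $upd->execute([
            ':hash' => password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]),
            ':id'   => $row['id'],
        ]);
    }

    return (int) $row['id'];
}

// Usage (constructed): after login, this id is the only thing worth keeping in $_SESSION.
// $pdo = db();
// $id  = login_user($pdo, $_POST['email'] ?? '', $_POST['pass'] ?? '');
```

Because the password is only ever compared against the stored hash in PHP, a database dump exposes bcrypt hashes rather than crypt() output with a short or reused salt, and because every value travels as a bound parameter there is no string concatenation for mysql_real_escape_string() to protect.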
2

There's no good reason to store the password (or the hashed password, if that's what you are doing) in the session. Passwords are secret. You should be very careful about how you handle other people's secrets.

Storing the unique name (or email) is sufficient to determine that a user is logged in.

Some other problems I spotted:

  • Password field in the top login form is not "password" type. Allows shoulder-surfing.
  • There is no need to use mysql_real_escape_string() if you have hashed the password. Hashing the password should be the first thing you do after receiving it.
  • On the account page, you have used a "password" type field for the Security Answer but you have pre-filled the field with the value. This is available in the HTML source. Yours is 12345.
  • You still have display_errors set to true in your php.ini.
  • No SSL. All the passwords will be sent unencrypted across your College network.
  • Your question doesn't mention bcrypt but it should. BCrypt is an appropriate password hashing algorithm. (PHP calls this CRYPT_BLOWFISH).
  • The use of mysql_real_escape_string() indicates that you are not using prepared statements and binding parameters. Doing so makes SQL injection impossible. Switch to mysqli or PDO.

I didn't attempt any unusual POST requests to your service but I noticed that you have a bunch of fields that have editing disabled in the HTML. This doesn't actually prevent anything. I can submit that form with a different Student ID. Does the receiving PHP handle that case?

Ladadadada
  • thank you for your helpful feedback :) .... The password field on the top login form changes to type password on click using JavaScript.... yes, I have handled it on the PHP side as I'm not passing the disabled fields in the SQL UPDATE query.... how did you make it to the php.ini file? Any more suggestions for the project? – user2216267 May 18 '13 at 09:36
  • I use NoScript to handle JavaScript, but I'm aware this is an unusual choice. I didn't see your php.ini. I saw a database connection error displayed in the browser. :-) – Ladadadada May 18 '13 at 09:53
  • okk :) thank you :).... was the database connection error any hack? Any more changes I should do? – user2216267 May 18 '13 at 10:01
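An added example (PHP 7.3+, not code from this answer or from the portal) of the two server-side points above: a session that holds only the user id, and a profile update that takes the student id from that session rather than from a form field that was merely disabled in the HTML. It assumes a PDO connection (`$pdo`) and a `users` table with `id` and `skills` columns; those names are assumptions.

```php
<?php
// Added example: minimal session state plus server-side ownership of the edited row.
// Assumes a PDO handle and a users(id, skills) table; both are assumptions.

// Call before any output on every page. Cookie flags keep the session id away
// from page scripts (HttpOnly) and, once HTTPS is in place, off plain HTTP (Secure).
function start_secure_session(bool $siteUsesHttps): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => $siteUsesHttps,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// After a successful login: new session id (defeats fixation) and ONLY the user id.
// No name, no email, and never the password or its hash.
function on_login(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId];
}

// Replaces the three-isset check at the top of every restricted page.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
    return (int) $_SESSION['user_id'];
}

// A disabled <input> is a display hint only; the browser (or curl) can send any
// student_id it likes. So the row to update is chosen by the session, and a
// student_id arriving in $post is simply ignored.
function update_profile(PDO $pdo, array $post): bool
{
    $userId = require_login();
    $skills = trim((string) ($post['skills'] ?? ''));
    if (strlen($skills) > 2000) {           // server-side length limit, independent of HTML maxlength
        return false;
    }
    $stmt = $pdo->prepare('UPDATE users SET skills = :skills WHERE id = :id');
    $stmt->execute([':skills' => $skills, ':id' => $userId]);
    return $stmt->rowCount() === 1;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}

// Usage (constructed):
// start_secure_session(isset($_SERVER['HTTPS']));
// if ($_SERVER['REQUEST_METHOD'] === 'POST') { update_profile($pdo, $_POST); }
```

The point of `update_profile()` is that the identity comes from state the server controls. Any field whose value the user must not change should be dropped from the request entirely, as the OP says the portal does for its UPDATE, rather than relying on the `disabled` attribute.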
2

The easiest way to screw up is by SQL injection (assuming you are using a database) - there are even bots out there trying to insert code into your webpage through SQL injection and deliver malware.

I would secure every SQL statement (no matter whether it's INSERT / SELECT / UPDATE / DELETE) as long as there are user input parameters. For strings you have already handled it well (but read http://php.net/manual/en/function.mysql-real-escape-string.php for the charset caution); for integers I would use (int)$input.

And just make sure you have frequent backups of the database; then you're fine to face any creative student.

And think about the way you display user input: people may submit HTML code with <script> tags, so better flatten it out with htmlspecialchars().

user7180
  • thank you, it was helpful :).... ok, I'll secure every SQL statement :).... any more suggestions for the project? – user2216267 May 18 '13 at 09:39
  • you're welcome! I guess the others have already made very good points as well :) so that's all I can suggest for now. – user7180 May 18 '13 at 12:06
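An added example (not user7180's code) of the two input/output points in this answer: validating integer parameters strictly rather than with a bare `(int)` cast, and escaping everything that is echoed into HTML. The notice row shape (`title`, `body`) and the sample values are constructed.

```php
<?php
// Added example: strict integer ids on the way in, htmlspecialchars() on the way out.

// (int)"12abc" silently becomes 12 and (int)"abc" becomes 0, which may then match
// a real row. FILTER_VALIDATE_INT rejects anything that is not a whole number,
// and min_range keeps out 0 and negatives; null means "not a valid id".
function read_int(array $src, string $key, int $min = 1): ?int
{
    $v = filter_var($src[$key] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min]]);
    return $v === false ? null : $v;
}

// One escaping helper for HTML text and attribute values. ENT_QUOTES covers both
// quote styles so the same function is safe inside attribute="..." too; the
// explicit charset avoids the charset-mismatch trap the answer links to.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Render a notice as stored in the database; nothing the student typed reaches
// the page unescaped, so a pasted <script> is shown as text, not executed.
function render_notice(array $notice): string
{
    return '<article><h2>' . e($notice['title']) . '</h2>'
         . '<p>' . e($notice['body']) . '</p></article>';
}

// Build a link with a validated integer id; both the attribute and the text are escaped.
function notice_link(int $id, string $title): string
{
    return '<a href="/notice.php?id=' . $id . '">' . e($title) . '</a>';
}

// Usage (constructed sample input):
$sample = [
    'title' => 'Exam <script>alert(1)</script> schedule',
    'body'  => 'Rooms "A" & "B"',
];
echo render_notice($sample), PHP_EOL;

$id = read_int(['id' => '42abc'], 'id');   // rejected: null, so no query is run
if ($id !== null) {
    echo notice_link($id, $sample['title']), PHP_EOL;
}
```

Escape at output time in the context where the value lands (here HTML), not at storage time: storing already-escaped text breaks searching, exports and any non-HTML consumer such as the ajax calls mentioned in the comments.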
1

Try this one for your URL parameters, for encryption and decryption.

// The key must be 16, 24 or 32 bytes for RIJNDAEL_256 (mcrypt rejects other lengths on PHP 5.6+).
// Keep it in server-side config, not in a file that ships to the browser.
$salt = 'CHANGE-ME-to-32-random-bytes-key'; // placeholder, 32 characters

Encryption:

function simple_encrypt($text)
{
    global $salt; // the original version used $salt without declaring it global, so it was undefined inside the function

    // Note: ECB mode has no IV, so the mcrypt_create_iv() value is ignored by mcrypt here.
    // mcrypt was deprecated in PHP 7.1 and removed in 7.2; openssl_encrypt() is the replacement.
    $encrypted = mcrypt_encrypt(
        MCRYPT_RIJNDAEL_256,
        $salt,
        $text,
        MCRYPT_MODE_ECB,
        mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)
    );

    // base64 contains '+', '/' and '=', so the result must be passed through urlencode() when put in a URL.
    return trim(base64_encode($encrypted));
}

Decryption:

function simple_decrypt($text)
{
    global $salt;

    // trim() strips the NUL bytes mcrypt uses to pad the last block.
    return trim(mcrypt_decrypt(
        MCRYPT_RIJNDAEL_256,
        $salt,
        base64_decode($text),
        MCRYPT_MODE_ECB,
        mcrypt_create_iv(mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB), MCRYPT_RAND)
    ));
}

Here the $text is the parameter that you want to pass through the URL.

Hope it will help for you

GautamD31
  • thanks.... so I should encrypt it just before I echo it, and decrypt it when receiving it? (mainly to not expose my primary key)? – user2216267 May 18 '13 at 09:41
  • When you give the link to edit or delete a record, you will redirect to another page, right? At that time pass the encrypted ids and parameters to that page, and there decrypt the GET value and do your action with that. By this you can protect the parameters and you can do the same action as if you passed the original value ;-) – GautamD31 May 18 '13 at 09:47
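The same idea as this answer, opaque ids in URLs that the server decrypts before querying, written as an added example (PHP 7.0+, not GautamD31's code) with openssl_encrypt() in CBC mode, a fresh random IV per token and an HMAC, since mcrypt is gone from PHP 7.2 and ECB mode lets equal ids produce equal tokens. It also answers the OP's follow-up about searching: the token is decrypted first and the real integer id goes into a prepared statement. The 32-byte `$key`, the `achievements` table and its `user_id` column are assumptions.

```php
<?php
// Added example: tamper-proof, non-guessable id tokens for URLs (swapped-in
// technique: AES-256-CBC + HMAC-SHA256 via openssl, not the answer's mcrypt/ECB).
// $key must be 32 random bytes loaded from server-side config (assumption).

function seal_id(int $id, string $key): string
{
    $iv  = random_bytes(16);                                           // new IV every time
    $ct  = openssl_encrypt((string) $id, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    $mac = hash_hmac('sha256', $iv . $ct, $key, true);                 // integrity over IV and ciphertext
    // URL-safe base64 without padding: no urlencode() needed, survives copy/paste.
    return rtrim(strtr(base64_encode($iv . $ct . $mac), '+/', '-_'), '=');
}

function open_id(string $token, string $key): ?int
{
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);              // restore padding
    $raw = base64_decode($b64, true);
    if ($raw === false || strlen($raw) < 16 + 16 + 32) {              // iv + one AES block + mac
        return null;
    }
    $iv  = substr($raw, 0, 16);
    $mac = substr($raw, -32);
    $ct  = substr($raw, 16, -32);

    // Constant-time MAC check first; a modified or forged token never reaches decryption.
    if (!hash_equals(hash_hmac('sha256', $iv . $ct, $key, true), $mac)) {
        return null;
    }
    $pt = openssl_decrypt($ct, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false || !ctype_digit($pt)) {
        return null;
    }
    return (int) $pt;
}

// edit.php?r=<token>: recover the id, then look the row up with a prepared statement.
// Hiding the id is not authorization, so the query still requires that the
// logged-in user owns the record. $currentUserId comes from the session.
function load_own_record(PDO $pdo, string $token, string $key, int $currentUserId): ?array
{
    $id = open_id($token, $key);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM achievements WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $id, ':uid' => $currentUserId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (constructed): the link shows an opaque token, the handler gets the integer back.
// $key   = base64_decode(getenv('PORTAL_ID_KEY'));            // 32 bytes, placeholder name
// $token = seal_id(42, $key);                                  // goes into href="edit.php?r=..."
// $id    = open_id($_GET['r'] ?? '', $key);                    // 42, or null if touched
```

Two design points worth keeping even if you prefer a different cipher: the MAC is verified before anything is decrypted, and the decrypted id is used together with the session's user id in the WHERE clause, so the token replaces the visible primary key without replacing the ownership check.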