
To protect my project from attacks (example: SQL injection) I'm using the below for query-parameter pages (*.php?query=value):

```php
$id = strip_tags($id);
$id = mysql_real_escape_string($id);
if (is_numeric($id) && strlen($id) <= 3) { // ids are numbers, maximum of 3 digits
    // ... query runs here
}
```
  • Apart from this I'm using client-side (JavaScript) & server-side (PHP) validation, and strip_tags() to filter data as required.
  • Passwords are encrypted using bcrypt()
  • All messages are encrypted using mcrypt_ecb()
  • Pages can only be accessed when isset($_SESSION["id"]), i.e. logged in.
  • error_reporting(0); to hide errors.
  • $_POST instead of $_REQUEST
  • mysql_real_escape_string(); for every input

Actually my project will be used by a college and I'm tense about the security because BackTrack makes it easy to penetrate, so I'm trying hard to make it safe. (I know it's a vast question, but any kind of help will be very useful.) As a student I want to know what else I'm missing to make it safe?

user2216267
  • No offense bro - but there are so many things wrong with your approach ... where to begin? – jrd1 Aug 09 '13 at 23:47
  • If you're that concerned about security, forget about MySQL and start using MySQLi or PDO prepared statements/bind variables - colleges should be leading the way in this, not trailing 10 years behind the rest of the world – Mark Baker Aug 09 '13 at 23:49
  • `strip_tags()` is no secure HTML remover, and values shouldn't be escaped prematurely. – Sven Aug 09 '13 at 23:49
  • @Sven then should I use htmlspecialchars()? – user2216267 Aug 09 '13 at 23:51
  • @MarkBaker actually I started the work early in college and now it's time to make it live. Can I use prepared statements in mysql? What other precautions? – user2216267 Aug 09 '13 at 23:52
  • No, prepared statements aren't supported by the MySQL extension; you need MySQLi or PDO for that – Mark Baker Aug 09 '13 at 23:57
  • @MarkBaker then what else can I do to make mysql secure, from your experience? – user2216267 Aug 09 '13 at 23:57
  • MySQL is secure if you properly escape requests, but the point now is that the mysql extension isn't supported in new versions (PHP >= 5.5), so if you want to use a new version you have to use an extension other than mysql ... check this http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php/14110189#14110189 – NullPoiиteя Aug 10 '13 at 00:31
  • With MySQL, you have to jump through a lot more hoops to make it secure, and it's all too easy to make a mistake; prepared statements make it a lot less coding effort – Mark Baker Aug 10 '13 at 17:52

3 Answers


Firstly:

Avoid PHP's MySQL functions like a plague

Use PHP's MySQLi functions instead at the very, very minimum, or PDO instead. MySQLi and especially PDO functions are better security-wise. But, of the two, PDO is the best deal as it offers you higher abstraction with prepared statements, which greatly increases your defense against SQL injection attacks:

Most SQL statements in PHP applications use variable input to determine the results of the SQL statement. To pass user-supplied input to an SQL statement safely, prepare a statement using parameter markers (?) or named variables representing the variable input. When you execute the prepared statement, you bind input values to the parameter markers. The database engine ensures that each input value is treated as a single parameter, preventing SQL injection attacks against your application. Compared to statements issued through PDO::exec(), prepared statements offer a performance advantage because the database management system creates an access plan for each prepared statement that it can reuse if the statement is reissued subsequently.

Also, avoid using some of the older deprecated PHP functions.

Next, generally, if you're using PHP or any language that creates dynamic requests, that implies user input on some level, and most oftentimes, a subsequent interaction with the database. Rule 1 of web programming: never, ever, under any circumstances trust user input. At all. Everything entered must be cleaned and validated to avoid security problems. You can do this natively with PHP, but honestly it takes a lot of work and a lot of attention to detail - which of course expands your development time.

If this is not an academic exercise or one dealing with self-training - try to use a framework if you can - it can potentially save you many headaches later down the road, as good frameworks can take care of some of the overhead of dealing with escapes, validation and the like. What that means is that if you go commando and write your own code with no framework: most, if not all, of the functionality you'll be implementing would be done for you and, chances are, done better in a framework.

Plus, they make PHP development easier, and occasionally, fun. Of course, not all frameworks are created equal, and all frameworks have security issues, too. But, this is something you will have to keep in mind and keep yourself informed at all times, religiously.

If this is an academic exercise, or a self-learning one, read this:

Reasons to NOT use a PHP Framework?

A lot of the top StackOverflow PHP posts and Programmers.StackExchange posts can help you with your journey.

Here's a few to start with:

(This one's more of an overview of what most of these links discuss)

Read up on security practices in your field. It's ever evolving.

If you're interested in frameworks, here are a few of the popular ones to pique your interest:

But, either way - good luck!

jrd1
  • Thank you so much, I will go through each link.. but changing database queries or framework 2 days before launch can be hectic.. how to migrate? .... And I wanted to know which framework will be better to learn for a job: Zend or CakePHP or Yii or CodeIgniter or Symfony or Kohana? – user2216267 Aug 10 '13 at 08:54
  • @user2216267, you're welcome. While I think those questions deserve their own posting in their own right, if you're migrating _2 days_ before launch (which boggles the mind), mysqli would be your best bet since it's made to be compatible with the older mysql functions in PHP. In fact, they were designed for that purpose. As for the job part, again I think you should make another question, but if you want marketability, Zend is the way to go, as well as CakePHP. The others are relative newcomers, but have good press. At the end of the day, read up on them, dabble a little and you'll know. – jrd1 Aug 10 '13 at 08:59
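The PDO prepared statement that this answer and the comments recommend, applied to the question's `$id` query parameter, as an added example that is not from the question or any answer. The table and column names (`students`, `id`, `name`), the DSN and the credentials are assumptions; the strict digit check replaces the question's `is_numeric()` test, and HTML escaping is deferred to output as Sven's comment suggests.

```php
<?php
// Added example, not code from the question or any answer. Replaces
// strip_tags() + mysql_real_escape_string() with validation plus a bound
// parameter, so the value never becomes part of the SQL text.

// Validate the route parameter strictly: digits only, at most 3 of them.
// ctype_digit() rejects "1e2", " 12" and "-5", which is_numeric() accepts.
function parseId($raw)
{
    if (!is_string($raw) || $raw === '' || strlen($raw) > 3 || !ctype_digit($raw)) {
        return null;
    }
    return (int) $raw;
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=college;charset=utf8mb4', // assumed DSN
    'app_user', 'app_password',                            // assumed creds
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$id = parseId(isset($_GET['query']) ? $_GET['query'] : '');
if ($id === null) {
    http_response_code(400);
    exit('invalid id');
}

// The id travels as a typed bound parameter; the query text is constant.
$stmt = $pdo->prepare('SELECT id, name FROM students WHERE id = :id');
$stmt->bindValue(':id', $id, PDO::PARAM_INT);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    http_response_code(404);
    exit('not found');
}

// Escape for HTML only at output time, not before storing or querying.
echo '<h1>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</h1>';
```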

I'd propose reviewing OWASP's website for web security related information (or even joining OWASP).

This OWASP section provides PHP-related information.

SteAp

Making a PHP application secure is a pretty complex process. There are a lot of things to think about when you write your application, and SQL injection is not the only threat.

I suggest referring to the following useful articles:

25 PHP Security Best Practices For Sys Admins

How to secure your php application?

PHP Security Cheat Sheet

Stanislav