
So what kind of things should a person using PHP and MySQL be focused on to maximize security?

Things I have done:
- mysql_real_escape_string all inputs
- validate all inputs after escaping them
- placed random alphanumerics before my table names
- 50-character salt + RIPEMD passwords

Here's where I think I am slacking:
- I know nothing about sessions and securing them. How unsafe/safe is it if all you are doing is:

session_start();
$_SESSION['login'] = $login;

and checking it with:

session_start();
if (isset($_SESSION['login'])) {
    // treated as logged in
}

- I heard something about other forms of injection like cross-site injection and whatnot...
- And probably many other things I don't know about.

Is there a "checklist"/quick tutorial on making PHP secure? I don't even know what I should be worried about. I kinda regret now not building off CakePHP since I am not a pro.

casperOne
NoviceCoding

4 Answers

You can try to avoid hijacking by testing the user agent.

Something like this:

session_start();

if (isset($_SESSION['userAgent'])) {
    if ($_SESSION['userAgent'] != md5($_SERVER['HTTP_USER_AGENT'])) {
        // HACK !!!
        // Kill the process or ask for authenticating
    }
} else {
    // First request of this session: remember the user agent
    $_SESSION['userAgent'] = md5($_SERVER['HTTP_USER_AGENT']);
}
Epharion
  • This won't stop a serious hacker from hijacking your session. – GolezTrol Dec 30 '10 at 09:12
  • Start by taking a look at this: http://stackoverflow.com/questions/328/php-session-security The UserAgent check is mentioned there as well, but as you can tell by the comments, I'm not the only one who thinks it is a useless check. If the check fails, all you can tell is you're dealing with a very dumb hacker. – GolezTrol Dec 30 '10 at 22:17

If your application allows any kind of content to be posted you should use some kind of encryption at login. SSL is best of course; poor man's SSL is encrypting the password with JS before posting the login form.

To avoid session hijacking, tie down the session to the IP at login (save the IP at login and compare it with every request).

regards, //t

Teson
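The two answers above suggest binding the session to the user agent and to the client IP. As an added example (not code from the question or from either answer), here is the login/check pattern the question asks about with the session hardening a defender would want first, and the fingerprint check placed where it belongs: as a weak signal that triggers re-authentication, not as the main defence. It assumes PHP 7.3 or later (array form of session_set_cookie_params) and HTTPS; the function names start_secure_session, login_user, logout_user, current_user and request_fingerprint are hypothetical.

```php
<?php
// Added example, not code from the original question or answers.
// Assumes PHP 7.3+ and that the site is served over HTTPS.
declare(strict_types=1);

// Cookie attributes: not readable by JavaScript, only sent over HTTPS, not
// attached to cross-site requests. Must be set before session_start().
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hash of user agent and client IP. Kept as a weak signal only: a user agent is
// trivially copied and IP addresses change behind NAT and on mobile networks.
function request_fingerprint(): string
{
    $ua = $_SERVER['HTTP_USER_AGENT'] ?? '';
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return hash('sha256', $ua . '|' . $ip);
}

// Call after the password has been verified (password_verify() against a
// stored password_hash() value; it chooses the salt itself).
function login_user(int $userId): void
{
    // Replace the pre-login session id so an id the browser had before
    // authenticating (fixated, leaked, logged) never becomes an authenticated one.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = request_fingerprint();
    $_SESSION['last_seen']   = time();
}

function logout_user(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Returns the logged-in user id, or null when the session must not be trusted.
function current_user(int $idleLimit = 1800): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    // Idle timeout: a stolen id stays useful only while the session is active.
    if (time() - (int) $_SESSION['last_seen'] > $idleLimit) {
        logout_user();
        return null;
    }
    // Fingerprint mismatch: ask for re-authentication rather than declaring an attack.
    if (!hash_equals($_SESSION['fingerprint'], request_fingerprint())) {
        logout_user();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// Page handler usage, replacing the bare isset($_SESSION['login']) check:
start_secure_session();
$userId = current_user();
if ($userId === null) {
    header('Location: /login.php');
    exit;
}
```

The session_regenerate_id() call on login and the cookie flags do the real work here; the fingerprint only shortens the window in which a copied id is useful. Setting session.use_strict_mode=1 in php.ini makes PHP refuse session ids it did not generate itself, which closes the fixation case independently of this code.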

For XSS and other injection types, which are mainly HTML and JS injection, the key security measure is escaping all output. Everything you paste into HTML should be escaped for HTML; that means no JS or HTML should be seen by the browser in content generated from something coming directly from the database.

As an example, user_name, which the user has set in a form, should not contain any HTML or JS code. If by any means someone can inject such a thing, you'll have some problems (and the easiest way to inject is the search form input in most apps, where your search is echoed in the response page). So all these outputs should go through htmlspecialchars() before output.

Here are some useful links:

regilero
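The search-form case from this answer, as an added example that is not regilero's own code: the term the user typed and a stored user_name are echoed back into HTML, once as-is and once through a small e() helper (hypothetical name) wrapping htmlspecialchars(). The sample rows and search string are constructed.

```php
<?php
// Added example, not code from the original answer.
declare(strict_types=1);

// Escape for HTML text and double- or single-quoted attributes. ENT_QUOTES covers
// both quote kinds; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: values are pasted into the markup as they came from the request
// and the database, so any tag or attribute in them reaches the browser.
function render_results_unsafe(string $search, array $rows): string
{
    $html = "<p>Results for \"$search\"</p>\n<ul>\n";
    foreach ($rows as $row) {
        $html .= "  <li>{$row['user_name']}</li>\n";
    }
    return $html . "</ul>\n";
}

// Hardened: every dynamic value is escaped at the point it enters the HTML.
function render_results(string $search, array $rows): string
{
    $html = '<p>Results for "' . e($search) . "\"</p>\n<ul>\n";
    foreach ($rows as $row) {
        $html .= '  <li>' . e($row['user_name']) . "</li>\n";
    }
    return $html . "</ul>\n";
}

// Constructed sample input: a search term and a stored name containing markup.
$search = '<i>cow</i> & "moo"';
$rows   = [
    ['user_name' => 'alice'],
    ['user_name' => '<b>bob</b>'],
];

echo render_results_unsafe($search, $rows); // tags reach the browser intact
echo render_results($search, $rows);        // tags are shown as literal text
```

Escape at output time, in the function that builds the HTML, rather than at input time: the same user_name may later be written to a CSV file, a JSON response or an e-mail, each with its own escaping rules. htmlspecialchars() is only correct for HTML text and attribute values; a value placed inside a <script> block or a URL needs json_encode() or rawurlencode() respectively.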

There are multiple ways of hacking. The first is when an actual (or fake) user is trying to find gaps in your software to try to damage your server. You will need the escaping and input checking to prevent SQL injection to work around this.

The (or 'an') other is a hacker that tries to steal a session to impersonate another user. This allows them to reach (and change) data they are not entitled to.

SQL injection is fixed by using mysql_real_escape_string. When you use that and use it right, there is no need to be afraid of SQL injection. There is no need to prepend random characters to table names. This will make your programming harder while not providing any real additional safety. You could also use mysqli and parameterized queries, which don't have this problem at all. mysqli takes care of the escaping for you. Theoretically, parameterized queries could even run faster, because the queries can be cached more efficiently. In practice, however, this is not the case. It is only since MySQL 5.2 that these queries are cached at all, but still not as efficiently as they could be. That is however nothing to worry about right now. Any solution will probably perform well enough for you right now.

One thing you shouldn't do, ever, is allow PHP code in user-generated content. If you allow users to type PHP, you will allow them to break your application and possibly modify your database. Also, when a hacker manages to impersonate a user/content editor, he gets a complete toolbox for free when you allow the content to contain PHP.

To prevent sessions from being hijacked, I think it is best to use SSL. If you don't want to serve all your pages via SSL, you could choose to save a session in cookies, but demand a re-login (using SSL) whenever important changes are made.

GolezTrol
  • Hey. Thanks for the elaborate response. The question of mysql_real_escape_string came up for me earlier and when I looked at the manual I felt like it was implied that it only works for certain types of injections. If I use it on all my inputs am I safe from injection? Also: Is there an alternative solution to using SSL temporarily until I get it? – NoviceCoding Dec 30 '10 at 19:40
  • It works for SQL injections in those situations where you use input values in a query. Like when you allow searching for something, and you let someone enter a value in $search, you could build a query like `$query = "SELECT * FROM Pages WHERE content LIKE '%$search%'";` That is perfectly fine unless someone searches for `cow%'; drop database; --`. Doesn't seem likely? Maybe not... Anyway, that's the kind of evil hack you prevent, apart from simple problems that may occur when someone just searches for something containing a `'`. :) – GolezTrol Dec 30 '10 at 22:08
  • As far as alternatives for SSL, I'm not the greatest expert at this, so it may be best if I don't answer this question with some silly ideas that may not benefit you at all. You may even consider asking a new question for this, because it is a totally separate problem from SQL injection. – GolezTrol Dec 30 '10 at 22:10
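The answer recommends mysqli with parameterized queries and the comment thread gives the search query that escaping has to protect. As an added example (not GolezTrol's own code), here is that query built as a string beside the prepared-statement form, with a bound integer LIMIT to show the kind of spot where quoting-based escaping has nothing to escape into. Connection details are placeholders, the Pages table (id, title, content) is assumed, and get_result() needs the mysqlnd driver.

```php
<?php
// Added example, not code from the original answer or comments.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of failing silently
$db = new mysqli('localhost', 'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4'); // escaping is only correct when the connection charset is known

// The query from the comment: $search is interpolated into the SQL text, so a
// quote in it ends the string literal and the rest is parsed as SQL.
function find_pages_unsafe(mysqli $db, string $search): array
{
    $query = "SELECT id, title FROM Pages WHERE content LIKE '%$search%'";
    return $db->query($query)->fetch_all(MYSQLI_ASSOC);
}

// Prepared statement: SQL text and values are sent separately, so a value can
// never change the statement's structure. The LIMIT is bound as an integer,
// a position where there is no string literal for an escaping function to
// protect. % and _ typed by the user are backslash-escaped so LIKE matches
// them literally (the backslash is MySQL's default LIKE escape character).
function find_pages(mysqli $db, string $search, int $limit = 50): array
{
    $pattern = '%' . addcslashes($search, '%_\\') . '%';
    $stmt = $db->prepare('SELECT id, title FROM Pages WHERE content LIKE ? LIMIT ?');
    $stmt->bind_param('si', $pattern, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Constructed input: the search string from the comment thread. With the
// prepared statement it is just text to match, not SQL.
$search = "cow%'; drop database; --";
foreach (find_pages($db, $search) as $row) {
    printf("%d: %s\n", $row['id'], $row['title']);
}
```

Two caveats for the "am I safe if I escape all inputs" question in the comments: mysql_real_escape_string() only protects a value that ends up inside a quoted string literal, and only when the connection charset is set, so a value used as a number, a column name or a LIMIT needs a different check (a cast, or a whitelist). The whole ext/mysql extension it belongs to was removed in PHP 7.0, so new code ends up on mysqli or PDO anyway, where binding parameters is the natural form.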