-1

I am trying to develop a web application where the user enters data and retrieves it in a formatted manner in various sub applications within my site. Basically, it's a form heavy application. I use PHP, HTML and MySQL to develop it. I am hoping I can make it commercial one day. I am good enough to make the site function, but as I develop it more, I want to think more about security. I also have an admin dashboard where I control and manage the main application.

So there are two applications, two MySQL databases and information sharing between databases and tables. My programming level is not advanced at all (probably barely rookie level).

  1. For forms, before I send entered data to MySQL to store, I use the following:

    $lname = stripslashes($_REQUEST['lname']);
    $lname = mysqli_real_escape_string($concfc, $lname);

    Before I develop more forms, should I implement something else to increase security? What other methods in general can I follow to increase security?

  2. I use $_GET variables, pass variables through URL, like my question here. There are a lot of talks about sanitizing it. I really don't know what that means, other than what I am doing for forms above.

  3. Eventually, the app will host (will most likely use a third party provider to host) user uploaded documents to be used (sent via email, kept in order etc.) within the application.

  4. Is there anything else that I can start doing to make my application more secure? I hope that my questions are not so vague as I am trying to learn "best practices", at least for my level of programming knowledge. I am aware there is a lot of information on the web but I am really not sure which one is more suitable, necessary or applicable.

Thanks

Phil
  • 157,677
  • 23
  • 242
  • 245
eleven0
  • 263
  • 6
  • 13
  • Please see [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Phil Oct 21 '18 at 22:12
  • 1
    Obligatory link to [PHP the Right Way](https://www.phptherightway.com) which should answer many of your questions. – tadman Oct 21 '18 at 22:29
  • 1
    Note that `stripslashes` is garbage left over in the PHP API as a result of the wildly ill-considered "magic quotes" feature that was thankfully purged from PHP years ago. It has absolutely no use these days, so it should never show up in your code. It only mangles data. – tadman Oct 21 '18 at 22:29
  • If you're just getting started with PHP and want to build applications, I'd also strongly recommend looking at various [development frameworks](http://codegeekz.com/best-php-frameworks-for-developers/) to see if you can find one that fits your style and needs. They come in various flavors from lightweight like [Fat-Free Framework](https://fatfreeframework.com/) to far more comprehensive like [Laravel](http://laravel.com/). These give you concrete examples to work from and much stronger guidance on how to write your code and organize your files. – tadman Oct 21 '18 at 22:30
  • 1
    Hi @tadman. Thank you so much for the PHP the Right Way link. That makes things easier. I explored options like Laravel before, but really could not understand the coding in place to build more. I think I will enhance my overall understanding of programming before I move on to an environment such as Laravel. – eleven0 Oct 23 '18 at 07:48
  • The reason you *start* with a framework like Laravel is so that you learn from good examples and can be productive while learning. If you skip the framework you end up having to painfully re-invent multiple wheels, something that's not only pointless, but something that exposes you to a high level of security risk. A framework doesn't prevent you from learning, on the contrary it encourages it, as you can always dig deeper, open the source, read the core docs, to explore not only how PHP works, but how it can work. – tadman Oct 23 '18 at 15:12
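The pattern the comments recommend for points 1 and 2 of the question, as an added example (not the asker's code and not from any of the linked projects): validate each input against the shape you expect, pass values to MySQL through prepared statements instead of `stripslashes()` plus `mysqli_real_escape_string()`, and HTML-escape only when rendering. It assumes a `mysqli` connection `$conn` (the question calls it `$concfc`) and a hypothetical `people` table with columns `id`, `lname`, `age`.

```php
<?php
// Added example, not the asker's code. Assumes $conn is a mysqli connection and
// a hypothetical table `people` (id INT AUTO_INCREMENT, lname VARCHAR(60), age INT).
declare(strict_types=1);

// Validation: accept only input of the expected shape. No escaping happens here;
// escaping is an output concern and prepared statements handle SQL.
function validate_lname(?string $raw): string
{
    $lname = trim((string) $raw);
    if ($lname === '' || mb_strlen($lname) > 60) {
        throw new InvalidArgumentException('Last name is required and must be at most 60 characters.');
    }
    return $lname;
}

// Works for $_GET and $_POST alike: filter_var() returns false for anything that is not
// an integer string inside the range, so "1 OR 1=1" or "12abc" never reaches the query.
function validate_int($raw, int $min, int $max): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => $min, 'max_range' => $max]]);
    if ($value === false) {
        throw new InvalidArgumentException("Expected an integer between $min and $max.");
    }
    return $value;
}

// Prepared statement: the SQL text and the values travel separately, so a quote or
// backslash in $lname is stored literally and cannot change the statement.
function insert_person(mysqli $conn, string $lname, int $age): int
{
    $stmt = $conn->prepare('INSERT INTO people (lname, age) VALUES (?, ?)');
    $stmt->bind_param('si', $lname, $age);
    $stmt->execute();
    return $conn->insert_id;
}

// Same approach for a lookup driven by a URL parameter (point 2 of the question).
function find_person(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT id, lname, age FROM people WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// Output encoding is separate from input validation: escape at the point of rendering HTML.
function render_text(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage sketch (connection details are placeholders):
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make mysqli throw instead of returning false
$conn = new mysqli('localhost', 'app_user', 'app_password', 'appdb');
$conn->set_charset('utf8mb4'); // the connection charset must match the data, for escaping and storage alike

try {
    $lname = validate_lname($_POST['lname'] ?? null);
    $age   = validate_int($_POST['age'] ?? null, 0, 150);
    $newId = insert_person($conn, $lname, $age);

    $person = find_person($conn, validate_int($_GET['id'] ?? $newId, 1, PHP_INT_MAX));
    echo $person ? render_text($person['lname']) : 'not found';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo render_text($e->getMessage());
}
```

The two things to keep apart are validation (reject what does not fit) and encoding (escape for the place the data goes: a bound parameter for SQL, `htmlspecialchars()` for HTML). `stripslashes()` does neither; it only removes backslashes the user legitimately typed.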

1 Answer

-2

Answering your questions with my knowledge of PHP and security programming for more than 10 years:

1) Your filters are basic, but effective to avoid SQL injection because you use mysqli_real_escape_string(). You need to keep in mind that you can never trust the data received. In my systems I always sanitize all the data I need to process at the top of the code, for example:

    <?php
    $data = array();
    // "?? """ avoids an undefined-index notice when the field is missing entirely
    $data["name"] = trim(ucfirst(strtolower($_REQUEST["name"] ?? "")));
    if (empty($data["name"])) {
        die("User name is required.");
    }
    $data["age"] = (int) ($_REQUEST["age"] ?? 0);
    if ($data["age"] == 0) {
        die("User age is required.");
    }
    // and so on. If I receive an email, I validate it too. BTW, I always check whether a received value is completely valid: in a valid range, with a valid structure, etc.

After sanitizing, in the rest of the code I use the values from $data[], which are the filtered and valid values received.

In the SQL query I use mysqli_real_escape_string(). You could also use prepared statements.

2) When you use the GET method, your variables are clear to see in the URI. You also have a size limit.

The limit varies with the server and client used (and, if applicable, also the proxy the server or the client is using).

IE, for example, is limited to 2048 bytes (2KB), Opera to 4096 bytes (4KB) and Firefox to 8192 bytes (8KB), and most modern web servers have a limit of 8192 bytes (8KB).

Using POST should be preferred, when possible.

In PHP, you can access data through $_REQUEST, which mixes $_GET and $_POST.

3) Remember to store it on disk. Databases are created to store data, not documents. It's a common mistake.

4) Keep reading and looking for best practices. Store your user passwords using a secure hash (I recommend hash_pbkdf2()), use SSL, log every action made on your system to audit if necessary, keep all system backups up to date, control who can access your server, use a firewall, check for login attempts, etc.

Hope this helps you, I know that this is far from a good compilation of measures to take, but it's a good start.

Ernani Azevedo
  • 461
  • 2
  • 6
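One way to implement point 3 of the answer (documents on disk, metadata in the database), as an added example that is not the answerer's code: the file type is decided from its bytes, the stored name is server-generated, the directory is outside the web root, and the download handler checks ownership before streaming the file. The upload directory, the size limit, the allowed types and the `documents` table are assumptions.

```php
<?php
// Added example, not the answer's code. Assumes a hypothetical `documents` table
// (id, owner_id, original_name, stored_name, mime_type) and a mysqli connection $conn.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app-data/uploads';   // assumption: a directory outside the document root
const MAX_BYTES  = 10 * 1024 * 1024;           // assumption: 10 MB per file
// Assumed allow-list: detected MIME type => extension used for the stored name.
const ALLOWED_TYPES = ['application/pdf' => 'pdf', 'image/png' => 'png', 'image/jpeg' => 'jpg'];

// $file is one entry of $_FILES, e.g. $_FILES['document'].
function store_upload(array $file, mysqli $conn, int $ownerId): int
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with code ' . (int) ($file['error'] ?? -1));
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file.');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('File too large.');
    }
    // Decide the type from the content, never from the client-supplied name or $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('Unsupported file type.');
    }
    // Random stored name: the original filename is kept only as metadata and never used as a path.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest   = UPLOAD_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file.');
    }
    chmod($dest, 0640); // readable by the web server user only

    $original = mb_substr(basename((string) $file['name']), 0, 255);
    $stmt = $conn->prepare(
        'INSERT INTO documents (owner_id, original_name, stored_name, mime_type) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('isss', $ownerId, $original, $stored, $mime);
    $stmt->execute();
    return $conn->insert_id;
}

// Download: the record is looked up by id AND owner, so one user cannot fetch another's document
// by guessing ids, and the path is rebuilt from the stored name rather than from any request value.
function send_document(mysqli $conn, int $docId, int $ownerId): bool
{
    $stmt = $conn->prepare(
        'SELECT original_name, stored_name, mime_type FROM documents WHERE id = ? AND owner_id = ?'
    );
    $stmt->bind_param('ii', $docId, $ownerId);
    $stmt->execute();
    $doc = $stmt->get_result()->fetch_assoc();
    if (!$doc) {
        http_response_code(404);
        return false;
    }
    $path = UPLOAD_DIR . '/' . $doc['stored_name'];
    header('Content-Type: ' . $doc['mime_type']);
    header('X-Content-Type-Options: nosniff');
    // RFC 5987 form keeps non-ASCII names intact and avoids header injection via the filename.
    header("Content-Disposition: attachment; filename*=UTF-8''" . rawurlencode($doc['original_name']));
    header('Content-Length: ' . filesize($path));
    readfile($path);
    return true;
}
```

Because nothing under `UPLOAD_DIR` is reachable by URL, a document can only be served through `send_document()`, which is where the ownership check and the content-type headers live; keeping the user's filename out of the filesystem path also removes the usual path-traversal concern.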
  • 1
    Don't use PBKDF, use [`password_hash`](http://php.net/manual/en/function.password-hash.php) which defaults to Bcrypt, a password-specific hashing method that's extremely strong compared to SHA2. Don't use manual escaping, **always** use prepared statements with placeholder values whenever possible. – tadman Oct 21 '18 at 22:28
  • @tadman With `PBKDF2` you can use `SHA256`, salt and iterations (I use 40000). This is FAR better than any other hash method. It's the latest security standard in password hashes. Take a read about it. – Ernani Azevedo Oct 21 '18 at 23:17
  • 1
    SHA2-256 has been optimized to ridiculous levels because of Bitcoin, so even 40,000 rounds is not really that challenging. Bcrypt is also designed to be GPU resistant, while SHA2-256 is ideal for GPUs. See [citations like this](https://www.openwall.com/presentations/PHDays2014-Yescrypt/mgp00004.html) where PBKDF2 gets a very bad review. You want something that's GPU resistant because of tools like [Hashcat](http://hashcat.net) which have extensive, and somewhat terrifying GPU options. – tadman Oct 22 '18 at 15:55
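The password-storage approach the comment thread converges on (`password_hash()` with its bcrypt default rather than hand-rolled PBKDF2), as an added example that is not the answerer's or the commenter's code. It assumes a hypothetical `users` table with columns `id`, `email`, `password_hash`, a mysqli connection `$conn`, and a cost of 12 and a 12-character minimum as policy choices.

```php
<?php
// Added example, not the answer's code. Assumes a hypothetical `users` table
// (id, email VARCHAR(255), password_hash VARCHAR(255)) and a mysqli connection $conn.
declare(strict_types=1);

const HASH_ALGO    = PASSWORD_DEFAULT;   // bcrypt in current PHP; may change in future versions
const HASH_OPTIONS = ['cost' => 12];     // assumption: work factor tuned for roughly 0.1-0.3 s per hash

// A real hash of a throwaway string, used so a login for an unknown e-mail costs the same
// time as one for a known e-mail (otherwise response time reveals which addresses exist).
define('DUMMY_HASH', password_hash('not-a-real-password', HASH_ALGO, HASH_OPTIONS));

function create_user(mysqli $conn, string $email, string $password): int
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('Invalid e-mail address.');
    }
    // bcrypt only looks at the first 72 bytes; refuse longer input instead of silently truncating it.
    if (strlen($password) < 12 || strlen($password) > 72) {
        throw new InvalidArgumentException('Password must be between 12 and 72 bytes.');
    }
    // password_hash() generates a random salt and embeds salt, algorithm and cost in the result,
    // so nothing else needs to be stored alongside it.
    $hash = password_hash($password, HASH_ALGO, HASH_OPTIONS);

    $stmt = $conn->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
    $stmt->bind_param('ss', $email, $hash);
    $stmt->execute();
    return $conn->insert_id;
}

// Returns the user id on success, null on failure (same result for "no such user" and "wrong password").
function login(mysqli $conn, string $email, string $password): ?int
{
    $stmt = $conn->prepare('SELECT id, password_hash FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();

    $hash = $user['password_hash'] ?? DUMMY_HASH;
    $ok   = password_verify($password, $hash);   // constant-time comparison inside
    if (!$user || !$ok) {
        return null;
    }

    // Transparent upgrade: if the default algorithm or the cost changes later, existing
    // users are re-hashed on their next successful login.
    if (password_needs_rehash($hash, HASH_ALGO, HASH_OPTIONS)) {
        $newHash = password_hash($password, HASH_ALGO, HASH_OPTIONS);
        $upd = $conn->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->bind_param('si', $newHash, $user['id']);
        $upd->execute();
    }
    return (int) $user['id'];
}
```

The point the last comment makes is the one this design rests on: the hash function is chosen for being slow and memory- or GPU-unfriendly, not for being a "latest standard", and `password_hash()` leaves the choice of algorithm and cost to PHP so it can be raised later without touching application code.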