I hope this question isn't too stupid of one. I'm new to PHP and am interested in designing a system for internal staff usage. (So all users are trusted - and any of their inputs will go through PDO)

This system will be hosted on the Internet however.

Would simply using PDO, .htaccess (to restrict directory access), and redirecting users upon failed login (so users without an account cannot get to any page other than the login page - hence restricting input based SQL injections from attackers..?) be enough for the site to be hosted online?

Did not consider using a framework, but am wondering how exactly it would work for a website that doesn't allow the public to see anything other than a login page? (At least that's what I think?)

For .htaccess,

deny from all

is used.

For my index.php, it creates a new Template Controller class

$template = new TemplateController();
$template->template_controller();

The TemplateController class follows:

<?php

class TemplateController
{

    public function template_controller()
    {

        include "views/template.php";

    }

}

Then finally the template.php has

<?php
// session_start() must have run (e.g. in index.php) before $_SESSION is read.
if (isset($_SESSION["loggedIn"]) && $_SESSION["loggedIn"]) {
    if (isset($_GET["route"])) {
        if ($_GET["route"] == "home") {   // closing parenthesis was missing
            include "modules/" . $_GET["route"] . ".php";
        }
    } else {
        include "modules/404.php";
    }
} else {
    // Not logged in: only the login module is ever included.
    include "modules/login.php";
}

to handle redirecting of users who are not logged in. Modules are only included if the user has a valid session.

So with this structure, how would a website get attacked if perhaps I'm using a virtual private server plan to host this over a domain? Just wanted to know how a framework would differ from a setup like mine.

Thank you in advance!

EDIT: I've neglected to mention how the login page is secured.

I'm using preg_match to do so.

if (preg_match('/^[a-zA-Z0-9]+$/', $_POST['inUsername']) && 
preg_match('/^[0-9A-Za-z!@#$%^&*(),.<>?\/\-_=+ ]+$/', $_POST['inPassword']))
  • You should never be [restricting passwords](https://stackoverflow.com/a/36628423/1839439) input in any way. If the users would like to authenticate using their own bone marrow - let them! Restricting input is not usually a good security measure. – Dharman Jun 27 '19 at 22:26
  • What exactly are you trying to secure against? The use of your software by other people? Don't address security in this opaque way. If you know you have a security vulnerability somewhere then you should fix it as soon as possible. – Dharman Jun 27 '19 at 22:28
  • If you are going to let users decide what PHP code you let them execute you should use white list to explicitly list out all the possible commands/routes you allow the users to execute. Doing `include "modules/" . $_GET["route"] . ".php";` is never recommended, whether the user is logged in or not. – Dharman Jun 27 '19 at 22:30
  • For what I'm trying to secure against: XSS, CSRF, and all the security issues I've been reading about for a website. Not sure if these attacks can be done if the attacker isn't able to see anything more than the login page? Am unfortunately not experienced enough to know, and it's been a bit of a challenge looking for a specific question like this. With regards to that GET command, is that because the GET query is sent as a string which opens me up to an attack? – Lawrence Lim Jun 28 '19 at 03:14
  • They can be done even if attacker doesn't have access or is someone you know. There are known methods for each one of these attacks to protect against. – Dharman Jun 28 '19 at 10:17
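The comments above point at two concrete changes: dispatch only to an explicit allow-list of module names instead of building a file path from `$_GET["route"]`, and stop constraining the password with a character-class regex. The following is an added example of a `template.php` written that way; it is not the questioner's code. It assumes a `$pdo` connection created earlier (for instance in `index.php`), a `users` table with `username` and `password_hash` columns, and hashes produced with `password_hash()`.

```php
<?php
// Added example (not the original poster's code): a template.php that
// dispatches only to an explicit allow-list of modules and verifies
// credentials with password_verify(). The route value is used solely as an
// array key, never as part of an include path. $pdo, the "users" table and
// its columns are assumptions for illustration.
declare(strict_types=1);

session_start();

// Allow-list: route name => module file. Anything not listed is a 404.
const ROUTES = [
    'home'    => 'modules/home.php',
    'reports' => 'modules/reports.php',
];

/**
 * Resolve a requested route to a module path, or null when it is unknown.
 * A missing route defaults to "home".
 */
function resolveRoute(?string $route): ?string
{
    if ($route === null) {
        return ROUTES['home'];
    }
    return ROUTES[$route] ?? null;
}

/**
 * Check submitted credentials against the stored hash. The password is
 * passed through unchanged; no characters are rejected or stripped.
 * Assumes hashes created with password_hash($password, PASSWORD_DEFAULT).
 */
function attemptLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id once privilege changes
    $_SESSION['loggedIn'] = true;
    $_SESSION['user'] = $username;
    return true;
}

if (empty($_SESSION['loggedIn'])) {
    if ($_SERVER['REQUEST_METHOD'] === 'POST'
        && isset($_POST['inUsername'], $_POST['inPassword'])
        && attemptLogin($pdo, (string) $_POST['inUsername'], (string) $_POST['inPassword'])) {
        header('Location: index.php?route=home');
        exit;
    }
    // Not logged in: the login module is the only thing ever included.
    include 'modules/login.php';
    exit;
}

$module = resolveRoute(isset($_GET['route']) ? (string) $_GET['route'] : null);
if ($module === null) {
    http_response_code(404);
    include 'modules/404.php';
} else {
    include $module;
}
```

With this shape, adding a page means adding one entry to `ROUTES`; a request for any other value, including path-like strings, never reaches `include`.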

1 Answer

Who would attack you internally? Just fire them.

Make sure that you escape and sanitize or validate every user input that needs to be saved in the DB.

Also, make sure that you won't print stuff that comes out of the DB directly on a web page. You cannot trust anything directly coming from the DB. You have to escape them before rendering them.

And use prepared statements whenever you can. They take care of many security-related escaping issues when inserting something in the database or even when passing an argument for the WHERE clause of your query, for example.

asiby
  • Thank you for the response! I wouldn't be too worried about internal attacks but rather, would the public be able to attack a website that they can only see the login page of? (and hence only be able to use the username/password input fields) Since the website would be hosted on a public domain. Also, noted with regards to your suggestions! I will remember to escape all the content from the DB, as well as sanitize the input fields. And Prepared statements are 100% used all the time via PDO :) – Lawrence Lim Jun 27 '19 at 20:36
  • "Who would attack you internally?" -- An attacker who has gained access to your network? –  Jun 27 '19 at 21:08
  • Even the developer himself might be attacking his own code unknowingly. If the code has vulnerabilities sometimes they might be abused accidentally. Basically vulnerability is usually a software bug. – Dharman Jun 27 '19 at 22:22
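The answer recommends two separate things: bind values through prepared statements on the way into the database, and escape values at output time on the way out. The block below is an added example, not the answerer's code, that shows both on an in-memory SQLite database so it runs stand-alone; the `notes` table, its columns and the sample rows are constructed here for illustration.

```php
<?php
// Added example (not from the answer author): prepared statements for
// input and htmlspecialchars() for output, on a constructed in-memory
// SQLite "notes" table so the script runs on its own.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

/** Insert with bound parameters: values are never concatenated into SQL. */
function addNote(PDO $pdo, string $author, string $body): void
{
    $stmt = $pdo->prepare('INSERT INTO notes (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

/** Look up by author; the WHERE argument is a bound parameter as well. */
function notesBy(PDO $pdo, string $author): array
{
    $stmt = $pdo->prepare('SELECT author, body FROM notes WHERE author = :author');
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Escape for an HTML text context. Applied when rendering, not when storing. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample input containing both SQL and HTML metacharacters.
addNote($pdo, "o'brien", '<b>hello</b> & goodbye');
addNote($pdo, 'alice', "1; DROP TABLE notes; --");

// The quote in "o'brien" is bound, so the lookup works and the table survives.
foreach (notesBy($pdo, "o'brien") as $note) {
    // The stored value is untouched; escaping happens only at render time,
    // so the same row can still be matched by an exact search.
    echo '<li>', h($note['author']), ': ', h($note['body']), "</li>\n";
}
```

Keeping the raw value in the database and escaping only at output is what lets the same data be rendered safely in HTML now and, say, exported as plain text or JSON later without double-escaping.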