
Security Checklist for PHP application 1

Status
Not open for further replies.

southbeach

Programmer
Jan 22, 2008
879
US
This is what I have in place:
(1) MySQL Database
(2) User must log in
(3) Ajax calls to validate all form submissions
(4) POST method
(5) Each time ajax call is made, $_SESSION is referenced to validate user
(6) JQuery is used as front end
(7) DB name, host, user and password are kept in a PHP script which is included as needed
(8) I am using a "procedural" approach to interact with Database
(9) I use mysqli
(10) Every DB query uses mysqli_real_escape_string()
(11) I use $_POST values in mysqli_real_escape_string()
(12) I escape every form input prior to sending data to PHP
Code:
var param='name='+escape( $('#name').val() );
(13) PHP sends data back in JSON or plain text with a predetermined field separator which I then reference to "split" the returned data
Code:
var response=ajax_response.split('~');
(14) Site where application is based, will use SSL
(15) Pending: incorporate strip_tags() into DB queries

What am I missing? Where am I exposed? How can I test and make sure I'm secured?

Thank you all for reading through this lengthy post and for your continuous help!


--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
(9) Rather than mysqli, I would recommend PDO. Parameterized queries handle any escaping you might need, and are awesome. Another plus is if you decide to change databases, PDO can usually adapt (assuming the appropriate DB drivers/modules are installed on the server).

(10, 11) I would not use $_POST values directly as parameters to your queries; while good, mysqli_real_escape_string should not be your only form of sanitization.

(11.A) Numbers should be validated as being numeric (I like to use ctype_digit for positive integers), emails as email addresses (regex), etc...

(13) Stick to JSON; you'll probably run into edge cases using a split method (if not now, in the future). JSON is pretty well established, and both PHP and JavaScript can handle it well.

For the extra security cautious:
(7) A special user should be created just for this website, with only the access it needs (SELECT, INSERT, UPDATE, and DELETE - nothing else). If you need your site to be able to create the database, more is OK, just remember to revoke permissions afterward.
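The points above (session check, input validation, PDO prepared statements, JSON instead of split('~')) pulled together in one Ajax endpoint. This is an added example, not code from either poster; the DSN/credentials file, the users table and its columns are placeholders, and PHP's built-in filter_var is used for the email check in place of a hand-written regex.

```php
<?php
// Added example, not from the thread. db_config.php (placeholder) defines
// $dsn, $db_user and $db_pass; table/column names are assumptions.
declare(strict_types=1);
session_start();
header('Content-Type: application/json; charset=utf-8');

function reply(int $status, array $payload): void
{
    http_response_code($status);
    echo json_encode($payload, JSON_THROW_ON_ERROR);
    exit;
}

// (5) every Ajax call is tied to the server-side session, never a client flag
if (empty($_SESSION['user_id'])) {
    reply(401, ['error' => 'not logged in']);
}

// (11.A) validate the shape of each input before it goes near the database
$id    = $_POST['id']    ?? '';
$email = $_POST['email'] ?? '';
if (!ctype_digit($id)) {
    reply(400, ['error' => 'id must be a positive integer']);
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    reply(400, ['error' => 'invalid email address']);
}

// (9) PDO prepared statement: values are bound, never concatenated, so no
// escaping function is involved at all
require __DIR__ . '/db_config.php';
$pdo = new PDO($dsn, $db_user, $db_pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$stmt = $pdo->prepare(
    'UPDATE users SET email = :email WHERE id = :id AND owner_id = :owner'
);
$stmt->execute([
    ':email' => $email,
    ':id'    => (int) $id,
    ':owner' => (int) $_SESSION['user_id'], // row must belong to the caller
]);

// (13) structured JSON reply; the client calls JSON.parse, not split('~')
reply(200, ['updated' => $stmt->rowCount()]);
```

With PDO::ATTR_ERRMODE set to exceptions, a failed query throws instead of silently returning false, which is the case the split('~') approach tends to mishandle.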
 
Thank Borvik!

It seems that I'm not doing all that bad!!!! ;-)

I am having issues with Edge ... where users cannot log on - good to know that this is due to the split() method.



--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
NP. I can't say for certain your login issues are related to the split() - but if you were able to confirm that, glad I was able to help.
 
It is the only browser that fails.

I do not have MSW 10 and so have not been able to test but it has been reported.

--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 