  1. #1

    The 6 worst sins of security

    Hi,

    Since certain security vulnerabilities are so common that you have to start almost every reply with the same warnings and explanations, I thought it made sense to collect all the info in a kind of “FAQ”.

    The links below point directly to the particular issues, so you can use them in your replies if you want to.

    Feedback would be great! I’ll happily rectify my mistakes.


    This is not a tutorial on web security, because it doesn’t cover things like file permissions or configuring the webserver. It’s only a list of common mistakes within PHP code. For more detailed and comprehensive info, check the OWASP.


    1. Don’t insert raw values into query strings.

    2. Don’t output raw values or insert them into the HTML page.

    3. Don’t display internal error messages.

    4. Don’t store passwords as plaintext or weak hashes (MD5, SHA-2 etc.).

    5. Don’t allow actions solely based on the login status.

    6. Don’t use weak random numbers for critical procedures.

  2. #2

    1. Don’t insert raw values into query strings.

    If you build query strings from SQL commands and raw user input, attackers can manipulate the queries in order to fetch or change critical data or even access the underlying server (see SQL injection).


    What you should not do:

    Have a look at the following code, which is supposed to display blog entries of a certain category specified by a URL parameter:
    PHP Code:


  3. #3

    Since the literal content of cat_id gets inserted into the query string, this can be used to inject the following SQL code and change the original query:
    Code:
    '
    UNION
    SELECT
    user_id
    , email_address
    , password_hash
    FROM
    users
    --

    The resulting query will then display all user passwords instead of the blog entries:
    Code:
    SELECT
    entry_id
    , title
    , entry_text
    FROM
    blog_entries
    WHERE
    category = ''
    UNION
    SELECT
    user_id
    , email_address
    , password_hash
    FROM
    users
    --
    '

    Note that this is a naive and relatively “harmless” example. Actual SQL injections can be much more sophisticated and might compromise the whole server. So it’s very important to protect your application against those kinds of attacks, even if you’re not dealing with critical data.

  4. #4

    What you should do:

    The safest and most foolproof way of preventing SQL injections is to use prepared statements. A prepared statement is a kind of query template with parameters, which allows you to safely pass values to the query.

    Prepared statements are available through any of the new database extensions. The old MySQL extension (mysql_connect, mysql_query etc.) does not support prepared statements. But since it’s deprecated, it shouldn’t be used for new projects, anyway. If you have to use the old extension because of legacy code or an outdated PHP version, check the fallback below.

    Using the PDO interface and prepared statements, a secure version of the above code might look like this:

    database.inc.php
    PHP Code:
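    The following is an added example, not code from this thread or its author. It puts the injectable blog-entry lookup described in post #2 next to the PDO prepared-statement version recommended above, so the two can be compared directly. Table and column names (blog_entries, entry_id, title, entry_text, category) are taken from the queries shown in post #3; the DSN, database name and credentials are placeholders you have to replace.

```php
<?php
// Added example (not the thread's own code): the blog-entry lookup from the
// thread, first in the injectable form the thread warns against, then with a
// PDO prepared statement. DSN and credentials below are placeholders.

// What you should not do: the raw URL parameter becomes part of the SQL text,
// so a value such as the one shown in post #3 changes the query itself.
function fetchEntriesUnsafe(PDO $db, string $catId): array
{
    $sql = "SELECT entry_id, title, entry_text FROM blog_entries"
         . " WHERE category = '" . $catId . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// What you should do: the query text is fixed at prepare time and the value
// is sent separately, so it can only ever be compared as a string.
function fetchEntriesSafe(PDO $db, string $catId): array
{
    $stmt = $db->prepare(
        'SELECT entry_id, title, entry_text FROM blog_entries'
        . ' WHERE category = :category'
    );
    $stmt->execute([':category' => $catId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO(
    'mysql:host=localhost;dbname=blog;charset=utf8mb4', // placeholder DSN
    'db_user',                                          // placeholder user
    'db_password',                                      // placeholder password
    [
        // Throw exceptions instead of silently returning false.
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side
        // emulation, so the parameter never touches the SQL text at all.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$catId = $_GET['cat_id'] ?? '';

foreach (fetchEntriesSafe($db, $catId) as $entry) {
    // Escaping on output covers sin #2 of the list (never echo raw values).
    echo htmlspecialchars($entry['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

    With fetchEntriesSafe(), the UNION payload from post #3 is handed to the server as a plain parameter value: it is compared literally against the category column, matches no row, and no second SELECT is ever parsed. fetchEntriesUnsafe() is included only to show the difference; it is the pattern this thread tells you to remove.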

