PHP Scripts. How to secure them?

10 replies
I have a PHP-based game that I desperately need to know how to secure from SQL, session hijacking, input/output replacements and the whole works. If anyone can help me out with this that would be great!

Also, I do have a little to teach people who can help me out.
#php #scripts #secure
  • shinepuppy
    Hey Duality. Just a few ideas from recent memory.

    session hijacking talk:
    YouTube - Black Hat USA 2010: How I Met Your Girlfriend 1/4
    You can regen session IDs with the following function:
    PHP: session_regenerate_id - Manual

    Like Samy says in his videos, find creative ways to create your own entropy.

    For SQL, use prepared statements (mysqli->prepare()):
    PHP: mysqli::prepare - Manual

    You can also pre-sanitize your data before sending it to a prepared statement. Is the input supposed to be an integer? Use preg_match('/\d+/', $whateverVar) to test it.

    Users inputting freeform text? Use strip_tags() to make sure they aren't injecting JavaScript or other nasty XSS hacks into their text blurb:
    PHP: strip_tags - Manual

    Protect your session_* files by storing them in your database instead of wherever your web host puts them (usually /tmp!!)
    PHP: session_set_save_handler - Manual

    Make sure your host uses suPHP so your scripts run only as you and not as 'nobody'

    Hope that gets you further along down the road.

    -Jason
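The session advice above (regenerate the ID at login, keep the session cookie out of reach of scripts and plain HTTP) as an added PHP example; this is not code from the thread. It assumes a `users` table with `id`, `username` and `password_hash` columns and an open `mysqli` connection `$db`.

```php
<?php
// Added example (not from the thread): session hardening around a login flow.
// Assumed schema: users(id, username, password_hash); $db is an open mysqli handle.
declare(strict_types=1);

// Cookie flags: not readable by JavaScript, only sent over HTTPS, not sent cross-site.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
// Reject session IDs the server never issued (defeats session fixation).
ini_set('session.use_strict_mode', '1');
session_start();

function login(mysqli $db, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if (!$row || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Discard the pre-login ID so an ID an attacker planted is never promoted
    // to an authenticated session; true deletes the old session file/row.
    session_regenerate_id(true);
    $_SESSION['user_id']    = (int) $row['id'];
    $_SESSION['last_regen'] = time();
    return true;
}

// Rotate the ID periodically during a long-lived session as well.
function rotateIfStale(int $maxAge = 900): void
{
    if (isset($_SESSION['last_regen']) && time() - $_SESSION['last_regen'] > $maxAge) {
        session_regenerate_id(true);
        $_SESSION['last_regen'] = time();
    }
}

function logout(): void
{
    $_SESSION = [];
    setcookie(session_name(), '', time() - 3600, '/');
    session_destroy();
}
```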
    • smartdoctor
      I am learning something
    • myvps
      Originally Posted by shinepuppy

      Hey Duality. Just a few ideas from recent memory.

      session hijacking talk:
      YouTube - Black Hat USA 2010: How I Met Your Girlfriend 1/4

      You can regen session IDs with the following function:
      PHP: session_regenerate_id - Manual

      Like Samy says in his videos, find creative ways to create your own entropy.

      For SQL, use prepared statements (mysqli->prepare()):
      PHP: mysqli::prepare - Manual

      You can also pre-sanitize your data before sending it to a prepared statement. Is the input supposed to be an integer? Use preg_match('/\d+/', $whateverVar) to test it.

      Users inputting freeform text? Use strip_tags() to make sure they aren't injecting JavaScript or other nasty XSS hacks into their text blurb:
      PHP: strip_tags - Manual

      Protect your session_* files by storing them in your database instead of wherever your web host puts them (usually /tmp!!)
      PHP: session_set_save_handler - Manual

      Make sure your host uses suPHP so your scripts run only as you and not as 'nobody'

      Hope that gets you further along down the road.

      -Jason
      Thanks for your sharing.
    • Tashi Mortier
      Originally Posted by shinepuppy

      You can also pre-sanitize your data before sending it to a prepared statement. Is the input supposed to be an integer? Use preg_match('/\d+/', $whateverVar) to test it.
      Thanks for all the great tips, but why not use specialized functions like PHP: is_numeric - Manual for this task? While security is important you should also keep performance in mind.

      Take the following basic guideline, Duality.

      VALIDATE and FILTER everything that comes in and FILTER everything that you put out there.

      You can never trust any data that can be submitted to your webserver. So never put any $_GET variables or $_POST variables directly into database queries.

      Also you should always filter your output since you can never be sure whether some JavaScript snippet made it inside the database somehow.

      Because those tasks can be quite tedious I enjoy using Zend Framework as it has helper functions included for all of them.

      I'd also recommend that you read the OWASP Top 10 Report. This is a report that explains the top 10 most critical web application security risks and that is a document that every web programmer should know.
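Tashi Mortier's rule (validate and filter what comes in, filter what goes out) as an added PHP example that is not from the thread. It also shows why the `/\d+/` check quoted above is weak and what `strip_tags()` leaves behind; the request arrays and the blurb are constructed sample input.

```php
<?php
// Added example (not from the thread): validate on the way in, escape on the way out.
declare(strict_types=1);

// preg_match('/\d+/', $v) is unanchored: "12abc" passes because it contains a digit.
// FILTER_VALIDATE_INT accepts only a complete integer and can enforce a range.
function readPlayerId(array $request): ?int
{
    $id = filter_var($request['player_id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Free text is stored as submitted and encoded for the context it is printed in.
// strip_tags() drops tags but keeps quotes, which is what breaks out of an attribute.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample requests.
assert(readPlayerId(['player_id' => '42']) === 42);
assert(readPlayerId(['player_id' => '12abc']) === null);
assert(readPlayerId(['player_id' => '0']) === null);   // below min_range
assert(readPlayerId([]) === null);                      // parameter missing entirely
assert(preg_match('/\d+/', '12abc') === 1);             // the unanchored check lets it through

// Constructed free-text blurb containing both a tag and quotes.
$blurb = 'Say "hi" to <b>everyone</b>';
assert(strip_tags($blurb) === 'Say "hi" to everyone'); // quotes survive strip_tags
// Encoded output is safe both in an element body and inside a quoted attribute.
echo '<p title="' . e($blurb) . '">' . e($blurb) . "</p>\n";
```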
  • jminkler
    Run skipfish on the site.

    skipfish - Project Hosting on Google Code

    Of course you will need somebody to tell you what the vulnerabilities mean, and how to fix them.

    I am willing to bet, if this was coded by a freelancer you have at least 10 holes. Let me know if you need any help plugging them up.

    (the last person I ran this for, I was able to enter bogus form data and take down his ENTIRE SITE)
  • duality32
    Thanks for all the information! Now I get to learn how to do it. That's the most exciting part. Thanks!
    • AubreyWebWhiz
      Weehhh! Thanks for this great post Duality. Great tips!!!!
  • andreasnrb
    First things first, use SSL.
    Use PDO for database interaction.
    Check out the sanitize and validate capabilities in PHP. Sanitize and Validate Data with PHP Filters | Nettuts+
    Get someone else to review your code.
  • duality32
    Is anyone here willing to review my code?
  • reynoldscorb
    Definitely secure your SQL calls. Don't want some jerk coming in and wiping your database clean.

    There are a few SQL calls you can use to fix that; you might want to start with mysqli_real_escape_string.
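An added PHP example (not from the thread) that serves both andreasnrb's "use PDO" advice and reynoldscorb's escaping suggestion: values travel as bound parameters, and the two things a placeholder cannot carry, a user-chosen sort column and the LIMIT count, are whitelisted and bound as an integer. Escaping with mysqli_real_escape_string() only protects a value that sits inside quotes, so an unquoted number such as a LIMIT gets nothing from it; binding it as an integer covers that case. The `scores` table and the DSN are assumptions.

```php
<?php
// Added example (not from the thread): PDO prepared statements for an assumed
// scores(player_id, score, updated_at) table, including the two pieces of a query
// that cannot be parameterised: the sort column and the LIMIT count.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES   => false, // server-side binding; also lets LIMIT take an int
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function recordScore(PDO $db, int $playerId, int $score): void
{
    $stmt = $db->prepare(
        'INSERT INTO scores (player_id, score, updated_at) VALUES (:pid, :score, NOW())'
    );
    $stmt->bindValue(':pid',   $playerId, PDO::PARAM_INT);
    $stmt->bindValue(':score', $score,    PDO::PARAM_INT);
    $stmt->execute();
}

// Identifiers and keywords (column names, ASC/DESC) cannot be bound, so the column
// is picked from a fixed map keyed by the request value, never copied from it.
function topScores(PDO $db, string $sortKey, int $limit): array
{
    $allowed = ['score' => 'score', 'recent' => 'updated_at'];
    if (!isset($allowed[$sortKey])) {
        throw new InvalidArgumentException('unknown sort key');
    }
    $column = $allowed[$sortKey];
    $stmt = $db->prepare("SELECT player_id, score FROM scores ORDER BY $column DESC LIMIT :n");
    // Clamp and bind as an integer: escaping would leave an unquoted LIMIT untouched.
    $stmt->bindValue(':n', max(1, min($limit, 100)), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll();
}

// Usage with an assumed DSN; request values are cast/validated before reaching here.
$db = connect('mysql:host=localhost;dbname=game;charset=utf8mb4', 'game', 'secret');
recordScore($db, 42, 1337);
foreach (topScores($db, 'score', 10) as $row) {
    printf("%d: %d\n", $row['player_id'], $row['score']);
}
```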