Internet Security Discussion Forum This forum is for the discussion of security related issues. If you find a new Phishing scheme, spyware, virus or malicious site - let us know about it. If any of the above found you... here's where you ask for help.

#1  Hax Or, 02-12-2008, 12:07 PM
PHP, Security and Where am I

There's some good info here! Thanks!

I'm working on XSS fixes for a PHP website, and I'm working on fixing all pages where content is encoded as UTF-8 but the meta tag specifies charset ISO-8859-1.

Third, I'm searching for php_version at: http://www.saintcorporation.com/cgi-...=cve_2006.html to determine what fixes need to be applied.

My question is: What do you think of Suhosin or the Hardened PHP Patch? It seems good, but the forums are dead, as if no one is using it.

I'm an ASP/.NET/PHP developer, and I'm supporting a PHP webform app that is riddled with XSS problems (according to the Acunetix Web Vulnerability Scanner). I never got this deep into PHP security (unlike .NET).

Any recommendations for me?
#2  kgun (Norway), 02-12-2008, 12:19 PM

Yes, there are a lot of good libraries. Click the last link in my signature. In addition, I can recommend this book: The PHP Anthology: 101 Essential Tips, Tricks & Hacks, 2nd Edition (SitePoint Books).

Note that security is more related to the programmer than to the language.

General security advice:
If you have the option to choose between using a programming solution or a web server configuration, choose the latter. It is at the lowest level and generally more secure.

Web server security should be the first layer in any website.
#3  Hax Or, 02-12-2008, 09:17 PM

Thanks for the links.

I'm looking for methods of mitigating all of the vulnerabilities that cannot be patched, but instead require coding a different way (like using eregi vs. replace).

Moving to PHP, I need to get better at RegEx. So far I've created a base class and several classes that inherit from the base class for my website. I'm using MySQL and SQL (with ADODB code that someone kindly wrote).

So it seems like most of the code would already be written, but is it secure?

I'll pass on your recommendation to the Network Administrator for the server, and it sounds like we may need to collaborate more.

Thanks again.
#4  kgun (Norway), 02-12-2008, 10:43 PM

Send form data with PHP

var regex = new RegExp("string"); // JavaScript: build a regular expression object from a pattern string

How it is done in JavaScript.

Related:
Using Regular Expressions in PHP [PHP & MySQL Tutorials]

Regular Expressions in JavaScript [JavaScript & AJAX Tutorials]
#5  Easywebdev, 03-09-2008, 04:10 AM

You only need to consider three things when talking about secure PHP programming.

1. Data Input (session hijacking, SQL injections, poisoned variables).
2. Data Output of Input (XSS, cross-site scripting).
3. Server Side Security and php.ini

1.
Session Hijacking
Use a database to store session data; do not use the native session storage method, as this can lead to hijacking and session fixation.

SQL Injection
Always use a database's native escaping routine such as mysql_real_escape_string(); do not use addslashes() or stripslashes(), as they do not take into consideration the language in use, whereas mysql_real_escape_string() does. This stops all SQL injection attacks dead in their tracks.

Poisoned Variables
Turn off register_globals and initialize all your variables.
If you use a variable $a, then set $a=0 or $a="" at the top of your script; you never know when a host might enable register_globals, so be safe, especially if your software is commercial.

2.
Data Output of Input
Never ever directly echo() or print() input from the $_GET, $_POST, $_COOKIE or $_REQUEST arrays. Always use htmlspecialchars() and htmlentities() to encode such data.

3.
Server Security and php.ini
You should disable the following functions: urlfopen, exec, system, shell_exec, dl, passthru, unless you specifically need them and run your own server.

Install suPHP or phpSuExec to have PHP scripts run under their user's permissions.

Kgun mentioned a good book; another is Essential PHP Security by Craig Shifflett. You should also take a look at his PHP security blog, Chris Shiflett: PHP and Web Application Security.
__________________
"I have not failed. I have found 10,000 ways that don't work" - Thomas Edison.
"The secret to creativity is knowing how to hide your sources" - Albert Einstein.
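An added example, not code from the thread: the "data output of input" and "poisoned variables" rules from the post above, applied to the UTF-8 vs. ISO-8859-1 mismatch described in post #1, with preg_match() standing in where post #3 mentions eregi(). It assumes PHP 7.1+; the "name" parameter, the function names and the sample input are constructed for the example.

```php
<?php
// Added example, not code from the thread. It applies post #5's rules
// (initialize variables, never echo request data raw, encode on output) to
// the UTF-8 vs ISO-8859-1 mismatch from post #1, and uses preg_match() where
// post #3 mentions eregi() (the ereg functions were removed in PHP 7).
// Assumes PHP 7.1+; the "name" parameter and the sample input are constructed.

// Before: the kind of code a scanner flags. The value is never initialized,
// so with register_globals on the request could pre-set it, and it is echoed raw.
function greeting_vulnerable(array $request): string
{
    return '<p>Hello, ' . $request['name'] . '</p>';
}

// Output encoding for an HTML body or attribute context. ENT_QUOTES also
// escapes the single quote (safe inside single-quoted attributes); ENT_SUBSTITUTE
// replaces invalid UTF-8 with U+FFFD instead of returning an empty string.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// After: initialize, validate against a whitelist, and still encode on output.
// Validation only narrows what is accepted; encoding is what makes output safe.
function greeting_hardened(array $request): string
{
    $name = '';                                    // always a defined string
    if (isset($request['name']) && is_string($request['name'])) {
        // /u makes PCRE treat the subject as UTF-8 and fail on malformed
        // bytes; only letters, spaces, apostrophes, dots and hyphens pass.
        if (preg_match('/^[\p{L} .\'-]{1,60}$/u', $request['name']) === 1) {
            $name = $request['name'];
        }
    }
    return '<p>Hello, ' . h($name) . '</p>';
}

// The HTTP header, the <meta> tag and the charset passed to htmlspecialchars()
// must agree. Post #1's pages send UTF-8 bytes under an ISO-8859-1 meta tag;
// declaring UTF-8 in both places removes that mismatch.
function send_html(string $body): void
{
    header('Content-Type: text/html; charset=UTF-8');
    echo '<!DOCTYPE html><html><head><meta charset="UTF-8"></head><body>',
         $body, '</body></html>';
}

$sample = ['name' => "<script>alert('x')</script>"];   // constructed input standing in for $_GET
send_html(greeting_hardened($sample));   // fails validation, so the page greets an empty name
```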
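A php.ini fragment for item 3 of the post above and for kgun's earlier advice (post #2) to prefer server configuration over code; an added example, not a file from the thread. It reads the post's "urlfopen" as the allow_url_fopen directive, adds proc_open and popen to the post's function list because they give the same shell access as exec(), and assumes a PHP version that still knows register_globals (the directive was removed in PHP 5.4, where it is simply absent).

```ini
; Added example, not from the thread: weak value in a comment beside the
; corrected one, directive names as PHP documents them.

; register_globals = On      ; weak: request parameters become PHP variables ("poisoned variables")
register_globals = Off

; allow_url_fopen = On       ; weak: fopen()/file_get_contents() accept remote URLs
allow_url_fopen = Off
allow_url_include = Off      ; and include/require never fetch remote code

; disable_functions =        ; weak: empty list, every dangerous function callable
disable_functions = exec,system,shell_exec,passthru,dl,proc_open,popen

; Session handling (post #5, "session hijacking"): the session ID travels only
; in a cookie, never in the URL, and page scripts cannot read that cookie.
session.use_only_cookies = 1
session.cookie_httponly = 1
```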
#6  kgun (Norway), 03-09-2008, 07:26 AM

Great and structured post.

Quote (Originally Posted by Easywebdev):
Kgun mentioned a good book, another is essential php security by Craig Shifflett. You should also take a look at his php security blog Chris Shiflett: PHP and Web Application Security

Are Craig Shifflett and Chris Shiflett the same person?

"The secret to creativity is knowing how to hide your sources" - Albert Einstein.

Now I know why I am not creative. I am too open on my sources. The surfer is the boss.

#7  Easywebdev, 03-10-2008, 07:01 PM

Yep, same person; well, there aren't two people, just Chris Shiflett. Posted that in the morning without my coffee.
#8  mikesmith76 (Manchester, UK), 03-13-2008, 07:52 PM

Great posts so far; I'd just like to add a couple that may be of interest.

PHP Security Consortium - Shame it's not been updated for a while, but still a worthwhile lead

The Unexpected SQL Injection - Detailed paper on SQL injection with some specific examples for PHP / MySQL

PHP Developers Network - Security forum on the PHP Developers Network; has a number of links to other useful documents

Hopefully someone will find these links useful