1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Creating secure php code

Discussion in 'Software Development' started by aewarnick, Aug 11, 2005.

Thread Status:
Not open for further replies.
Advertisement
  1. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    Anyone know tips on creating secure php code?
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    The golden rule is Never trust user input
    Anything the user enters needs to be checked before you use it.
    Look at the functions htmlspecialchars(), addslashes(), quotemeta(), and htmlentities()
    (used for sanitizing user input.)

    The user should never be able to enter something that could be executed by the server.

    Make sure the user can't enter anything that will be run directly in a database query without checking that data.

    If your site stores passwords, etc. in Cookies- you don't want the user to be able to pass a value in a form that will be inserted into the page without being "sanitized".

    Be careful with include()s and require()s. A variable that the user can change should never be run directly through these functions. Look into using ini_set('open_basedir').

    Don't run user inputted data directly through functions like system(), exec(), and eval().

    Check your mail() functions to make sure it can't be used for spam. Don't let the user directly change headers of the email, or the recipient.

    Remember that setting "length" of a form field to "10" isn't stopping anyone from entering more than 10 letters, giving a drop-down list with 5 options isn't stopping anyone from submitting another value, etc.
     
  3. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    Thanks! I'm worried I am using include to include a file with my username and password inside logging in functions. It is above public_html. Should I be worried?
     
  4. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    As long as users can't access that file, its fine. But if your script has another hole in it that allows a user to execute code remotely, the user could get the contents of that file. One hole in your script = the whole script is insecure.
     
  5. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    1. What access should I give my login file? Right now it's set to 644 like every file on my site.

    2. How could they execute code? By user input in a textbox?
     
  6. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    1. 644 will work fine, as your webhost probably has security measures in place so that other users can't access your files.

    2. Yes. Let's say you have a textbox that the user writes in, and that input goes directly through a function. THey may be able to put PHP code in that textbox that gets run on YOUR server.
     
  7. aewarnick

    aewarnick Thread Starter

    Joined:
    Sep 3, 2002
    Messages:
    828
    I see. Thanks!
     
  8. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
  9. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/389599

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice