
Securing A Php Script Proccessing Input I need help and advice


shadowx

Hi everyone. I like to experiment with PHP, been doing so for about a year, but I'm not clued up on security yet. I can use str_replace() to take out parts of strings I don't want, like HTML and JS code inserted by users, and I know how to use stripslashes to take out slashes from input strings, but this doesn't seem to be lock-tight security to me. There has to be something more to protect my scripts against malicious users.

I believe it's possible to use the "or_die()" function for connecting to an SQL table to prevent the error messages being shown to users, as error messages can be a great help to a hacker. Anything else I can do to protect my databases?

The main thing I'm worried about is having a guestbook on my pages, which I do have, and it gets spammed a lot because of stupid kids at my college, but I remedied that, I just haven't cleared up. So is there a way of preventing this spam? I could detect their IP and block it for about 5 minutes to prevent flooding of the guestbook, and use my cPanel to permanently block IPs if I have to. And I'm also worried about people injecting code into the input box to screw the PHP; I've used the search and replace method to strip off HTML etc., and it's stored as a flat text file so HTML shouldn't work anyway. Does storing the guestbook content as a flat text document prevent users from inserting any type of code into my pages? I guessed it should do, but I'm not too sure. I feel confident with everything else except security!


ghostrider

There is a function in PHP called strip_tags() that removes all HTML from a string. This will also block out any JavaScript, because you need the script tag to write JavaScript. The link below explains the function.

http://us2.php.net/manual/en/function.strip-tags.php

As for blocking IP addresses, I would simply have a MySQL database and fill it up with IP addresses that are blocked, and then check each time the page loads to see if the IP is blocked, and whether it has been 5 minutes or not. Another thing you could do is have the guestbook script email you to make sure it isn't spam, and then write another script that adds it to the guestbook; however, this isn't exactly the fastest routine and requires some work on your part. Blocking IPs permanently doesn't sound like the best idea to me; remember IP addresses can change. If you need any help, feel free to PM me.
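The two pieces of advice above, strip_tags() on the submitted text and a per-IP "wait 5 minutes" check, put together in one script. This is an added example, not code from the thread; it assumes PHP 7 or later with the pdo_sqlite extension and keeps the "last post per IP" table in an in-memory SQLite database so it runs stand-alone (on the real site that table would live in MySQL, as the post suggests). One caveat worth knowing: strip_tags() removes the tag markup but keeps the text between tags, so the body of a script element survives as harmless plain text rather than disappearing.

```php
<?php
// Added example (not from the thread): clean a guestbook post with
// strip_tags() and refuse repeat posts from the same IP within 5 minutes.
// Uses an in-memory SQLite table via PDO so it runs stand-alone; a real
// deployment would point this at the site's MySQL database instead.

const FLOOD_WINDOW = 300; // seconds an IP must wait between posts

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE last_post (ip TEXT PRIMARY KEY, posted_at INTEGER NOT NULL)');
    return $db;
}

// True when $ip posted less than FLOOD_WINDOW seconds before $now.
function isFlooding(PDO $db, string $ip, int $now): bool {
    $stmt = $db->prepare('SELECT posted_at FROM last_post WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $last = $stmt->fetchColumn();           // false when the IP is unknown
    return $last !== false && ($now - (int)$last) < FLOOD_WINDOW;
}

// Remember the time of the latest accepted post for this IP.
// INSERT OR REPLACE is SQLite syntax; MySQL would use REPLACE INTO.
function recordPost(PDO $db, string $ip, int $now): void {
    $stmt = $db->prepare('INSERT OR REPLACE INTO last_post (ip, posted_at) VALUES (:ip, :t)');
    $stmt->execute([':ip' => $ip, ':t' => $now]);
}

// Strip every tag (script tags included), collapse whitespace, cap length.
function cleanMessage(string $raw): string {
    $text = strip_tags($raw);
    $text = preg_replace('/\s+/', ' ', trim($text));
    return substr($text, 0, 500);
}

// Handle one guestbook submission; returns a status string for the caller.
function handlePost(PDO $db, string $ip, string $raw, int $now): string {
    if (isFlooding($db, $ip, $now)) {
        return 'rejected: wait ' . FLOOD_WINDOW . ' seconds between posts';
    }
    $msg = cleanMessage($raw);
    if ($msg === '') {
        return 'rejected: empty message';
    }
    recordPost($db, $ip, $now);
    return 'accepted: ' . $msg;
}

// Constructed sample run: the IP and the timestamps are made up for the demo.
// In a real handler $ip would come from $_SERVER['REMOTE_ADDR'] and $now
// from time().
$db = openStore();
$ip = '192.0.2.10';
$t  = 1000000;
echo handlePost($db, $ip, 'Hello <b>guestbook</b> <script>alert(1)</script>', $t), "\n";
echo handlePost($db, $ip, 'posting again right away', $t + 60), "\n";
echo handlePost($db, $ip, 'posting after the window', $t + FLOOD_WINDOW + 1), "\n";
```

The second call is rejected because it arrives 60 seconds after the first; the third is accepted because the window has passed. Because the check keys on the IP that made the last accepted post, a blocked address is automatically free again after five minutes, which is the temporary block the original question asked for rather than a permanent ban.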


shadowx

I think I'll definitely use strip_tags(), as it will save me a lot of manual stripping (of tags!) using string replace. Thanks for that.

And it's true about IPs, one major pain in the neck: some ISPs give their clients different IPs every time they log on, which is annoying. I blocked my college from accessing the site, and that IP address doesn't change because they have a T1 or similar connection and it's always on, so as far as I know it's got a static IP.

I could of course check the guestbook often, but I'm lazy and I figure computers are here to do my work for me!


Lyon2

You can use all that, and/or you can use a program or script to encrypt the PHP source code, like for instance:

PHP Code Obfuscator
SourceGuardian Pro

I have both, and the first is a PHP script, a very good script, that can encrypt PHP source code with a simple or advanced encryption method; anyway, it can even reduce the size of your PHP page/script with the encryption. SourceGuardian Pro is also very good; you have more functions, more features.


electron

I recommend the use of HTML entities: htmlentities()

This is more advanced and uses the HTML translation table, get_html_translation_table().

htmlentities() has three quote-style constants. It means you can also convert ' and " to HTML code so PHP doesn't get confused.

Find full information on it:
http://in.php.net/htmlentities

You can also reconvert it to HTML.

So use this as it is better.
Hope this helps.
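The three quote styles electron mentions, side by side, and the reconversion back to the original text. This is an added example rather than electron's code; it assumes PHP 7 or later and a constructed guestbook entry containing both kinds of quote, angle brackets and a non-ASCII character, which are exactly the characters the flags treat differently.

```php
<?php
// Added example (not electron's code): encode a guestbook entry for output
// with htmlentities(), comparing the quote-style flags, then decode it again.

// Constructed sample entry: a single quote, a double quote, a tag and é.
$entry = "Bob's \"guestbook\" <b>post</b> é";

function encodeFor(string $text, int $quoteStyle): string {
    // Pass the charset explicitly so the result does not depend on the
    // server's default_charset setting.
    return htmlentities($text, $quoteStyle, 'UTF-8');
}

$variants = [
    'ENT_NOQUOTES' => ENT_NOQUOTES, // leaves both ' and " untouched
    'ENT_COMPAT'   => ENT_COMPAT,   // converts " only (the default before PHP 8.1)
    'ENT_QUOTES'   => ENT_QUOTES,   // converts both ' and "
];

foreach ($variants as $name => $flag) {
    printf("%-12s %s\n", $name, encodeFor($entry, $flag));
}

// Only ENT_QUOTES is safe inside a single-quoted attribute: with the other
// two flags the ' in the data would end the attribute value early and the
// rest of the entry would be parsed as markup.
$safe = encodeFor($entry, ENT_QUOTES);
echo "<input type='text' value='$safe'>\n";

// Reconverting to the original text, as the post mentions: decode with the
// same flags and charset that were used to encode.
$roundTrip = html_entity_decode($safe, ENT_QUOTES, 'UTF-8');
var_dump($roundTrip === $entry);
```

The practical rule that falls out of the comparison: always pass ENT_QUOTES (and the charset) rather than relying on the default, because a guestbook entry can end up inside an attribute as easily as between tags, and the default on older PHP versions leaves the single quote alone.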


FLaKes

Don't forget about the mysql escape string function for security against SQL injections. There is this really nice explanation in the php.net function documentation here:

http://forums.xisto.com/no_longer_exists/

Then you should scroll down to half of the page where the best practice example is.

Also, there is this function called md5; you should search for it on the php.net web page. It's for encrypting data, but I'm investigating it right now, so I can't really tell you much about it right now.
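The injection the escape-string function guards against, shown as a lookup written three ways. This is an added example, not FLaKes's code, and it runs against an in-memory SQLite database through PDO so that it works offline: PDO::quote() stands in for the escaping function the post refers to (the old mysql extension and its mysql_real_escape_string were removed in PHP 7), and a prepared statement is shown as the form that needs no escaping at all. The table, its rows and the two test inputs are constructed for the demo. It also touches on md5(), which is a one-way hash rather than an encryption function, and shows the password_hash()/password_verify() pair that PHP provides for stored passwords.

```php
<?php
// Added example (not FLaKes's code): the same lookup written three ways
// against an in-memory SQLite database, to show what the escaping function
// is for and why a prepared statement is the better practice.
// The table, its rows and the inputs are constructed for this demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (name TEXT, secret TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'x'), ('bob', 'y')");

// 1. Vulnerable: user input pasted straight into the SQL text.
function findUserUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Escaped: the driver's quoting function (PDO::quote here; with the
//    mysql extension the post refers to, mysql_real_escape_string played
//    this role). Correct only if every value is quoted, every single time.
function findUserEscaped(PDO $db, string $name): array {
    $sql = 'SELECT name FROM users WHERE name = ' . $db->quote($name);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Prepared statement: the value is sent separately and never becomes
//    part of the SQL text, so there is nothing to escape.
function findUserPrepared(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// A normal name, and a constructed input that closes the quote so the
// WHERE clause matches every row when it is pasted into the SQL text.
$benign  = 'alice';
$hostile = "' OR '1'='1";

foreach (['findUserUnsafe', 'findUserEscaped', 'findUserPrepared'] as $fn) {
    printf("%-16s benign=%s hostile=%s\n", $fn,
        json_encode($fn($db, $benign)), json_encode($fn($db, $hostile)));
}

// md5() is a one-way hash, not encryption: there is no key and nothing to
// decrypt. For stored passwords use password_hash(), which adds a random
// salt and a deliberately slow algorithm, and check with password_verify().
$hash = password_hash('correct horse battery', PASSWORD_DEFAULT);
var_dump(password_verify('correct horse battery', $hash)); // same password
var_dump(password_verify('wrong password', $hash));        // different one
```

Only the first function returns both rows for the hostile input; the escaped and prepared versions both treat it as a literal name that matches nothing. The prepared form is the one to standardise on, because it stays correct even when a developer forgets to quote one value, which is the mistake the escaping approach depends on never happening.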


shadowx

Ahh, thanks, some very good functions I'll definitely use there! I also stumbled across a site I'm reading at the moment and thought I'd share it with you all; here's the link: http://phpsec.org/ It's a site dedicated to PHP security and is very useful!

Thanks for the functions, I'll check them out properly very soon!


wappy

Very interesting. I think I will be using some of these functions on my community site when I get more time. Also, if you're really worried about being hacked or have a persistent hacker stalking you, it's a good idea to use the robots.txt file to stop search engines like Google searching your code. I have been Google hacked twice in the past and had some very unique and private WAP scripts made public, and it made me very angry after working for months writing my own chat, toplist, and other big scripts. Word.