CodeIgniter Forums

Full Version: PHP Security?

El Forum

[eluser]mzuser[/eluser]
I recently stumbled across a few firefox plugins for checking the security of your website. I tried it on a site I'm developing and the results are bad. Even cleaning my inputs and such, it was able to access my database. It was able to hijack my session. So now I'm super paranoid and want to find out more on how I can fix and prevent flaws.

So I'm just looking for any best practice advice or websites. I looked up a few myself but the articles were from a while ago and I'm not sure if the information is still relevant.


Should I be using a session token when creating logins? Is there a better way to protect sessions?
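Since the question is what "protecting the session" means in practice, here is an added example (not code from the thread's posters or from CodeIgniter) of the minimum a plain PHP login should do: cookie-only, HttpOnly and Secure session cookies, a fresh session id at login, a full teardown at logout, and a per-session anti-CSRF token. It assumes PHP 5.3+ with the openssl extension and a site served over HTTPS; the function names are made up for the example.

```php
<?php
// Added example, not the original poster's code. Assumes HTTPS and PHP >= 5.3
// with ext/openssl. Function names are hypothetical.

function start_secure_session()
{
    // Session cookie only over HTTPS (secure=true) and hidden from JavaScript
    // (httponly=true), so an XSS bug or a plaintext hop cannot read the id.
    session_set_cookie_params(0, '/', '', true, true);
    // Accept the session id only from the cookie, never from ?PHPSESSID=...,
    // which closes the classic session fixation vector.
    ini_set('session.use_only_cookies', 1);
    ini_set('session.use_trans_sid', 0);
    session_start();
}

function login_user($user_id)
{
    // Issue a fresh id at the privilege change and delete the old record, so an
    // id an attacker planted in the victim's browser before login is worthless.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user_id;
    $_SESSION['login_time'] = time();
    // Per-session anti-CSRF token that every state-changing form must echo back.
    // openssl_random_pseudo_bytes() is the CSPRNG on PHP 5; random_bytes() on PHP 7+.
    $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
}

function logout_user()
{
    $_SESSION = array();
    // Expire the cookie in the browser as well as destroying the server-side record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
              $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

function csrf_token_is_valid($submitted)
{
    if (!isset($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    // Constant-time comparison where available (PHP 5.6+); the fallback is a
    // correct check, just not timing-safe.
    if (function_exists('hash_equals')) {
        return hash_equals($_SESSION['csrf_token'], $submitted);
    }
    return $_SESSION['csrf_token'] === $submitted;
}

// Typical use in a login handler (credential check itself omitted):
//   start_secure_session();
//   if ($_SERVER['REQUEST_METHOD'] === 'POST' && csrf_token_is_valid($_POST['csrf']))
//       login_user($user_id_from_db);
```

The token must be compared against the one stored in the session, not against a value the request also carries; and session_regenerate_id(true) belongs at every privilege change (login, password change), not only at session start.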

El Forum

[eluser]mzuser[/eluser]
An example of the function I use to clean inputs before validation.

Code:
function clean_recursive($value)
{
    if (is_array($value)) {
        foreach ($value as $k => $v) {
            $value[$k] = clean_recursive($v);
        }
    } else {
        // With magic_quotes_gpc on, PHP has already added slashes to request
        // data; undo that so the value is not escaped a second time below.
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }

        $value = trim(htmlentities($value, ENT_QUOTES, "utf-8")); // convert input into friendly characters to stop XSS
        $value = strip_tags($value);
        // Requires an open mysql_* connection; escapes the value for a quoted SQL literal.
        $value = mysql_real_escape_string($value);
    }
    return $value;
}
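The function above applies every sink's escaping to the input at once, so the stored value is no longer what the user typed and each escape can defeat the next (htmlentities already turned quotes into entities before mysql_real_escape_string saw them). The alternative a practitioner would reach for is to validate on input and escape separately at each sink: bound parameters for SQL, HTML encoding at output. The following is an added example of that split, not the poster's code and not CodeIgniter's; it assumes PDO, and the users table, its columns and the helper names are made up for the example.

```php
<?php
// Added example, not the original poster's code. Assumes PDO; table and column
// names (users, username, bio) and all function names are hypothetical.

// 1. Validation: reject what does not fit; never rewrite the value itself.
function validate_username($raw)
{
    // Whitelist and bounded length: anything else is refused, not "cleaned".
    return is_string($raw) && preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $raw) === 1;
}

// Connection with real server-side prepared statements (no client emulation)
// and exceptions on error, so a failed query cannot silently fall through.
function connect(array $opts = array())
{
    $dsn  = isset($opts['dsn'])  ? $opts['dsn']  : 'sqlite::memory:';
    $user = isset($opts['user']) ? $opts['user'] : null;
    $pass = isset($opts['pass']) ? $opts['pass'] : null;
    return new PDO($dsn, $user, $pass, array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ));
}

// 2. SQL sink: the value is bound, so it never becomes part of the query text.
function find_user(PDO $db, $username)
{
    $stmt = $db->prepare('SELECT id, username, bio FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username)); // "' OR 1=1 --" is just a string here
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// 3. HTML sink: encode at output, with the charset the page actually declares.
function h($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Putting it together for a request like /profile.php?user=alice
function render_profile(PDO $db, array $get)
{
    $username = isset($get['user']) ? $get['user'] : '';
    if (!validate_username($username)) {
        return '<p>Invalid username.</p>';
    }
    $user = find_user($db, $username);
    if ($user === false) {
        return '<p>No such user.</p>';
    }
    // The bio is stored exactly as typed (htmlentities at input time would have
    // altered it) and is encoded only here, where it meets HTML.
    return '<h1>' . h($user['username']) . '</h1><p>' . h($user['bio']) . '</p>';
}

// Offline demonstration on an in-memory SQLite database (constructed data).
// For MySQL use connect(array('dsn' => 'mysql:host=...;dbname=...;charset=utf8',
// 'user' => ..., 'pass' => ...)) and also set PDO::ATTR_EMULATE_PREPARES => false.
$db = connect();
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, bio TEXT)');
$db->prepare('INSERT INTO users (username, bio) VALUES (?, ?)')
   ->execute(array('alice', "<script>alert(1)</script> O'Brien"));

echo render_profile($db, array('user' => 'alice')), "\n";
// <h1>alice</h1><p>&lt;script&gt;alert(1)&lt;/script&gt; O&#039;Brien</p>
echo render_profile($db, array('user' => "' OR 1=1 --")), "\n";
// <p>Invalid username.</p>   (rejected by validation; bound parameters would
//                             have made it harmless in SQL anyway)
```

strip_tags is not part of this design on purpose: it changes the user's data and still leaves attribute-based payloads, whereas encoding at output preserves the data and is safe in an HTML text or attribute context.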

El Forum

[eluser]pickupman[/eluser]
Just out of curiosity, what plugins were they? I would be interested to run them as well on a site just to compare results.

El Forum

[eluser]mzuser[/eluser]
XSS Me
SQL Inject Me
Access Me

all from a company called Security Compass

El Forum

[eluser]pickupman[/eluser]
Tried them out on a site I am currently developing. It passed other than the Access Me using the SECCOMP method, which isn't exactly explained. I received a few warnings in regards to the sql injection, but the warnings are reporting a server response 302. I am fine with that. It passed the XSS stuff as well.

El Forum

[eluser]mzuser[/eluser]
I passed with the XSS but I had a bunch of warnings. I had the SECCOMP thing as well, it sounded like it was able to access my page.

I don't have to worry about those 302 warnings?

El Forum

[eluser]pickupman[/eluser]
[quote author="matthewordie" date="1277251581"]I passed with the XSS but I had a bunch of warnings. I had the SECCOMP thing as well, it sounded like it was able to access my page.

I don't have to worry about those 302 warnings?[/quote]

That should mean the plugin is receiving a temporarily unavailable message, which is not a 200 success. That should be a good thing.

El Forum

[eluser]mzuser[/eluser]
Ah good, then maybe I'm not in as bad of shape as I'd thought. Thanks for clearing some of this up for me