CodeIgniter Forums
PHP Security? - Printable Version

Thread: PHP Security? (/showthread.php?tid=31512)



PHP Security? - El Forum - 06-22-2010

[eluser]mzuser[/eluser]
I recently stumbled across a few Firefox plugins for checking the security of your website. I tried it on a site I'm developing and the results are bad. Even cleaning my inputs and such, it was able to access my database. It was able to hijack my session. So now I'm super paranoid and want to find out more on how I can fix and prevent flaws.

So I'm just looking for any best practice advice or websites. I looked up a few myself but the articles were from a while ago and I'm not sure if the information is still relevant.


Should I be using a session token when creating logins? Is there a better way to protect sessions?


PHP Security? - El Forum - 06-22-2010

[eluser]mzuser[/eluser]
An example of the function I use to clean inputs before validation.

Code:
function clean_recursive($value)
{
    if (is_array($value)) {
        // clean every element of a nested array (e.g. $_POST) in place
        foreach ($value as $k => $v) {
            $value[$k] = clean_recursive($v);
        }
    } else {
        // magic_quotes_gpc has already added slashes to GPC input;
        // remove them so the value is not escaped a second time below
        if (get_magic_quotes_gpc() == 1) {
            $value = stripslashes($value);
        }

        $value = trim(htmlentities($value, ENT_QUOTES, "utf-8")); // convert input into friendly characters to stop XSS
        $value = strip_tags($value);
        $value = mysql_real_escape_string($value); // SQL escaping; needs an open mysql_* connection
    }
    return $value;
}
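As an added example (not mzuser's code and not part of CodeIgniter), here is the same login flow handled per context instead of with one generic cleaner: validate on input, bind SQL values as parameters with PDO so no SQL escaping is needed, escape for HTML only when rendering, and rotate the session id on login so a session id obtained before authentication does not survive into the logged-in session. The `users` table, the in-memory SQLite `$pdo` connection and the sample account are constructed for this demonstration.

```php
<?php
// Added example, not the poster's code. Assumes a `users` table with
// (id, username, password_hash); constructed below with SQLite for the demo.
declare(strict_types=1);

/**
 * Validate and normalise the raw login form fields. No escaping happens
 * here: the value is either accepted as-is or rejected outright.
 */
function validate_login_input(array $post): array
{
    $username = trim((string)($post['username'] ?? ''));
    $password = (string)($post['password'] ?? '');

    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username)) {
        throw new InvalidArgumentException('Invalid username format');
    }
    if ($password === '' || strlen($password) > 1024) {
        throw new InvalidArgumentException('Invalid password length');
    }
    return ['username' => $username, 'password' => $password];
}

/**
 * Look the user up with a prepared statement: the username is bound as
 * data, so mysql_real_escape_string-style escaping is not needed.
 */
function find_user(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Escape for HTML at output time only, so the stored value stays as the
 * user typed it and other contexts (JSON, logs) do not receive entities.
 */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Authenticate, then rotate the session id and bind the session to the
 * user. Returns true on success, false on unknown user or bad password.
 */
function login(PDO $pdo, array $post): bool
{
    $input = validate_login_input($post);
    $user  = find_user($pdo, $input['username']);

    if ($user === null || !password_verify($input['password'], $user['password_hash'])) {
        return false;
    }

    session_regenerate_id(true);              // drop the pre-login session id
    $_SESSION['user_id']    = (int)$user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

// --- demonstration with a constructed in-memory database ---
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
$ins->execute([':u' => 'alice', ':h' => password_hash('correct horse', PASSWORD_DEFAULT)]);

// session cookie not readable from script, only sent over HTTPS, not sent cross-site
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();

var_dump(login($pdo, ['username' => 'alice', 'password' => 'correct horse']));
var_dump(login($pdo, ['username' => 'alice', 'password' => 'wrong']));

try {
    login($pdo, ['username' => "' OR 1=1 --", 'password' => 'x']);
} catch (InvalidArgumentException $e) {
    echo 'rejected by validation: ', h($e->getMessage()), PHP_EOL;
}
```

The difference from the one-size-fits-all cleaner is where each transformation lives: the regex decides what a username may contain, PDO parameter binding handles the SQL context, `h()` handles the HTML context at render time, and `session_regenerate_id(true)` plus the cookie flags address the session side of the original question.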



PHP Security? - El Forum - 06-22-2010

[eluser]pickupman[/eluser]
Just out of curiosity, what plugins were they? I would be interested to run it as well on a site just to compare results.


PHP Security? - El Forum - 06-22-2010

[eluser]mzuser[/eluser]
XSS Me
SQL Inject Me
Access Me

all from a company called Security Compass


PHP Security? - El Forum - 06-22-2010

[eluser]pickupman[/eluser]
Tried them out on a site I am currently developing. It passed other than the Access Me using the SECCOMP method, which isn't exactly explained. I received a few warnings in regards to the SQL injection, but the warnings are reporting a server response 302. I am fine with that. It passed the XSS stuff as well.


PHP Security? - El Forum - 06-22-2010

[eluser]mzuser[/eluser]
I passed with the XSS but I had a bunch of warnings. I had the SECCOMP thing as well, it sounded like it was able to access my page.

I don't have to worry about those 302 warnings?


PHP Security? - El Forum - 06-22-2010

[eluser]pickupman[/eluser]
[quote author="matthewordie" date="1277251581"]I passed with the XSS but I had a bunch of warnings. I had the SECCOMP thing as well, it sounded like it was able to access my page.

I don't have to worry about those 302 warnings?[/quote]

That should mean the plugin is receiving a temporarily unavailable message which is not a 200 success. That should be a good thing.


PHP Security? - El Forum - 06-22-2010

[eluser]mzuser[/eluser]
Ah good, then maybe I'm not in as bad of shape as I'd thought. Thanks for clearing some of this up for me.