• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
PHP Security?

#1
[eluser]mzuser[/eluser]
I recently stumbled across a few firefox plugins for checking the security of your website. I tried it on a site I'm developing and the results are bad. Even cleaning my inputs and such, it was able to access my database. It was able to hijack my session. So now I'm super paranoid and want to find out more on how I can fix and prevent flaws.

So I'm just looking for any best practice advice or websites. I looked up a few myself but the articles were from a while ago and I'm not sure if the information is still relevant.


Should I be using a session token when creating logins? Is there a better way to protect sessions?

#2
[eluser]mzuser[/eluser]
An example of the function I use to clean inputs before validation.

Code:
function clean_recursive($value)
    {
       if (is_array($value)) {
          foreach($value as $k=>$v) {
             $value[$k] = clean_recursive($v);
          }
       } else {
          if(get_magic_quotes_gpc() == 1){
             $value = addslashes($value);
          }
    
          $value = trim(htmlentities($value,ENT_QUOTES,"utf-8")); //convert input into friendly characters to stop XSS
              $value = strip_tags($value);
              $value = mysql_real_escape_string($value);
          
       }
       return $value;
    }

#3
[eluser]pickupman[/eluser]
Just out of curiosity, what plugins where they? I would be interested to run it as well on a site just to compare results.

#4
[eluser]mzuser[/eluser]
XSS Me
SQL Inject Me
Access Me

all from a company called Security Compass

#5
[eluser]pickupman[/eluser]
Tried them out on a site I am currently developing. It passed other than the Access Me using the SECCOMP method, which isn't exactly explained. I received a few warnings in regards to the sql injection, but the warnings are reporting a server response 302. I am fine with that. It passed the XSS stuff as well.

#6
[eluser]mzuser[/eluser]
I passed with the XSS but I had a bunch of warnings. I had the SECCOMP thing as well, it sounded like it was able to access my page.

I don't have to worry about those 302 warnings?

#7
[eluser]pickupman[/eluser]
[quote author="matthewordie" date="1277251581"]I passed with the XSS but I had a bunch of warnings. I had the SECCOMP thing as well, it sounded like it was able to access my page.

I don't have to worry about those 302 warnings?[/quote]

That should mean the plugin is receiving a temporarily unavailable message which is not a 200 success. That should be a good thing.

#8
[eluser]mzuser[/eluser]
Ah good, then maybe I'm not in as bad of shape as I'd thought. Thanks for clearing some of this up for me


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme © 2014 iAndrew  
Powered By MyBB, © 2002-2020 MyBB Group.