Web Security – The Big Picture

These days I am into studying about Web Security(under the Web Security course module of the Northubria University- MIS) and found it is so interesting. Therefore I think of writing a little about the Web Security. Being specific I try to write appropriately to PHP.

In world wide web, this can be found as PHP hack and I was interested in getting knowing how the PHP hack can be eliminated. Knowing those are very important and that will help you to design and develop a PHP hack free web site if your scripts are in PHP. When reading keep in your mind that I am new to those stuffs.

There is no use of talking about SQL Injection attacks as nobody now use eval to process form’s data. Therefore for the time being I skipped that and if you are interesting enough please google.

Forms fields are an important place where the developers should have good attention. For an instance lets consider the following situation. A field where use to enter the address of the user. The entered values are checked against a length and if the ore0defined length is exceeded it is considered that the input is valid. However this seems pretty enough to verify that the user enter his address as long as the address doesnt carry and defined format. Bare mind I am talking about his snail mail address. Even tough it is validating the input it doesnt verify that the input is risk free.

What happen if a user added some HTML or Javascript code, then the code is stored in the database and rendered when data is requested. That can lead to serious problems. Therefore the possibility to enter markups or codes should be eliminated.

With no sofisticated functions that can be achieved using simple str_replace. Following code will do what is needed.

str_replace(‘<','',$_POST['address']);

If you like following function are also in your side. Please try them and see.

strip_tags()
nl2br()
htmlspecialchars()

Further please do not use eval() function if you dont have much understanding about the function or related security risk. My free advise is use eval if you have no choice ONLY. Not only that but also following functions as well, system(), passthru() and exec().

Another important function is escapeshellarg(). There any ', ; or " is replaced with \' , \" , \;

Avoid using GET to send form data and use POST method instead. However in some situation POST is not possible, unless in such situations always try to use POST method for form data submission.

With experience I knew that most of the developers limit the size of the form in HTML interface and never try to check it again in the server side. They use Javascript to check the length on the client side and never check it again in the server side.

This is not a good practice, each and every test you perform on the client side should be followed on the server side as well. Otherwise intruders can bypass the browser and send false info to the server as long as the server is blind and not checking the input, thinking checking them on the client side would be enough. Therefore you need to have better security not only on the client side but mostly on the server side.

Looking forward to write more soon, keep reading . .

Advertisements

Please add your valuable idea below, will make a discussion, thanks !

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s