Basic & essential security tips when handling forms in PHP

|
Thursday,3 February 2011 04 32 PM

Hello,

I am writing this post as I recently had a security hole in one of my scripts, which, fortunately, nothing bad happened. There are basic things you must always add to your PHP code when handling forms. I will tell you some very essentials that can’t be ignored to avoid SQL Injection attacks.

  • When passing forms that contain passwords or secure info, always make sure you use the $_POST instead of the $_GET array for passing the form to PHP.
  • After you’ve passed the info to PHP, don’t submit it directly to the DB. Always use mysql_real_escape_string() to prevent SQL injections. The function’s main function (sounds kind of weird..) is to escape certain characters to make it secure to go over a mysql_query().

An example of exploit: You got a User & Pass form. And after you submit the info it is received by the PHP script this way:

if(isset($_POST[‘submit’])) { //If submit button’s been pressed

$user = $row[‘username’]; //Friendlier to handle
$pass = $row[‘password’]; //Friendlier to handle

mysql_query(“SELECT * FROM users WHERE password=’$pass‘ AND username=’$user‘”); //Query

//Something else

}

What would happen if somebody inserts in the form, as username, the following: User: ‘ OR 1’. Writing OR 1, will always output true, so all the rows in the table users are going to be selected.

The correct form:

if(isset($_POST[‘submit’])) { //If submit button’s been pressed

//Adding the mysql_real_escape_string() to escape string

$user = mysql_real_escape_string($row[‘username’]);
$pass = mysql_real_escape_string($row[‘password’]);

mysql_query(“SELECT * FROM users WHERE password=’$pass‘ AND username=’$user); //Query

//Something else

}

  • I recommend developing with full error reporting. This is can be enabled by adding: error_reporting(E_ALL); at the top of your script. By adding this, you’ll see a notice when you try to call a variable that has not been previously defined. You might wonder what can happen if there’s a variable not declared before.. Well, simple, somebody can go to your website and do something like yourscript.php?variable=http://mywebsite.com/scripttohackyou.php.

Well that was pretty much everything that came up to my mind right now =), if I remember something or find out something, I’ll add it to the list. I hope this helps somebody out there, because it took me forever to color the code =P.

Any comment, suggestion, or question, please post it here. Or if you think I am missing something, please tell me, so I can add it.

Best Regards,

Richi

Looking for quality Clip-Bucket hosting? Try out Arvixe and you won’t be disappointed.
Tags: , , , , , , , , , , , , | Posted under Security/Vulnerability | RSS 2.0

Author Spotlight

Richi González

I started programming when I was 12. I'm a Developer and have been working with the Clip-Bucket script since it came out. I'm the Liaison between Arvixe and Clip-Bucket, so anything you need regarding Clip-Bucket or any particular computer-related subject you need, let me know so I can assist you.
|
Personal Website

2 Comments on Basic & essential security tips when handling forms in PHP

  1. Guillem says:
    February 3, 2011 at 4:40 pm

    I completely agree. I would add that for big projects using an ORM like Doctrine or some PEAR modules like DB_DataObject is a must. They are going to give you most of this security by default.

    Regards, Guillem.

    Reply
  2. Richi Glez says:
    February 16, 2011 at 1:16 pm

    Hello,

    Yes you’re right. This is like basic security you must have like by default in almost any script that handles forms or data.

    Regards,
    Richi

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *