[PHP] Secure your data

[el_jentel1]

One of the biggest concerns of all developers or any webmaster running a custom script (no support for it) is security, and since hackers are making sure to reach every hole, we need to make sure it's closed before they reach it.

If you run your inputs through a database or just temporarily displaying it on your website, or even executing shell commands, you need to make sure that your entries are escaped, or clean in other words.

Some of the most common functions to clean or escape in PHP are:

• myql_real_escape_string()
• htmlentities()
• htmlspecialchars()
• strip_tags()
• stripslashes()
• urlencode()
• rawurlencode()
• And so on...

These function are very useful, most of the time, but they are very general. It is always best that you validate your data exactly as required, for example, let's say you have a public input which requires the page number to display, the entry needs to be an integer, so we validate it.

There are many ways to validate entries, whether with functions already made by PHP, type juggling or using regular expressions (regex).

Some of the useful functions are:

• intval()
• is_float()
• is_numeric()
• is_string()
• And so on...

Or in type juggling:

• (int)
• (bool)
• (float)
• (string)
• ...

You should make use of all that, it'll save you a lot of time and will make sure that your entry is clean, for example, let's say you have a public $_GET or $_POST, the purpose of it is a poll or a survey if you will, asking the user "How many times have you visited my site today?"

If you pass this into the database without any validation, malicious code can be executed, example.

PHP Code: 

$entry = $_GET['vote']; // ?vote={MALICIOUS_CODE} 


That will be executed and causing your database to malfunction, depending on the malicious code of course, deleting, dropping or editing entries in database.

If we add (int) right before $_GET it'll basically switch the type to integer, and only returns an integer.

PHP Code: 

$entry = (int) $_GET['vote']; 


If you want to make your validation public and display errors, you could do something like:

PHP Code: 

if ( !is_numeric($_GET['vote']) )
{
    // Display error 


Notice the "!" before is_numeric(), it basically means "not integer, or not equal to, not set..." however you want to word it. So "!" is "NOT" in short.

What about validating regular strings? for example you have a script which has a registering system on it, of course you should always use mysql_real_escape_string() for that, but why not do extra validation to be extra safe.

In this situation we use regex (regular expressions) very useful, let's look at this example:

PHP Code: 

if ( !preg_match('/^\w+$/i', trim($str)) )
{
    // Display error 


A couple of things to notice here, first the preg_match() function, this function basically matches regex as you defined it to the entry added, in this case we're asking PHP "Is the entered string consists of a-z A-Z 0-9 or _ or not?"

This is very useful for user name validation, even though you could code another version that accepts all types of characters (using some of the functions we mentioned earlier) but a user name only needs those characters, mostly.

Another thing to notice are the ^ and the $ signs, ^ means "start" and $ means "end", basically telling it that string starts with that and ends with this.

The trim() function removes all extra spaces from left/right of the entry so " string " will become "string".

Here is a basic list of the most common expressions used:

• \d: Matches digits, equivalent to [0-9]
• \w: Matches word characters and underscore, equivalent to [a-zA-Z0-9_]
• \s: Matches space, new line and tab.

With regex the possibilities are endless, you can validate a URL, email, user name, string and how many characters allowed in each constant (minimum and maximum).

You can easily find detailed tutorials about regex by searching Google.

Other areas that need to be secured are when you execute system functions, whether publicly or internally. Functions like system() and exec() which are used to execute system commands also need to be escaped.

Of course you can use the same methods we mentioned before (ie: regex) to validate data through system functions, however, thanks to PHP, they have made special functions to escape commands in system functions, for example:

• escapeshellarg()
• escapeshellcmd()

The function escapeshellcmd() escapes more characters than escapeshellarg().

Even if you use those functions, it's always a good idea to make additional validation to make sure that the entry passed is exactly as you want it.

Conclusion: always make sure that you secure your data, this is for your own good and of course the users viewing your website, and if a hacker managed to get into your scripts, don't give up, this just gives you more power because you'll be learning new things, thus making your scripts more powerful.

Thank you.

Article by: el_jentel1

el_jentel1 Reviewed by el_jentel1 on 21st Jun 2010. [PHP] Secure your data One of the biggest concerns of all developers or any webmaster running a custom script (no support for it) is security, and since hackers are making sure to reach every hole, we need to make sure it's closed before they reach it. If you run your inputs through a database or just temporarily displaying it on your website, or even executing shell commands, you need to make sure that your entries are escaped, or clean in other words. Some of the most common functions to clean or escape in Rating: 5

[bxflow]

Thank you for this, I wish I understood all this coding more

[BadLuckGuy]

wow Gr8 Article.
Thaaanks
I already use some of these now will use these tips too.
its really important to validate the form contents with php and put some security measures.
As some guys just validate forms using javascript and dont validate it server-side Its a real security threat because a hacker can still send anything malicious.

[tom247]

thanx elj

[Hyperz]

Useful guide indeed .

[desiboy]

Nice article..
in search forms, many forget to put some kind of filtering, resulting in XSS .
htmlentities() , is pretty good to block XSS to certain extent.

[Robin H]

nice OP

[litewarez]

The way i prefer to do things is to check all data that can be inputted via GET/POST.

The way i do this is create a class that will recursively check the inputted userdata before we use anywhere within application.

A simple class can do this, taking into note the class below is an example, and is only for informational purposes.

PHP Code: 

class Input
{
    var $get,$post,$cookie; //Cleaned (Not DB)
    var $_get,$_post,$_cookie; //Uncleaned / RAW

    function __construct()
    {
         $this->clean();
    }

    private function clean()
    {
         //Keep the raw stuff in there designated variables.
         $_get = $_GET;
         $_post = $_POST;
         $_cookie = $_COOKIE;
   
         //Clean them and assign the data to the designated variables;
         $get = $this->escape($_GET);
         $post = $this->escape($_POST);
         $cookie = $this->escape($_COOKIE);
    }

    public function __get($type)
    {
        return isset($this->{$type}) ? $this->{$type} : array(); // usage: $input->get->some_key
    }

    public function escape($var)
    {
         $return = array();
         foreach($var as $key => $val)
         {
              if(is_array($val))
              {
                   $return[$key] = $this->escape($val);
              }else
              {
                   $return[$key] = htmlentities($val); //MORE WORK HERE
              }
         }
         return $return; //Return it;
    }
} 


so from now on if you use this class to get your GET/POST/COOKIE Vars, all the values are pretty safe, altho you still need to use a Database Escape Fuction. Read El_j's thread above.

Doing your escaping this way reduces the amount of code you need to write as its all done for you,

Peace

[jayfella]

i dont mind saying i have no idea what all this is about, but its very nice to see the community pull together and teach each other tricks of the trade.

KWWH

[litewarez]

Basically jay its general application security..

In PHP theres several factors that of security that ALWAYS needs to be addressed,

The 2 main are XSS (Cros Site Scripting) witch can be prevented by turning characters such as ' and " int there html entites & qoute; etc. this is what my other post deals with. turns all user inputted data such as index.php?key=some_user'data"with\'SomeChars into a safe escaped string to use, this will help prevent XSS

The other is database injections, this is when you take lets say an id from an url such as index.php?id=2 and use the $_GET['id'] in php to check the database. that id=2 could easily be changed into something that can get you hacked ie (id=-1' OR DELETE xxx FROM xxx\).

If you want to look up more information on this just google SQL Injection you will find plenty of basic outlines.