Sunday, October 7. 2007
PHP Security - Part Two
This is part two of PHP Security basics. In this part, we'll be talking about validating integers better, validating strings with regex, hashing sensitive information, and webserver security.
Convert your strings into integers
There are a few other ways to make sure that your scripts only process the right type of information. For instance, if you're reading a page number from $_GET, the script will always be expecting an integer.
$var = "3 small words";
$page = (int)$var; // the cast keeps the leading digits and drops the rest
$page is now 3. A simple yet effective way to make sure you always get an integer.
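To show what the cast does with less friendly input, here is an added example (not code from the original post) that runs the (int) cast beside filter_var() with FILTER_VALIDATE_INT over a set of constructed inputs. It goes a step beyond the post: the cast accepts anything and silently turns garbage into 0, while the filter rejects everything that is not a complete integer inside a chosen range. The function names are this example's own.

```php
<?php
// Added example, not code from the original post: three ways of turning a
// user-supplied page number into an integer, compared over constructed input.

function pageByCast(string $raw): int
{
    // (int) keeps leading digits and silently drops the rest:
    // "3 small words" -> 3, but "abc" -> 0 and "12abc" -> 12.
    return (int)$raw;
}

function pageByFilter(string $raw): ?int
{
    // FILTER_VALIDATE_INT accepts only a complete integer literal (no
    // trailing text, no leading zeros, no hex) and can enforce a range at
    // the same time; anything else yields null here.
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 10000],
    ]);
    return $page === false ? null : $page;
}

function safePage(string $raw): int
{
    // Pager policy used by this example: invalid input falls back to page 1
    // instead of being coerced into some other number.
    return pageByFilter($raw) ?? 1;
}

// Constructed inputs of the kind a query string can carry
$inputs = ['3', '3 small words', 'abc', '12abc', '-1', '0x1A', '007', '99999'];
printf("%-18s %7s %8s %5s\n", 'input', 'cast', 'filter', 'page');
foreach ($inputs as $raw) {
    printf("%-18s %7d %8s %5d\n",
        var_export($raw, true),
        pageByCast($raw),
        var_export(pageByFilter($raw), true),
        safePage($raw));
}
```

Reading the table: '3 small words' casts to 3 exactly as the post says, but 'abc' casts to 0 and '12abc' to 12 with no error raised, which is why a page number taken from $_GET is better validated with the filter and clamped to a known range before it reaches a query or a loop bound.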
Keep your private stuff private
Most browsers will load a .inc file just like a .txt file, and some will do the same with .lib. That is not good at all: there are some things you will inherently want to keep private, regardless of what you're doing. To fix this in Apache, you could put the following in your httpd.conf file...
<Files ~ "\.inc$">
Order allow,deny
Deny from all
</Files>
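The same restriction, as an added example rather than the post's own configuration, extended to .lib files and written for both Apache generations. The Order/Deny directives used above are Apache 2.2 syntax; on Apache 2.4 they exist only when mod_access_compat is loaded, and the native form is Require. Use whichever block matches the server, not both.

```apache
# Added example, not from the original post. Pick the block for your version.

# Apache 2.2 (mod_authz_host "Order"/"Deny" syntax, as in the post),
# covering both .inc and .lib files:
<FilesMatch "\.(inc|lib)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# Apache 2.4 native syntax (Order/Deny require mod_access_compat there):
<FilesMatch "\.(inc|lib)$">
    Require all denied
</FilesMatch>
```

Either way, a request for a matching file now gets a 403 instead of the file's source, and the restriction can be checked with a plain request for a known .inc path after a configuration reload.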
Validating strings with Regular Expressions
Regular Expressions, or regex for short, are a challenge to learn, but can be very rewarding as well. A Regular Expression describes a pattern in a string. For example, there are simple ways to check for cases that come up often...
// ereg() takes the pattern first, then the string; it was removed in PHP 7 (preg_match() is the replacement)
$validLogin = ereg('^[[:alnum:] _-]{6,40}$', $postvar);
if (!$validLogin)
{
// not valid
}
In this example, if the $_POST username consists only of letters, digits, spaces, underscores and hyphens, and is between 6 and 40 characters in length, it will validate correctly. The ^ and $ anchors matter: without them the pattern would match any string that merely contains a six-character run. Another example would be an email address...
$validEmail = ereg('^[[:alnum:]._-]+@[[:alnum:]-]+\.([[:alnum:]-]+\.)*[[:alnum:]]+$', $postvar);
You can learn more about Regular Expressions here.
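Here are the two checks rewritten with preg_match(), as an added example that is not code from the original post. It anchors both patterns, uses the D modifier so that $ cannot match before a trailing newline (an edge case that lets "alice_01\n" through an unanchored-at-the-end check), and cross-checks the address with PHP's built-in FILTER_VALIDATE_EMAIL. Function names and the sample inputs are this example's own.

```php
<?php
// Added example, not code from the original post: the login and e-mail
// checks with preg_match(), the PCRE function that replaced ereg().

function validLogin(string $name): bool
{
    // ^ and $ make {6,40} apply to the whole string. The D modifier
    // (PCRE_DOLLAR_ENDONLY) stops $ from matching just before a final "\n".
    return preg_match('/^[[:alnum:] _-]{6,40}$/D', $name) === 1;
}

function validEmail(string $address): bool
{
    // Same structure as the post's pattern, anchored, in PCRE syntax.
    $pattern = '/^[[:alnum:]._-]+@[[:alnum:]-]+\.([[:alnum:]-]+\.)*[[:alnum:]]+$/D';
    if (preg_match($pattern, $address) !== 1) {
        return false;
    }
    // Cross-check with the built-in validator, which applies more of the
    // address syntax than a hand-written pattern does.
    return filter_var($address, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed cases: [input, expected result]
$logins = [
    ['alice_01', true],
    ['bob', false],                       // shorter than 6
    ["o'brien", false],                   // apostrophe is outside the class
    [str_repeat('a', 41), false],         // longer than 40
    ["alice_01\n", false],                // trailing newline, caught by /D
];
$emails = [
    ['user.name@example.com', true],
    ['user@mail.example.co.uk', true],
    ['not an address', false],
    ['user@example', false],              // no dot after the host part
    ['<script>@example.com', false],      // characters outside the class
];

foreach ([[$logins, 'validLogin'], [$emails, 'validEmail']] as [$cases, $fn]) {
    foreach ($cases as [$input, $expected]) {
        $passed = $fn($input) === $expected;
        printf("%-10s %-5s %s\n", $fn, $passed ? 'ok' : 'FAIL', json_encode($input));
    }
}
```

Both functions implement an allow-list: they say what is permitted and reject everything else, which is the safer direction for input validation. They decide only whether a value is well-formed; data that passes still needs escaping for the context it is used in (HTML output, SQL parameters).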
Hashing sensitive information
Passwords and other sensitive material should always be hashed, just in case someone should gain access to your databases. While I prefer cryptographically secure hashes, you can generate many kinds with PHP. A few examples are...
$word = "testhashing";
echo hash('sha256', $word);
echo hash('sha512', $word);
Personally, I would suggest using at least sha256, as it is still considered cryptographically secure.
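Below is an added example, not code from the original post, that takes the hash('sha256', ...) call above and turns it into a storable password record: a random per-user salt is prepended before hashing, stored alongside the digest, and verification uses hash_equals() so the comparison takes the same time whether or not the digest matches. Function names are this example's own; random_bytes() needs PHP 7 and hash_equals() PHP 5.6.

```php
<?php
// Added example, not code from the original post: salted SHA-256 password
// records built with hash(), verified with a constant-time comparison.

function makePasswordRecord(string $password): string
{
    $salt = bin2hex(random_bytes(16));            // 32 hex chars, unique per user
    $digest = hash('sha256', $salt . $password);  // 64 hex chars
    return $salt . '$' . $digest;                 // salt is stored with the digest
}

function checkPassword(string $password, string $record): bool
{
    [$salt, $digest] = explode('$', $record, 2);
    $candidate = hash('sha256', $salt . $password);
    return hash_equals($digest, $candidate);       // timing-safe comparison
}

// Constructed usage: two users choosing the same password get different
// records because their salts differ, so one leaked digest reveals nothing
// about the other.
$a = makePasswordRecord('testhashing');
$b = makePasswordRecord('testhashing');
$checks = [
    'distinct records for equal passwords' => $a !== $b,
    'correct password verifies'            => checkPassword('testhashing', $a),
    'case-changed password fails'          => !checkPassword('testHashing', $a),
    'second record verifies as well'       => checkPassword('testhashing', $b),
];
foreach ($checks as $label => $passed) {
    echo ($passed ? 'ok   ' : 'FAIL ') . $label . "\n";
}
```

The salt defeats precomputed tables, but SHA-256 is designed to be fast, so a salted digest can still be guessed at high speed offline. For passwords specifically, password_hash() and password_verify() (PHP 5.5 and later) use a deliberately slow algorithm and handle the salt automatically; the pattern above is the right shape for integrity checks on other sensitive values where a fast hash is acceptable.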
Using these tips, you can help yourself avoid most basic XSS, SQL injection, and other security issues. For better security all around, Regular Expressions can help make validation much easier, or you can save some time with 8 Practical PHP Regular Expressions. Thanks for reading. If you enjoyed this article, please take a second to let me know what you thought of it in the comments.

