LinuxQuestions.org
Old 04-08-2011, 09:29 AM   #1
matiasar
Member
 
Registered: Nov 2006
Location: Argentina
Distribution: Debian
Posts: 314
Blog Entries: 1

Rep: Reputation: 31
PHP security concern


For a couple of weeks I've been working on a PHP web site, and now it's almost ready for production.
The site has some sections with authenticated access, so from the beginning I decided to pay attention to security.

These are the main points I tried to pay special attention to. I'd like to know if I'm missing something, or any tip which could help to improve security, so opinions or advice will be very appreciated.

1) Login form data are sent through TLS, so they are not sent in plain text.

2) Form info is validated in order to minimize the possibility of SQL injection. Validation is done via regex and PHP functions.

3) Some of the site's forms generate a random MD5 hash and send it through both POST and SESSION, so the "target" PHP script can validate the origin of those data by checking that both contain the same value.

4) Passwords are stored encrypted in a MySQL table.

5) Configuration and class PHP scripts are located outside the public web dir (outside DocumentRoot).
And every directory of the website has an index.php script that redirects to the home page, so as not to list directory contents.

One of my doubts is the following:

Once an authorized user is logged in, a session variable is set: $_SESSION['uuid'], which contains a user id number that is stored in the authusers table.
Access to restricted areas of the site relies on that session variable.
I read in some articles that the session ID could be hijacked, especially if the site runs on a shared server (which will be the case here).

Are there any extra practices for trying to minimize this risk?

Are any extra actions advisable?


Thanks!!
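The "same random value in POST and SESSION" check from item 3, written out as an added example (not the poster's code): the token comes from the OS CSPRNG via random_bytes() rather than MD5, and the comparison uses hash_equals(). It assumes PHP 7 or later and that session_start() runs before any output.

```php
<?php
// Added example (not the original poster's code): the "random token in both
// POST and SESSION" check from item 3, using a CSPRNG token instead of MD5
// and comparing with hash_equals() so the check is strict and constant-time.
// Assumes PHP 7+ and that session_start() runs before any output is sent.

session_start();

// Call when rendering a form: returns the token to embed in a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the OS CSPRNG, hex-encoded (64 characters)
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Call in the "target" script before trusting any POST data.
function csrf_check(array $post): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    // hash_equals() is strict and constant-time; a loose == would compare
    // numeric-looking strings as numbers and leak timing on early mismatch.
    return hash_equals($expected, $given);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid form token');
    }
    // ... handle the validated submission here ...
    // Drop the used token so the same submission cannot be replayed.
    unset($_SESSION['csrf_token']);
}

$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post">'
   . '<input type="hidden" name="csrf_token" value="' . $token . '">'
   . '<input type="text" name="posted_field">'
   . '<button type="submit">Send</button>'
   . '</form>';
```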
 
Old 04-08-2011, 09:36 AM   #2
dugan
Senior Member
 
Registered: Nov 2003
Location: Canada
Distribution: distro hopper
Posts: 4,863

Rep: Reputation: 1523
You are guarding against XSS and SQL injection attacks, by passing output through htmlentities and using prepared statements and parameter bindings for your SQL statements, right?
 
Old 04-08-2011, 10:10 AM   #3
Guttorm
Senior Member
 
Registered: Dec 2003
Location: Trondheim, Norway
Distribution: Debian and Ubuntu
Posts: 1,156

Rep: Reputation: 247
Having confidential data on a shared server is risky. I would not rely on PHP's safe mode to prevent the others from reading your files. There have been lots of bugs in it, and I wouldn't be surprised if more show up. Also, many shared servers also allow Perl and CGI, which have no such mechanism. These scripts can often read anything the web server has read access to, including your files. I think that's why safe mode is deprecated. It gives people a false impression of security. And the servers have administrators and backups which you also trust. You not only trust that they don't read your files, but also that they don't change the configuration of the server. So avoid shared servers if you can.

In addition, I would look for use of the eval function in the PHP code. Be very careful if you use it. If other people can pass data that ends up in the eval function, be super strict when validating it. If not, they can run code on the server.

Also, don't use variables in include/require statements. Most servers deny external references in include and require, but don't rely on it.
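The include/require point above, as an added example that is not from the thread: the risky pattern is shown only as a comment, and the replacement is an allow-list in which client input selects a key, never a file name. The pages/ directory and the page names are assumptions made for the illustration.

```php
<?php
// Added example (not from the thread): the include/require pattern Guttorm
// warns about, beside the allow-list that replaces it. Assumes a pages/
// directory next to this script; the page names are made up.

// Risky: the request value is used directly to build the path. Whatever
// string the client sends is interpreted as a file name (or, with
// allow_url_include on, a URL), so the server setting is the only guard.
//   require 'pages/' . $_GET['page'] . '.php';

// Safer: client input only ever selects a key; the file name itself comes
// from a fixed map inside the code.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
    'about'   => 'about.php',
];

function resolve_page(string $requested): ?string
{
    if (!array_key_exists($requested, PAGES)) {
        return null;                          // unknown key: include nothing
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . PAGES[$requested]);
    // Belt and braces: the resolved file must still sit under pages/.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$req  = $_GET['page'] ?? 'home';
$page = resolve_page(is_string($req) ? $req : '');   // page[]=x is an array
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
require $page;

// The same rule applies to eval(): there is no validation that turns an
// arbitrary string into safe PHP. If only a computed value is needed, use
// a data structure (array, switch, map of callables) instead of building code.
```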
 
Old 04-08-2011, 11:19 AM   #4
slimm609
Member
 
Registered: May 2007
Location: Chas, SC
Distribution: slackware, gentoo, fedora, LFS, sidewinder G2, solaris, FreeBSD, RHEL, SUSE, Backtrack
Posts: 428

Rep: Reputation: 65
php safe mode has been deprecated and has some major problems and should not be used.

php is in the process of completely removing safe mode entirely

http://php.net/manual/en/ini.sect.safe-mode.php
 
Old 04-08-2011, 07:24 PM   #5
matiasar
Member
 
Registered: Nov 2006
Location: Argentina
Distribution: Debian
Posts: 314
Blog Entries: 1

Original Poster
Rep: Reputation: 31
Fellows,

You've been very kind for sharing this info. Thanks a lot to all of you.

Dugan, yes, I used the mysqli extension in order to use prepared statements.
I used the filter_var function to process data sent through the POST method:

Code:
$myvar = filter_var( $_POST['posted_field'], FILTER_SANITIZE_STRING);
Should I use the htmlentities function instead? Or could I use both?

Guttorm, thanks. I know the shared server is the Achilles' heel in this case. I understand that for a really critical application a dedicated server would be the best solution.
For this application, the data stored in the database is not so critical (no credit cards, no private or classified personal info involved). I'm wondering about security as a way of learning to focus on PHP security.
I didn't understand the use of the eval function... would it be to construct prepared statements? Or is it for another use? Would you please provide me an example?


Thanks again, regards,
Matías
 
Old 04-08-2011, 09:32 PM   #6
matiasar
Member
 
Registered: Nov 2006
Location: Argentina
Distribution: Debian
Posts: 314
Blog Entries: 1

Original Poster
Rep: Reputation: 31
I found this article http://www.tuxradar.com/practicalphp/10/0/0, and started reading. Seems very useful on how sessions work.
I read session IDs were stored by PHP within the /tmp dir, but really I didn't find anything in the /tmp dir. Maybe that changed in newer versions. I'm testing my site in a virtualized Debian running Apache and PHP (5.3).
 
Old 04-09-2011, 04:09 PM   #7
aspire1
Member
 
Registered: Dec 2008
Distribution: Ubuntu
Posts: 61

Rep: Reputation: 22
Another thing you could use is session_regenerate_id() as soon as the user has been authenticated. You could set up session_set_save_handler() to save the session info in a database rather than the default on disk. Use htmlentities for data being retrieved from the database and sent back to a user to be displayed in their browser, not when you are inserting the data into the database. And you could use a salt when hashing your passwords.
 
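The login flow these suggestions describe, as an added example that is neither aspire1's nor the poster's code: hardened session cookie flags, session_regenerate_id() right after authentication, salted password hashing through password_hash()/password_verify() (PHP 5.5 or later, which postdates the thread), and escaping at output time only. It assumes a mysqli connection $db and an authusers table with columns id, username and password_hash (the column names are assumptions); the database session handler is not shown.

```php
<?php
// Added example (not aspire1's or the poster's code) of the login flow the
// reply describes: secure cookie flags, session_regenerate_id() right after
// authentication, salted hashing via password_hash()/password_verify()
// (PHP 5.5+), and htmlspecialchars() applied at output time only.
// Assumes a mysqli connection $db and an authusers table with columns
// id, username, password_hash (column names are assumptions). PHP 7.3+.

// Cookie flags must be set before session_start(): not readable by script,
// only sent over TLS, not attached to cross-site POSTs.
session_set_cookie_params([
    'lifetime' => 0, 'path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'Lax',
]);
session_start();

function login(mysqli $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM authusers WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash);
    $found = $stmt->fetch();
    $stmt->close();

    // password_verify() reads the salt and cost out of the stored hash.
    if (!$found || !password_verify($password, $hash)) {
        return false;
    }
    // Fresh session ID on privilege change: an ID fixed or sniffed before
    // login is no longer the authenticated one. true = discard the old data.
    session_regenerate_id(true);
    $_SESSION['uuid'] = (int) $id;
    return true;
}

// When creating or changing a password: store only the salted hash.
function store_password(mysqli $db, int $uid, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE authusers SET password_hash = ? WHERE id = ?');
    $stmt->bind_param('si', $hash, $uid);
    $stmt->execute();
}

// Escape on the way out, not on the way in: the DB keeps the raw value,
// the browser receives HTML-safe text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}
```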
Old 04-09-2011, 06:58 PM   #8
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by matiasar
4) Passwords are stored encrypted in a MySQL table.
Did you mean hashed passwords are stored? If you really meant encrypted, then where is the key?
 
Old 04-09-2011, 09:20 PM   #9
matiasar
Member
 
Registered: Nov 2006
Location: Argentina
Distribution: Debian
Posts: 314
Blog Entries: 1

Original Poster
Rep: Reputation: 31
Aspire1, thanks for your suggestions. They are worth it for me to keep on researching and improving the scripts.

Passwords are hashed, not encrypted. You're right, Anomie.

Thanks!
 