It is finally October and I have not posted one thing yet. I was in California last week, though that should not be an excuse for the lack of posting. I really wanted to post at least once a week, and was trying for twice a week. That has not happened.
So, a quick post about security on a site. I will not claim to know everything about security, but I have always focused on the common-sense side of securing a site. Some things to keep in mind:
1. All data is tainted, and therefore, before you accept any data and put it in the database or file system, SANITIZE it. This applies to forms, forums, wikis, etc. Use PHP’s own functions at the very least to help clean the data. Never just blindly run the data through your database. You can open loopholes for malicious entries into your tables, or have tables disappear altogether. By allowing un-sanitized data in, you are opening yourself to a SQL injection attack. And while people will not bother with most sites, it is entirely possible for them to use SQL injection to turn your server into a host or bounce point for other mischievous activity.
2. Sessions are great, but use them with caution. What this means is: try not to pass a session ID via a query string in the URL. Session hijacking relies on this, as it is easy to grab a session ID from a Google search, a forum post, a blog, etc. I simply suggest not doing it. Cross-site scripting will also try to sniff the session ID. Saving the session ID in a cookie is fine, but regenerate the ID periodically, and validate the session when doing anything for admin functions, checkout functions, etc. Keep in mind what people are able to do on your application, and how much of a problem that would be if a session were hijacked.
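To make items 1 and 2 concrete, here is an added example (not code from the original post) of a PHP login handler that uses a prepared statement instead of string-built SQL and regenerates the session ID at login. The `users` table, its `username`/`password_hash` columns, and the database credentials are assumptions for the illustration.

```php
<?php
// Added example, not from the original post. Table and column names
// (users, username, password_hash) and the DSN/credentials are assumptions.
declare(strict_types=1);

// Item 2: keep the session ID out of the URL and out of reach of page scripts.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params([
    'httponly' => true,   // cookie not readable by JavaScript (limits XSS sniffing)
    'secure'   => true,   // only sent over SSL (item 3)
    'samesite' => 'Lax',
]);
session_start();

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// VULNERABLE (item 1): untrusted input concatenated straight into the query,
// so quotes or comment sequences typed by the user become part of the SQL.
// $sql = "SELECT id, password_hash FROM users WHERE username = '$username'";

// FIXED: a prepared statement keeps the data separate from the query text;
// whatever is in $username is only ever treated as a value, never as SQL.
$stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
$stmt->execute([':u' => $username]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user === false || !password_verify($password, $user['password_hash'])) {
    http_response_code(401);
    exit('Login failed');
}

// Item 2: issue a fresh session ID at the privilege change, so an ID captured
// before login (from a URL, a log, a forum post) is worthless afterwards.
session_regenerate_id(true);
$_SESSION['user_id']  = (int) $user['id'];
$_SESSION['login_at'] = time();   // re-checked later before admin or checkout actions
```

The same prepared-statement pattern applies to every INSERT or UPDATE that stores form, forum, or wiki input, not just the login lookup.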
3. SSL vs. no SSL. It all depends on your application. If you require anything remotely personal, just pony up the money for a cert and put it on the server. Many times when I am browsing around, if a site asks for my name, address, and phone number/email address, I look for that lock/cert. Even though this is all in the current phone book, I am not sure what information they will ask for next. And especially if you are going to ask someone for their credit card number: never leave that in the open.
4. Personal information on the application. If you are building a business site and need to put business information up, do it in a way that will not harm people inside the business. Posting email addresses of regular employees, direct numbers, etc. can lead to hassle and business identity theft. Put up the main number/main email address (per department if there is one) and leave it at that. If it is a personal site, never post your personal or financial information on the site. Not even to brag.
5. Leech protection. There are many ways to protect against other sites pulling in your graphics. Take the example of a college football fan who posted a full article about the Oklahoma Sooners quarterback being involved in drugs and other illegal activity. He mimicked a local Oklahoma newspaper site. He took the CSS and layout from the web, and linked to the images they hosted on their servers. The result? Many people, and even major news sites, took this as a true story. The guy got in trouble, was sued by the local paper, and eventually took it down. This happened, and luckily the local paper was able to track it down. Many phishing attempts are done this way: you get an HTML email from a bank saying you need to complete some information, and it points you to a site that looks exactly like the real deal. Safeguard your images, and do not let other sites use them.
6. Have fun and be observant. Web applications can be fun, and they can be really dangerous. Use common sense when programming, and use common sense when debugging and unit testing. Do not let a small “trite” thing be overlooked, as that may be the one back door others use to get into the site. You should have a good sysadmin setting up the servers and a good network admin manning the routers and firewalls, so it is up to you to apply common sense to the actual application.
Some of these are really basic common sense. Most security loopholes exist because people forgot the basics. There is only one, that is right – ONE, sure way to never get hacked, get a virus, or have a security hole. That is to never plug your system into the web, and never turn it on. But what fun is that?
Powerful post.