DevShed finishes off their series on database security in PHP applications with this look at protecting your application and data from the threat of SQL injections.
In this article we will continue to explore various attacks that can be made on a database and how to prevent these attacks. We will also build the last page of our site.
Their example script is the login for a secured area of the site and contains the classic opening for an injection: user input that is never validated. Something as simple as submitting a single quote as the username breaks the query's syntax, and the resulting error tells an attacker about your database structure, which is the foothold for getting further into your systems. To prevent it, they recommend escaping input with mysql_real_escape_string as a first line of defense (escaping only protects values that sit inside quotes in the SQL text; parameterized queries avoid the problem altogether).
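The login check from the article, as an added example that is not DevShed's code: the vulnerable query built by string concatenation beside a parameterized version. It uses an in-memory SQLite database through PDO so it runs offline (the table, the user and the payloads are constructed here); the original's mysql_ functions need a live MySQL connection and were removed in PHP 7, so prepared statements stand in for mysql_real_escape_string.

```php
<?php
// Added example, not code from the DevShed article. The users table, the
// stored credentials and the attack inputs are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password TEXT)');
$db->exec("INSERT INTO users VALUES ('alice', 'correct horse')");

// Vulnerable: the submitted values are spliced straight into the SQL text,
// so a quote in the input becomes a string delimiter in the query.
function loginVulnerable(PDO $db, string $user, string $pass): bool
{
    $sql = "SELECT COUNT(*) FROM users WHERE username = '$user' AND password = '$pass'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened: placeholders keep the values out of the SQL grammar entirely;
// whatever the client sends is compared as a literal string.
function loginSafe(PDO $db, string $user, string $pass): bool
{
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM users WHERE username = ? AND password = ?'
    );
    $stmt->execute([$user, $pass]);
    return (int) $stmt->fetchColumn() > 0;
}

// The lone-quote probe the article mentions: the vulnerable query now has an
// unbalanced string literal, and the database error it produces is what an
// attacker reads to map the query.
try {
    loginVulnerable($db, "'", 'x');
} catch (PDOException $e) {
    echo 'probe leaked: ', $e->getMessage(), "\n";
}

// The classic bypass: the password clause becomes a tautology in the
// vulnerable version, while the safe version treats it as a password string.
$payload = "' OR '1'='1";
var_dump(loginVulnerable($db, 'alice', $payload));
var_dump(loginSafe($db, 'alice', $payload));
var_dump(loginSafe($db, 'alice', 'correct horse'));
```

Run it from the command line with the pdo_sqlite extension enabled. The probe call throws a syntax error out of the vulnerable query, the tautology payload logs in through loginVulnerable but not through loginSafe, and the real credentials still work through loginSafe.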
On the symfony blog Fabien Potencier reminds symfony developers that the security of their applications must be taken seriously and that, despite the built-in protection the framework offers, there can still be issues.
The symfony framework has always provided the tools needed by the developers to secure their applications. With the new form framework, we have added an automatic protection against CSRF. Speaking of the form framework, we have also added a lot of security features to protect you against all sorts of injections.
He does include an example, though, of a situation where the framework's protection against cross-site scripting and injection attacks isn't enough on its own: you still have to check that the submitted input is what the form was supposed to send. He gives the example of a user adding an "is_admin" value to a form post that never contained such a field; if the controller copies every submitted field onto the record, the attacker updates that column and grants themselves admin rights.
He mentions the work the Rails team has been doing to prevent this sort of thing automatically, but Fabien points out what the symfony form framework already does: any submitted field that isn't defined in the form is rejected instead of being included.
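The is_admin problem from the post, as an added example that is not symfony's code: a handler that copies every submitted field onto the record beside one that treats the form's field list as an allow-list, which is the behaviour the post attributes to the symfony form framework. The form fields and the submitted data are constructed here.

```php
<?php
// Added example, not code from the symfony blog. PROFILE_FIELDS stands in
// for the fields a profile form actually renders; $submitted is a
// constructed POST body.

// The only fields a legitimate browser can send back from the form.
const PROFILE_FIELDS = ['name', 'email'];

// What an attacker sends: the form has no is_admin input, but nothing stops
// a client from adding one to the POST body.
$submitted = [
    'name'     => 'Mallory',
    'email'    => 'mallory@example.com',
    'is_admin' => '1',
];

// Vulnerable: builds the UPDATE from whatever keys arrive, so is_admin is
// written just like name and email. Worse, the keys become column names in
// the SQL text, so the client controls the query itself, not only its values.
function buildUpdateVulnerable(array $post): array
{
    $set = [];
    foreach ($post as $column => $value) {
        $set[] = "$column = :$column";
    }
    return [
        'sql'    => 'UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :id',
        'params' => $post,
    ];
}

// Hardened: the form definition is the allow-list. Unknown fields are
// rejected outright, so the attacker cannot reach columns the form never
// exposed, and only known names ever appear in the SQL text.
function buildUpdateSafe(array $post, array $allowed): array
{
    $unexpected = array_diff(array_keys($post), $allowed);
    if ($unexpected !== []) {
        throw new InvalidArgumentException(
            'unexpected field(s): ' . implode(', ', $unexpected)
        );
    }
    $set = [];
    foreach ($allowed as $column) {
        if (array_key_exists($column, $post)) {
            $set[] = "$column = :$column";
        }
    }
    return [
        'sql'    => 'UPDATE users SET ' . implode(', ', $set) . ' WHERE id = :id',
        'params' => array_intersect_key($post, array_flip($allowed)),
    ];
}

echo buildUpdateVulnerable($submitted)['sql'], "\n";
try {
    buildUpdateSafe($submitted, PROFILE_FIELDS);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
$legit = ['name' => 'Alice', 'email' => 'alice@example.com'];
echo buildUpdateSafe($legit, PROFILE_FIELDS)['sql'], "\n";
```

The vulnerable builder happily emits an UPDATE that sets is_admin; the safe builder throws on the same input and only produces SQL for a submission whose keys match the form.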
This new tutorial DevShed has posted today talks about planning for your application's security and some handy tips you can use to keep it safe.
In this article we will look at how to start a project while considering its related security issues. We will focus on form validation as well as other topics such as site structures. To demonstrate the topics that we will be discussing, we will create a site that will enable a user to log in, log out, register and manage passwords.
They look at things like the overall structure of the site (including how it lives on the file system) and protecting your application from dangerous user input through forms.
Dealing with the display of form inputs, the validation of a form submission, and all the particular cases of forms is one of the most complex tasks in web development. Luckily, symfony provides a simple interface to a very powerful form sub-framework, and helps you to design and handle forms of any level of complexity in just a few lines of code.
The tutorial goes from the basics - displaying a simple form - out to complex multi-validations on the entered values.
DevShed has posted the fourth part in their introduction to the CodeIgniter framework. This time they focus on form validation.
If you're a web developer, you've probably written any number of scripts designed to validate the input entered into a web form. More than likely, then, you'd like something that will make that job easier. Enter the Code Igniter PHP framework. In this fourth part of a nine-part series on this framework, you'll learn how to use it to do basic validation on a web form.
Making and validating forms in CodeIgniter is a pretty simple process thanks to the built-in validation features of the framework. They show you how to create a form and how to implement the validation and output error messages when an issue comes up.
This recent post from the Mind Tree blog shares a few methods for testing the security of your web application (not unit tests, just general checks).
Because the Web "environment" is so diverse and contains so many forms of programmatic content, input validation and sanity checking is the key to Web applications security. This involves both identifying and enforcing the valid domain of every user-definable data element, as well as a sufficient understanding of the source of all data elements to determine what is potentially user definable.
They note that the root of most problems is input validation: most applications either don't do it at all or do it poorly. They include a few tips on first securing the environment the application runs in (such as checking what the server answers to HEAD and OPTIONS requests and ensuring you only serve known file extensions and directories). They also cover why hidden form fields provide no security, since the client controls their values, and some issues surrounding user authentication.
For a recent REST web service project, Lorna Mitchell had to put together a server for remote clients to use. She started with GET requests, moved on to handling POST, and then to PUT, which is where the difficulty came in:
PHP doesn't have a built-in way to do this, and at first I was a little confused as to how I could reach this information. It turns out that this can be read from the incoming stream to PHP, php://input.
Pulling from that stream gave her the raw data she needed (conveniently urlencoded, so it can be parsed like a query string). She includes a simple example that checks REQUEST_METHOD in the $_SERVER superglobal to decide how the request should be handled (PUT versus GET).
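A minimal dispatcher along the lines she describes, as an added example that is not Lorna Mitchell's code: it selects on the request method and decodes a PUT body read from php://input. The method, content type and body are placed in plain variables so the script runs from the command line; the commented lines show where they come from in a real request.

```php
<?php
// Added example, not code from the original post. The request values below
// are constructed; in production they come from $_SERVER and php://input.

// Decode a urlencoded body into an array. parse_str() is given a result
// array on purpose: called without it (allowed before PHP 8) it creates
// variables in the current scope from client-supplied names, a
// register_globals-style injection.
function parseFormBody(string $raw): array
{
    parse_str($raw, $fields);
    return $fields;
}

// Read the body for the verbs PHP does not populate a superglobal for.
// Only a declared form body is decoded; anything else is handed back raw
// for the caller to deal with explicitly.
function readRequestBody(string $method, string $contentType, string $raw): array
{
    if ($method !== 'PUT' && $method !== 'POST') {
        return [];
    }
    if (strpos($contentType, 'application/x-www-form-urlencoded') !== 0) {
        return ['_raw' => $raw];
    }
    return parseFormBody($raw);
}

function dispatch(string $method, string $contentType, string $raw): string
{
    switch ($method) {
        case 'GET':
            return 'read resource';
        case 'PUT':
            $data = readRequestBody($method, $contentType, $raw);
            // A PUT body is as attacker-controlled as any GET parameter:
            // validate the decoded fields before acting on them.
            if (!isset($data['name']) || !preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $data['name'])) {
                return 'reject: invalid or missing name';
            }
            return 'update resource name to ' . $data['name'];
        default:
            return 'reject: unsupported method';
    }
}

// Constructed request. In production:
//   $method      = $_SERVER['REQUEST_METHOD'];
//   $contentType = $_SERVER['CONTENT_TYPE'] ?? '';
//   $raw         = file_get_contents('php://input');
$method      = 'PUT';
$contentType = 'application/x-www-form-urlencoded';
// The second key would have become $admin in scope had parse_str() been
// called without its result array.
$raw = 'name=new+title&admin=1';

echo dispatch($method, $contentType, $raw), "\n";
echo dispatch('GET', '', ''), "\n";
echo dispatch('DELETE', $contentType, $raw), "\n";
```

Note that php://input can only be read once per request for non-multipart bodies, so read it in one place and pass the result around rather than re-opening the stream.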
On the NETTUTS.com website, there's a great article with some "essential security considerations" that you can use to see just how hackable your site could be.
This article walks through the brainstorming stage of planning for what is in this instance, a hypothetical user-centric web application. Although you won't be left with a complete project - nor a market ready framework, my hope is that each of you, when faced with future workloads, may muse on the better practices described. So, without further ado... Are you sitting comfortably?
The tutorial is broken up into a few sections based around an example with a few points of failure (about book information). They work through the thought process behind the code, using the $_REQUEST variables correctly, preventing SQL injections, filtering the HTML output and a sample code download for you to see how it's all tied together.
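Two of the habits the NETTUTS piece covers, reading input from the specific superglobal rather than $_REQUEST and encoding output for HTML, as an added example that is not the article's code. The book data and the stand-ins for the superglobals are constructed.

```php
<?php
// Added example, not code from the NETTUTS article. $post and $get are
// constructed stand-ins for $_POST and $_GET.

// $_REQUEST merges GET, POST and COOKIE (in the order set by request_order,
// falling back to variables_order), so a value you expect from a form can be
// supplied in the URL or a cookie instead. Read from the source you expect.
function requiredPostField(array $post, string $name): string
{
    if (!isset($post[$name]) || !is_string($post[$name])) {
        throw new InvalidArgumentException("missing POST field: $name");
    }
    return $post[$name];
}

// Encode for an HTML text node or a double-quoted attribute. ENT_QUOTES
// covers single quotes as well, ENT_SUBSTITUTE keeps invalid byte sequences
// from silently emptying the output, and naming the charset stops multibyte
// input from being mis-decoded into a stray quote.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Render one row of the book listing; every dynamic value goes through h().
function renderBookRow(string $title, string $author): string
{
    return '<tr><td>' . h($title) . '</td><td title="' . h($author) . '">' . h($author) . '</td></tr>';
}

// Constructed submissions: a script in the title, and an author value that
// tries to break out of an attribute.
$post = [
    'title'  => '<script>alert(document.cookie)</script>',
    'author' => "O'Reilly\" onmouseover=\"alert(1)",
];
// A competing 'title' in the query string; which copy $_REQUEST would hold
// depends on php.ini, so the code below never consults it.
$get = ['title' => 'from the query string'];

$title  = requiredPostField($post, 'title');
$author = requiredPostField($post, 'author');
echo renderBookRow($title, $author), "\n";

try {
    requiredPostField($get, 'title');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The rendered row contains the payloads only as entity-encoded text, and the attribute stays closed where the author value tried to open a new one. The last call shows that a field supplied only in the query string is refused rather than quietly accepted.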
The WebReference.com website has an introductory tutorial showing the budding PHP developer how to get started with one of the keys to web application interaction - forms.
Forms are how your users talk to your scripts. To get the most out of PHP, you must master forms. The first thing you need to understand is that although PHP makes it easy to access form data, you must be careful of how you work with the data.
The first part of the tutorial is focused on something many applications don't worry about - the security and integrity of the data submitted to them. They talk about things like filtering and various other checks to ensure that the data you're getting is good. They also mention the method for putting submitted values into PHP arrays, checking for valid values, using multiple submit buttons and an example of some of these methods all put together - validating a credit card number.
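The checks the tutorial ends on, as an added example that is not WebReference's code: normalizing and checksumming a card number, and validating an array-valued form field. The Luhn checksum is the standard one for card numbers, but whether the tutorial uses it is not stated, so it is this example's choice; the sample inputs are constructed.

```php
<?php
// Added example, not code from the WebReference tutorial. Inputs below are
// constructed; the Luhn check is this example's choice of algorithm.

// Normalise a card number the way a user types it (spaces, dashes) and
// reject anything that is not 13 to 19 digits afterwards.
function normaliseCardNumber(string $input): ?string
{
    $digits = preg_replace('/[ -]/', '', $input);
    return preg_match('/^\d{13,19}$/', $digits) ? $digits : null;
}

// Luhn checksum: double every second digit from the right, sum the digits
// of the results, and the total must be divisible by 10. It catches typos
// and made-up numbers; it says nothing about whether the card is real.
function luhnValid(string $digits): bool
{
    $sum = 0;
    $double = false;
    for ($i = strlen($digits) - 1; $i >= 0; $i--) {
        $d = (int) $digits[$i];
        if ($double) {
            $d *= 2;
            if ($d > 9) {
                $d -= 9;
            }
        }
        $sum += $d;
        $double = !$double;
    }
    return $sum % 10 === 0;
}

// Array-valued inputs (name="items[]") arrive as arrays. Anything else means
// the client changed the form, so reject it rather than assume the shape
// you rendered; then keep only entries that match the expected format.
function validateItems($items): array
{
    if (!is_array($items)) {
        throw new InvalidArgumentException('items must be an array');
    }
    $clean = array_filter($items, function ($v) {
        return is_string($v) && preg_match('/^[A-Za-z0-9 ]{1,40}$/', $v);
    });
    return array_values($clean);
}

// Constructed submissions: a Luhn-valid number, the same number with its
// last digit changed, a truncated one, and garbage.
$samples = ['4539 1488 0343 6467', '4539 1488 0343 6468', '4539-1488-0343-646', 'abcd'];
foreach ($samples as $raw) {
    $digits = normaliseCardNumber($raw);
    if ($digits === null) {
        $status = 'malformed';
    } else {
        $status = luhnValid($digits) ? 'checksum ok' : 'checksum failed';
    }
    echo str_pad($raw, 22), $status, "\n";
}

print_r(validateItems(['Book One', 'Book Two', '<b>x</b>']));
```

A checksum pass is a reason to proceed to the payment processor, not proof of a valid card; the processor's response is the real validation, and the card number should never be stored along the way.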
Besides all of the usual Valentine's Day logo fun from some of the major sites out there, Paul Reinheimer also points out a special little something on the Funcaday.com website:
Want a custom one to share with someone you care about? Fill out the form here. It's a subtle effect though, they'll need to read it. Valid characters for names are just alphabetics and the underscore, sorry.
The custom output is a great little addition to the site - put in person one's name and person two's name and it updates the image to show the new parameters. Ah, geek love...