使Web应用程序安全

Question

I wanted to make a new php web application and if I follow the following things, it my site then safe?

• Escape user input ($_GET && $_POST) with addslashes
• Make prepared statements with PDO
• Check user input for the right type (eg int or string)

Answer 1

Security is not something that can be bolted on - it's a constant process of improvement.

• Using addslashes will not help you - you need to be escaping the output with htmlentities .
• Using prepared statement with PDO is good.
• Checking the user input for type is not enough - you need to check it way better. If you expect an email adress check for it, don't assume that if you've got a string it fine.

There are many more things to consider for security like XSS , CSRF ...

If you can get the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws . It's full of useful advices.

And, I'll say it again - security is not a feature - it's a measurement. There is not 100% secure application (or anything actually). The assumption of security is to make breaking it more expensive than what's behind it - if your site is dealing with money - you need more security - if you are dealing with giftcards - you might get away even without doing the things you suggested (which will be a very bad idea, but still).

Answer 2

Unfortunately there is a lot that can go wrong with web application secuirty. I recommend reading the OWASP Top 10 . Also, make sure to read #5 XSRF.

"escaping" input doesn't say very much. Data can be used in many different insecure ways. For instance the best way to prevent xss for PHP is:

htmlspecialchars($_GET['var'],ENT_QUOTES);

A good way to prevent sql injection for msyql is:

mysql_query("select * from mysql.user where id='".mysql_real_escape_string($id)."'");

Make sure you put the quote marks around all variables, or the query will be vulnerable to sql injection. But a more bullet proof approach is using parametrized queries (adodb, pdo...). But xss and sql injection is only the tip of the ice burg, a whole lot more can go wrong with php. I recommend reading the FREE paper A Study in Scarlet for specifically PHP security pitfalls.