PHP Security checklist (injection, sessions etc)

So what kind of things should a person using PHP and MySQL be focused on to maximize security?

Things I have done:
-mysql_real_escape_string all inputs
-validate all inputs after escaping them
-Placed random alphanumerics before my table names
-50-character salt + RIPEMD passwords

Here's where I think I am slacking:
-I know nothing about sessions and securing them. How unsafe/safe is it if all you are doing is:

session_start(); 
$_SESSION['login']= $login;

and checking it with:

session_start();
if (isset($_SESSION['login'])) {
    // treated as logged in
}

-I heard something about other forms of injection like cross site injection and what not...
-And probably many other things I don't know about.

Is there a "checklist"/Quicktut on making PHP secure? I don't even know what I should be worried about. I kinda regret now not building off CakePHP since I am not a pro.

You can try to avoid hijacking by testing the user agent.

Something like that:

if (isset($_SESSION['userAgent'])) {
    if ($_SESSION['userAgent'] != md5($_SERVER['HTTP_USER_AGENT'])) {
       // HACK !!!
       // Kill the process or ask for authenticating
    }
}
else {
    $_SESSION['userAgent'] = md5($_SERVER['HTTP_USER_AGENT']);
}
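An added example (not code from the answer above) that builds the user-agent check into a login flow and adds the other session protections the question is missing: a regenerated session ID at login, cookie flags, and an idle timeout. The function names are my own.

```php
<?php
// Added example (not from the original answer): a login that hardens the session
// instead of only storing $_SESSION['login'].  The user-agent hash is the answer's
// idea; session_regenerate_id() and the cookie flags are additions.
declare(strict_types=1);

const SESSION_IDLE_LIMIT = 1800; // seconds of inactivity before forcing a new login

function start_secure_session(): void
{
    // Cookie not readable from JS, sent only over HTTPS, not attached to cross-site requests.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    ini_set('session.use_strict_mode', '1');   // refuse session IDs the server never issued
    session_start();
}

function ua_fingerprint(): string
{
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

// Call after the credentials have been verified by whatever means the app uses.
function login_user(string $login): void
{
    // A fresh ID on login defeats session fixation; true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['login']      = $login;
    $_SESSION['userAgent']  = ua_fingerprint();
    $_SESSION['lastActive'] = time();
}

// Returns the logged-in user, or null after destroying a session that failed a check.
function current_user(): ?string
{
    if (!isset($_SESSION['login'], $_SESSION['userAgent'], $_SESSION['lastActive'])) {
        return null;
    }
    $expired   = time() - $_SESSION['lastActive'] > SESSION_IDLE_LIMIT;
    $uaChanged = !hash_equals($_SESSION['userAgent'], ua_fingerprint());
    if ($expired || $uaChanged) {
        $_SESSION = [];
        session_destroy();
        return null;
    }
    $_SESSION['lastActive'] = time();
    return $_SESSION['login'];
}
start_secure_session();
```

The user-agent hash only raises the bar slightly, since a stolen cookie is usually stolen together with the browser's user-agent string; the regenerated ID, the cookie flags and HTTPS do most of the work.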

If your application allows any kind of content to be posted you should use some kind of encryption at login. SSL is best of course; poor man's SSL is encrypting the password with JS before posting the login form.

To avoid session hijacking, tie down the session to the IP at login (save the IP at login and compare with every request).

regards, //t

For XSS and other injection types, which are mainly HTML and JS injection, the key security is escaping all outputs. Everything you paste in HTML should be escaped for HTML; that means no JS or HTML should be seen by the browser in the content generated by something directly coming from the database.

As an example, user_name, that the user has set in a form, should not contain any HTML or JS code. If by any way someone can inject such a thing, you'll have some problem (and the easiest way to inject is the search form input in most apps, where your search is echoed in the response page). So all these outputs should have a htmlspecialchars() before output.

Here are some useful links:
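An added example (not code from the answer above) of the escape-on-output rule applied to the search-echo case the answer describes. The helper name e() and the constructed input are my own.

```php
<?php
// Added example (not from the original answer): escape at output time, for the
// HTML context the value is pasted into.
declare(strict_types=1);

// Safe for text between tags and for double-quoted attribute values.
function e(string $s): string
{
    // ENT_QUOTES also escapes the single quote; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning '', which would silently blank the output.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The results page echoes the query both as text and back into the search box.
function render_search_header(string $q): string
{
    return '<h2>Results for: ' . e($q) . '</h2>' . "\n"
         . '<input type="text" name="q" value="' . e($q) . '">' . "\n";
}

// Constructed input: tries to close the value attribute and add a tag.
$q = '"><i>not italic</i>';
echo render_search_header($q);
// The browser receives only entities (&quot; &gt; &lt;), so the quote cannot
// close the attribute and <i> is shown literally instead of rendered.
```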

There are multiple ways of hacking. The first is when an actual (or fake) user is trying to find gaps in your software to try to damage your server. You will need the escaping and input checking to prevent SQL injection to work around this.

The (or 'an') other is a hacker that tries to steal a session to impersonate another user. This allows them to reach (and change) data they are not entitled to.

SQL injection is fixed by using mysql_real_escape_string. When you use that and use it right, there is no need to be afraid of SQL injection. There is no need to prepend random characters to table names. This will make your programming harder while not providing real additional safety. You could also use mysqli and parameterized queries, which don't have this problem at all. mysqli takes care of the escaping for you. Theoretically, parameterized queries could even run faster, because the queries can be more efficiently cached. In practice, however, this is not the case. It is only since MySQL 5.2 that these queries are cached at all, but still not as efficiently as could be. That is however nothing to worry about right now. Any solution will probably perform well enough for you right now.

One thing you shouldn't do -ever- is allowing PHP code in user generated content. If you allow users to type PHP, you will allow them to break your application and possibly modify your database. Also, when a hacker manages to impersonate a user/content editor, he gets a complete toolbox for free when you allow the content to contain PHP.

To prevent sessions from being hijacked, I think it is best to use SSL. If you don't want to serve all your pages via SSL, you could choose to save a session in cookies, but demand a relogin (using SSL) whenever important changes are done.
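An added example (not code from the answer above) of the mysqli parameterized queries the answer recommends, including the unquoted-numeric case that escaping alone does not cover, and a password check for the relogin step. The table layout, connection details and function names are placeholders of my own.

```php
<?php
// Added example (not from the original answer): the mysqli parameterized queries
// the answer recommends.  The users(id INT, login VARCHAR, pw_hash VARCHAR) table
// and the connection details are placeholders.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // exceptions instead of false
$db = new mysqli('localhost', 'app_user', 'APP_PASSWORD_PLACEHOLDER', 'app_db');
$db->set_charset('utf8mb4'); // escaping and binding are charset-aware; set it explicitly

// The SQL text reaches the server before the values do, so the input can never
// change the statement, whatever characters it contains.
function find_user_by_login(mysqli $db, string $login): ?array
{
    $stmt = $db->prepare('SELECT id, login, pw_hash FROM users WHERE login = ?');
    $stmt->bind_param('s', $login);                // 's' = string
    $stmt->execute();
    $stmt->bind_result($id, $name, $hash);
    $row = $stmt->fetch() ? ['id' => $id, 'login' => $name, 'pw_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

// Binding also covers the case escaping does not: an unquoted numeric column,
// where mysql_real_escape_string() has no quote to escape and "use it right"
// would mean casting to int by hand.
function find_user_by_id(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, login, pw_hash FROM users WHERE id = ?');
    $stmt->bind_param('i', $id);                   // 'i' = integer
    $stmt->execute();
    $stmt->bind_result($uid, $name, $hash);
    $row = $stmt->fetch() ? ['id' => $uid, 'login' => $name, 'pw_hash' => $hash] : null;
    $stmt->close();
    return $row;
}

// The relogin the answer wants before important changes: compare the submitted
// password with the stored hash (password_hash() output), never with a plaintext column.
function relogin_ok(mysqli $db, string $login, string $password): bool
{
    $user = find_user_by_login($db, $login);
    return $user !== null && password_verify($password, $user['pw_hash']);
}
```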
