November 17

Tricks for PHP security loop holes

php_security

Validate User Input…

All sorts of havoc are possible if a user passes unexpected content to a PHP script. To avoid that possibility, you must validate user input. 

Validate Client Side:
You can and should validate with JavaScript in any form that asks for user input. The advantage of JavaScript validation is that it rejects improper content without touching your server. However, it provides no protection against intentional misuse, since a user can simply disable JavaScript or submit the request directly.

Validate Server Side:
Even if you have strong client-side validation, you must also validate on the server before performing any action with user-provided input. If you ask for one type of information but receive another, a malicious user could hack your database or gain access to critical system files.
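As an added example (not code from the original post), here is what server-side validation looks like in PHP: each field is checked against the type and range it must have, and only the cleaned values reach the database, through a prepared statement rather than string concatenation. The field names (`id`, `email`, `sort`), the `users` table and the `findUser()` helper are assumptions for illustration.

```php
<?php
// Added example, not from the original post: server-side validation of form
// input in PHP, independent of whatever the client-side JavaScript checked.
// Field names, the users table and findUser() are assumptions for illustration.

declare(strict_types=1);

/**
 * Validate raw request fields against the type and range each one must have.
 * Returns the clean values, or throws on the first bad field, so a request
 * with unexpected content never reaches the query below.
 */
function validateRequest(array $input): array
{
    // Integer id: a positive whole number, nothing else accepted.
    $id = filter_var($input['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }

    // Email: syntactic check plus a length cap matching the column size.
    $email = filter_var(trim((string) ($input['email'] ?? '')), FILTER_VALIDATE_EMAIL);
    if ($email === false || strlen($email) > 254) {
        throw new InvalidArgumentException('email is not valid');
    }

    // Sort column: allow-list, because identifiers cannot be bound as parameters.
    $sort = $input['sort'] ?? 'created_at';
    if (!in_array($sort, ['created_at', 'email'], true)) {
        throw new InvalidArgumentException('sort column not permitted');
    }

    return ['id' => $id, 'email' => $email, 'sort' => $sort];
}

/**
 * Use the validated values with a prepared statement: data goes in as bound
 * parameters, so quotes or other characters in $email cannot change the
 * structure of the statement. Only the allow-listed sort column is interpolated.
 */
function findUser(PDO $db, array $clean): ?array
{
    $sql  = "SELECT id, email FROM users WHERE id = :id AND email = :email ORDER BY {$clean['sort']}";
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':id', $clean['id'], PDO::PARAM_INT);
    $stmt->bindValue(':email', $clean['email'], PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed request data: the first passes, the second is rejected before
// any SQL is built.
try {
    $clean = validateRequest(['id' => '42', 'email' => 'alice@example.com', 'sort' => 'email']);
    print_r($clean);
    validateRequest(['id' => '42abc', 'email' => 'not-an-email', 'sort' => 'password']);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The point of the allow-list for `sort` is that a column name cannot be passed as a bound parameter, so anything that ends up in the SQL text itself must be compared against a fixed set of known-good values rather than merely escaped.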

Use Magic Quotes?

Magic Quotes, a somewhat unique feature of PHP, is automatically on in most configurations. You can find out very simply whether it is on in your server's PHP installation (along with a whole lot of other helpful information) by running phpinfo. If you need a copy of that script, you can get it here. Look for `--enable-magic-quotes` under the Configure Command section. If you are only going to run scripts on your own server and you are sure that it is on, then you have one big hurdle taken care of. However, if you may run the script elsewhere, or someone else runs your server configuration, you should add code to escape any special characters passed to you by a user.
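The following added example (not the post's own code) shows how to make input handling independent of the magic quotes setting: strip the backslashes PHP added when the feature is on, then let the database driver escape the value exactly once at the point of use. Two facts worth knowing when reading it: magic quotes were removed in PHP 5.4, and `get_magic_quotes_gpc()` was removed in PHP 8.0, which is why the call is guarded. The example assumes the `pdo_sqlite` extension so that it runs without a database server; the `people` table and the `storeName()` helper are assumptions for illustration.

```php
<?php
// Added example, not from the original post: treat user input the same way
// whether or not magic_quotes_gpc is on, then escape through the driver.
// Magic quotes were removed in PHP 5.4 and get_magic_quotes_gpc() in PHP 8.0,
// hence the function_exists() guard. Uses pdo_sqlite in memory (assumed to be
// installed) so it runs offline.

/**
 * Return the field as the user typed it. With magic quotes on, PHP has already
 * inserted backslashes; strip them so that escaping happens exactly once, at
 * the point of use, instead of being doubled or skipped depending on config.
 */
function rawInput(array $source, string $key): string
{
    $value = $source[$key] ?? '';
    if (!is_string($value)) {   // only scalar text fields are expected here
        return '';
    }
    $magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    return $magicOn ? stripslashes($value) : $value;
}

/** Store a name using the driver's own quoting, never hand-written backslashes. */
function storeName(PDO $db, string $name): void
{
    // PDO::quote() builds a correctly escaped literal for this driver
    // (single quotes doubled for SQLite, backslash-escaped for MySQL).
    $db->exec('INSERT INTO people (name) VALUES (' . $db->quote($name) . ')');
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE people (name TEXT)');

// Constructed request data for the typed value O'Brien. On a server with magic
// quotes on, $_POST would already contain the backslashed form, so mimic that.
$typed = "O'Brien";
$magicOn = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
$post = ['name' => $magicOn ? addslashes($typed) : $typed];

storeName($db, rawInput($post, 'name'));

// Round trip: the stored value equals what was typed, with no stray backslash,
// which is the classic symptom of escaping twice.
$stored = $db->query('SELECT name FROM people')->fetchColumn();
echo "typed:  $typed\nstored: $stored\n";
echo $stored === $typed ? "OK: escaped exactly once\n" : "BUG: double escaping\n";
```

Normalising first and escaping last is what makes the script portable: the same code behaves identically on a server where magic quotes is on, off, or no longer exists.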


Use Sessions more than Cookies

Sessions store the information server side and are much more difficult to hack, spoof or crack than cookies, which are stored client side and can be edited by the user.
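As an added example (not from the original post), the block below keeps login state in a PHP session rather than in a cookie the browser could rewrite: the only thing the client holds is an opaque session id, with cookie flags that limit what a script or a network observer can do with it. The `checkCredentials()` stub, the `role` field and the demo account are assumptions for illustration; the array form of `session_set_cookie_params()` with `samesite` needs PHP 7.3 or later.

```php
<?php
// Added example, not from the original post: keep login state server side in
// a PHP session instead of trusting a client-side cookie. checkCredentials(),
// the 'role' field and the demo account are assumptions for illustration.

// What not to do: the browser can edit a plain cookie to whatever it likes.
//   setcookie('role', 'admin');
//   if ($_COOKIE['role'] === 'admin') { /* trusted, but attacker controlled */ }

/** Start a session whose id cookie cannot be read by scripts or sent over HTTP. */
function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,     // HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server did not issue
    session_start();
}

/** Authenticate and record the result on the server, never on the client. */
function logIn(string $user, string $password): bool
{
    if (!checkCredentials($user, $password)) {
        return false;
    }
    session_regenerate_id(true);   // fresh id on privilege change: blocks session fixation
    $_SESSION['user']       = $user;
    $_SESSION['role']       = 'member';   // decided by the server, not read from $_COOKIE
    $_SESSION['login_time'] = time();
    return true;
}

/** Authorisation decisions read server-side storage only. */
function currentRole(): ?string
{
    return $_SESSION['role'] ?? null;
}

/** Clear server state and expire the id cookie so the old id cannot be reused. */
function logOut(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

/** Assumed credential check against a constructed demo account; replace with your user store. */
function checkCredentials(string $user, string $password): bool
{
    $demoHash = password_hash('correct horse', PASSWORD_DEFAULT);
    return $user === 'alice' && password_verify($password, $demoHash);
}

startSecureSession();
if (logIn('alice', 'correct horse')) {
    echo 'role from server-side session: ', currentRole(), PHP_EOL;
}
```

The id cookie is still a secret the client holds, so the flags and the regeneration on login matter: `httponly` keeps it away from injected scripts, `secure` keeps it off plain HTTP, and `session_regenerate_id(true)` means an id a user was handed before authenticating is worthless afterwards.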