

Adding bits of extra security to PHP script




Posted by P-nut, 09-03-2007, 03:37 PM
I am putting the finishing touches on a PHP script I've been working on for over a year, streamlining and tightening the code as much as I can. A couple of things that I would like to do but have not quite figured out are:
1. Protect as much as possible against cross site scripting injection.
2. Ensure that the script can only send emails from areas that are allowed to send (perhaps by performing some type of check?). Not quite sure what a decently secure way to do this would be.
I don't expect anyone to walk me through step by step (although I wouldn't complain if you wanted to), but if you give some pointers, perhaps point me to a couple of good sites that discuss the above, I would be most appreciative.

Posted by Renard Fin, 09-03-2007, 03:50 PM
A few guides and hints:
http://phpsec.org/projects/guide/
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
http://www.sitepoint.com/article/php-security-blunders
Oh, and my few tips for php.ini:
display_error = off
track_errors = on (you can track the errors in a script with the $phperror variable, I think)
log_errors = on

Posted by Bangalore Job Mob, 09-03-2007, 05:27 PM
hxxp://shiflett.org/articles/foiling-cross-site-attacks

Posted by Jatinder, 09-04-2007, 07:14 AM
For development machine:
display_errors = On
error_reporting = E_ALL
For production machine/server:
display_errors = Off
Shouldn't you be worrying about "whom" you are sending the emails to rather than from where you are sending the email?

Posted by P-nut, 09-04-2007, 09:39 AM
Of course, but I already have that part figured out. I just want to make sure that only that certain page/site is the one sending it. It's not hard to set up an external form to point to someone's script to send emails with. I'm trying to protect against that.

Posted by EfreeZe, 09-04-2007, 09:56 AM
For XSS, use htmlentities, htmlspecialchars, or strip_tags depending on what you want to do, or just remove script tags. As for the mail issue, surely you have some authentication in place so just not anyone can send mail? Then you surely have validation on that form?

Posted by P-nut, 09-04-2007, 11:52 AM
Yes and yes. I'm just looking for a way to further ensure that only the domain that's supposed to be using the form, is.

Posted by ThatScriptGuy, 09-04-2007, 01:33 PM
Why don't you just make sure that the form that was submitted resides on the domain that the script is installed on? That's what I usually do, and I always thought it was a good way to do it...

Posted by EfreeZe, 09-04-2007, 02:24 PM
You could set a session on the page with the form, then check it on the processing page. That's about the only way I can think to ensure the form is used where it is supposed to be used, and isn't copied to an external location or that post data isn't just posted. But, if the user is authenticated and validation is done, I don't see much of a problem.

Posted by Jatinder, 09-04-2007, 02:28 PM
You have two options:
1. You can check the HTTP_REFERER and process the form data only if it matches your domain.
2. You can store a random variable in the session and also pass this variable as a hidden input field. Then on the form processing page you can compare the value of this hidden input field with that stored in the session.

Posted by EfreeZe, 09-04-2007, 02:39 PM
However, the HTTP referer can be faked, so I would not suggest that method.
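The session-token approach from Jatinder's option 2, together with the output escaping mentioned for the XSS question, as an added example written for this page (not code from any poster). It assumes PHP 7 or later (for random_bytes and hash_equals) and a working session; the function names are the example's own.

```php
<?php
// Added example: tie a form submission to the session that rendered the form
// (option 2 above) and escape untrusted output. Function names are hypothetical.
declare(strict_types=1);
session_start();

// Issue a fresh random token for the form page and remember it server-side.
function issue_form_token(): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_token'] = $token;
    return $token;
}

// Compare the posted token with the stored one. hash_equals() avoids timing
// leaks; the stored token is consumed so a captured value cannot be replayed.
function verify_form_token(?string $posted): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    unset($_SESSION['form_token']);
    if ($expected === null || $posted === null) {
        return false;
    }
    return hash_equals($expected, $posted);
}

// Escape untrusted values before echoing them into HTML (the XSS point above).
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // HTTP_REFERER is client-controlled (often blank, easily forged), so the
    // decision rests on the session token alone.
    if (!verify_form_token($_POST['form_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Validate the fields and call mail() here, only on a verified submission.
    echo 'Message from ' . h($_POST['name'] ?? '') . ' accepted.';
    exit;
}

$token = issue_form_token();
?>
<form method="post" action="">
  <input type="hidden" name="form_token" value="<?= h($token) ?>">
  <input type="text" name="name">
  <button type="submit">Send</button>
</form>
```

A copy of the form hosted elsewhere, or a direct POST, has no valid token in the session, so the processing page refuses it without consulting the referer.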


