Adding bits of extra security to PHP script
Posted by P-nut, 09-03-2007, 03:37 PM |
I am putting the finishing touches on a PHP script I've been working on for over a year, streamlining and tightening the code as much as I can.
A couple of things that I would like to do but have not quite figured out are:
1. Protect as much as possible for cross site scripting injection
2. Ensure that the script can only send emails from areas that are allowed to send (perhaps by performing some type of check?). Not quite sure what a decently secure way to do this would be.
I don't expect anyone to walk me through step by step (although I wouldn't complain if you wanted to), but if you give some pointers, perhaps point me to a couple of good sites that discuss the above, I would be most appreciative.
|
Posted by Renard Fin, 09-03-2007, 03:50 PM |
A few guides and hints:
http://phpsec.org/projects/guide/
http://www.devshed.com/c/a/PHP/PHP-Security-Mistakes/
http://www.sitepoint.com/article/php-security-blunders
Oh, and my few tips:
php.ini
display_error = off
track_errors = on (you can track the errors in a script with the $phperror variable, I think)
log_errors = on
|
Posted by Bangalore Job Mob, 09-03-2007, 05:27 PM |
hxxp://shiflett.org/articles/foiling-cross-site-attacks
|
Posted by Jatinder, 09-04-2007, 07:14 AM |
For development machine:
display_errors = On
error_reporting = E_ALL
For production machine/server:
display_errors = Off
Shouldn't you be worrying about to "whom" you are sending the emails rather than from where you are sending the email?
|
Posted by P-nut, 09-04-2007, 09:39 AM |
Of course, but I already have that part figured out. I just want to make sure that only that certain page/site is the one sending it. It's not hard to set up an external form to point to someone's script to send emails with. I'm trying to protect against that.
|
Posted by EfreeZe, 09-04-2007, 09:56 AM |
For XSS, use htmlentities, htmlspecialchars, or strip_tags depending on what you want to do, or just remove script tags.
As for the mail issue, surely you have some authentication in place so just not anyone can send mail? Then you surely have validation on that form?
|
Posted by P-nut, 09-04-2007, 11:52 AM |
Yes and yes. I'm just looking for a way to further ensure that only the domain that's supposed to be using the form, is.
|
Posted by ThatScriptGuy, 09-04-2007, 01:33 PM |
Why don't you just make sure that the form that was submitted resides on the domain that the script is installed on?
That's what I usually do, and I always thought it was a good way to do it...
|
Posted by EfreeZe, 09-04-2007, 02:24 PM |
You could set a session on the page with the form, then check it on the processing page. That's about the only way I can think to ensure the form is used where it is supposed to be used, and isn't copied to an external location or that post data isn't just posted.
But, if the user is authenticated and validation is done, I don't see much of a problem.
|
Posted by Jatinder, 09-04-2007, 02:28 PM |
You have two options:
1. You can check the HTTP_REFERER and process the form data only if it matches your domain.
2. You can store a random variable in the session and also pass this variable as a hidden input field. Then on the form processing page you can compare the value of this hidden input field with that stored in the session.
|
Posted by EfreeZe, 09-04-2007, 02:39 PM |
However, the HTTP referer can be faked, so I would not suggest that method.
|
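The session-token approach that EfreeZe and Jatinder (option 2) describe, written out as an added example that is not code from the thread. It assumes a single PHP file that both renders the form and processes the POST; the function names csrf_token and csrf_verify are my own choice. Unlike the HTTP_REFERER check, the token cannot be supplied by a page hosted elsewhere, because the value in the hidden field has to match the one stored in the visitor's server-side session.

```php
<?php
// Added example: tie a form submission to the session that rendered it.
// Function names (csrf_token, csrf_verify) are assumptions, not a library API.

session_start();

// Return the session's token, generating one if none exists yet.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        // random_bytes() is cryptographically secure; bin2hex keeps it form-safe.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted hidden field with the session copy.
// hash_equals() compares in constant time; is_string() rejects arrays
// such as csrf_token[]=... which PHP would otherwise pass through.
function csrf_verify($submitted): bool {
    if (empty($_SESSION['csrf_token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Processing page: refuse the mail request unless the token matches.
    if (!csrf_verify($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Form token missing or invalid.');
    }
    // Rotate the token so a captured value cannot be replayed.
    unset($_SESSION['csrf_token']);

    // ... validate the fields and call mail() here ...
    echo 'Message accepted.';
    exit;
}

// Form page: embed the token as a hidden field. htmlspecialchars() escapes
// anything echoed into HTML, the same function EfreeZe mentions for XSS.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
?>
<form method="post" action="">
    <input type="hidden" name="csrf_token" value="<?= $token ?>">
    <label>Message <textarea name="message"></textarea></label>
    <button type="submit">Send</button>
</form>
```

If validation fails after the token has been consumed, re-render the form so csrf_token() issues a fresh value; otherwise the user's retry is rejected.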