Gonzalez

Securing data in PHP


It’s very important to secure your data in PHP correctly, because if you don’t, your website is at risk of being harmed by SQL injection and other dangerous code injections, which you obviously don’t want. This tutorial was written to help you protect your website against these attacks ;)

This tutorial will explain the reasons to secure data in PHP and the best ways to easily accomplish this.

Securing data before database interaction

The first ‘type’ of data you should secure is the data you use to interact with the database. Of course you could just use the user-supplied data in a query against your database table right away, but let’s have a look at what could happen if you do so:

Insecure MySQL select query (BAD):

$user_input1 = "username_example"; //example of valid user input
$user_input2 = " ' OR username = 'username_example"; //BAD user input
$sql = "SELECT id FROM accounts WHERE username = '$user_input1' AND password = '$user_input2' ";

This is an example of an insecure SQL query which could, for example, be used in a login system to check whether the user-supplied username and password are valid. However, because it is insecure, a user could just fill in a password like ' OR username = 'username_example. You can see what happens then from the following:

 $sql = "SELECT id FROM accounts WHERE username = '$user_input1' AND password = '$user_input2' ";  

becomes =>

 $sql = "SELECT id FROM accounts WHERE username = 'username_example' AND password = '' OR username = 'username_example' ";  

Now, say ‘username_example’ is a valid username of an account the user knows and wants to log in to without having to supply the password (hack it). He just filled in his bad code to make the query still return true, because it now checks whether the username and password are correct OR only the username is correct, which obviously is the case. So the user has now successfully logged in to the victim’s account. Of course you don’t want this to happen to your website’s members! So be smart, and secure your data in PHP.

However, this was just one example: an insecure login query. The same thing can happen to any other SQL query that uses user-supplied data straight away without securing it first.

In the above example the coder made at least 2 major security faults:

* Coder used the user-supplied data straight away in a SQL query

* Coder put the user-supplied data in the query between single quotes

The first fault was explained above. But besides that, it was also very wrong to put the user input data between single quotes, which, as you could see in the above example of bad user input, made the user able to easily bypass these quotes and add another part to the query themselves. So the first thing we should do to make this query secure is put it between '". and ."':

So, as a general example:

$better_query = "SELECT field FROM table WHERE field = '".$_POST['userinput_fieldname']."' ";  

But this still isn’t enough. Although it’s already a lot harder now for the user to inject code into the query, it can still be done. To prevent this totally, we can use the security function provided by PHP: mysql_real_escape_string. This function will escape all dangerous content in the user-supplied data, so it can’t do any harm to your SQL query, database and/or website anymore.

Secure and proper select query example (GOOD):

 $better_query = "SELECT field FROM table WHERE field = '".mysql_real_escape_string($_POST['userinput_fieldname'])."' ";  

All right, so now at least our query is secured and safe. The same can be done when INSERTING data into the database; however, there’s still one thing that could possibly happen: an error can occur when users use symbols such as ' and " (quotes) in an inappropriate way.

To fix this, we can make PHP add slashes before these symbols to escape them. This will make these quotes, for example, be treated as plain text. A function that does this for us is: addslashes.

Secure and proper insert query example (GOOD):

$secure_and_proper_query = "INSERT INTO table(field) VALUES('".addslashes(mysql_real_escape_string($_POST['userinput_fieldname']))."')";

When doing this you might want to use stripslashes again when retrieving the data, if it happens to show the slashes in the output.
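
The login query from the start of this section, run against a constructed in-memory SQLite table, next to the same query written with bound parameters. This is an added example, not code from the original post: it uses PDO because the mysql_* functions shown above were removed in PHP 7.0, it assumes the pdo_sqlite extension is loaded, and the function names login_concatenated and login_prepared are hypothetical.

```php
<?php
// Constructed sample data: an in-memory table shaped like the page's `accounts` table.
// The plaintext password column only mirrors the page's query; real systems store
// password_hash() output and check it with password_verify().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO accounts (username, password)
            VALUES ('username_example', 'constructed-sample-password')");

// The page's BAD pattern: user input is pasted into the SQL text, so quotes
// inside the input are parsed as SQL syntax and can change the WHERE clause.
function login_concatenated(PDO $pdo, string $user, string $pass): ?int
{
    $sql = "SELECT id FROM accounts WHERE username = '$user' AND password = '$pass'";
    $id = $pdo->query($sql)->fetchColumn();
    return $id === false ? null : (int) $id;
}

// Hardened form: the SQL text is fixed and the input is bound to placeholders,
// so it is only ever compared as a value, whatever characters it contains.
function login_prepared(PDO $pdo, string $user, string $pass): ?int
{
    $stmt = $pdo->prepare("SELECT id FROM accounts WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    $id = $stmt->fetchColumn();
    return $id === false ? null : (int) $id;
}

// The two inputs from the page's example.
$user_input1 = "username_example";
$user_input2 = " ' OR username = 'username_example";

// Returns the account id when the query matched a row, null otherwise.
var_dump(login_concatenated($pdo, $user_input1, $user_input2));
var_dump(login_prepared($pdo, $user_input1, $user_input2));
var_dump(login_prepared($pdo, $user_input1, 'constructed-sample-password'));
```

With bound parameters no escaping function is needed on the way in, so quotes in legitimate input are stored unchanged and nothing has to be stripped when reading the data back.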

Securing data before database output

It’s also not always safe to output user input data from the database straight away, especially when you haven’t secured the user input data. If you DO secure the user input data going into the database as done above, you should be safe, but to be 100% sure the database fields don’t contain any code that will be executed, a function such as htmlspecialchars can be used. This function escapes all possibly harmful tags/symbols in the data. For example, < will become &lt;, which will only be converted once by the browser into the text symbol < and won’t be executed as code (such as <b>, which normally would make text bold).

Secure Output Example:

//example of bad user input from database or input field  
$bad_userinput = "make whole page from here bold! <b> and mess up layout </table> or <table>";

echo htmlspecialchars($bad_userinput); //hah I won't!

And fixed: your webpage has been prevented from being totally messed up by the user input.

Hope you learnt something, and don’t forget: always secure user-supplied data in PHP before using it ;-)!
