What security considerations need to be made for a PHP CMS?

Building a CMS is simple, you just save your content in a database and provide a way to edit that content through the webpage itself. Right?

So what sort of security considerations do I need to make, considering the following?

  1. Content can only be modified by a logged in user.
  2. A user with login details will be trusted not to insert bad data.
  3. HTML tags are not allowed in user input and are removed before input is used.
  4. Instead of using HTML, a stand-in codeset will be used. E.g. [b]text is bold[/b]


HTML tags should be stripped or replaced with HTML entities before printing to output, not necessarily before being put into a database. Many programs will save editable data and preformatted data to improve performance. For instance, if someone puts (I know, I know) BBCodes into a form, you would want to save one version as the user entered it, and one version that has the BBCode parsed and the HTML cleansed. Cleaning HTML out of the content is only done to prevent users from putting malicious JavaScript into your page, allowing them to access information or modify the system without credentials. See XSS or cross-site scripting.

Data from the user should never be trusted and should be validated and filtered to the furthest degree. This means escaping everything before putting it into your database. This can be done using functions like mysql_real_escape_string() for MySQL, or prepared statements with PDO. See SQL injection attacks.

A tricky one is making sure that a request is coming from the intended logged-in user. For instance, if you are logged into your bank's website, and I send you an email with an image tag in it, <img src="www.yourbank.com?func=transfer&account=1234&amount=10000" />, will this cause you to transfer your money to me? Don't allow any requests that modify system data from GETs for starters, but this could come through POSTs if JavaScript or viruses are involved. People also often save a form instance ID with each form they send to a logged-in user in the session, as well as in the form itself. They would then check incoming requests against that list of form instances, ignoring ones that it did not send out itself. See CSRF or XSRF.

Make sure your sessions are stored in a safe location. Validate sessions with, at the very least, the browser that sent the request, meaning store the browser that sent the login request, and check it each time the user submits another request to verify that it is the same browser. Some also incorporate parts of the IP address into this session validation.

Scrub all file uploads. If someone were to upload a file named some.jpg.php which is a valid JPG but has PHP code inside the JPG's meta notes, the uploader could feasibly take over your server. Be sure at the very least to use your own file extensions for uploaded files. Some would even suggest storing all uploaded files in a private location, and then setting up a file server script to serve those files using PHP. Some would even suggest scanning uploaded files for viruses. Checking the MIME type is of no protection.

Make sure that your PHP and server settings are set up with best practices in mind.

I'm sure there is more, as you can never be too careful, but this is a good start.
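As an added example (not code from the answer above), this is a minimal page-edit handler that applies that answer's points in PHP: a per-form instance ID kept in the session (CSRF), no data changes on GET, escaping at output time rather than on storage, and a PDO prepared statement. It assumes an open PDO connection in $pdo, a login that stored the user id in $_SESSION['user_id'], and a pages table with id and body columns; all three are assumptions.

```php
<?php
// Added example, not code from the answers above. Assumes $pdo is an open PDO
// connection, login stored the user id in $_SESSION['user_id'], and a table
// `pages` with `id` and `body` columns exists (all assumptions).
declare(strict_types=1);
session_start();

// Per-form instance id (CSRF token): unguessable, remembered in the session.
function issue_form_token(): string {
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$token] = time();
    return $token;
}

// A token is accepted only if this application issued it, and only once.
function consume_form_token(?string $token): bool {
    if ($token === null || !isset($_SESSION['form_tokens'][$token])) {
        return false;
    }
    unset($_SESSION['form_tokens'][$token]);
    return true;
}

// Escape at output time; the stored text stays exactly as the user typed it.
function e(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$id   = (int)($_POST['id'] ?? $_GET['id'] ?? 0);
$body = '';
// Data changes only on POST; a GET (e.g. an <img src=...> lure) can never save.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (empty($_SESSION['user_id'])) { http_response_code(403); exit('login required'); }
    if (!consume_form_token($_POST['form_token'] ?? null)) { http_response_code(403); exit('bad form token'); }
    $body = (string)($_POST['body'] ?? '');
    // Prepared statement: the value never becomes part of the SQL text.
    $stmt = $pdo->prepare('UPDATE pages SET body = :body WHERE id = :id');
    $stmt->execute([':body' => $body, ':id' => $id]);
}

// Render the form with a fresh token; escape everything that came from a user.
$token = issue_form_token();
echo '<form method="post">'
   . '<input type="hidden" name="form_token" value="' . e($token) . '">'
   . '<input type="hidden" name="id" value="' . $id . '">'
   . '<textarea name="body">' . e($body) . '</textarea><button>Save</button></form>';
```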


  1. Sure.
  2. A user must never be trusted. Logged in or not.
  3. No need to remove HTML tags, just encode the user input data into HTML entities so it does not mangle the actual HTML. Data from the user must never be trusted.
  4. You could use markdown. Data from the user must never be trusted.

Did I mention not to trust users?


In conjunction with SpiceMan,

Do also check your user-based inputs, user being anyone or bot. And by check I mean run through and make sure there's no injectable code being submitted trying to fool your security. Also make sure the inputs are always within the limits of what you want them to be. Example: you want a zipcode input, double check before doing anything else to see if the value submitted is actually numeric. Do not rely on JavaScript to handle your validation. If you do, do the same stuff with your PHP on the backend. A web form is not the only means of posting your form to the DB. If it's there and someone wants to, they will find a way to do it. The only thing you can truly ever do is make it as difficult for them to get in, in hopes they will detour.
