Make web application secure
I want to make a new PHP web application. If I follow these things, is my site then safe?
- Escape user input ($_GET && $_POST) with addslashes
- Make prepared statements with PDO
- Check user input for the right type (e.g. int or string)
Security is not something that can be bolted on - it's a constant process of improvement.
- Using addslashes will not help you - you need to be escaping the output with htmlentities.
- Using prepared statements with PDO is good.
- Checking the user input for type is not enough - you need to check it way better. If you expect an email address, check for it; don't assume that if you've got a string it's fine.
There are many more things to consider for security like XSS, CSRF...
If you can, get the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. It's full of useful advice.
And, I'll say it again - security is not a feature - it's a measurement. There is no 100% secure application (or anything, actually). The assumption of security is to make breaking it more expensive than what's behind it - if your site is dealing with money, you need more security; if you are dealing with gift cards, you might get away even without doing the things you suggested (which would be a very bad idea, but still).
Unfortunately there is a lot that can go wrong with web application security. I recommend reading the OWASP Top 10. Also, make sure to read #5 XSRF.
"Escaping" input doesn't say very much. Data can be used in many different insecure ways. For instance, the best way to prevent XSS for PHP is:
htmlspecialchars($_GET['var'],ENT_QUOTES);
A good way to prevent SQL injection for MySQL is:
mysql_query("select * from mysql.user where id='".mysql_real_escape_string($id)."'");
Make sure you put the quote marks around all variables, or the query will be vulnerable to SQL injection. But a more bulletproof approach is using parameterized queries (adodb, PDO...). But XSS and SQL injection are only the tip of the iceberg; a whole lot more can go wrong with PHP. I recommend reading the FREE paper A Study in Scarlet for specifically PHP security pitfalls.
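The points from the first answer (prepared statements with PDO, validating input rather than just type-checking it, encoding output with htmlspecialchars) and the third answer's warning about quoting escaped values, as one added worked example that is not part of the original question or any of the answers. It assumes PHP 7.1 or later with the pdo_sqlite extension and builds an in-memory SQLite table from constructed rows so it runs offline; the same PDO calls work against MySQL. PDO::quote() stands in for the mysql_real_escape_string() call in the third answer, since the mysql_* functions were removed in PHP 7. The function names lookupEscapedUnquoted, lookupEscapedQuoted, lookupPrepared, validateEmail and renderName are my own.

```php
<?php
// Added example, not code from the question or answers. Assumes PHP >= 7.1 with pdo_sqlite.

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, name TEXT NOT NULL)');
$db->exec("INSERT INTO users (id, email, name) VALUES (1, 'alice@example.com', 'Alice'), (2, 'bob@example.com', 'Bob <admin>')");

// Deliberately vulnerable: the value is escaped but not quoted. Escaping only neutralises
// quote characters, and the payload "1 OR 1=1" contains none, so it is spliced into the
// SQL as-is and the WHERE clause becomes "id=1 OR 1=1".
function lookupEscapedUnquoted(PDO $db, string $id): array {
    $escaped = substr($db->quote($id), 1, -1);   // PDO::quote() adds quotes; strip them to mimic the unquoted pattern
    return $db->query('SELECT id, name FROM users WHERE id=' . $escaped)->fetchAll(PDO::FETCH_ASSOC);
}

// Escaped AND quoted, as the third answer insists: the payload is now a single string
// literal compared against the integer column, so it matches no row.
function lookupEscapedQuoted(PDO $db, string $id): array {
    return $db->query('SELECT id, name FROM users WHERE id=' . $db->quote($id))->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value travels separately from the SQL text, so there is no
// splicing step to get wrong and no quoting rule to remember.
function lookupPrepared(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validate rather than escape: an email is either well-formed or rejected outright.
function validateEmail(string $input): ?string {
    $email = filter_var($input, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Output encoding at the point of use. ENT_QUOTES also encodes single quotes, which
// matters when the value lands inside an attribute.
function renderName(string $name): string {
    $safe = htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
    return '<span title="' . $safe . '">' . $safe . '</span>';
}

// Run the three lookups with the same injection payload and compare row counts.
$attack = '1 OR 1=1';
foreach (['escaped, no quotes' => 'lookupEscapedUnquoted',
          'escaped and quoted' => 'lookupEscapedQuoted',
          'prepared statement' => 'lookupPrepared'] as $label => $fn) {
    printf("%-20s id=%s -> %d row(s)\n", $label, $attack, count($fn($db, $attack)));
}
printf("%-20s id=2 -> %d row(s)\n", 'prepared, legit id', count(lookupPrepared($db, '2')));

// Validation: a clean address passes, a string carrying SQL syntax is simply rejected.
var_dump(validateEmail('alice@example.com'));
var_dump(validateEmail("alice@example.com'; DROP TABLE users;--"));

// Encoding: the stored name is untrusted data when rendered into HTML.
echo renderName($db->query('SELECT name FROM users WHERE id = 2')->fetchColumn()), "\n";
```

Running it shows the unquoted variant returning every row, while the quoted and prepared variants return none for the payload and exactly one row for a legitimate id. Against MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES to false so that PDO sends real server-side prepared statements instead of escaping and splicing values client-side.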