
Make web application secure

I want to make a new PHP web application. If I follow the following things, is my site then safe?

  • Escape user input ($_GET && $_POST) with addslashes
  • Make prepared statements with PDO
  • Check user input for the right type (e.g. int or string)


Security is not something that can be bolted on - it's a constant process of improvement.

  • Using addslashes will not help you - you need to be escaping the output with htmlentities.
  • Using prepared statement with PDO is good.
  • Checking the user input for type is not enough - you need to check it way better. If you expect an email address, check for it; don't assume that if you've got a string it's fine.

There are many more things to consider for security like XSS, CSRF...

If you can, get the book The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws. It's full of useful advice.

And, I'll say it again - security is not a feature - it's a measurement. There is no 100% secure application (or anything, actually). The assumption of security is to make breaking it more expensive than what's behind it - if your site is dealing with money, you need more security - if you are dealing with gift cards, you might get away even without doing the things you suggested (which would be a very bad idea, but still).


Unfortunately there is a lot that can go wrong with web application security. I recommend reading the OWASP Top 10. Also, make sure to read #5 XSRF.

"Escaping" input doesn't say very much. Data can be used in many different insecure ways. For instance, the best way to prevent XSS for PHP is:

// Escape at output time so a query-string value cannot inject HTML or break out of an attribute
htmlspecialchars($_GET['var'], ENT_QUOTES);

A good way to prevent SQL injection for MySQL is:

// Every variable is escaped AND wrapped in quotes inside the SQL string
mysql_query("select * from mysql.user where id='".mysql_real_escape_string($id)."'");

Make sure you put the quote marks around all variables, or the query will be vulnerable to SQL injection. But a more bulletproof approach is using parameterized queries (adodb, pdo...). But XSS and SQL injection are only the tip of the iceberg; a whole lot more can go wrong with PHP. I recommend reading the FREE paper A Study in Scarlet for specifically PHP security pitfalls.

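Both answers above make the same three points: validate input by type rather than "escaping" it on arrival, use a PDO prepared statement instead of building the SQL string, and escape with htmlspecialchars at the moment the value is rendered into HTML. The following is an added example putting those three together; it is not code from either answer. It assumes an in-memory SQLite database with a constructed users table so it runs offline.

```php
<?php
// Added example: type validation + PDO prepared statement + output escaping.
// Assumption: SQLite in-memory DB and the "users" table are constructed here for the demo.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // let the driver bind, not PHP
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (id, email) VALUES (1, 'alice@example.com')");

// Validate: accept only a positive integer; anything else is rejected, not "escaped".
function userIdFromRequest(array $get): ?int
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Query: the value is bound as a typed parameter and never concatenated into the SQL.
function findEmailById(PDO $pdo, int $id): ?string
{
    $stmt = $pdo->prepare('SELECT email FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $email = $stmt->fetchColumn();
    return $email === false ? null : (string) $email;
}

// Output: escape where the value meets HTML, covering quotes as well as angle brackets.
function render(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed requests: one valid id, then two values that are not a valid integer at all.
$requests = [
    ['id' => '1'],
    ['id' => '1 OR 1=1'],
    ['id' => '<b>"x"</b>'],
];
foreach ($requests as $get) {
    $id = userIdFromRequest($get);
    if ($id === null) {
        // The rejected raw value is still escaped before being echoed back into a page.
        echo 'Rejected: ' . render($get['id']) . "\n";
        continue;
    }
    echo 'Found: ' . render(findEmailById($pdo, $id) ?? 'none') . "\n";
}
```

Note that validation and output escaping are separate steps: the integer check decides whether the request is acceptable, while htmlspecialchars protects the page whatever the value turns out to be.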
