Server security for licensed application
Caveat: I know next to nothing about server security, so assume nothing :)
We have a webapp written in PHP. A certain part of its functionality depends upon it contacting and interacting with our server.
Putting it simply, the application contacts our server using cURL and posts about 20 different fields to our page. The values of these fields come from text inputs and textareas, will definitely have HTML and some JavaScript in them, and currently we're doing no data cleaning, tag stripping, etc. to them at all. We're simply taking that data, parsing it a bit, and re-displaying it to the user in a slightly different format--basically echoing the same data in slightly-modified form right back to their screen.
The only database interaction that transpires is that one of the fields is their license key. That gets entered into a prepared MySQL statement to validate the user.
Am I correct in thinking that our only vulnerability is the license key, since it is the only point of db interaction, and that we should have that covered already with the prepared statement?
I'm assuming that there should be no security risks to our server in receiving the user's data, parsing it a bit and then echoing it back to them, since this involves no db interaction. If that is a bad assumption, please enlighten me as to why and what steps I should take to better secure our system.
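The echo-back flow the question describes, as an added example that is not code from the original post: a small endpoint reads the posted fields, "parses them a bit" (here just whitespace normalisation, a stand-in for the real logic) and renders them back. The field names are assumed. Rendering the raw values is a reflected XSS against whoever views the response; the same render with htmlspecialchars() is the fix.

```php
<?php
// Added example, not from the original question. Field names are hypothetical;
// the real application posts about 20 of them.
declare(strict_types=1);

const EXPECTED_FIELDS = ['title', 'body', 'notes'];

function parseFields(array $post): array
{
    $out = [];
    foreach (EXPECTED_FIELDS as $name) {
        $raw = (string)($post[$name] ?? '');
        // "Parse it a bit": collapse runs of whitespace, keep everything else as-is.
        $out[$name] = trim(preg_replace('/\s+/', ' ', $raw));
    }
    return $out;
}

// Escape for an HTML text or attribute context. ENT_QUOTES also escapes single
// quotes, so the value is safe inside attribute="..." and attribute='...'.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderUnsafe(array $fields): string
{
    // Vulnerable: a field containing <script>...</script> is executed by the
    // browser that receives this response.
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= "<p><b>$name:</b> $value</p>\n";
    }
    return $html;
}

function renderSafe(array $fields): string
{
    // Every user-controlled value goes through h() before it enters the markup.
    $html = '';
    foreach ($fields as $name => $value) {
        $html .= '<p><b>' . h($name) . ':</b> ' . h($value) . "</p>\n";
    }
    return $html;
}

// Constructed sample input standing in for $_POST.
$sample = [
    'title' => 'Quarterly   report',
    'body'  => '<b>bold</b> text and <script>alert(1)</script>',
    'notes' => "line one\nline two",
];

$fields = parseFields($sample);
// Declaring the charset matters too: a browser guessing the encoding can
// undo an otherwise correct escape.
header('Content-Type: text/html; charset=UTF-8');
// echo renderUnsafe($fields); // ships the <script> tag to the browser verbatim
echo renderSafe($fields);      // the tag arrives as &lt;script&gt; and is displayed, not run
```

The point is that the absence of a database does not make the echo harmless: the data is interpreted by the browser instead, so the escaping has to match the output context (HTML here; a JSON or plain-text response needs its own rules).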
Well, the biggest security issue comes from database interactions (SQL injection), so you'll probably want to whitelist your license via a regular expression...
// Allow only lowercase letters and digits. The "+" is required: without it the
// pattern matches exactly one character and rejects every real key.
if(preg_match('/^[a-z0-9]+$/', $license)) {
    // Ok to proceed with database interaction...
} else {
    die('NO USAGE FOR YOU!');
}
Check that you're not using eval() or `` (<= those are back ticks) with the incoming values.
Make sure to define all your variables before you use them. Below is an example of what not to do...
// $is_authenticated is never initialised here; it only exists if the password matched.
if($_POST['password'] == $password) {
    $is_authenticated = true;
}
if($is_authenticated) {
    // ... code ...
}
You might think that the only way for the ... code ... to run would be for the person accessing this script to post the correct password. Well, actually, if register_globals is enabled on the server they can simply pass a GET key=>value like .php?is_authenticated=1 to the request script.
This is the proper (pre-defined variable) way to use a variable.
$is_authenticated = false;
if($_POST['password'] == $password) {
    $is_authenticated = true;
}
if($is_authenticated) {
    // ... code ...
}
You also need to look into the possibility of an XSS attack, but that's more based on the context in which you return this data. Is it displayed on your site as well? Is it just straight up returned to the client?
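The answer's two database-side controls combined into one validation function, as an added example that is not the answer's own code: whitelist the license key with a regular expression first, then look it up with a prepared statement. The key format (uppercase letters, digits and dashes, 16 to 32 characters), the table layout and the in-memory SQLite database standing in for MySQL are all assumptions.

```php
<?php
// Added example, not from the original answer. Adjust LICENSE_PATTERN and the
// table layout to the real key scheme.
declare(strict_types=1);

const LICENSE_PATTERN = '/^[A-Z0-9-]{16,32}$/';

function isWellFormedLicense(string $key): bool
{
    // preg_match returns 1 on match, 0 on no match and false on error,
    // so compare against 1 explicitly.
    return preg_match(LICENSE_PATTERN, $key) === 1;
}

function licenseIsValid(PDO $db, string $key): bool
{
    // Anything outside the whitelist is rejected before it reaches the database.
    if (!isWellFormedLicense($key)) {
        return false;
    }
    // The key is bound as a parameter, never interpolated into the SQL text,
    // so the database only ever sees it as data.
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM licenses WHERE license_key = :key AND active = 1'
    );
    $stmt->execute([':key' => $key]);
    return (int)$stmt->fetchColumn() > 0;
}

// Constructed in-memory SQLite database standing in for the MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE licenses (license_key TEXT PRIMARY KEY, active INTEGER NOT NULL)');
$ins = $db->prepare('INSERT INTO licenses VALUES (:k, :a)');
$ins->execute([':k' => 'ABCD-1234-EFGH-5678', ':a' => 1]);
$ins->execute([':k' => 'WXYZ-0000-WXYZ-0000', ':a' => 0]);

// Constructed test keys and the expected outcome for each.
$cases = [
    'ABCD-1234-EFGH-5678' => true,   // active key
    'WXYZ-0000-WXYZ-0000' => false,  // known but deactivated
    'abcd-1234-efgh-5678' => false,  // fails the whitelist (lowercase)
    "ABCD-1234-EFGH-56'8" => false,  // contains a quote; rejected by the regex, never reaches SQL
    ''                    => false,  // empty
];
foreach ($cases as $key => $expected) {
    $result = licenseIsValid($db, (string)$key);
    printf("%-24s => %s\n", var_export($key, true), $result ? 'valid' : 'rejected');
    assert($result === $expected);
}
```

The regex and the prepared statement are not redundant: the prepared statement is what actually prevents injection, while the whitelist keeps malformed input out of the logs and the query entirely and gives a cheap, early rejection for anything that is clearly not a key.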