The security Thread!

[aussiev8]

i think this should be made sticky, no comments/posts/ questions should be in another thread, this should just be security techniques

Secure Programming

Awareness
Before taking any technical measures, you have to realize that you cannot trust any input from external sources. Whether it is a GET or POST parameter or even a cookie, it can be set to anything. User-side JavaScript form checks will not make any difference.
Check User Variables
Every external variable has to be verified. In many cases you can just use type casting. For example, when you pass a database table id as a GET parameter the following line would do the trick:

PHP Code:

    $id = (int)$HTTP_GET_VARS['id']; 


or

PHP Code:

 $id = (int)$_GET['id'];           /* (PHP => v4.1.0) */ 


Now you can be sure $id contains an integer. If somebody tried to modify your SQL query by passing a string, the value would simply be 0. Checking strings is a little more difficult. In my opinion, the only professional way to do this is by using regular expressions. I know that many of you try to avoid them but -- believe me -- they are great fun once you got the basic idea. As an example, the variable $i from chapter 2.1. can be verified with this expression:

PHP Code:

<?php
    if (ereg("^[a-z]+\.html$", $id)) {
        echo "Good!";
    } else {
        die("Try hacking somebody else's site.");
    }
?>

This script will only continue when the $id variable contains a file name starting with some lowercase alphabetic characters and ending with a .html extension. I will not go into regular expression details but I strongly recommend you the book "Mastering Regular Expressions" by Jeffrey E. F. Friedl (O'Reilly).
Master the Global Variable Scope
I am glad I did not have much time to write this article in early December 2001, because in the meantime Andi and Zeev added some very useful arrays in PHP v4.1.0: $_GET, $_POST, $_COOKIE, $_SERVER, $_ENV and $_SESSION. These variables deprecate the old $HTTP_*_VARS arrays and can be used regardless of the scope. There is no need to import them using the global statement within functions.

Do yourself a favour and turn the configuration directive register_globals off. This will cause your GET, POST, Cookie, Server, Environment and Session variables not to be in the global scope anymore. Of course, this requires you to change your coding practice a little. But it is definitely a good thing to know where your variables come from. It will help you prevent security holes described in chapter 2.2. This simple example will show you the difference:

Bad:

PHP Code:

<?php
    function session_auth_check() {
        global $auth;
        if (!$auth) {
            die("Authorization required.");
        }
    }
?>

Good:

PHP Code:

<?php
    function session_auth_check() {
        if (!$_SESSION['auth']) {
            die("Authorization required.");
        }
    }
?>

source: http://www.zend.com/zend/art/art-oertli.php