<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HirdWeb &#187; security</title>
	<atom:link href="http://www.hirdweb.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.hirdweb.com</link>
	<description>Another Blog clogging up the already crowded internet</description>
	<lastBuildDate>Wed, 18 Jan 2012 20:54:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3</generator>
		<item>
		<title>You Did What?</title>
		<link>http://www.hirdweb.com/2011/05/03/you-did-what/</link>
		<comments>http://www.hirdweb.com/2011/05/03/you-did-what/#comments</comments>
		<pubDate>Tue, 03 May 2011 14:38:06 +0000</pubDate>
		<dc:creator>stephen</dc:creator>
				<category><![CDATA[Applications]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[Code]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.hirdweb.com/?p=629</guid>
		<description><![CDATA[Today&#8217;s topic is kind of short, but a very important one. If you are not living under a rock, then you know about Sony&#8217;s problem with their Playstation online services getting hacked and being down for some time. A new concern now is that this has exposed the credit card numbers of the membership. Something [...]]]></description>
			<content:encoded><![CDATA[<p>Today&#8217;s topic is kind of short, but a very important one. If you are not living under a rock, then you know about Sony&#8217;s problem with their Playstation online services getting hacked and being down for some time. A new concern now is that this has exposed the credit card numbers of the membership. Something that can definitely cost some good will and trust. However, Sony is a major corporation, and can recover from this. Can your business, if something like this were to happen? </p>
<p>I still see multiple instances of applications (and not just PHP applications) where carelessness has overtaken common sense. The web is no longer just a set of reading materials. It is now more than that, with interactive applications and a flow of data that travels in all directions. So why is there still such a lack of security for this interaction? The biggest thing I still see is with forms. Multiple sites ask you to sign up for something, like a list, an email notification, an account to get into the site, etc. And one of the most powerful things today is information. This does not mean just credit cards and government identification numbers. It can include names, emails, addresses, cities, passwords, secret phrases for confirmation, etc. Harvesting this can lead to identity fraud, selling to spam lists, etc. Secure your forms! It does not take much time, and it can pay off, especially for the small businesses who will not have the money or name recognition of the larger corporations. </p>
<p>Easier said than done, I suspect some are saying. Well, yes and no. This should not be an afterthought; it should come first. In the PHP language, functions exist to help with this. Some ideas for securing forms: <a href="http://az.php.net/manual/en/function.mysql-real-escape-string.php" target="_blank">mysql_real_escape_string</a>, <a href="http://az.php.net/manual/en/function.pg-escape-string.php" target="_blank">pg_escape_string</a>. In fact, if you are using PHP, then make sure to understand <a href="http://az.php.net/manual/en/refs.database.vendors.php" target="_blank">the different options available</a> for your database. Keep in mind that these escaping functions are tied to one database driver and an open connection, so treat them as a fallback rather than your primary defense. </p>
<p>That is not all though. You should also use a parameterized approach for inserts and updates, so that user data is bound as values and never spliced into the SQL string. A quick example of this:</p>
<pre>// $pdo is an existing PDO connection; placeholders (?) mark where values go
$sql = "UPDATE sometable SET somefield = ? WHERE value = ?";
$parameters = array($_POST['data1'], $_POST['data2']);
$stmt = $pdo->prepare($sql);   // the SQL text is fixed before any user data is seen
$stmt->execute($parameters);   // values are bound to the placeholders, not interpolated</pre>
<p>Now that was not too hard, was it? However, security is not something to pass over. You should understand what data you are collecting, validate the data, and then securely save the data. Validating it can be as easy as making sure it is an integer value, an email address, or a certain number of characters. Checks like that go a long way toward verifying that what you are getting is what you need, and will not harm your application. For example, if a form had fields for first name, last name, country and email address, you can safely validate those fields. First and last name should contain only letters; those fields should not have special characters, numbers, etc. The email address should be validated against the form of a well-formed email address. You can even go one step further and verify that it is a valid email address that exists somewhere out in the cloud. </p>
<p>The big lesson, though: secure the data. Secure your application. Do not let a shortcut become your Sony Playstation meltdown. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.hirdweb.com/2011/05/03/you-did-what/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>October Posting</title>
		<link>http://www.hirdweb.com/2008/10/08/october-posting/</link>
		<comments>http://www.hirdweb.com/2008/10/08/october-posting/#comments</comments>
		<pubDate>Wed, 08 Oct 2008 14:31:20 +0000</pubDate>
		<dc:creator>stephen</dc:creator>
				<category><![CDATA[Applications]]></category>
		<category><![CDATA[PHP]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[web apps]]></category>

		<guid isPermaLink="false">http://www.hirdweb.com/?p=100</guid>
		<description><![CDATA[It is finally October and I have not posted one thing yet. I was in California last week though. However that should not be an excuse for the lack of posting I have made. I really wanted to be able to post at least once a week, trying for twice a week. However, that has [...]]]></description>
			<content:encoded><![CDATA[<p>It is finally October and I have not posted one thing yet. I was in California last week though. However that should not be an excuse for the lack of posting I have made. I really wanted to be able to post at least once a week, trying for twice a week. However, that has not happened.</p>
<p>So, a quick post about security in a site. I will not claim that I know everything about security, but I have always focused on the common-sense aspects of a site. Some of the things to keep in mind:</p>
<p>1. All data is tainted, and therefore, before you accept any data and put it in the database or file system, SANITIZE it. This applies to forms, forums, wikis, etc. Use PHP&#8217;s own functions at the very least to help clean the data. Never just blindly run the data through your database. You can open loopholes to malicious entries into your tables, or have tables disappear altogether. By allowing unsanitized data in, you are opening yourself to a SQL injection attack. And while people will not bother with most sites, it is entirely possible they can use a SQL injection to use your server as a host or bounce for other mischievous activity. </p>
<p>2. Sessions are great, but use them with caution. What this means is: try not to pass a session ID via a query string in the URL. Session hijacking uses this, as it is easy to grab a session ID just from a Google search, a post on a forum or blog, etc. I just suggest not doing it. Cross-site scripting will also try to sniff the session ID. Saving the session ID in a cookie is fine, but regenerate the ID at times, and validate the session ID when doing anything for admin functions, checkout functions, etc. Just keep in mind what people are able to do on your application, and how that would be a problem if a session was hijacked. </p>
<p>3. SSL vs no SSL. It all depends on your application. If you have anything remotely personal that is required, just pony up the money to get a cert and put it on the server. Many times when I am browsing around, if it asks for my name and address and phone number/email address, I look for that lock/cert. Even though this is all contained in the current phone book, I am not sure what information they will ask for next. And especially if you are going to ask someone for their credit card number. Never leave that in the open. </p>
<p>4. Personal information on the application. If you are building a business site, and need to put business information up, then do it in a way that will not harm people inside the business. Posting the email addresses of regular employees, direct numbers, etc. can lead to a hassle and business identity theft. Put up the main number/main email address (per department if there is one) and leave it at that. If it is a personal site, never post your personal information/financial info on the site. Not even to brag. </p>
<p>5. Leech protection. There are many ways to protect against other sites pulling in your graphics. Take the example of a college football fan who posted a full article about the Oklahoma Sooners quarterback being involved in drugs and other illegal activity. He mimicked a local Oklahoma newspaper site. He took the CSS and layout from the web, and linked to the images they hosted on their servers. The result? Many people and even major news sites took this as a true story. The guy got in trouble, had a lawsuit against him from the local paper, and eventually took it down. This happened, and luckily the local paper was able to track this down. Many phishing attempts are done in this way. You get an HTML email from a bank saying you need to complete some information, and they give you a site that looks exactly like the real deal. Safeguard your images, and do not let other sites use those. </p>
<p>6. Have fun and be observant. Web applications can be fun, and can be really dangerous. Think common sense when programming, think common sense when debugging and unit testing. Do not let a small &#8220;trite&#8221; thing be overlooked, as that may be the one back door that others use to get into the site. You should have a good sys admin setting up the servers and a good network admin manning the routers and firewalls, so it is up to you to remember to use common sense about the actual application. </p>
<p>Some of these are really basic common sense. Most security loopholes exist because people forgot the basics. There is only 1, that is right &#8211; ONE, sure way to never get hacked, get a virus, or have a security hole. That is to never plug your system into the web, and never turn it on. But what fun is that?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.hirdweb.com/2008/10/08/october-posting/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

