Return to Snippet

Revision: 2216
at January 16, 2007 23:02 by pckujawa

Initial Code
Regarding user input (e.g. web forms, but pretty much any possible user input):

Check the length of the input to verify that it is less than your max (always set some sort of maximum) and greater than zero.

In PHP with MySQL, use the function "mysql_real_escape_string" when interacting with the database (db).

Always clean your output (to prevent XSS, or Cross-Site Scripting):
In PHP, you can use the functions "htmlentities" for textual output and "urlencode" for URI's.

Never accept user input for filenames! Write your own filename, perhaps based on pre-cleaned user input, but preferably just an alphanumeric name of your choice (which can be stored in the db for reference). And before you write the file, use the PHP functions "basename" and "realpath" (i.e. basename(realpath($filename)) ) in order to establish exactly where the file would end up if you do write it as is. Also very important: before creating the file, use the PHP function "umask," i.e. umask(077), so that files have their permissions locked down before they are created. This prevents someone from accessing the file before you have time to manually change the permissions.

Whenever a user logs in, use the PHP function "session_regenerate_id" to prevent fraudulent access to their account or a session-fixation attack.

More to come... Please post your own.

Initial URL

Initial Description
I got most of these tips out of a great book published by O'Reilly (my favorite web-design publisher): "Programming PHP, 2nd Ed." by Lerdorf, Tatroe, and McIntyre. Another good book is "Essential PHP Security," also published by O'Reilly.

Initial Title
User input validation and security / general security in PHP and programming in general

Initial Tags
php, security, web

Initial Language