Part 2 of PHP Security: User Validation and Sanitization for Beginners

Welcome back, friends! Let's continue learning about PHP security. If you missed Part 1, you can check it out here: Part 1 of PHP Security: User Validation and Sanitization for Beginners!

Remember, you'll need a working knowledge of PHP to follow this post. Not much is needed, though, since this is intended for beginners.

Sanitizing your data: a little more information

Sanitizing data is another essential element of PHP security. In our last section, Validating User Input and Some Sanitization (in Part 1), we did some sanitization as part of cleaning up the input: we validated our data by checking whether it matched the format we expected. Here are two more tips to help protect your site from the bad guys.

MySQL Injection


What's MySQL injection (more generally, SQL injection)? It's when an attacker manipulates the input to your site so that their own SQL becomes part of the SQL command you send to the database, letting them read more information than you intended, or modify or delete data. Here's an example of a simple SQL injection:

```php
$userID = $_POST['user_id']; // attacker submits the value: ' OR 1 --  (note the space after --)

$query = "SELECT * FROM users WHERE user_id = '$userID'";

// resulting query: SELECT * FROM users WHERE user_id = '' OR 1 -- '
```

In this example the script was never secured: $_POST['user_id'] is dropped straight into the SQL. An attacker came along and changed the value in the hidden form field from a number to ' OR 1 -- . The leading quote closes the string early, OR 1 makes the WHERE clause true for every row, and the trailing comment (the -- followed by a space) hides the closing quote the script appends. A query meant to fetch one user now effectively runs WHERE user_id = '' OR 1 and returns every row in the table.

So how do we stop this trickery? Luckily, this is a beginner's guide, so we have a beginner's method for you. PHP's old mysql extension has a function called mysql_real_escape_string() that escapes the characters an attacker needs in order to break out of a quoted string. Before you use this function you should still validate and sanitize all the data, to make sure it's clean. Let's say we validated all the data for our comment form and now want to add it to the database. But let's also say I'm the bad guy and I try to inject something into your site: I set page_ID to ' OR 1 --  as above, and you forgot to sanitize page_ID. (I know you wouldn't really forget to do that.)

Because we ran the value through mysql_real_escape_string(), the injection fails. Here's an example:

```php
$pageID = mysql_real_escape_string($_POST['page_ID']); // attacker submits: ' OR 1 -- 

$query = "SELECT * FROM pages WHERE page_id = '$pageID'";

// resulting query: SELECT * FROM pages WHERE page_id = '\' OR 1 -- '
```

As you can see from the output, the quote in ' OR 1 --  became \', so the whole value stays inside the string literal, the WHERE clause is not modified, and no extra data comes out. A few caveats matter here. First, mysql_real_escape_string() needs an open database connection, because the escaping depends on the connection's character set; without one it emits a warning and returns false, which interpolates as an empty string. Second, it only protects values that sit inside quotes in your SQL: if you write WHERE page_id = $pageID with no quotes, escaping does nothing, and you should cast the value to an integer instead. Third, the whole mysql extension was deprecated in PHP 5.5 and removed in PHP 7, so this function does not exist in current PHP. Its replacements, mysqli and PDO, support prepared statements, which send the SQL text and the values separately so that user data can never be parsed as SQL. Prepared statements are the recommended defense; escaping is only a stop-gap for legacy code, and I suggest reading more about both.
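To make the difference concrete, here is an added example (not code from the original post) that runs the same lookup three ways: with the raw value interpolated, with a PDO prepared statement, and with escaping. It uses PDO with an in-memory SQLite database so it runs offline with no MySQL server; the users table, its rows and the attacker's input are all constructed here. PDO::quote() stands in for mysql_real_escape_string(), which no longer exists in current PHP. It assumes the pdo_sqlite extension is enabled.

```php
<?php
// Added example: the same user lookup done vulnerably, with a prepared
// statement, and with escaping. Constructed data; runs on PDO + SQLite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id TEXT PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO users VALUES ('u1', 'alice'), ('u2', 'bob'), ('u3', 'carol')");

// The attacker's submission from the post: a quote to close the string,
// OR 1 to make the WHERE clause true for every row, and a trailing comment
// so the closing quote the script appends is ignored by the parser.
$userID = "' OR 1 -- ";

// 1. Vulnerable: the raw value is interpolated into the SQL text, so the
//    quote and comment the attacker sent are parsed as SQL.
function lookupVulnerable(PDO $db, string $userID): array
{
    $query = "SELECT name FROM users WHERE user_id = '$userID'";
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

// 2. Prepared statement: the SQL contains a placeholder and the value travels
//    separately, so it is compared as data and never parsed. Use this.
function lookupPrepared(PDO $db, string $userID): array
{
    $stmt = $db->prepare('SELECT name FROM users WHERE user_id = :id');
    $stmt->execute([':id' => $userID]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// 3. Escaping: PDO::quote() escapes the quote (SQLite doubles it rather than
//    backslash-escaping it) and adds the surrounding quotes itself. This only
//    helps because the value ends up inside a quoted string literal.
function lookupEscaped(PDO $db, string $userID): array
{
    $query = 'SELECT name FROM users WHERE user_id = ' . $db->quote($userID);
    return $db->query($query)->fetchAll(PDO::FETCH_COLUMN);
}

var_dump(lookupVulnerable($db, $userID)); // the injected OR 1 matches every row
var_dump(lookupPrepared($db, $userID));   // no user has that literal id
var_dump(lookupEscaped($db, $userID));    // same: the value stays a string
var_dump(lookupPrepared($db, 'u2'));      // a legitimate lookup still works
```

Note that a numeric column changes nothing about the advice: with WHERE user_id = $userID and no quotes, case 3 would not help at all, while the prepared statement in case 2 still does.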

Just a bit of Cross-Site injection

Since we've gone over so much already, I wanted to add a bit on cross-site injection, more commonly known as cross-site scripting (XSS). It happens when an attacker gets data into your site that is later sent to other users' browsers, where it is interpreted as part of your page: from there it can steal data from users, alter what your site shows, or change or delete data on the user's behalf. XSS is a huge security vulnerability. So, how can you help prevent it?

Well, first you can use the trusty htmlentities() function that we used in Part 1. Passing data through it before you echo it out ensures the browser displays it as text rather than interpreting it as HTML, so pesky hackers can't inject markup into your site. For example:

Let's say that a user visits your site, comments on your page, and submits the following as their comment:

```html
<iframe src="http://bad-dude-hacker-mafia.com/xss-injection.php" height=0 width=0 />
```

If we did nothing to protect our site and this was written into the page as-is, every visitor's browser would load the attacker's page in an invisible frame each time the comment was viewed, and that page could collect data, display its own content on your site, and so on. But if we use htmlentities(), we can prevent this:

```php
echo htmlentities(trim($comment), ENT_NOQUOTES);

// Output: &lt;iframe src="http://bad-dude-hacker-mafia.com/xss-injection.php" height=0 width=0 /&gt;
```

As the output shows, the comment is displayed as literal text: the browser never creates an iframe, never contacts bad-dude-hacker-mafia.com, and no havoc is caused. Two caveats. ENT_NOQUOTES leaves quote characters alone, which is fine when you echo into the text of the page, but if you echo user data into an HTML attribute (for example value="$comment"), an unescaped quote lets the attacker close the attribute and add their own, so use ENT_QUOTES there (safest: everywhere). Also pass the charset explicitly, htmlentities($s, ENT_QUOTES, 'UTF-8'), so the function's idea of the encoding matches your page's; htmlspecialchars() with the same flags is enough for this job, since it encodes the five characters that matter.
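Here is an added example (not code from the original post) showing why the flags matter depending on where the comment is echoed. The first payload is the iframe from above; the second is a constructed one aimed at an attribute. The function name escapeHtml and the input values are assumptions for the demonstration.

```php
<?php
// Added example: escaping the same user data for a text context and for an
// attribute context, with ENT_NOQUOTES versus ENT_QUOTES. Inputs constructed here.

// Escapes a value for use either as text between tags or inside a quoted
// attribute value. ENT_QUOTES encodes both ' and "; the charset is explicit.
function escapeHtml(string $value): string
{
    return htmlentities(trim($value), ENT_QUOTES, 'UTF-8');
}

// Payload 1: the iframe comment from the post (text context).
$comment = '<iframe src="http://bad-dude-hacker-mafia.com/xss-injection.php" height=0 width=0 />';

// Payload 2: constructed for an attribute context. It contains no angle
// brackets at all; the double quote is what it needs.
$attack = '" autofocus onfocus="alert(document.cookie)';

// 1. Text context: ENT_NOQUOTES is enough, because < and > are what would
//    let the browser start a new element.
echo '<p>' . htmlentities($comment, ENT_NOQUOTES, 'UTF-8') . "</p>\n";

// 2. Attribute context with ENT_NOQUOTES: the double quote survives, so the
//    browser sees the value end early and treats the rest of the payload as
//    new attributes, including an event handler that runs script.
echo '<input value="' . htmlentities($attack, ENT_NOQUOTES, 'UTF-8') . '">' . "\n";

// 3. Attribute context with ENT_QUOTES: the quote becomes &quot; and the whole
//    payload stays inside the value as harmless text.
echo '<input value="' . escapeHtml($attack) . '">' . "\n";
```

Run it and compare the second and third lines of output: only the third keeps the entire payload inside the quoted value. Using escapeHtml() for every echo of user data, whatever the context, avoids having to remember which flag each spot needs.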

Over the last two posts, you've learned how to protect your PHP site using validation, sanitization, SQL injection prevention, and some cross-site scripting defenses. Remember, this is only the beginning. There's lots of information online to help protect your site, and the more you know, the safer you are.

"Pass on what you have learned, Luke. There is... another... Sky... walker." - Yoda

Yeah, Yoda’s pretty wise……


Some hot links for you:

http://phpsec.org/

http://www.php.net/manual/en/

http://php.net/manual/en/security.php

http://www.sitepoint.com/php-security-blunders/


Links to images:

http://www.awwwards.com/gallery/1141/geek-humor

http://xkcd.com/327/

http://joyreactor.com/tag/hackers

http://timothylive.net/blog/tag/xkcd/