Basic Dynamic Website Security
By Tom C W Higgins
At a most basic level, PHP can be used to simplify the navigation of a website by using the include function.
This, added to each page of the website, can be used to include an HTML file that contains the site's navigation links.
The main advantage of this is that the webmaster can simply alter that one file, instead of every single page on the site.
Obviously if your site has thousands of pages, this is going to save you some time! The include function
basically tells the server your website is hosted on to take what's in the included file and put it into the code of your page.
Typical use of the include function is as follows:
When the page loads, you won't see the PHP code but instead see the contents of the included file.
In the case above, you would see your navigation links etc where they should be.
The next step up in using PHP to enhance your site is for a contact form. This is where the first security
concerns come up. A contact form will allow anyone to enter data into the fields which is sent to your PHP
file that processes that data. User entered data must never be trusted!
There are many things a typical user can do which may cause you annoyance, or, in the case of a purchase form,
cause you to never receive the order, e.g. mistyping their email address! This is why form validation is important.
When a user makes a mistake in a form field, they should be notified by your form processing script
and instructed to correct the mistake and resubmit. This is usually quite a simple thing to do, by using regular
expressions to validate email addresses and using a random anti-spam number generator to stop spam bots.
Do not use CAPTCHAs! They are completely overrated and extremely frustrating to most users. A simple five digit
number that is randomly generated and rendered out as a picture will suffice to stop automated form filling bots.
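The validation described above, as an added example that is not code from the original article: a server-side check of a contact form's fields plus the author's random-number-in-a-picture test. The field names (name, email, message, antispam) and the session key are assumptions.

```php
<?php
// Added example, not from the original article. Field names and the session key
// ($_SESSION['antispam_code']) are assumptions; adapt them to your own form.

function validate_contact_form(array $post, int $expected_code): array
{
    $errors = [];

    $name = trim($post['name'] ?? '');
    if ($name === '' || mb_strlen($name) > 100) {
        $errors['name'] = 'Please enter your name (up to 100 characters).';
    }

    // filter_var() is more reliable than a home-grown regex, and it rejects the
    // newline characters that would otherwise let a value add extra mail headers.
    $email = trim($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'Please enter a valid email address.';
    }

    $message = trim($post['message'] ?? '');
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors['message'] = 'Please enter a message (up to 5000 characters).';
    }

    // The five-digit number rendered as an image was stored in the session when
    // the form was displayed; compare what the user typed against that value.
    $typed = preg_replace('/\D/', '', $post['antispam'] ?? '');
    if ($typed === '' || (int) $typed !== $expected_code) {
        $errors['antispam'] = 'The number you typed did not match the picture.';
    }

    return $errors;
}

session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = validate_contact_form($_POST, (int) ($_SESSION['antispam_code'] ?? -1));
    if ($errors === []) {
        // Every field passed: build and send the email here.
    } else {
        // Re-show the form; escape the messages (and any echoed input) for HTML.
        foreach ($errors as $msg) {
            echo '<p class="error">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
        }
    }
}
// Pick a fresh code for the form about to be displayed; render it as an image.
$_SESSION['antispam_code'] = random_int(10000, 99999);
```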
So, some simple validation techniques and a random number picture generator will suffice for 90% of the
webmasters and blog owners out there. If you plan on using MySQL with some aspect of your website,
such as letting users upload information for things like profiles etc, then you will need to go a step further.
The biggest threat is an SQL injection attack. This is where a user types SQL code into a field in your
form. That data is then sent to your processing script, which pastes it into a database query, so the database
interprets it as commands, not as raw text. So if someone were to send an SQL string that looked something
like "DELETE FROM myblog", every record in "myblog" would be deleted and that would be the end of your blog,
posts and comments to boot!
Other sneaky things people may try to do include sending a set of commands to
your script that result in them being able to place a link somewhere on your site. This
is often done by using the fwrite function to append code to one of your html files.
These are no small issues; they must be addressed or people could wreck your plans for internet domination!
The solution is very simple. There are two functions that can be used to help secure your forms and scripts.
The first is to use a function known as strip_tags($myvar), where "$myvar" is the variable that contains
the input from the form. A working example would look something like this:
$name = strip_tags($_GET['namefieldfromform']);
This strips any tags that the user may have entered into your form. It's useful for stopping people from
adding in their own links to websites in things like comments. The other and more important function is
mysql_real_escape_string(). It is a little trickier to use but still quite easy to implement. Note that it
returns an escaped copy of the string rather than changing the variable in place, so you must keep the return
value, and you must escape each variable before you build the query that contains it. First escape the
variables that will appear in the query thusly:
$efilename = mysql_real_escape_string($efilename);
$thumbname = mysql_real_escape_string($thumbname);
$date = mysql_real_escape_string($date);
$desc = mysql_real_escape_string($desc);
$name = mysql_real_escape_string($name);
$cat = mysql_real_escape_string($cat);
$tags = mysql_real_escape_string($tags);
Then construct the query you are going to send to your database:
$query = "INSERT INTO image (sourceurl, thumburl, ratings, dateadded, description, submitedby, category, keywords) VALUES ('$efilename', '$thumbname', '0', '$date', '$desc', '$name', '$cat', '$tags')";
This escapes the characters that have special meaning inside a MySQL string literal (quotes, backslashes and
the like), so the database reads each value as plain text rather than as part of the SQL command and the value
cannot break out of its quotes. Remember never to trust information that is entered
by users, as you never know who might be trying to cause trouble!
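The same INSERT written with a prepared statement, as an added example that is not code from the original article. The mysql_ extension that provides mysql_real_escape_string() was removed in PHP 7, and a prepared statement makes the escaping step unnecessary because the values never become part of the SQL text. The DSN, database user and password are placeholders; the table and column names are the article's own.

```php
<?php
// Added example, not from the original article. Connection details are placeholders.

function connect_db(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER',
        'DB_PASSWORD_PLACEHOLDER',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // let the server keep SQL and data apart
        ]
    );
}

function insert_image(PDO $pdo, array $row): int
{
    // The SQL text contains only placeholders; the values travel separately, so
    // quotes, semicolons or a DELETE statement typed into a field are stored as
    // plain text and never run.
    $sql = 'INSERT INTO image (sourceurl, thumburl, ratings, dateadded,
                               description, submitedby, category, keywords)
            VALUES (:src, :thumb, 0, :added, :descr, :who, :cat, :tags)';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([
        ':src'   => $row['efilename'],
        ':thumb' => $row['thumbname'],
        ':added' => $row['date'],
        ':descr' => $row['desc'],
        ':who'   => $row['name'],
        ':cat'   => $row['cat'],
        ':tags'  => $row['tags'],
    ]);
    return (int) $pdo->lastInsertId();
}

// Form values should still be validated first (length, allowed values, etc.).
// The prepared statement handles the SQL side; strip_tags() and htmlspecialchars()
// are still needed when the stored text is echoed back into a page.
$row = [
    'efilename' => $_POST['efilename'] ?? '',
    'thumbname' => $_POST['thumbname'] ?? '',
    'date'      => date('Y-m-d H:i:s'),
    'desc'      => strip_tags($_POST['desc'] ?? ''),
    'name'      => strip_tags($_POST['name'] ?? ''),
    'cat'       => $_POST['cat'] ?? '',
    'tags'      => strip_tags($_POST['tags'] ?? ''),
];
$id = insert_image(connect_db(), $row);
```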
Tom C W Higgins, provider of advice for start-up webmasters and web based FTP clients.