Re: PHP Security

On June 25, 2020 12:24:28 PM UTC, Ashkar Dev <ashkardev@xxxxxxxxx> wrote:
>Thanks for your replies,
>
>but could any of you give some codes of validating a form field, for
>example, getting the first name field text and inserting it to the
>database
>at this line:
>
>$firstName=$_POST('fname');
>
>which PHP functions should I use here on  $_POST('fname')  to remove
>tags from it, and prevent other security-related attacks?
>
>And if I used pg_query( , ) is it safe if I don't use PDO? How is it
>safe?
>
>And if anyone needs to learn PHP, which website is good for providing
>non-copyrighted code? PHP manual code is copyrighted, so what's the
>benefit of reading the manual without using the code they provide?
>
>
>
>
>
>On Thu, Jun 25, 2020 at 9:51 AM Ashley Sheridan
><ash@xxxxxxxxxxxxxxxxxxxx>
>wrote:
>
>>
>>
>> On June 24, 2020 11:36:15 PM UTC, Kevin Waterson
><kevin.waterson@xxxxxxxxx>
>> wrote:
>> >The best way to learn, is to start coding, and ask lots of
>questions.
>> >There are plenty of sites on the web which provide shitty code.
>> >DO NOT COPY AND PASTE.
>> >While the urge to simply copy somebody's code, and paste it into
>your
>> >application is inviting, this practice only leads to heartache and
>> >tears.
>> >You are certainly on the right track when asking about security.
>While
>> >you
>> >can write insecure code in any language, PHP perhaps lowers the bar
>in
>> >this
>> >regard.
>> >As your question relates to database, let's start there.
>> >PHP provides PDO for database operations, and allows variable
>binding
>> >and
>> >prepared statements.
>> >Prepared statements are great for stopping SQL injection, but this
>is a
>> >last stop.
>> >The real question is, Why would you send data to a database query
>> >without
>> >being sure of the type and length of the data you are sending.
>> >Validation:
>> >Everything coming from userland (eg: a website) should be regarded
>as
>> >insecure.
>> >Sure, you can put some HTML5, or javascript, validations on an email
>> >address, but changing the form type from "email" to "text" is a
>trivial
>> >task.
>> >To be absolutely sure of the content of input, you must create your
>> >own validations.
>> >How long can this address be? eg: If the email is being stored in a
>> >VARCHAR
>> >field, then 255 would be the max length.
>> >It must also contain a "@" character.
>> >It must end in ".something"
>> >These validations must be performed BEFORE you send the email
>address
>> >to
>> >the database.
>> >
>> >I, and many others here, are happy to answer your questions, and it
>> >sounds
>> >like you are beginning at the right place.
>> >
>> >Kev
>> >
>> >On Thu, Jun 25, 2020 at 6:56 AM Ashkar Dev <ashkardev@xxxxxxxxx>
>wrote:
>> >
>> >> Hi all,
>> >> could anyone give some detail about how to make a PHP web
>application
>> >> secure?
>> >> for example validation of form while using a PostgreSQL database,
>> >>
>> >> by the way, could you explain how users can freely learn PHP while
>> >the
>> >> codes from the PHP website are copyrighted, are developers able to
>> >> use codes from the PHP website or manual?
>> >>
>>
>> To add to the security question, have a look at the OWasp top 10 (
>> https://owasp.org/www-project-top-ten/ ) and things like the PHP
>security
>> advent calendar (
>> https://blog.ripstech.com/2018/php-security-advent-calendar/ )
>> Thanks,
>> Ash
>>

There are lots of different types of sanitisation you can perform on data. For inserting it into a database, you need to prevent SQL injection. PDO is preferred for this, but from the looks of it (I've not used it myself) pg_query_params() should work too. Don't use pg_query(), it's not considered safe when used with user supplied data. Look at the manual pages on how to do this.

Don't remove html tags as part of SQL injection prevention, that's not needed. Only do something like that if you then need to output the data into HTML. It's recommended to only perform the sanitisation that you need, rather than run everything.

You can use code from the manual, but if it's code provided in the comments, you may need to preserve original attribution comments left by original authors. However, the manuals are a great resource for everyone to read code to understand how the smaller parts fit together, and understand how a function or class works.
Thanks,
Ash
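The pattern Ash describes, validate first, bind the value as a query parameter, and escape only at output time, written out as an added example. This is not code from the thread or from the PHP manual; the table and column names, the VARCHAR(100) length limit, the allowed character set for a name, and the connection string are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example: validating a first-name field, inserting it into
// PostgreSQL with a parameterised query, and escaping it only when it
// is rendered into HTML. Schema and rules below are assumptions.

/**
 * Validate the "fname" field. Returns the trimmed name, or null if it
 * fails. The rules (assumed VARCHAR(100) column, letters/marks/space/
 * apostrophe/hyphen only) are example choices; adapt them to your schema.
 */
function validateFirstName(mixed $raw): ?string
{
    if (!is_string($raw)) {          // fname[]=... arrives as an array: reject
        return null;
    }
    $name = trim($raw);
    if ($name === '' || !mb_check_encoding($name, 'UTF-8')) {
        return null;
    }
    if (mb_strlen($name, 'UTF-8') > 100) {   // matches the assumed column width
        return null;
    }
    // Whitelist of characters; tags, quotes, NUL bytes etc. simply fail here,
    // so there is nothing to "strip".
    if (!preg_match("/^[\\p{L}\\p{M}' -]+\$/u", $name)) {
        return null;
    }
    return $name;
}

/**
 * Insert with pg_query_params(): $1 is sent to PostgreSQL separately from
 * the SQL text, so the value is never interpolated into the query string.
 * Contrast with pg_query("... VALUES ('$name')"), which is what makes
 * pg_query() unsafe with user data.
 */
function insertFirstName($conn, string $firstName): int
{
    $result = pg_query_params(
        $conn,
        'INSERT INTO users (first_name) VALUES ($1) RETURNING id',
        [$firstName]
    );
    if ($result === false) {
        throw new RuntimeException('insert failed: ' . pg_last_error($conn));
    }
    return (int) pg_fetch_result($result, 0, 'id');
}

/** The same insert through PDO with a prepared statement. */
function insertFirstNamePdo(PDO $pdo, string $firstName): int
{
    $stmt = $pdo->prepare('INSERT INTO users (first_name) VALUES (:name) RETURNING id');
    $stmt->execute([':name' => $firstName]);
    return (int) $stmt->fetchColumn();
}

/** HTML escaping belongs at output time, not before storage. */
function renderGreeting(string $firstName): string
{
    return 'Hello, ' . htmlspecialchars($firstName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- request handling ---
$firstName = validateFirstName($_POST['fname'] ?? null);
if ($firstName === null) {
    http_response_code(400);
    exit('Invalid first name');
}

// Placeholder connection string; use your own credentials.
$conn = pg_connect('host=localhost dbname=app user=app password=secret');
if ($conn === false) {
    http_response_code(500);
    exit('Database unavailable');
}
$id = insertFirstName($conn, $firstName);
echo renderGreeting($firstName), " (user #{$id})";
```

The stored value is the raw validated name, not an HTML-escaped one; if the same value is later emitted into a different context (JSON, a CSV export, a shell command), each of those needs its own context-specific escaping, which is why escaping before storage gets in the way rather than helping.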



