I'm still somewhat new with php, only able to play with it now and again.
Anyway, I was recently sent an email about poss security flaws, not in php
itself but in my code on a site that I am working on. Here is a list of
security issues that poss exist and I'm just looking for other ways to
improve the overall security of the site.
*transactions
this site accepts transactions through IBILL. I need a way to validate
that after the client goes to ibill's site and gets sent to back to my site,
that it really is coming from Ibill. I hear that 'http_referrer' can be
spoofed and should therefore not be trusted, at least not by itself. Right
now I am just using a hidden form field and passing through a var from my
site, to ibill, and back to my site. Problem is of course that someone
could just copy and paste my source and change the action of the form to
just bypass ibill and go directly to the processing page after ibill, should
they find a way to know what it is. This is all assuming they know how of
course. I just need a good way of validating that they actually payed
through ibill and did not get a free account. I thought about registering
that hidden form field var within the session and comparing it to the
returned var from ibill, if that makes any sense to you guys..any idea's
here??????????? ??
*file uploads
after paying, clients can upload images via thier personal control
panel. I perform a mime check only at this time. I recently found:
is_uploaded_fil e() and move_uploaded_f ile() and will incorparate them into
the code rather than just using copy. Should I also set permissions, or
will they be set correctly after the move allready. The uploads are just
images. I am also thinking of setting file set checks also.
*client supplied text
I am also worried about "sql injection" and things of that nature. I
found add_slashes(), strip_tags(), htmlspeacialcha rs() and will start to use
those on user supplied text. Any other functions that I might want to
include and run my text vars through.
PS: I'm also open to any other issues that may not be covered here. I just
read through some old posts but just don't want to miss anything.
-thnx
Chris Mosser
Anyway, I was recently sent an email about poss security flaws, not in php
itself but in my code on a site that I am working on. Here is a list of
security issues that poss exist and I'm just looking for other ways to
improve the overall security of the site.
*transactions
this site accepts transactions through IBILL. I need a way to validate
that after the client goes to ibill's site and gets sent to back to my site,
that it really is coming from Ibill. I hear that 'http_referrer' can be
spoofed and should therefore not be trusted, at least not by itself. Right
now I am just using a hidden form field and passing through a var from my
site, to ibill, and back to my site. Problem is of course that someone
could just copy and paste my source and change the action of the form to
just bypass ibill and go directly to the processing page after ibill, should
they find a way to know what it is. This is all assuming they know how of
course. I just need a good way of validating that they actually payed
through ibill and did not get a free account. I thought about registering
that hidden form field var within the session and comparing it to the
returned var from ibill, if that makes any sense to you guys..any idea's
here??????????? ??
*file uploads
after paying, clients can upload images via thier personal control
panel. I perform a mime check only at this time. I recently found:
is_uploaded_fil e() and move_uploaded_f ile() and will incorparate them into
the code rather than just using copy. Should I also set permissions, or
will they be set correctly after the move allready. The uploads are just
images. I am also thinking of setting file set checks also.
*client supplied text
I am also worried about "sql injection" and things of that nature. I
found add_slashes(), strip_tags(), htmlspeacialcha rs() and will start to use
those on user supplied text. Any other functions that I might want to
include and run my text vars through.
PS: I'm also open to any other issues that may not be covered here. I just
read through some old posts but just don't want to miss anything.
-thnx
Chris Mosser
Comment