security threats in php

  • pradeepjain
    Contributor
    • Jul 2007
    • 563

    security threats in php

    Hi guys,
    I want to know what the major security loopholes in PHP are.


    One major one being bad programming...



    thanks,
    Pradeep
  • Markus
    Recognized Expert Expert
    • Jun 2007
    • 6092

    #2
    MySQL injection, cookies, sessions.

    Not, of course, a problem with PHP, but a problem with the programmer.

    If you, the programmer, know how to correctly program an application/webpage, you need not worry about *loopholes*.

    Kind regards.


    • Atli
      Recognized Expert Expert
      • Nov 2006
      • 5062

      #3
      The biggest threat would probably be user input.
      Always assume user input is meant to harm your server in some way and validate it accordingly.
      That should take care of most threats.

      Btw, I count Sessions, Cookies and stuff like the User Agent and Referrer variables as user input. Everything the browser provides can be manipulated by the user.


      • pbmods
        Recognized Expert Expert
        • Apr 2007
        • 5821

        #4
        I coulda sworn we had another thread about this somewhere....

        The rule of thumb when dealing with Users:
        1. Validate input.
        2. Escape output.


        Validate Input

        To achieve the former, follow three simple rules:
        1. Don't trust the User
        2. Don't trust the User
        3. Don't trust the User


        There is a fourth rule (Don't trust the User), but I left it off to avoid redundancy.

        What do I mean by that? In a nutshell: $_POST['itemid'] is not an integer, $_POST['email'] is a phone number, $_GET['username'] probably contains malicious SQL code.

        Joel Spolsky explores using Hungarian notation to make unsafe User input obvious (http://www.joelonsoftware.com/articles/Wrong.html), but you can just as easily solve the problem by building good habits.

        Never use superglobals in any of your code. Always clean them as soon as you get them:

        [code=php]
        $itemid = (int) $_POST['itemid'];
        $email = validate_email($_POST['email']);   // validate_email() is the poster's own helper, not a built-in
        $username = mysqli_real_escape_string($conn, $_GET['username']);   // the connection handle is the first argument

        /** UNSAFE */
        $query = "SELECT ... WHERE `Username` = '{$_GET['username']}' ...";

        /** SAFE */
        $query = "SELECT ... WHERE `Username` = '{$username}' ...";
        [/code]

        SQL injection is perhaps the most spectacular vulnerability that can be exploited when a programmer fails to validate input, but you might also encounter oddness when, for example, processing payment data, sending requests to web services and other processes that involve sending or storing User input.

        Escape Output

        Always escape anything that gets output by your application. The majority of the time (escaping content for the User's web browser), you can achieve this using the built-in htmlentities() function (http://php.net/htmlentities).

        Escaping output thwarts vile XSS attacks and prevents oddly-formatted User input from breaking your HTML.

        Note that you won't always find yourself escaping data for HTML. When sending data to a web-service, be sure to XML-escape any tag values that you send (htmlentities() can handle this just fine).

        If you are generating a CSV file, you need to escape commas, and so on.

        Output escaping can also be used to improve the quality of your User experience. For example, when outputting a value that should be a phone number, run it through a function that formats it in (###) ###-#### format (watch out for international phone numbers!).

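A worked version of the "validate input, escape output" rule from the post above. This is an added example, not code from the post or from any project; it assumes a mysqli connection `$conn` with hypothetical credentials and a hypothetical `users` table, and it uses a prepared statement so the validated value never becomes part of the SQL text at all.

```php
<?php
// Added example: validate input at the edge, query with bound parameters,
// and escape at the point of output for the HTML context.
// $conn, the credentials and the `users` table are hypothetical.
declare(strict_types=1);

$conn = new mysqli('db.example', 'app', 'secret', 'appdb'); // hypothetical connection
$conn->set_charset('utf8mb4');

// 1. Validate input: convert every request value to a known type, or reject the request.
function clean_request(array $post, array $get): array
{
    $itemid = filter_var($post['itemid'] ?? null, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $username = $get['username'] ?? '';

    // Allow-list the username shape instead of trying to strip "bad" characters.
    if ($itemid === false || $email === false
        || !preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        throw new InvalidArgumentException('rejected request parameters');
    }
    return ['itemid' => $itemid, 'email' => $email, 'username' => $username];
}

// Parameterised query: the value is sent separately from the SQL, so there is
// no quoting rule to get wrong and nothing to escape.
function find_user(mysqli $conn, string $username): ?array
{
    $stmt = $conn->prepare('SELECT id, email FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

// 2. Escape output: done when the value is written into HTML, not when it is read.
function html(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample request, standing in for $_POST and $_GET.
$params = clean_request(
    ['itemid' => '42', 'email' => 'alice@example.com'],
    ['username' => 'alice']
);
$user = find_user($conn, $params['username']);

echo '<p>Hello, ' . html($params['username']) . '</p>';
if ($user !== null) {
    echo '<p>Contact: ' . html($user['email']) . '</p>';
}
```

The validation step rejects the request outright rather than "cleaning" it, which is the safer default: a value that fails its type check is not something the application should try to repair. Escaping is deferred to the output step because the right escaping depends on where the value ends up (HTML here; XML or CSV would need different rules), which is exactly the point the post makes under "Escape Output".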

        • pradeepjain
          Contributor
          • Jul 2007
          • 563

          #5
          I generally use
          [PHP]<?php
          function htmlspecialchars_array($arr = array()) {
              $rs = array();
              foreach ($arr as $key => $val) {   // foreach replaces each(), which was removed in PHP 8
                  if (is_array($val)) {
                      $rs[$key] = htmlspecialchars_array($val);   // recurse into nested arrays
                  } else {
                      $rs[$key] = htmlspecialchars($val, ENT_QUOTES);
                  }
              }
              return $rs;
          }
          $array = htmlspecialchars_array($array);
          ?>
          [/PHP]


          before fetching data from the database. And before inserting into the database I use this script

          [PHP]<?php
          function sanitize($input) {
              if (is_array($input)) {
                  $output = array();   // initialise, so an empty array returns an array rather than null
                  foreach ($input as $k => $i) {
                      $output[$k] = sanitize($i);
                  }
              } else {
                  if (get_magic_quotes_gpc()) {   // undo magic quotes (PHP < 5.4) before escaping
                      $input = stripslashes($input);
                  }
                  $output = mysql_real_escape_string($input);   // legacy mysql extension, removed in PHP 7
              }

              return $output;
          }
          $_POST = sanitize($_POST);
          ?>[/PHP]


          Is there any script to use, so as to ensure secure data injection into the database?


          thanks,
          pradeep


          • Markus
            Recognized Expert Expert
            • Jun 2007
            • 6092

            #6
            Originally posted by pradeepjain
            Is there any script to use, so as to ensure secure data injection into the database?
            As long as you mysql_real_escape_string() your input you will be fine.

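Escaping is what the reply above recommends, and it does work, but only when three conditions hold: the connection's character set is set before anything is escaped, the escaped value lands inside a quoted string literal, and numeric columns are not "escaped" at all but cast. The following is an added example (not code from the thread) showing those rules with the mysqli extension, since the `mysql_*` functions used earlier in the thread were removed in PHP 7; the connection details and the `users` table are hypothetical.

```php
<?php
// Added example: building SQL as a string with mysqli_real_escape_string()
// without the usual mistakes. Connection details and table are hypothetical.
declare(strict_types=1);

$conn = new mysqli('db.example', 'app', 'secret', 'appdb'); // hypothetical connection
// The escaping rules depend on the connection charset, so fix it first.
$conn->set_charset('utf8mb4');

// Escaping only protects a value that sits inside a quoted literal, so the
// helper adds the quotes itself; the caller can't forget them.
function sql_str(mysqli $conn, string $value): string
{
    return "'" . $conn->real_escape_string($value) . "'";
}

// In an unquoted numeric context (WHERE id = ...) there is no quote for the
// escaper to act on, so escaping is the wrong tool: validate and cast instead.
function sql_int($value): string
{
    if (filter_var($value, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('not an integer');
    }
    return (string) (int) $value;
}

// Constructed sample input, standing in for $_POST.
$post = ['username' => "o'brien", 'itemid' => '17'];

$query = 'SELECT id FROM users WHERE username = ' . sql_str($conn, $post['username'])
       . ' AND itemid = ' . sql_int($post['itemid']);
// $query is now:  SELECT id FROM users WHERE username = 'o\'brien' AND itemid = 17
$result = $conn->query($query);

// The same insert the thread asks about, written with the two helpers.
$insert = 'INSERT INTO users (username, itemid) VALUES ('
        . sql_str($conn, $post['username']) . ', ' . sql_int($post['itemid']) . ')';
$conn->query($insert);
```

A recursive `sanitize($_POST)` pass like the one earlier in the thread escapes every value for one specific destination (a quoted SQL literal) at the moment it is read, so the same value is then wrong for any other use, such as being written back into an HTML form or compared in PHP. Escaping right where the SQL string is assembled, as above, or using a prepared statement, keeps the raw value available and applies the right transformation exactly once.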
