[How-To] PHP Security

It works in the same way as addslashes().

Code:
$query1 = mysql_query('SELECT * FROM users WHERE user=\'' . addslashes($_POST['username']) . '\' AND password=\'' . addslashes($_POST['password']) . '\'');

Code:
$query2 = mysql_query('SELECT * FROM users WHERE user=\'' . mysql_real_escape_string($_POST['username']) . '\' AND password=\'' . mysql_real_escape_string($_POST['password']) . '\'');
 
It's not the same as addslashes(), though, since it escapes some MySQL-specific stuff that addslashes() doesn't. mysql_real_escape_string() is different from mysql_escape_string() in that it pays attention to the character set of the database connection.
 
Inquisitor said:
So do I just do mysql_real_escape_string ($_POST['query'])
They make it look a lot more complicated on php.net :o


All the ones on the man page do is stripslashes if magic quotes is on - this is so that you don't end up with this:

Input: Hello "Gentlemen"; how are 'you'?
Magic Quotes: Hello \"Gentlemen\"; how are \'you\'?
mySQL Escaped: Hello \\"Gentlemen\\"; how are \\'you\\'?

:)
 
It is good practice to set error_reporting() to error_reporting(E_ALL) during development to show all errors, including missed variables etc...

Once your script goes live, it's advisable to turn all error reporting off to prevent people, or should I say "potential hackers", from getting any information about the error that occurred. To turn error_reporting off use: error_reporting(0).

Another useful function is trigger_error(), as it allows you to make your own error messages up. The good thing about it is that you can specify which error reporting level (error, warning or notice) that error applies to, so you don't need to go through your script changing loads of stuff. e.g.:

Code:
if (!$this->dbConn = @mysql_connect($this->host, $this->dbUser, $this->dbPass)) {
	trigger_error('Could not connect to database server', E_USER_ERROR);
} elseif (!@mysql_select_db($this->dbName, $this->dbConn)) {
	trigger_error('Could not select database', E_USER_ERROR);
}

If you used exit() or die() here the error message will always be displayed.

Using trigger_error, if error reporting is turned off, the error message shouldn't appear.
 
Got yet another question, regarding md5 hashing when storing passwords. :D

If md5 is a one-way 'encryption' method, then wouldn't that present a bit of a problem if the user forgot his/her password? :confused:
 
That's what I thought, but some websites will simply email you your password if you forget it, I assume that would use symmetric encryption like mcrypt? Is that ok to use for encrypting passwords?
 
Inquisitor said:
That's what I thought, but some websites will simply email you your password if you forget it, I assume that would use symmetric encryption like mcrypt? Is that ok to use for encrypting passwords?


No, it defeats the entire object of hashing them. If you can decode them with a simple PHP function, so can any attacker and then it becomes worthless.
 
Inquisitor said:
So how do these websites send the password back via email, assuming they're storing them securely? (I would have thought they were, as they're quite large websites)


Well they can't have hashed it, so they must store it in some form of reversible encryption, which means that an attacker could get everybody's passwords if they managed to get access to the database. It doesn't seem too serious, but if you think that almost everyone uses the same password for most of their sites then it's pretty serious.
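
How a site can keep one-way hashes and still handle a forgotten password, as an added example that is not part of any post in this thread: instead of mailing the stored password, it mails a single-use reset token. The function names and the in-memory $db array are hypothetical, and the sketch uses PHP's password_hash() in place of the md5() mentioned above.

```php
<?php
declare(strict_types=1);
// Added example. $db is a constructed in-memory stand-in for a users table.
function register_user(array &$db, string $user, string $password): void
{
    // Only a salted one-way hash is stored; the plaintext is never kept.
    $db[$user] = ['pw_hash' => password_hash($password, PASSWORD_DEFAULT),
                  'reset_hash' => null, 'reset_until' => 0];
}

function check_login(array $db, string $user, string $password): bool
{
    return isset($db[$user]) && password_verify($password, $db[$user]['pw_hash']);
}

// Forgotten password: the random token returned here is what gets emailed.
function start_reset(array &$db, string $user, int $now): ?string
{
    if (!isset($db[$user])) {
        return null;
    }
    $token = bin2hex(random_bytes(32));
    $db[$user]['reset_hash']  = hash('sha256', $token); // store the token hashed too
    $db[$user]['reset_until'] = $now + 3600;            // valid for one hour
    return $token;
}

function finish_reset(array &$db, string $user, string $token, string $newPw, int $now): bool
{
    $row = $db[$user] ?? null;
    if ($row === null || $row['reset_hash'] === null || $now > $row['reset_until']) {
        return false;
    }
    if (!hash_equals($row['reset_hash'], hash('sha256', $token))) {
        return false;
    }
    $db[$user]['pw_hash']    = password_hash($newPw, PASSWORD_DEFAULT);
    $db[$user]['reset_hash'] = null; // single use: the token cannot be replayed
    return true;
}

// Constructed demo run.
$db = [];
register_user($db, 'alice', 'old passphrase');
$token = start_reset($db, 'alice', time());
var_dump(finish_reset($db, 'alice', $token, 'new passphrase', time())); // first use of the token
var_dump(check_login($db, 'alice', 'new passphrase'));
var_dump(check_login($db, 'alice', 'old passphrase'));
var_dump(finish_reset($db, 'alice', $token, 'x', time()));              // same token again
```

Because only hashes of the password and of the token are stored, a copy of the table gives an attacker neither value directly.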
 
Could they not write their own encryption? For example a simple ROT-13 would leave the password unreadable if database access was gained. Obviously, they would use a cipher that's a little harder to break :p
 