<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Design Reviver &#187; Security</title>
	<atom:link href="http://designreviver.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://designreviver.com</link>
	<description></description>
	<lastBuildDate>Tue, 07 Feb 2012 14:15:49 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>Taking the Best Measure to Fortifying Your Scripts</title>
		<link>http://designreviver.com/articles/taking-the-best-measure-to-fortifying-your-scripts/</link>
		<comments>http://designreviver.com/articles/taking-the-best-measure-to-fortifying-your-scripts/#comments</comments>
		<pubDate>Fri, 16 Jul 2010 15:47:14 +0000</pubDate>
		<dc:creator>Joel Reyes</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[script]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://designreviver.com/?p=7942</guid>
		<description><![CDATA[No matter how hard we try, we always seem to forget to secure certain aspects of our scripts, whether it be an input field or data being inserted into a database. It would definitely be nice to fall back on security precautions that we implement into our scripts whether or not we have sanitized everything [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody"><p>No matter how hard we try, <strong>we always seem to forget to secure certain aspects of our scripts</strong>, whether it be an input field or data being inserted into a database. It would be nice to fall back on security precautions built into our scripts whether or not we have sanitized everything that needed it. Here are some tips and coding styles to achieve just that.<span id="more-7942"></span></p>
<h4>The Solution</h4>
<p><img src="http://designreviver.com/wp-content/uploads/2010/07/securescript-1.jpg" alt="" /></p>
<p>How much difference this solution makes depends on how large the script is. <strong>We generally know that the larger or more complicated the script is, the more we will miss when securing it.</strong> A precautionary solution automatically patches many things we may have forgotten to sanitize or secure.</p>
<p>For example, forms let users submit data that ends up in your database or other storage. Forms are the usual source of security flaws in scripts whose input is not properly sanitized, whether through ignorance or simple forgetfulness. Another commonly missed aspect is forgetting to sanitize <em>superglobals</em> such as $_POST, $_REQUEST, $_GET, and others.</p>
<p>Furthermore, a solution that performs the sanitization and takes security measures for us is an excellent fallback, as in many situations it does the patching work for us and buys us the time to create a permanent fix.</p>
<h4>Which Scripts Benefit the Most?</h4>
<p><img src="http://designreviver.com/wp-content/uploads/2010/07/securescript-2.jpg" alt="" /></p>
<p>Many scripts we create may be too small to bother developing a fallback component for, as the component may end up larger than the script itself, and in that case it is a waste of time. However, if you are developing <strong>a fairly large system</strong>, whether it hits the mainstream or not, spending the time to develop a fallback component will definitely be worthwhile, especially if the system handles transactions or is built around user-submitted data.</p>
<p>If your script falls into the too-small-to-bother category, you can still take precautions while developing it: test your work frequently for security flaws as you go along, and go over it multiple times. These measures apply to projects of any size, as checking your work is always worthwhile.</p>
<h4>Creating These Solutions</h4>
<p><img src="http://designreviver.com/wp-content/uploads/2010/07/securescript-3.jpg" alt="" /></p>
<p><strong>Creating a fallback component</strong> depends on your needs and your expectations of how it should function. It can be a complex solution that automatically detects the input type and sanitizes accordingly, or a simple one that applies a standard sanitization or security method throughout. Remember that these fallback solutions create temporary patches for certain security flaws until you can get in and create a permanent fix, so you should not rely on this component as your only means of sanitization and security.</p>
<p>When creating these solutions, classes are generally a good idea, as each one acts as the interface for one of your solutions. To make the idea concrete, I will briefly walk through a simple form handler class that applies a default sanitization method throughout.</p>
<p>Let us dive right into the way this form handler class is structured and the way it functions. It was designed to replace hand-written forms with its own infrastructure so that every form is handled securely. It lacks auto-detection of which security measures to take based on the user-submitted data; nevertheless, it takes basic precautions to ensure that the data being handled is not harmful.</p>
<h4>Examples and Best Practices</h4>
<p>Let us look at one of its methods, the text area handler:</p>
<pre><code>...
// loop over the attribute array passed to the handler
foreach($array as $key =&gt; $value)
{
    // identify each attribute by its key
    switch($key)
    {
        case 'name':
            $name = $value;
            break;

        case 'class':
            $class = $value;
            break;

        case 'id':
            $id = $value;
            break;

        case 'value':
            // the only field carrying user-supplied data is run through the sanitizer
            $i_value = $sanatize-&gt;specialTrim($value);
            break;

        case 'required':
            $required = $value;
            break;

        case 'label':
            $label = $value;
            break;

        case 'hint':
            $hint = $value;
            break;
    }
}
...</code></pre>
<p>As you may have noticed, <strong>it automatically sanitizes the user-submitted value</strong>; it is simple but effective. The snippet above checks every field a textarea can carry, so that unwanted fields are filtered out.</p>
<p>Another key aspect to this form handler class is the way it handles some of the <em>superglobals</em> mentioned earlier:</p>
<pre><code>public function post($parameter)
{
    // the parameter name is cleaned before it is used as a key into $_POST
    $cleanup = $this-&gt;stripBreak($parameter);
    // look the value up without error suppression; a missing key yields null
    $post = isset($_POST[$cleanup]) ? $_POST[$cleanup] : null;
    return $post;
}

/******
* @method public
* @return $_REQUEST
* @param string the $_REQUEST param which is sanitized
* This handles the $_REQUEST variable which also sanitizes its value
*/

public function request($parameter)
{
    $cleanup = $this-&gt;stripTags($parameter);
    // the original excerpt ends at the line above; the lookup is completed here by analogy with post()
    $request = isset($_REQUEST[$cleanup]) ? $_REQUEST[$cleanup] : null;
    return $request;
}</code></pre>
</div>]]></content:encoded>
			<wfw:commentRss>http://designreviver.com/articles/taking-the-best-measure-to-fortifying-your-scripts/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Valuable Tips for Locking Down Your WordPress Website</title>
		<link>http://designreviver.com/articles/valuable-tips-for-locking-down-your-wordpress-website/</link>
		<comments>http://designreviver.com/articles/valuable-tips-for-locking-down-your-wordpress-website/#comments</comments>
		<pubDate>Wed, 16 Sep 2009 19:00:29 +0000</pubDate>
		<dc:creator>Joel Reyes</dc:creator>
				<category><![CDATA[Articles]]></category>
		<category><![CDATA[Tips]]></category>
		<category><![CDATA[code]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[wordpress]]></category>

		<guid isPermaLink="false">http://designreviver.com/?p=2729</guid>
		<description><![CDATA[There are a variety of Content Management Systems (CMS) that can fulfill many of your site's needs, however, WordPress is usually recommended as the leading publishing platform. With popularity comes vulnerability and WordPress sites are usually open to all sorts of potential attacks from hackers, spammers, and other mal-intentioned Internet users trying to compromise the [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody"><p>There are a variety of <strong>Content Management Systems (CMS)</strong> that can fulfill many of your site's needs; however, <strong>WordPress</strong> is usually recommended as the leading publishing platform. With popularity comes vulnerability, and WordPress sites are usually open to all sorts of potential attacks from hackers, spammers, and other mal-intentioned Internet users trying to compromise the security of your WordPress environment.<br />
<span id="more-2729"></span><br />
Below we&#8217;ve compiled a few Valuable Tips for Locking Down Your WordPress Website allowing you to add several layers of security to your site.</p>
<h2>Update WordPress</h2>
<p>It might seem basic and obvious, but a surprising number of WordPress users forget to update their site. If you are in need of an update and you&#8217;re super-security-conscious, don&#8217;t upgrade to the next big release right away: have a little patience, wait for the bug fixes to come in, and then install it. This will save you tons of headaches, as you&#8217;re otherwise likely to end up fixing flaws yourself if they haven&#8217;t yet been exploited on a large scale.</p>
<p>Truthfully speaking, you&#8217;re taking unnecessary risks by not updating, so if you have a WordPress installation that is at least two versions old, update it as soon as possible. It takes just about 5 minutes according to WordPress.</p>
<h2>Back-Up Your MySQL Database on a Regular Basis</h2>
<p>Backing up your site files and database should be at the top of your list. Back up your MySQL database regularly by exporting your MySQL data as a <strong>.sql</strong> file and storing it in a safe location. Since it&#8217;s easy to forget to back up on a regular basis, it&#8217;s much easier to automate this task.</p>
<p>Download and use the plugin called <a href="http://redirectingat.com?id=356X662675&xs=1&url=http%3A%2F%2Fwww.ilfilosofo.com%2Fblog%2Fwp-db-backup%2F&sref=rss"><strong>WordPress Database Backup</strong></a> to automate your backups. This plugin lets you automate your backup at hourly, daily, weekly, and monthly intervals. There is a large variety of tools for database backup automation; it is worth exploring them and making a selection based on overall performance and effectiveness.</p>
<h2>Using a Strong Password</h2>
<p>Using a password that&#8217;s merely easy to remember and has no complex structure is one of the main reasons a WordPress site gets hijacked. A complex password is probably one of the easiest and most overlooked preventative steps you can take towards improving the security of your WordPress install. There are several tools available that gauge the complexity of your password, one of them being Microsoft&#8217;s free web-based tool called <a href="http://redirectingat.com?id=356X662675&xs=1&url=http%3A%2F%2Fwww.microsoft.com%2Fprotect%2Fyourself%2Fpassword%2Fchecker.mspx&sref=rss"><strong>Password checker</strong></a>.</p>
<h2>The Security &amp; Integrity of Your wp-admin Folder</h2>
<p>It&#8217;s no question that the <strong>wp-admin</strong> folder is a key component of your WordPress install. This folder contains all of the elements of design and functionality that deal with the administration side of your site. If for any reason the security of the files in this folder were compromised, an awful lot of bad things could happen to your WordPress installation, as well as your domain.</p>
<p>You can prevent a breach of the wp-admin folder by limiting the IP addresses that can access it via an <em>.htaccess file</em> (for Apache web servers). Start by creating a new blank document in any text or source code editor and save it with the name <strong><em>.htaccess</em></strong>.</p>
<pre><code># Apache 2.2 mod_access syntax (Apache 2.4 uses "Require ip ..." instead);
# comments must sit on their own line, and "Deny,Allow" takes no space
Order Deny,Allow
# replace 203.0.113.5 with your own IP address (example value)
Allow from 203.0.113.5
Deny from all</code></pre>
<p>Finalize this step by saving the file and placing it inside your wp-admin folder. This will tighten the security of your wp-admin folder along with the integrity of your site.</p>
<h2>Secure Connections to Your WordPress Admin Pages</h2>
<p>Another technique that will allow you to lock in the security of your site is logging into your <strong>WordPress Admin Panel</strong> over encrypted SSL connections. If your host doesn&#8217;t include an SSL certificate with your plan, one is well worth the investment. As soon as you&#8217;ve obtained your SSL certificate, run your sessions over <strong>https:// instead of http://</strong> by forcing SSL connections on admin-related pages and functions.</p>
<p>You will also have to access your <strong>wp-config</strong> file and insert the following code:</p>
<pre><code>define('FORCE_SSL_ADMIN', true);</code></pre>
<h2>Hiding Your Current WordPress Version</h2>
<p>Many WordPress themes display the current WordPress version in their source code. Having this information publicly available makes it easy for attackers to exploit known vulnerabilities specific to that WordPress version. To remove it from your source code, open your theme’s <strong>header.php</strong> file, search for a line of code that looks similar to the following code block, and remove it:</p>
<p><img class="alignnone size-full wp-image-2732" src="http://designreviver.com/wp-content/uploads/2009/09/code-block-01.jpg" alt="code block-01" width="518" height="60" /></p>
<h2>Using SFTP instead of FTP</h2>
<p>Contrary to what many believe, <strong>FTP</strong> isn’t as secure as you may think. When you use an FTP application to connect to your site, you send your password in plain, readable text every single time you log in. If a hacker wanted to ‘listen in’ and intercept that information, it wouldn&#8217;t be a far-fetched task for them to succeed.</p>
<p>You can fix this issue by using the <strong>Secure File Transfer Protocol (SFTP)</strong> instead of FTP from the moment you decide to access your site. Its simplicity is beyond FTP, and a few web hosts have this turned on by default (2Eleven). If your host does not provide it by default, ask your hosting company which port number to use for SFTP, then change the settings in your FTP application.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://designreviver.com/articles/valuable-tips-for-locking-down-your-wordpress-website/feed/</wfw:commentRss>
		<slash:comments>15</slash:comments>
		</item>
		<item>
		<title>PHP Security: Guidelines to Lock Down Your Website</title>
		<link>http://designreviver.com/tips/php-security-guidelines-to-lock-down-your-website/</link>
		<comments>http://designreviver.com/tips/php-security-guidelines-to-lock-down-your-website/#comments</comments>
		<pubDate>Wed, 01 Jul 2009 19:00:15 +0000</pubDate>
		<dc:creator>Joel Reyes</dc:creator>
				<category><![CDATA[Tips]]></category>
		<category><![CDATA[attacks]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[php]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[xss]]></category>

		<guid isPermaLink="false">http://designreviver.com/?p=1118</guid>
		<description><![CDATA[Security has always been a concern of web developers. No site is safe from hacking attempts. Developers need to take precautions when building their applications so that they don’t become the victim of a hacking attempt. There are a number of things PHP programmers can do to prevent these kinds of attacks. What Is XSS? [...]]]></description>
			<content:encoded><![CDATA[<div class="KonaBody"><p>Security has always been a concern of web developers. No site is safe from hacking attempts. Developers need to take precautions when building their applications so that they don’t become the victim of a hacking attempt. There are a number of things PHP programmers can do to prevent these kinds of attacks.</p>
<p><span id="more-1118"></span></p>
<h2><strong>What Is XSS? </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php2.jpg"><img class="alignnone size-full wp-image-1119" src="http://designreviver.com/wp-content/uploads/2009/06/php2.jpg" alt="" width="500" height="300" /></a></p>
<p>XSS stands for Cross-Site Scripting, and it is the most common technique for attacking a website. Most of the tips we will be talking about today are designed to prevent XSS attacks on your site. XSS is when someone injects code into your website and gets it to execute; this can be used for a variety of malicious purposes.</p>
<p>Here is an example of a simple XSS attack I was able to perform on my site. I noticed that my user name was contained inside a tag on my profile page. I changed my user name to this:</p>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php1.jpg"><img class="alignnone size-full wp-image-1120" src="http://designreviver.com/wp-content/uploads/2009/06/php1.jpg" alt="" width="458" height="60" /></a></p>
<p>This caused an alert to fire every time someone opened my profile page. It would not have been difficult for me to import an external JavaScript file, or to write one that did something more malicious.</p>
<p><a href="http://redirectingat.com?id=356X662675&xs=1&url=http%3A%2F%2Fha.ckers.org%2Fxss.html&sref=rss" target="_new"> List of common XSS exploits </a></p>
<h2><strong>Sanitizing Input </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php3.jpg"><img class="alignnone size-full wp-image-1121" src="http://designreviver.com/wp-content/uploads/2009/06/php3.jpg" alt="" width="500" height="300" /></a></p>
<p>Most XSS attacks come from manipulating a site&#8217;s input. Input comes in two forms: form data and GET variables. You need to take care to properly sanitize these inputs before doing anything else with them. Here are a few things you can do to make sure the input you receive is safe:</p>
<h2><strong>Use PHP&#8217;s addslashes Function </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php4.png"><img class="alignnone size-full wp-image-1122" src="http://designreviver.com/wp-content/uploads/2009/06/php4.png" alt="" width="500" height="300" /></a></p>
<p>This is a very simple thing you can do to help prevent attacks: simply run all of your input through PHP&#8217;s addslashes function. The slashes escape characters that could otherwise be dangerous.</p>
<h2><strong>Use the strip_tags Function </strong></h2>
<p>strip_tags() is another handy PHP function that can help sanitize input. You also have the option of allowing certain tags, so if you have a page where users should be allowed to use some HTML (for example, a blog post) you can still allow them to use some tags. However, be wary of allowing particularly dangerous tags, such as &lt;script&gt; or &lt;iframe&gt;.</p>
<h2><strong>Remove JavaScript From Input </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php5.jpg"><img class="alignnone size-full wp-image-1123" src="http://designreviver.com/wp-content/uploads/2009/06/php5.jpg" alt="" width="500" height="300" /></a></p>
<p>Using regular expressions, we can make sure that no JavaScript gets through to execute. While using strip_tags to remove tags can take care of some JavaScript, it doesn&#8217;t handle instances where people put a JavaScript event on another tag, such as an &lt;a&gt; tag. Below is a simple function that removes JavaScript from the input it is given, using regular expressions:</p>
<pre><code>function removeJavaScript($input) {
    // remove &lt;script&gt;...&lt;/script&gt; blocks; the tag name was lost from the
    // page's own listing and is restored here. Inline event attributes such
    // as onclick on other tags are not touched by this pattern.
    return preg_replace('#&lt;script[^&gt;]*&gt;.*?&lt;/script&gt;#is', '', $input);
}</code></pre>
<h2><strong>Remove Flash From Input </strong></h2>
<p>Much like JavaScript, Flash can also be embedded via XSS and used for malicious purposes. Below is another function, which will strip Flash from the input given:</p>
<pre><code>function removeFlash($input) {
    // remove an opening &lt;object tag together with the attribute characters that follow it
    return preg_replace("/&lt;object[0-9 a-z_?*=\":\-\/\.#\,\\n\\r\\t]+/smi", "", $input);
}</code></pre>
<h2><strong>Putting It All Together </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php6.jpg"><img class="alignnone size-full wp-image-1124" src="http://designreviver.com/wp-content/uploads/2009/06/php6.jpg" alt="" width="500" height="300" /></a></p>
<p>Below is a handy function I&#8217;ve written that can handle all of the above methods of cleaning input. It also gives you the option of allowing JavaScript, Flash, or certain HTML tags:</p>
<pre><code>function sanitizeInput($input, $allowedTags = "", $allowJavaScript = false, $allowFlash = false) {
    // strip every tag except the ones explicitly allowed
    $input = strip_tags($input, $allowedTags);
    if (!$allowJavaScript) {
        // remove &lt;script&gt;...&lt;/script&gt; blocks (tag name restored; it was lost from the page's listing)
        $input = preg_replace('#&lt;script[^&gt;]*&gt;.*?&lt;/script&gt;#is', '', $input);
    }
    if (!$allowFlash) {
        // remove opening &lt;object tags and their attributes
        $input = preg_replace("/&lt;object[0-9 a-z_?*=\":\-\/\.#\,\\n\\r\\t]+/smi", "", $input);
    }
    return $input;
}</code></pre>
<h2><strong>Check The Referring Page </strong></h2>
<p>Any server can send a request to your site, and this can be dangerous. One way of making sure input is coming from where it is supposed to is to use the $_SERVER array in PHP and check what the referring site is. Because the referrer is supplied by the client and may be missing or forged, a stronger check is to add unique keys to forms and some pages to make sure that the input you receive is coming from a reliable source.</p>
<p>NETTuts has a great tutorial on this: <a href="http://redirectingat.com?id=356X662675&xs=1&url=http%3A%2F%2Fnet.tutsplus.com%2Ftutorials%2Fphp%2Fsecure-your-forms-with-form-keys%2F&sref=rss"> Secure Your Forms with Form Keys </a></p>
<h2><strong>Using Encryption </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php7.jpg"><img class="alignnone size-full wp-image-1127" src="http://designreviver.com/wp-content/uploads/2009/06/php7.jpg" alt="" width="500" height="300" /></a></p>
<p>One of the biggest no-nos in all of web programming is storing sensitive information in plain text inside a database. Passwords, social security numbers, and credit card numbers are very common pieces of data that should never be stored in plain text. It is a disservice to the users of your site, because if your database were ever compromised, you would have put your users, in addition to yourself, at risk.</p>
<p>PHP&#8217;s md5 and crypt functions are the usual tools for storing passwords as one-way hashes rather than plain text. crypt accepts a salt, which makes the stored hashes harder to attack, while md5 does not. Here is an example of how to hash passwords with the crypt function, and how to verify them when a user tries to log on:</p>
<pre><code>// hash the submitted password with a salt; store $safePassword (and keep the salt)
$input = $_POST['password'];
$salt  = "makeThisSecure";
// note: a plain string like this is not one of crypt's modern salt formats, so PHP
// falls back to the legacy DES scheme using its first two characters, which is weak
$safePassword = crypt($input, $salt);

// to verify a login attempt, hash the attempt with the same salt and compare
$password_attempt = "password";
if (crypt($password_attempt, $salt) === $safePassword) {
    // log the user in
}</code></pre>
<h2><strong>Using CAPTCHAs </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php8.png"><img class="alignnone size-full wp-image-1125" src="http://designreviver.com/wp-content/uploads/2009/06/php8.png" alt="" width="500" height="300" /></a></p>
<p>If you have any kind of form that does not require a user to be logged in, using CAPTCHAs is a good way to prevent spam bots from inputting bogus information. There are a lot of good CAPTCHA scripts freely available, such as <a href="http://redirectingat.com?id=356X662675&xs=1&url=http%3A%2F%2Fwww.phpcaptcha.org%2F&sref=rss" target="_new">www.phpcaptcha.org/</a>, and here is a <a href="http://redirectingat.com?id=356X662675&xs=1&url=http%3A%2F%2Fwww.codewalkers.com%2Fc%2Fa%2FMiscellaneous%2FCreating-a-CAPTCHA-with-PHP%2F&sref=rss" target="_new">tutorial on how to create your own CAPTCHA</a>.</p>
<h2><strong>Have Secure Passwords </strong></h2>
<p><a href="http://designreviver.com/wp-content/uploads/2009/06/php9.jpg"><img class="alignnone size-full wp-image-1126" src="http://designreviver.com/wp-content/uploads/2009/06/php9.jpg" alt="" width="500" height="300" /></a></p>
<p>A number of hacking attempts succeed because people do not have strong passwords. Even Twitter fell victim to this not long ago (link to article). Make sure that your password has a good mix of letters, numbers, and symbols, and that it isn&#8217;t a word that can be found in the dictionary. This includes passwords that are common words but are spelled in &#8216;leet speak&#8217;, for example drag0n.</p>
<p>If you take these steps, you should have a much more secure web application. It can sometimes be a hassle to update existing projects, but it is nothing compared to the headache you will suffer if you don&#8217;t, and become the victim of an attack.  It is important that you don&#8217;t think of securing an application as an afterthought, but instead something that is part of your regular development process.</p>
</div>]]></content:encoded>
			<wfw:commentRss>http://designreviver.com/tips/php-security-guidelines-to-lock-down-your-website/feed/</wfw:commentRss>
		<slash:comments>20</slash:comments>
		</item>
	</channel>
</rss>

