The one major flaw in the article is that it suggests input validation is enough protection. This is not the case.
He notes that their solution just isn't enough to really protect your scripts. He also corrects the article where it calls mysql_real_escape_string a good secondary line of defense, suggesting instead that you always use it: it is a far more reliable way to escape potentially harmful characters than a regular expression of your own devising (and, unlike a regex, it knows the connection's character set). Note that it escapes, it does not remove, and the escaped value still has to be placed inside quotes in the query.
On DevShed today there's a new tutorial looking at a method for protecting your MySQL/PHP application's forms from malicious attacks like SQL injection.
It has been known for a while that if a form is unsecured, malicious code in the form of MySQL injection will be initiated to attack the site. HTML forms such as drop-down menus, search boxes and check boxes are all susceptible entry points for this type of abuse. This article will explain what happens in this kind of attack, and how to prevent it.
On the PHPFreaks.com website there's a new article looking at one way to help protect your website from those evil doers out there looking to cause you and your data harm - PHP-IDS.
PHPIDS (PHP-Intrusion Detection System) is a simple-to-use, well-structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. [...] In a nutshell PHPIDS is an advanced intrusion detection system written with performance on a large scale in mind. The basic installation and configuration is pretty straightforward.
They (briefly) step you through the installation and configuration of the tool and provide a sample script to get the ball rolling - a file that can be set as the auto_prepend_file for all scripts run on your Apache server so that every incoming request is inspected and logged before the application sees it (remember that PHPIDS only detects and reports; it does not filter).
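As an added illustration (this is not the PHPFreaks sample nor code shipped by the PHPIDS project), here is what such a prepend file looks like using the PHPIDS 0.5-era API (IDS_Init, IDS_Monitor, IDS_Report). The install path /opt/phpids, the impact threshold of 25 and the choice to log rather than block below that threshold are assumptions for the example; adjust them to your deployment.

```php
<?php
// auto_prepend.php: run PHPIDS against every request before the real script executes.
// Wire it in via php.ini   (auto_prepend_file = /opt/phpids/auto_prepend.php)
// or an Apache <Directory>: php_value auto_prepend_file /opt/phpids/auto_prepend.php
// ASSUMPTION: PHPIDS is unpacked at /opt/phpids (lib/IDS/...) with its default Config.ini.

set_include_path(get_include_path() . PATH_SEPARATOR . '/opt/phpids/lib');
require_once 'IDS/Init.php';

// Hand the IDS the same superglobals the application will read.
$request = array(
    'REQUEST' => $_REQUEST,
    'GET'     => $_GET,
    'POST'    => $_POST,
    'COOKIE'  => $_COOKIE,
);

try {
    $init   = IDS_Init::init('/opt/phpids/lib/IDS/Config/Config.ini');
    $ids    = new IDS_Monitor($request, $init);
    $result = $ids->run();                       // IDS_Report

    if (!$result->isEmpty()) {
        // Nothing is stripped or sanitized; we only decide how to react.
        $impact = $result->getImpact();          // summed severity of all matched filters
        foreach ($result as $event) {
            // $event->getName() is the parameter (e.g. "GET.q"), getTags() the attack classes
            error_log(sprintf('PHPIDS impact=%d param=%s tags=%s ip=%s',
                $impact,
                $event->getName(),
                implode(',', $event->getTags()),
                isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-'));
        }
        // Illustrative policy (assumed threshold): log low-impact noise, refuse the rest.
        if ($impact >= 25) {
            header('HTTP/1.1 403 Forbidden');
            exit('Request rejected.');
        }
    }
} catch (Exception $e) {
    // A mis-installed IDS must not take the whole site down: fail open, but record it
    // so the gap is noticed. Change to exit() if you would rather fail closed.
    error_log('PHPIDS error: ' . $e->getMessage());
}
```

The threshold is the part to tune: run it in log-only mode first, look at the impact values real traffic produces, then pick a cut-off. Keep a way to see the events (the file logger that ships with PHPIDS, or error_log as here), otherwise the "detection" part of IDS is wasted.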
The PHP Group has officially released the next version in the PHP 5.2.x series, fixing the regression that caused PHP 5.2.7 to be pulled - version 5.2.8:
The PHP development team would like to announce the immediate availability of PHP 5.2.8. This release addresses a regression introduced by 5.2.7 in regard to the magic_quotes functionality, that was broken by an incorrect fix to the filter extension. All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively you can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.
You can download this latest release from the downloads page on the main php.net website or from your favorite local mirror.
From an important notice posted on the main PHP.net page - a bug has been found with PHP 5.2.7 and it has been "recalled":
Due to a security bug found in the PHP 5.2.7 release, it has been removed from distribution. The bug affects configurations where magic_quotes_gpc is enabled, because it remains off even when set to on. In the meantime, use PHP 5.2.6 until PHP 5.2.8 is later released.
The 5.2.7 downloads have been removed from the downloads page but you can now redownload the PHP 5.2.6 source and binaries if you need them.
You can also find out more about the issue in this post on Stefan Esser's blog
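Because the 5.2.7 bug made get_magic_quotes_gpc() report "on" while request data arrived unescaped, code that trusted that function (or trusted magic quotes as its only escaping) became injectable without any visible error. The following probe, added here and not part of either PHP announcement, checks that the engine's claim matches what actually arrived, and then normalises the superglobals so the application never depends on the setting either way. The parameter name q and the probe value O'Reilly are assumptions for the example. (magic_quotes_gpc was deprecated in PHP 5.3 and removed in 5.4; the normalising half is the part worth keeping.)

```php
<?php
// magic_quotes_probe.php: verify magic_quotes_gpc is really doing what the ini says,
// then make the application independent of it.
// Call it as:  magic_quotes_probe.php?q=O'Reilly   (assumed probe parameter and value)

// Returns true when what the engine reports (get_magic_quotes_gpc) matches what
// actually arrived in $_GET, false when they disagree (the 5.2.7 situation),
// and null when the probe parameter was not supplied.
function magic_quotes_consistent(array $get)
{
    if (!isset($get['q'])) {
        return null;
    }
    $reported = (bool) get_magic_quotes_gpc();
    $applied  = ($get['q'] === "O\\'Reilly");   // the escaped form the setting would produce
    return $reported === $applied;
}

// Recursively undo magic quotes so the rest of the code always sees raw input and
// does its own escaping (mysql_real_escape_string or, better, prepared statements).
function strip_magic_quotes($value)
{
    return is_array($value)
        ? array_map('strip_magic_quotes', $value)
        : stripslashes($value);
}

$consistent = magic_quotes_consistent($_GET);
if ($consistent === false) {
    error_log(sprintf(
        'magic_quotes_gpc reported %s but request data disagrees; PHP %s, filter.default_flags=%s',
        get_magic_quotes_gpc() ? 'on' : 'off',
        PHP_VERSION,
        ini_get('filter.default_flags')
    ));
}

if (get_magic_quotes_gpc()) {
    $_GET     = strip_magic_quotes($_GET);
    $_POST    = strip_magic_quotes($_POST);
    $_COOKIE  = strip_magic_quotes($_COOKIE);
    $_REQUEST = strip_magic_quotes($_REQUEST);
}
```

Run the probe once after every PHP upgrade: a false result means your escaping assumptions no longer hold, whichever direction the mismatch goes.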
NOTE: This release has been recalled due to a security bug found involving magic_quotes_gpc.
The latest version in the PHP 5.2.x series has been released today - PHP 5.2.7:
The PHP development team would like to announce the immediate availability of PHP 5.2.7. This release focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes, several of which are security related. All users of PHP are encouraged to upgrade to this release.
These security updates include an update of the bundled PCRE version, a fix for an incorrect php_value evaluation order in the Apache configuration, a fix for a possible overflow in memnstr and more. Check out the full Changelog for more information on these updates and improvements. You can download this latest update from the PHP.net website (or your favorite mirror).
DevShed finishes off their series on database security in PHP applications with this look at protecting your application and data from the threat of SQL injections.
In this article we will continue to explore various attacks that can be made on a database and how to prevent these attacks. We will also build the last page of our site.
Their example script is a login for a secured area of the site and contains a possible place for an injection - non-validated user input. With something as simple as making the username a single quote, an attacker can provoke a MySQL error that reveals your query structure and use that to get further into your systems. To avoid it, they recommend escaping input with the mysql_real_escape_string function as a first line of defense (the escaped value still has to be wrapped in quotes in the query; prepared statements avoid the problem altogether).
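To make the failure concrete for both the form-injection tutorial above and this login script, here is an added example (not DevShed's code) of the same login lookup written three ways: concatenated, escaped, and as a prepared statement. It uses PDO with an in-memory SQLite table so it runs offline (the pdo_sqlite extension is assumed); the injection behaves identically on MySQL, where PDO::quote() corresponds to mysql_real_escape_string(). The user table, the stored plaintext password (kept only to mirror the article's check; real code stores a hash) and the attacker inputs are constructed for the example.

```php
<?php
// Login lookup three ways against a constructed in-memory table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);   // make SQL errors visible
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('alice', 'correct horse')");

// 1. Vulnerable: user input becomes part of the SQL text.
function login_vulnerable(PDO $db, $user, $pass)
{
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchColumn();
}

// 2. Escaped: quotes inside the input are escaped AND the value is wrapped in quotes.
//    PDO::quote() plays the role mysql_real_escape_string() plays in the article;
//    forget the surrounding quotes (e.g. a numeric id) and escaping no longer helps.
function login_escaped(PDO $db, $user, $pass)
{
    $sql = 'SELECT id FROM users WHERE username = ' . $db->quote($user)
         . ' AND password = ' . $db->quote($pass);
    return $db->query($sql)->fetchColumn();
}

// 3. Prepared statement: query structure and data never share a string.
function login_prepared(PDO $db, $user, $pass)
{
    $stmt = $db->prepare('SELECT id FROM users WHERE username = ? AND password = ?');
    $stmt->execute(array($user, $pass));
    return $stmt->fetchColumn();
}

// Constructed attacker input: closes the string and comments out the password check,
// so the vulnerable query finds alice's row even though the password is wrong;
// the other two variants find no such username.
$user = "alice' -- ";
$pass = 'wrong';
foreach (array('vulnerable', 'escaped', 'prepared') as $variant) {
    $fn = 'login_' . $variant;
    $id = $fn($db, $user, $pass);
    echo str_pad($variant, 11), ($id === false ? 'login denied' : "logged in as id $id"), "\n";
}

// The article's probe, a bare single quote: the vulnerable query produces a syntax
// error (which, if shown to the user, leaks the query structure); the others deny.
try {
    login_vulnerable($db, "'", '');
} catch (PDOException $e) {
    echo "vulnerable query error: ", $e->getMessage(), "\n";
}
echo 'escaped  : ', login_escaped($db, "'", '') === false ? 'denied' : 'granted', "\n";
echo 'prepared : ', login_prepared($db, "'", '') === false ? 'denied' : 'granted', "\n";
```

Two things to take from this: escaping is only correct when the escaped value sits inside quotes in the query, and the error message from the bare-quote probe is exactly what an attacker is fishing for, so display a generic message and log the real one.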
DevShed continues their look at security in (PHP) web applications in this next-to-last part of their series - it focuses on database and password security.
In this article we will discuss security for databases accessed through the Internet. We will also examine the issue of password management, since handling that task properly will help us make our web site and its applications more secure.
They continue to use their "Internet cafe" application as an example to show proper escaping practices and the creation of a password management script (including validation of the password's format), and they include a full listing of the code so far.
DevShed continues their look at web application security with part six of the series - a look at creating a registration form your site's visitors can use to create accounts/logins.
In this article we will be exploring the registration script of our site. This script is responsible for registering new users for the website. We will also be looking at database security; since the registration script also uses a database table, we will implement some of the concepts that we will be discussing.
Their example is relatively simple - it checks to ensure that none of the fields are empty, that one password matches the other and that the email address is in a valid format (using a regular expression). If it passes completely, the record is inserted into a MySQL database table that stores current user information. Keep in mind the caveat from earlier in the week: these checks validate the shape of the data, they do not make the INSERT safe by themselves.
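As an added example (not the DevShed script), the same three checks written as one server-side function that returns a list of problems rather than dying on the first one, plus a username format check. The field names (username, email, password, password2) and the two sample submissions are assumptions constructed for the example; filter_var() with FILTER_VALIDATE_EMAIL (PHP 5.2+) stands in for a hand-written e-mail regex.

```php
<?php
// Server-side validation for a registration form: nothing empty, passwords match,
// e-mail well-formed, username restricted to a known alphabet.
// Returns an array of error messages; an empty array means the data may be stored
// (still via escaping or a prepared statement: this is format checking, not injection defence).
function validate_registration(array $post)
{
    $errors = array();
    $fields = array('username', 'email', 'password', 'password2');   // assumed field names

    foreach ($fields as $f) {
        // trim() so a field containing only spaces does not pass the "not empty" test
        if (!isset($post[$f]) || trim($post[$f]) === '') {
            $errors[] = "$f must not be empty";
        }
    }
    if ($errors) {
        return $errors;                      // the checks below assume every field exists
    }

    if ($post['password'] !== $post['password2']) {
        $errors[] = 'passwords do not match';
    }
    if (strlen($post['password']) < 8) {
        $errors[] = 'password must be at least 8 characters';
    }

    // filter_var() (PHP 5.2+) replaces the home-grown e-mail regex.
    if (filter_var($post['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'e-mail address is not valid';
    }

    // A whitelist of characters is the one kind of regex worth writing yourself:
    // it rejects quotes and other metacharacters outright instead of trying to escape them.
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $post['username'])) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    return $errors;
}

// Constructed sample submissions.
$submissions = array(
    'good' => array('username' => 'alice',    'email' => 'alice@example.com',
                    'password' => 'correct horse', 'password2' => 'correct horse'),
    'bad'  => array('username' => "bob' --",  'email' => 'not-an-address',
                    'password' => 'a',        'password2' => 'b'),
);
foreach ($submissions as $label => $post) {
    $errors = validate_registration($post);
    echo $label, ': ', $errors ? implode('; ', $errors) : 'ok', "\n";
}
```

Returning every error at once is friendlier to the user and, more importantly, means the code path that writes to the database is reached only from one place, after all checks have passed.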
In this new tutorial from DevShed, they continue the series looking at developing a simple web application with security being one of its primary goals.
In the last article we started to build our site and then continued to explore the login script. In this article we will continue to explore the script but will also discuss in detail the process of authentication and its security implications. We will eventually look at some of the common attacks that are perpetrated by malicious users.
This fourth part of the series adds the authentication piece to the puzzle - a simple system that does some form validation and checks the input against a MySQL table (users). Full code explanation and example usage is included.