Security, security, security! - My Forums

Re: Security, security, security!

goldsky — Mar 01, 2012, 04:48 AM

Tutorial covers Cross Site Scripting (XSS), Cross Site Forgery Requests (CSFR), SQL Injection, globals, and much more!
http://videos.code2design.com/video/play/PHP/11

Re: Security, security, security!

goldsky — Aug 01, 2011, 10:25 AM

exactly.

Ow, one more thing.
Just be careful when you’re filtering numbers.
Price uses float number.

Re: Security, security, security!

polrbear — Aug 01, 2011, 08:49 AM

Okay, I think the light is beginning to break here. Correct me if I’m wrong: As long as my script is a snippet that loads through index.php, i.e. through MODx itself, and cannot be accessed directly, MODx handles essential sanitization of $_POST (with the capability to allow special characters in $_POST if desired, which I have disabled in system settings). Beyond that, we’re looking at other potential security issues with PHP scripts - not $_POST exploits.

Actually the only 3rd-party classes coming into play here, apart from the aforementioned Authorize SDK, are those provided by Visioncart team. I have modified their fledgling Authorize module some - changing $_REQUEST to $_POST for one less attack vector.

Re: Security, security, security!

goldsky — Jul 31, 2011, 10:26 PM

As opengeek has mentioned above, MODx itself sanitizes all the requests trough its index.php gateway, with an option.

What I mean about ’3rd party’ is the part of your scripts that does not belong to MODx (+extras) and your own script.
I’ve never used http://developer.authorize.net/ , but keep your eyes on their security notifications.
To simplify your work, you can use some ready-to-use 3rd party classes to sanitize your input.
I’ve used htmLawed.

I bet you’re using other scripts for several purposes, like Member Management, or Newsletter.
If you’re using those scripts that you find from internet (like from http://phpclasses.org), audit the code.

Or, are you asking about the ’webroot’?

Re: Security, security, security!

polrbear — Jul 30, 2011, 09:36 AM

I’m not using any AJAX and my third-party script is just the Authorize SDK. Could you dumb down your other points a little? I’m kinda lost :p

Re: Security, security, security!

goldsky — Jul 30, 2011, 01:53 AM

That’s depends on the whole script, though.

If it’s placed on the webroot, you should check the access validation to the direct file.
Especially if you’re using any AJAX processor file.

If you’re using 3rd party classes, check them too.

Re: Security, security, security!

polrbear — Jul 29, 2011, 03:36 PM

Quote from: goldsky at Apr 05, 2011, 02:22 PM

sanitize($_POST);
$_POST = array();
$_POST = sanitizedPosts;                      // also can be done

Somewhat new to PHP security issues here. I am building on the Authorize.net payment form for Visioncart, and I want to make sure my code is secure against any kind of script injection badness etc. The credit card form is processed and validated through Formit. Should simply doing recursive sanitizing on $_POST as in this example, called as a preHook, give me a pretty good wall of protection in principle? I realize this question may be too general to answer and I can post specific code if that would help.

Re: Security, security, security!

goldsky — May 05, 2011, 06:28 AM

More tips on using $_GET:

If you use $_GET in your scripts,

try to encode it (eg: base64_encode) + use hash if you need to.
Salting the value is also very useful, especially if the Salt is not a static value, but a random string that is stored inside the database, which is different to each installed site.

$_GET is a common hole for the hacker to break your site.

That’s also applied to the Ajax processor/controller files.

Re: Security, security, security!

goldsky — Apr 07, 2011, 11:05 AM

@OpenGeek,
That’s for the $_POST.
How about the $_GET (let’s say, for the AJAX connector) ?

Re: Security, security, security!

opengeek — Apr 05, 2011, 11:49 AM

Everyone knows that the GPC variables can already be sanitized on any request that goes through the MODX front-end gateway (i.e. index.php), right? You do not necessarily need to apply this manually (see NOTE below). In addition, if you use the MODX objects/API to make changes to the database, that will also be automatically quoted via PDO prepared statement bindings, e.g.

getObject('myClass', $myPK);
if ($myObject) {
    /* fromArray() calls set() for each $_POST var that matches a field in your object */
    $myObject->fromArray($_POST);
    /* save() uses prepared statement bindings to automatically quote the values being sent to the db */
    $myObject->save();
}

But remember, this is just basic sanitization—it is still up to you to define what is and what isn’t valid user input based on specific usage requirements. What if you need to allow some HTML tags? There is a gray area between security and validation here, but a solid combination of both, along with making sure anything that is output back to the user contains nothing that can be exploited (e.g. XSS injection) should always be the goal.

NOTE: There is a System Setting, allow_tags_in_post to allow MODX and HTML tags in the $_POST variable which is enabled by default. To not allow this, for instance in the front-end of your website, you can add this as a Context Setting set to "0" to the web (or any other front-end) Context. This is only enabled by default so that both back-end and front-end content editing solutions will work.