Trust No One, Hide Your Booty

Posted on February 21st, 2008 by dade

To safeguard your applications, here are two simple preventive measures you can follow:

Hide sensitive data.

Make sure that files containing sensitive data (e.g. database details, password files, etc.) cannot be retrieved by just anybody, which is what happens when you place them in exposed or public directories. For example, if the web server is Apache, make sure such files are not placed in the public HTML directory (the path that DocumentRoot is set to); instead, keep them in another directory and use the include() function to bring them in when needed.
Another method of hiding sensitive data from unwanted retrieval is to deny access to certain file extensions. On Apache this is accomplished with the Files directive in the httpd.conf file.

Assume that you don't want anyone to access files with the extension .inc. Place the following in your httpd.conf file:

# Refuse every request for a file whose name ends in .inc
<Files *.inc>
    Order allow,deny
    Deny from all
</Files>

This will return an access-denied error to any user who requests a file with the extension .inc via the browser.
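The include()-outside-DocumentRoot approach from the first paragraph, as an added example that is not part of the original post. The directory layout, the file name db.php and the array it returns are assumptions made for the illustration; the script refuses to load credentials if they turn out to sit inside the web-visible tree.

```php
<?php
// Added example: load database credentials from a file kept OUTSIDE the
// DocumentRoot, so a web request can never fetch it as a plain file.
// Assumed layout for this illustration:
//   /var/www/example.com/public_html/index.php  <- this script (web-visible)
//   /var/www/example.com/private/db.php         <- credentials (not web-visible)
// and db.php contains only:
//   <?php return ['host' => 'localhost', 'user' => 'app', 'pass' => 'secret', 'name' => 'appdb'];
declare(strict_types=1);

// Resolve the private directory relative to this script (one level above the
// public tree) instead of hard-coding an absolute path.
$privateDir = dirname(__DIR__) . '/private';
$configFile = $privateDir . '/db.php';

$real = realpath($configFile);
if ($real === false) {
    http_response_code(500);
    exit('configuration missing');
}

// Defensive check: if a bad deployment ever placed the credentials file under
// DOCUMENT_ROOT, stop here rather than run with a web-readable secret.
$docRoot = isset($_SERVER['DOCUMENT_ROOT']) ? realpath($_SERVER['DOCUMENT_ROOT']) : false;
if ($docRoot !== false && strpos($real, $docRoot . DIRECTORY_SEPARATOR) === 0) {
    http_response_code(500);
    exit('refusing to load credentials from a web-visible directory');
}

// require returns whatever db.php returns: here, the credentials array.
$db = require $configFile;

$link = mysqli_connect($db['host'], $db['user'], $db['pass'], $db['name']);
if ($link === false) {
    http_response_code(500);
    exit('database unavailable');
}
```

The check on DOCUMENT_ROOT is belt-and-braces for the Files block above: the Apache rule stops direct requests for *.inc, but a credentials file that is never inside the document root needs no such rule at all. Note that on Apache 2.4 the `Order allow,deny` / `Deny from all` pair has been replaced by `Require all denied` inside the same `<Files>` container.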


Filter Input
As a rule of thumb, you should never trust the integrity of any input coming from outside your application, so make sure the necessary security checks are performed on all user-generated input. Overlooking input sanitization can leave you vulnerable to common attacks including SQL injection, cross-site scripting and file deletion, amongst many others. In PHP, here are some of the functions that can be employed to filter data:

escapeshellarg()
This adds single quotes around a string and escapes any existing single quotes, allowing you to pass the string directly to a shell function and have it treated as a single, safe argument. This is significant because it lessens the possibility that an attacker could smuggle additional commands in as shell command arguments.

escapeshellcmd()
From the PHP Manual: escapeshellcmd() escapes any characters in a string that might be used to trick a shell command into executing arbitrary commands. Use this function to make sure that any data coming from user input is escaped before it is passed to the exec() or system() functions.

htmlentities()
This function is particularly useful for preventing XSS (cross-site scripting). htmlentities() converts characters that have special meaning in an HTML context into entities that a browser renders as literal text rather than interpreting as HTML.

strip_tags()
In some instances you will want to get rid of anything HTML in a user input. In that scenario the function strip_tags() is useful: it removes all HTML tags from a string.

mysql_real_escape_string()
This comes in handy for preventing SQL injection attacks. It is used to make data safe before it is sent in a query to a MySQL database. A rule worth adhering to: never put user-supplied data into a MySQL query without first passing it through mysql_real_escape_string().
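The five functions above applied to constructed, attacker-style inputs, as an added example that is not part of the original post. The sample values, the function names (shellListCommand, htmlSafe, plainText, findUserId and so on) and the users table are assumptions for the illustration. It goes one step beyond the post for the SQL case: the mysql_* extension, and with it mysql_real_escape_string(), was removed in PHP 7, so the example uses its mysqli equivalent and then the prepared-statement form that keeps the value out of the query text altogether.

```php
<?php
// Added example (not the post's code): each escaping function used at the
// boundary where it belongs, on constructed inputs standing in for $_GET/$_POST.
declare(strict_types=1);

// Constructed sample inputs.
$filename = "report.txt; rm -rf /";             // shell metacharacter in a filename
$comment  = '<script>alert("xss")</script>Hi';  // markup submitted in a comment field
$username = "admin' OR '1'='1";                 // quote inside a value bound for SQL

// Shell argument: escapeshellarg() wraps the value in single quotes, so the whole
// string (';' included) reaches ls as ONE argument and never starts a second command.
function shellListCommand(string $userFile): string
{
    return 'ls -l ' . escapeshellarg($userFile);
}
// shellListCommand($filename) gives: ls -l 'report.txt; rm -rf /'

// Whole command string: escapeshellcmd() backslash-escapes the metacharacters.
// Its limit: ';' can no longer chain a command, but the remaining words still reach
// ls as extra arguments, so prefer escapeshellarg() on each argument where you can.
function shellEscapedCommand(string $userFile): string
{
    return escapeshellcmd('ls -l ' . $userFile);
}
// shellEscapedCommand($filename) gives: ls -l report.txt\; rm -rf /

// HTML output: encode at output time so the browser shows the text literally.
// ENT_QUOTES also encodes single quotes, which matters inside attribute values.
function htmlSafe(string $text): string
{
    return htmlentities($text, ENT_QUOTES, 'UTF-8');
}
// htmlSafe($comment) gives: &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;Hi

// Plain-text field: strip_tags() removes the markup but keeps the text between the
// tags, so it is a content filter, not an output encoder; still htmlSafe() what you echo.
function plainText(string $text): string
{
    return strip_tags($text);
}
// plainText($comment) gives: alert("xss")Hi

// SQL, escaping form: mysqli::real_escape_string() is the post-PHP-7 equivalent of
// mysql_real_escape_string(). It needs an open connection because the escaping
// depends on the connection's character set.
function escapedLookupSql(mysqli $db, string $user): string
{
    return "SELECT id FROM users WHERE name = '" . $db->real_escape_string($user) . "'";
}
// escapedLookupSql($db, $username) gives:
//   SELECT id FROM users WHERE name = 'admin\' OR \'1\'=\'1'

// SQL, stronger form: a prepared statement sends the value separately from the
// query text, so no quoting of the value can change the query's structure.
function findUserId(mysqli $db, string $user): ?int
{
    $stmt = $db->prepare('SELECT id FROM users WHERE name = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? (int) $row['id'] : null;
}

// Stand-alone demonstration of the connection-free functions.
echo shellListCommand($filename), "\n";
echo shellEscapedCommand($filename), "\n";
echo htmlSafe($comment), "\n";
echo plainText($comment), "\n";
```

The pattern to take from this is that each function protects exactly one boundary: escapeshellarg() for a shell argument, htmlentities() for text going into a page, the MySQL escaper (or a bound parameter) for a value going into a query. Applying the wrong one, or applying one at input time and assuming the data is now safe everywhere, is the mistake the "filter input" rule is meant to prevent.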
