Full On Design

Basic PHP Security

Saying “Don’t trust your users” would be a little over statement, but in the world of programming it’s the best mindset. Here are some really basic tips for programming in general (but mostly focusing on PHP).

Validate All Input

It’s very important to check all input to your script; a client could accidentally put a semi-colon in a field and possibly break your code. Always check that the user is posting what you expect. Here are some simple methods to validate input.

<?php
// Input must be a number
if(is_numeric($input)){
	echo 'Input is a number';
} else {
	echo 'Input is not a number';
}

// Input can only contain numbers and letters.
if(preg_match('/([^A-z0-9])/', $input)){
	echo 'Input does not contain only numbers and letters.';
} else {
	echo 'Input contains only numbers and letters.';
}

// Input must be an email
if(preg_match('/^([a-zA-Z0-9])+@([a-zA-Z0-9_-])+(\.[a-zA-Z0-9_-]+)+/', $input)){
	echo 'Email Is Valid.';
} else {
	echo 'Email Is Invalid.';
}
?>

Hash Passwords

Hashing passwords is mostly important from a privacy view point; if a hacker gets in they could sell your users details.

Use Sessions, not cookies

Never set sensitive data in cookies, users could edit them and potentially cause problems on your website. Instead use Sessions; they are a server side solution which is a little more secure.

<?php
session_start(); // Start the session. Always put this at the top of your html.

// Set some sessions
$_SESSION['name'] = 'Example 1';

// echo session data
echo $_SESSION['name'];
// Would return Example 1
?>

Read the rest of this entry »

Posted March 27th, 2009

Twitter in a Nutshell

Click here to play Video

Posted March 20th, 2009

Securing publicly available folders

Anyone who has ever developed a website which allows users to upload files will tell you “It’s best to think everyone is out to destroy your server”, which unfortunately is the best mindset to be in when setting up any website. One of the main methods used to by hackers to breach security on your website is to upload a file which allows them to execute code.

Here is a very quick and easy solution to stop potential hackers executing files in certain folders.

Open the .htaccess file in the folder you wish to protect and add the following code:

Options -Indexes
Options -ExecCGI
AddHandler cgi-script .php .php3 .php4 .phtml .pl .py .jsp .asp .htm .shtml .sh .cgi

This will essentially stop the folders returning an index of what is inside them and stop various files from running.

Useful Links

PHP File Upload Security
Apache Tutorial: .htaccess files
Apache, MySQL, and PHP Web Development All-in-one Desk Reference for Dummies

Posted February 23rd, 2009

Securing Links

Have you ever wanted to secure links on your website (for example hide the real source of a file)? Here is a quick and easy way to do this.

<?php # File created on 11th February 2009 by Mike Rogers (http://www.fullondesign.co.uk/). 

## Start defining constants ## 

define(RUN_ERRORS, TRUE); // Do you want the script to display errors? TRUE = yes you do.

define(redirect_or_echo, 'redirect'); // Do you want to redirect the user to another website, or just echo the other other webpages' content. 'rediect' will redirect, 'echo' will return the web pages constents. I recommend redirect.

## End defining constants ##

/* Start the link codes. The code is the ?code=123 part of the URL. The array should be fotmatted like:

$link['code'] = 'http://URL';

You may find it easier to do this with MySQL or including this as a seperate file. Too many links could lower performance, but for a small website just trying to cloak a few links this is good  

*/

$link['1'] = 'http://www.site.com/';

// Start the system.

function external_url($url){

    if($return = @file_get_contents($url)){

        return $return;

    }elseif(function_exists("curl_init")){

        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $url);

        curl_setopt($ch, CURLOPT_HEADER, 0);

        curl_setopt($ch, CURLOPT_TIMEOUT, 10);

        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); 

        $return = curl_exec($ch);

        curl_close($ch);

        return $return;

    }elseif($return = @implode("", @file($url))){

        return $return;

    } else {

        return NULL;

    }

}

// Checks if the code is a number

if(is_numeric($_GET['code']) && is_array($link)){

    if(isset($link[$_GET['code']])){

        if(redirect_or_echo === 'redirect'){

            header('location: '.$link[$_GET['code']]);

        } elseif(redirect_or_echo === 'echo'){

            echo external_url($link[$_GET['code']]);

        }else{

            if(RUN_ERRORS === TRUE){

                echo 'Sorry, an internal error has occoured.';    

            }

        }

    } else {

        if(RUN_ERRORS === TRUE){

            echo 'Sorry, the code you have provided is incorrect.';    

        }

    }

}else{

    if(RUN_ERRORS === TRUE){

        echo 'Sorry, the code you have provided is incorrect.';    

    }

}

/*

You are free to share, modify and use this code for commercial uses. Please give a link back (to http://www.fullondesign.co.uk/ ) if you can, but you don't have you.

You use this at your own risk.

*/

?>

Blocking users via .htaccess

Every website has problems with users . Here is a cool way to ban users who prove to be annoying.

Open your .htaccess file (should be above your public_html folder and you may need to show hidden files), then add the following:

order allow,deny
deny from [IP here]
allow from all

If you want to add more than one IP, just add an extra “deny from [ip here]” line. On the other hand, if you want to just let one person onto a website just use the following:

order allow,deny
allow from [IP here]
deny from all

Allowing just a few IP’s to certain areas is useful when protecting administrator sections or user areas.

Posted January 28th, 2009