PHP Security Auditing Companies

So you're nearing the end of a project's release schedule and decide to contract the security testing out to a company specialising in website audits. You might call it release engineering, or project finalisation...

However, a lot of people don't quite realise that these services are not there to fix your bugs, to prevent you from writing code riddled with security holes, or to stop you doing anything silly in future so that these bugs don't crop up again.

The vast majority of security consultants will be able to provide tips on how you could generally improve code security, along with pointing out and documenting the flaws found. It's up to you as a developer to analyse how you came to write insecure code and to put procedures in place to stop it happening again.

...if you don't, prepare to keep releasing vulnerable software, or to pay never-ending consultancy fees.

escape_string isn't enough!

Ever had an application with concatenated SQL strings all over the place, with user data mixed in here and there?

// Only the middle value is escaped; $safe_var is trusted on faith and $possibly_unsafe is interpolated raw
$sql = "INSERT INTO example VALUES ('$safe_var','".mysql_real_escape_string($unsafe_var)."','$possibly_unsafe')";

All it takes is one slip-up: presuming a variable is going to be safe and not escaping it. "Magic Quotes" was created for exactly this problem, but it causes endless problems of its own, so you end up with the reverse situation: stripping extra quotes from the majority of ordinary variables instead of escaping the minority that could be used maliciously.

From the get-go you should be using prepared statements, and with the mysqli and PDO extensions supporting them natively there's no excuse.

If prepared statements of any sort aren't available on your server, shame the administrator into enabling the extensions. Alternatively, you can write your own fairly trivially, and many third-party libraries such as ADOdb support them.

XSS and Output Filtering

Yes, output filtering can be pesky at times, but how do you introduce a standard way of preventing XSS?

The most common way is to define echo_safe and echo_unsafe wrappers that output the data with or without web-unsafe characters being escaped.

You could also take the hard-line approach: rename the echo/print/etc. functions using APD and force yourself to use the wrappers.
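As an added example (not code from the original post), here is the INSERT from the prepared-statements section rewritten with PDO bound parameters, alongside the echo_safe/echo_unsafe wrappers the output-filtering section describes. The table layout, the in-memory SQLite database and the sample values are constructed for the demonstration.

```php
<?php
// Added example, not the post's own code. Column names a, b, c are assumptions.

function insert_example(PDO $db, string $safe, string $unsafe, string $maybe): void
{
    // Every value travels as a bound parameter, so no variable has to be
    // "presumed safe": the SQL text itself never contains user data.
    $stmt = $db->prepare('INSERT INTO example (a, b, c) VALUES (:a, :b, :c)');
    $stmt->execute([':a' => $safe, ':b' => $unsafe, ':c' => $maybe]);
}

// Output wrappers: escaping is the default, the raw path is named so it stands out.
function echo_safe(string $s): void
{
    echo htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function echo_unsafe(string $s): void
{
    // Only for markup you generated yourself; easy to grep for in code review.
    echo $s;
}

// Constructed sample run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE example (a TEXT, b TEXT, c TEXT)');

// Hostile-looking input: with bound parameters it is stored as a plain string.
$quoteBreaker = "x'); DROP TABLE example; --";
insert_example($db, 'ok', $quoteBreaker, '<script>alert(1)</script>');

// The table still exists and the row holds the values verbatim.
$row = $db->query('SELECT a, b, c FROM example')->fetch(PDO::FETCH_ASSOC);

// Rendering through echo_safe neutralises the markup on the way out.
echo_safe($row['b']);
echo "\n";
echo_safe($row['c']);
echo "\n";
```

The same pattern applies to mysqli via mysqli_prepare/bind_param; the point is that user data never becomes part of the query text and never reaches the page unescaped.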

About

Harry is a professional developer and sysadmin from London, UK.

He's an atheist, employed at PixelMags LLC, a socialist and has a pragmatic outlook on life, love and religion.