Security Measures

Posted in Website Programming » Security - Tuesday 17th July 2007 at 5:54PM

Brad
Member

Joined April 2007
Posts: 85

What are the highest measures you would take to ensure the safety of your website/web app?

Some people actually hire hackers to come in and try to hack the site, and then tell the developers how it was hacked and how to prevent it. While this is risky, it's also a good method of breaking your site down to the most secure state it could possibly be.

I was just wondering what measures you web developers take?

__________________________________
Brad Purchase
Programmer, Designer, and Apple Tart.

 

Replies (9)

Replied - Wednesday 25th July 2007 at 6:13PM [Post Link]

Will
Administrator

Joined October 2005
Posts: 128

I use a data handling class and undergo a standard procedure every time I take form data out and use it in a database. It takes care of security, empty fields and error checking, and it also lets you load everything into a separate array, so it sort of helps coding as well. For example, what would you rather?

$_POST['fieldname'];
# or #
$f['fieldname'];

Of course, you're going to have to run a few things like:
$f = $data->sanitize($_POST); // [bool recursive, bool error checking]
$errors = $data->checkSanitizeEmptyKeys($f); // an extra array param can be used for exceptions

if($errors == '') {
    // successful form data
}
else {
    echo $errors;
}


But it beats manual stuff.

As for file uploads, I've only dealt with image and MP3 uploads before, and the latter isn't even considered a security threat (iirc).

It helps to know how people can exploit each format before trying to address these issues. I do a series of checks - for example, checking the extension of the file against the mime type. If there's a conflict, there might be a problem.

Also, running an image function like getimagesize() on an uploaded file to test if it really is an image is another check. Something like:

list($x, $y) = getimagesize($imagefile);
if(!is_integer($x)) {
    $errors[] = 'This doesn\'t appear to be an image.';
}


You could also be really hardcore and just convert or rewrite the data with GD in PHP. Doing this will remove any comments inside the GIF or JPEG files, perhaps by converting them to PNG. Another advantage of this is the lower filesize, even if there's a small tradeoff between CPU time and disk space.

Anyway, if I had the money, I'd definitely hire a whitehat hacker. I'd never hire grey/blackhats, like Microsoft do.

__________________________________
Will Morgan
Freelance Web Developer
Next feature: How to fit 25 hours into a day!
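
The getimagesize() check and the GD rewrite described in the post above, combined into one routine. This is an added example, not part of Will's post or the forum's code; the function name, the size limit and the two sample files are assumptions constructed for illustration, and it needs PHP's GD extension.

```php
<?php
// Added example, not code from the thread. reencode_upload_as_png() and the
// sample files are constructed for illustration. Requires the GD extension.
function reencode_upload_as_png(string $tmpPath, string $destPath, int $maxSide = 4096): array
{
    // getimagesize() returns false when it cannot parse the file as an image.
    $info = @getimagesize($tmpPath);
    if ($info === false) {
        return [false, 'not an image'];
    }
    [$w, $h, $type] = $info;

    // Decoder allowlist keyed by the type detected from the file's bytes,
    // not by the client-supplied name or Content-Type.
    $decoders = [
        IMAGETYPE_JPEG => 'imagecreatefromjpeg',
        IMAGETYPE_GIF  => 'imagecreatefromgif',
        IMAGETYPE_PNG  => 'imagecreatefrompng',
    ];
    if (!isset($decoders[$type])) {
        return [false, 'unsupported image type'];
    }
    if ($w < 1 || $h < 1 || $w > $maxSide || $h > $maxSide) {
        return [false, 'dimensions out of range'];
    }

    // getimagesize() only reads the header; decoding checks the pixel data too.
    $img = @$decoders[$type]($tmpPath);
    if ($img === false) {
        return [false, 'decode failed'];
    }
    // A fresh PNG written from the decoded pixels carries none of the
    // original file's comments, metadata or trailing bytes.
    return imagepng($img, $destPath) ? [true, $destPath] : [false, 'write failed'];
}

// Constructed inputs: a small JPEG with extra bytes appended, and a plain text file.
$jpeg = tempnam(sys_get_temp_dir(), 'up');
imagejpeg(imagecreatetruecolor(8, 8), $jpeg);
file_put_contents($jpeg, 'CONSTRUCTED-TRAILER', FILE_APPEND);
$text = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($text, 'constructed: not an image');

foreach ([$jpeg, $text] as $path) {
    [$ok, $msg] = reencode_upload_as_png($path, $path . '.png');
    $clean = $ok && strpos(file_get_contents($msg), 'CONSTRUCTED-TRAILER') === false;
    echo basename($path), ': ', ($ok ? 'stored, trailer gone: ' . var_export($clean, true) : "rejected ($msg)"), "\n";
}
```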

 
Replied - Thursday 26th July 2007 at 4:08AM [Post Link]

Ed
Member

Joined July 2007
Posts: 14

The key to security is to know the vulnerabilities. It is also a good idea to keep an eye on http://www.securityfocus.com bugtraq for any vulnerabilities that are likely to affect you or the server the script would be running on.

It's paramount to never trust user input, and to handle it according to datatype, so if you want an integer, force it to be an integer, by checking if the datatype is an integer, or by type-casting it.

One lesser known vulnerability that affects uploads is multiple extensions. If the mime type is not supported (in apache at least) then it falls back to the secondary extension. For example 'foo.php.rar' would parse as PHP when uploaded, so you need to watch out for that. Not sure I can see the point in verifying the MIME type against the extension as MIME types are extremely easy to spoof so it really offers no protection.

I'm always aware of security for every line of code I write, so that's the only way I need to protect myself. If you're writing insecure code, it mainly comes down to incompetence.

__________________________________
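
The multiple-extension problem raised in the post above, turned into a naming rule: the client's file name is never used on disk, and the stored name gets exactly one allowlisted extension. This is an added example, not part of Ed's post or the forum's code; the function name, the allowlist and the sample names are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the thread. stored_name_for_upload() and the
// sample names are constructed for illustration.

function stored_name_for_upload(string $clientName, array $allowedExt): array
{
    // Drop any path component and normalise case before reading extensions.
    $name  = strtolower(basename(str_replace('\\', '/', $clientName)));
    $parts = explode('.', $name);
    if (count($parts) < 2 || $parts[0] === '' || end($parts) === '') {
        return ['ok' => false, 'reason' => 'no usable extension'];
    }
    $last  = array_pop($parts);
    $inner = array_slice($parts, 1);   // e.g. ['php'] for foo.php.rar

    // Only the final extension is considered, and it must be on the allowlist.
    if (!in_array($last, $allowedExt, true)) {
        return ['ok' => false, 'reason' => "extension .$last not allowed"];
    }
    // The stored name is server-chosen and has exactly one extension, so
    // nothing from the client's name (inner extensions included) reaches disk.
    return [
        'ok'      => true,
        'stored'  => bin2hex(random_bytes(16)) . '.' . $last,
        'flagged' => $inner !== [],    // worth logging: name had extra extensions
    ];
}

$allowed = ['jpg', 'png', 'gif', 'mp3'];   // assumed allowlist for an image/MP3 site
foreach (['holiday.jpg', 'foo.php.rar', 'sp.php.jpg', '../x/track.MP3', '.htaccess'] as $n) {
    $r = stored_name_for_upload($n, $allowed);
    echo str_pad($n, 16), ($r['ok']
        ? "store as {$r['stored']}" . ($r['flagged'] ? ' (flagged)' : '')
        : "reject: {$r['reason']}"), "\n";
}
```

The naming rule says nothing about the file's bytes; content still has to be validated separately before it is served.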

 
Replied - Sunday 29th July 2007 at 11:49PM [Post Link]

adam2z
Member

Joined October 2005
Posts: 113

[QUOTE] Ed said (26th July @ 3:08am):


One lesser known vulnerability that affects uploads is double extensions. If the mime type is not supported (in apache at least) then it falls back to the secondary extension. For example 'foo.php.rar' would parse as PHP when uploaded, so you need to watch out for that.



or say 'sp.php.jpg'...

__________________________________

 
Replied - Monday 30th July 2007 at 2:59AM [Post Link]

Ed
Member

Joined July 2007
Posts: 14

[QUOTE] adam2z said (29th July @ 22:49pm):


or say 'sp.php.jpg'...



No, because '.jpg' has a recognized mime type for most webservers (image/jpeg), so it would end up being an erroneous image rather than parsing php, unless the web server was explicitly told to handle .jpg in this way.

__________________________________

 
Replied - Monday 30th July 2007 at 1:50PM [Post Link]

Will
Administrator

Joined October 2005
Posts: 128

In which case if you still wanted to do it, you'd have to figure out an odd extension like:

sp.php.pp2

__________________________________
Will Morgan
Freelance Web Developer
Next feature: How to fit 25 hours into a day!

 
Replied - Monday 30th July 2007 at 3:09PM [Post Link]

Brad
Member

Joined April 2007
Posts: 85

Wow, this Security Focus (http://www.securityfocus.com) website certainly does look useful.

/me bookmarks

Thanks Ed.

__________________________________
Brad Purchase
Programmer, Designer, and Apple Tart.

 
Replied - Monday 30th July 2007 at 10:48PM [Post Link]

adam2z
Member

Joined October 2005
Posts: 113

an attempt was made to hack www.imageho.st with a valid image-script combination called sp.php.jpg

it was rendered in the php engine (well not for imageho.st because i was running some tricksy php <3). it also ran on alec's and tubby's (hehe tubgirl). however, the html was only displayed in firefox, not ie which showed the image it was contained in.

__________________________________

 
Replied - Sunday 9th September 2007 at 5:20PM [Post Link]

Matt
Member

Joined July 2007
Posts: 5

[QUOTE] (Unsourced):

adam2z said (29th July @ 22:49pm):

[quote=Ed;1185419334]
One lesser known vulnerability that affects uploads is double extensions. If the mime type is not supported (in apache at least) then it falls back to the secondary extension. For example 'foo.php.rar' would parse as PHP when uploaded, so you need to watch out for that.



or say 'sp.php.jpg'...



ahaha, you're considered a living legend between me and tubby for that

__________________________________

 
Replied - Sunday 9th September 2007 at 6:52PM [Post Link]

Tubby
Member

Joined July 2007
Posts: 47

yes that was quite a giggle.

__________________________________
All posts are my own opinion.