Why is it important to sanitize user input?

If you’re not careful with user input your website might be open to code injection, directory traversal or similar attacks. Information supplied by users can never be assumed safe.

Examples of user input are submitted forms (e.g. comments), URL parameters (?q=example) and server-side scripts pulling in third-party data, such as an RSS feed importer.

HTML and JavaScript

To make strings safe for HTML (without breaking Unicode text) use htmlentities().

1

<?php $safe = htmlentities($unsafe, ENT_QUOTES, 'UTF-8'); ?>

This will encode all special HTML characters. This method is better than black-listing specific elements such as <script> or just opening tags (<). Do not use strip_tags(), str_replace() or regular expressions to filter HTML and JavaScript, it is easy to miss obscure vulnerabilities and leave them exploitable.

When automatically parsing a URL to display a clickable link, check if URL starts with a protocol like “http://” (regex: /[a-z]:\/\//i) and make sure javascript: links never work. Also be careful with quotes and closing angle brackets as they can break HTML.

These examples demonstrate how unfiltered links can be dangerous:

1
2
3
4
5
6
7

<?php
$url = 'javascript:alert(\'XSS\');';
$url = 'http://example.com" onclick="alert(\'XSS\');';
$url = 'example.com"><script>alert(\'XSS\');</script>';
?>
 
<a href="<?php echo $url ?>">Click here</a>

URLs

To pass values as a parameter to a URL, use rawurlencode().

1

<?php $url = 'http://example.com/?k=' . rawurlencode($v); ?>

This function is nearly identical to urlencode() but follows the RFC 1738 specification.

MySQL database queries

When storing strings in a MySQL database, use mysql_real_escape_string().

1

<?php $safe mysql_real_escape_string($unsafe); ?>

Often addslashes() is used instead but this is not enough to prevent SQL injection attacks. If you want to learn why I recommend reading this blog post by Chris Shiflett and the third chapter of the guide to PHP security by Ilia Alshanetsky (PDF, 130KB).

This function requires a MySQL connection.

Magic Quotes

If your web app suffers from unwanted backslashes appearing in content this is probably due to double escaping (e.g. “today\’s weather”). This is likely caused by PHP’s now deprecated Magic Quotes.

Magic Quotes is a feature automatically escapes user input, intended to help beginners write more secure code. Because it’s not always on or needed this affects portability and requires excessive use of stripslashes() to undo.

To recursively undo the affects of Magic Quotes use this function at the beginning of your scripts:

1
2
3
4
5
6
7
8
9
10
11
12
13

<?php
function undo_magic_quotes($v)
{
    return is_array($v) ? array_map('undo_magic_quotes', $v) : stripslashes($v);
}
 
if ( function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() )
{
    $_GET    = array_map('undo_magic_quotes', $_GET);
    $_POST   = array_map('undo_magic_quotes', $_POST);
    $_COOKIE = array_map('undo_magic_quotes', $_COOKIE);
}
?>

Directories

And finally, be careful with including files using user input.

1
2
3
4
5
6
7

<?php
// Don't do this
require($_GET['file']);
 
// And especially not this
echo file_get_contents($_GET['file']);
?>

This is dangerous because a user can request any file from the server and execute or view the code (e.g. “?file=../../config.php”, this is called a path traversal attack). One solution is to use basename() which strips off the path of a file name.

These were just a few basics, there is a lot more to web application security. OWASP is a great resource if you want to learn more.

Do not store password as plain text

This should be obvious. If someone gains access to your database then all user accounts are compromised. And not only that, people tend to use the same password on different sites so those accounts will be compromised as well. Your site doesn’t even need to be hacked; a system administrator could easily browse your database.

Do not try to invent your own password security

Chances are that you’re no security expert. You’re better off using a solution that has been proven to work instead of coming up with something yourself.

Do not encrypt passwords

Encryption may seem like a good idea but the process is reversible. Anyone with access to your code would have no trouble transforming the passwords back to their originals. Security through obscurity is not sufficient!

Do not use MD5

Storing password hashes is a step in the right direction. Cryptographic hashing functions like MD5 are irreversible which makes it difficult to figure out the original password. To validate a hashed password, simply hash the password again when a user logs in and compare the hashes.

1
2
3
4
5

<?php
$password = 'swordfish';
 
$hash = md5($password); // Value: 15b29ffdce66e10527a65bc6d71ad94d
?>

Note that this makes it impossible to retrieve a password from the database. If a user forgets his password, simply generate a new one.

So why not MD5? It is quite easy to make a list of millions of hashed passwords (a rainbow table) and compare the hashes to find the original passwords (the same goes for other hashing functions like SHA-1).

MD5 is also prone to brute forcing (trying out all combinations with an automated script) because of collisions. This means that different passwords can have the same hash, making it even easier to find one that works.

MD5 collision demo: mscs.dal.ca/~selinger/md5collision

Do not use a single site-wide salt

A salt is a string that is hashed together with a password so that most rainbow tables (or dictionary attacks) won’t work.

1
2
3
4
5
6

<?php
$password = 'swordfish';
$salt = 'something random';
 
$hash = md5($salt . $password); // Value: db4968a3db5f6ed2f60073c747bb4fb5
?>

This is better then using just MD5 but someone with access to your code can find the salt a generate a new rainbow table.

What you should do

• Use a cryptographically strong hashing function like SHA-1 or even SHA-256 (see PHP’s hash() function).
• Use a long and random salt for each password.
• Use a slow hashing algorithm to make brute force attacks near impossible.
• Regenerate the hash every time a users logs in.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27

<?php
$username = 'Admin';
$password = 'gf45_gdf#4hg';
 
// Create a 256 bit (64 characters) long random salt
// Let's add 'something random' and the username
// to the salt as well for added security
$salt = hash('sha256', uniqid(mt_rand(), true) . 'something random' . strtolower($username));
 
// Prefix the password with the salt
$hash = $salt . $password;
 
// Hash the salted password a bunch of times
for ( $i = 0; $i < 100000; $i ++ )
{
    $hash = hash('sha256', $hash);
}
 
// Prefix the hash with the salt so we can find it back later
$hash = $salt . $hash;
 
/* Value:
 * e31f453ab964ec17e1e68faacbb64f05bccceb179858b4c482c1b182ff1e440e
 * f1e10feb5b86c6d367e4eb8f90f2cde5648a7db3df8526878f20a77eed00c703
 */
 
?>

In the above example we turned a reasonably strong password into a 128 characters long hash that we can store in a database. The next time the user logs in we can validate the password as follows:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32

<?php
$username = 'Admin';
$password = 'gf45_gdf#4hg';
 
$sql = '
    SELECT
        `hash`
    FROM `users`
        WHERE `username` = "' . mysql_real_escape_string($username) . '"
    LIMIT 1
    ;';
 
$r = mysql_fetch_assoc(mysql_query($sql));
 
// The first 64 characters of the hash is the salt
$salt = substr($r['hash'], 0, 64);
 
$hash = $salt . $password;
 
// Hash the password as we did before
for ( $i = 0; $i < 100000; $i ++ )
{
    $hash = hash('sha256', $hash);
}
 
$hash = $salt . $hash;
 
if ( $hash == $r['hash'] )
{
    // Ok!
}
?>

A few additional tips to prevent user accounts from being hacked:

• Limit the number of failed login attempts.
• Require strong passwords.
• Do not limit passwords to a certain length (remember, you’re only storing a hash so length doesn’t matter).
• Allow special characters in passwords, there is no reason not to.

That’s it, happy coding!

Feature-wise not much has changed since the Beta and Release Candidate cycles but the code has been thoroughly tested and improved where possible. If you’re planning on building a PHP website, give Swiftlet a try.

I moved the project page and documentation away from Google Code, if you go to swiftlet.org you’ll find the new page. It’s powered by a documentation system that I custom coded (dubbed Pintail). If there is any interest I will release the code behind it as Open-Source as well.

One of the most important recently added features is the plug-in installer. It checks for compatibility with the core code and creates and populates database tables with a click of the mouse. Plug-ins that don’t require a database connection don’t need to be installed; they’re plug-and-play (and Swiftlet runs fine without a database).

I also added plug-ins to handle user sessions and authorization. This should make it easy to create a website that requires a login system.

Download: code.google.com/p/swiftlet/downloads/list

It’s targeted at developers who want to built simple websites that don’t require large and complex frameworks, but do want a solid base to work from. Swiftlet provides basic security features such as user input sanitizing, is highly extensible thanks to the deeply integrated hook system, completely Object Oriented and separates logic from design (MVC).

Even the most basic features such as connecting to a database and output buffering are implemented as plug-ins. This means they can be modified, extended and removed without hacking into the core code.

Website: http://swiftlet.org

If you ever want to combine frameworks you may discover that they use similar names for some variables and functions. This can lead to unexpected output and security holes. If you’re planning on writing a framework of your own, consider wrapping it in an object.

In PHP5 it’s possible to pass objects by reference which means you can send an instance of a class to another class. This way you can nest classes and access the parent.

core.php:

class core
{
    public
        $var = 'This is a global variable.';
 
    const
        CONST_VAR = 'This is a constant.';
 
    // This function is executed when core is initialized.
    function __construct()
    {
        include('classes/foo.php');
 
        $this->foo = new foo($this);
    }
 
    // All the main functions go here.
}

foo.php:

class foo
{
    private $core;
 
    function __construct($core)
    {
        // Reference to the core object.
        $this->core = $core;
    }
 
    function hello_world()
    {
        echo $this->core->var;
    }
}

In this example “core” is the site’s main object containing global variables and functions. When we create an instance of class “foo”, we send a reference to the core object (“$this”) as a parameter. On a regular page the classes, variables and function can be accessed like this:

page.php

include('classes/core.php');
 
$core = new core();
 
echo $core->var; // output: This is a global variable.
echo core::CONST_VAR; // output: This is a constant.
 
$core->foo->hello_world(); // output: This is a global variable.

This way there is only one variable in the global scope: $core. Another advantage is that all variables declared in core are global and accessible throughout the whole program.

1. Drop braces

Braces aren’t required in control structures with only one expression. Sometimes it makes sense to drop them. It’s very easy to make mistakes if you ever add code to the structure, I recommend only to do this when the expression is short and fits on a single line.

Long:

1
2
3
4
5
6
7
8

if ( $module == TRUE )
{
    load($module);
}
else
{
    error('No module');
}

Short:

1
2

if ( $module ) load($module);
else           error('No module');

2. Use ternary operators

The above example can be made even more compact using ternary operators:

$module ? load($module) : error('No module');

3. Use “OR” instead of “IF”

“OR” is the same as “or” and ”||”.

Long:

1
2
3
4
5
6
7
8

if ( $foo )
{
   echo $foo;
}
else
{
   echo $bar;
}

Short:

1

echo $foo || $bar;

4. Don’t compare variables to booleans

“if ( $foo == TRUE )” is the same as “if ( $foo )”. This shortcut can make your life as a programmer much easier:

Long:

1
2
3
4
5
6
7
8
9
10
11

function has_value($var)
{
    if ( $var == TRUE )
    {
        return TRUE;
    }
    else
    {
        return FALSE;
    }
}

Short:

1
2
3
4

function has_value($var)
{
    return ( bool ) $var;
}

5. Use default values for variables

It’s usually a good idea to define important variables at the beginning of your script, instead of inside control structures (this could result in undefined variables later on). Another advantage is that you can often save an entire else-block as demonstrated in this example:

Long:

1
2
3
4
5
6
7
8

if ( $foo > 3 )
{
    $message = '$foo is greater then 3.';
}
else
{
    $message = '$foo is lower than or equal to 3.';
}

Short:

1
2
3
4
5
6

$message = '$foo is lower than or equal to 3.';
 
if ( $foo > 3 )
{
    $message = '$foo is greater then 3.';
}

6. Assign variables inside conditions

Long:

1
2
3
4
5
6

$contents = file_get_contents($file);
 
if ( $contents )
{
    echo $contents;
}

Short:

1
2
3
4

if ( $contents = file_get_contents($file) )
{
    echo $contents;
}

7. Group variable declarations

Instead of prefixing every single variable declaration in a class with “public”, “protected” or “private” keywords, group them:

Long:

1
2
3
4
5

class db
{
    public $query;
    public $result;
    public $tables;

Short:

1
2
3
4
5
6
7

class db
{
    public
        $query,
        $result,
        $tables
        ;

Something similar can be done with regular variable declarations if they need to assign them the same value:

Long:

1
2
3

$foo    = TRUE;
$bar    = TRUE;
$foobar = TRUE;

Short:

1
2
3

$foo    =
$bar    =
$foobar = TRUE;

8. Merge arrays instead of assigning individual keys

Long:

1
2
3
4
5

$items = array('item 1', 'item 2');
 
$items[] = 'item 3';
$items[] = 'item 4';
$items[] = 'item 5';

Short:

1
2
3
4
5
6
7

$items = array('item 1', 'item 2');
 
$items = array_merge($items, array(
    'item 3',
    'item 4',
    'item 5'
    ));

Even shorter:

1
2
3
4
5
6
7

$items = array('item 1', 'item 2');
 
$items += array(
    'item 3',
    'item 4',
    'item 5'
    );

That’s it! Please share this post if you found it useful.