I have never written an app using $_SESSION variables before, so I need some advice regarding security.<br /><br />I'm in the middle of writing a new app for one of my sites that involves several functions to generate data. As it stands now, it looks like the best way to pass variables generated by one function to another might be to use session variables. In this app, there is no user/password information and no sensitive data. The data being passed is simply used to control the flow of the logic, and to pass the result of db queries and calculations from one function to the next.<br /><br />If I use session variables, what security measures should I implement for session variables? Should I filter/whitelist the session variables in the same manner that I would filter/whitelist post and get variables? <br /><br />Thanks,<br />Bob<br /><br /><!--content-->
I've never used session variables but I'm sure someone will chime in with an answer.<!--content-->
It's always best to sanitise anything which can affect (especially) mysql queries... What you could do is create a table with randomly generated unique hashes for each user's IP address.<br /><br />So when someone first goes on your site, they get a unique hash assigned to their IP, stored in the DB....<br /><br />Then load this and their IP into the $_SESSION variable and check that those match the DB prior to executing anything based on the session variables, because it is possible to spoof session values...<br /><br />Plus checking values to make sure they are as expected... like intval() around anything that should only be an integer or mysql_real_escape_string() around anything that is a string.<br /><br />These sorts of things will secure it up a little more.<!--content-->
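The scheme OJB describes, as an added example that is not code from the thread: a random server-side token is bound to the client IP in a database table, the pair is kept in the session, and every later request is refused unless the pair still matches a row. It also shows the answer to Bob's whitelisting question in code: session values that steer logic are checked against an allowlist or cast with intval() before they are used, exactly as $_GET/$_POST would be. The table name, column names and step names are assumptions for the example; it runs on PHP 7 or later with PDO and an in-memory SQLite database so it works stand-alone, and the DSN would be swapped for a MySQL connection in practice.

```php
<?php
// Added example (not from the thread): bind a session to a random token and
// the client IP as OJB describes, and whitelist session-carried control
// values before acting on them. Assumes PHP 7+; uses an in-memory SQLite
// database via PDO so it runs stand-alone. Table/column names are assumed.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE session_bind (token TEXT PRIMARY KEY, ip TEXT NOT NULL)');

// Simulated session store; on a real server call session_start() and use $_SESSION.
$session = [];

// First visit: mint an unguessable token, bind it to the client IP in the DB,
// and keep the pair in the session.
function bindSession(PDO $db, array &$session, string $ip): void
{
    $token = bin2hex(random_bytes(32));           // 256 random bits, hex encoded
    $stmt = $db->prepare('INSERT INTO session_bind (token, ip) VALUES (?, ?)');
    $stmt->execute([$token, $ip]);
    $session['token'] = $token;
    $session['ip']    = $ip;
}

// Every later request: act on session data only if the (token, ip) pair in the
// session is present, matches the current client IP, and exists in the DB.
function sessionIsValid(PDO $db, array $session, string $ip): bool
{
    if (!isset($session['token'], $session['ip']) || $session['ip'] !== $ip) {
        return false;
    }
    $stmt = $db->prepare('SELECT COUNT(*) FROM session_bind WHERE token = ? AND ip = ?');
    $stmt->execute([$session['token'], $ip]);
    return (int) $stmt->fetchColumn() === 1;
}

// Whitelist flow-control values the same way as $_GET/$_POST: only known step
// names are accepted, and numeric values are cast and range-checked.
const ALLOWED_STEPS = ['query', 'calculate', 'render'];   // assumed step names

function readStep(array $session): string
{
    $step = $session['step'] ?? '';
    return in_array($step, ALLOWED_STEPS, true) ? $step : 'query';
}

function readPage(array $session): int
{
    $page = intval($session['page'] ?? 1);
    return $page > 0 ? $page : 1;
}

// --- demonstration with constructed request data ---
bindSession($db, $session, '203.0.113.5');
var_dump(sessionIsValid($db, $session, '203.0.113.5'));  // same client as at bind time
var_dump(sessionIsValid($db, $session, '198.51.100.9')); // client IP has changed

$session['step'] = 'drop everything';  // not in the allowlist, falls back to the default
$session['page'] = '7abc';             // intval() keeps only the leading digits
echo readStep($session), ' ', readPage($session), PHP_EOL;
```

Two caveats a practitioner would want: binding to the IP address logs out legitimate users whose address changes mid-session (mobile carriers, rotating proxies), so some sites bind to the token alone; and on a shared server the real exposure is the session store itself, since PHP's default file-based session.save_path can be readable by other accounts on the same host unless it is pointed at a directory private to your account.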
OJB -- thanks for the response.<br /><br />In some of the security info that I had read today about session variables, I had seen the recommendation to store session info, including a hashed user ip in a db table. Since in this application the only queries executed are select, I figured that there is little threat of spoofing and sql injection, and that just filtering the input would suffice. However, I think that I will try implementing the ip hash and verification method also, since it seems like a good security practice to learn and use, especially on a shared server.<br /><br />Thanks again for the advice.<br /><!--content-->
<!--quoteo(post=222703:date=Mar 27 2008, 08:38 PM:name=Bob Crabb)--><div class='quotetop'>QUOTE (Bob Crabb @ Mar 27 2008, 08:38 PM)</div><div class='quotemain'><!--quotec-->Since in this application the only queries executed are select, I figured that there is little threat of spoofing and sql injection,<!--QuoteEnd--></div><!--QuoteEEnd--><br />I had to register just to post this. If you have a textbox in a form that interacts with your database in any way, you must sanitize your inputs.<br /><br /><!--sizeo:3--><span style="font-size:12pt;line-height:100%"><!--/sizeo-->This includes select statements<!--sizec--></span><!--/sizec--><br /><br />E.g., you have a simple search form that generates this query<br /><b><br />select * from items where search_term='findme';</b><br /><br />findme was entered into the search box.<br /><br />How about I enter this into the search box<br /><br /><b>findme';drop table items;</b><br /><br />The query now becomes<br /><b><br />select * from items where search_term='findme';drop table items;</b><br /><br />Bye bye table items and all associated data. <br /><br />Sanitize your inputs.<!--content-->
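The search-box injection binboing describes, as an added example that is not code from the thread: the same user text is pasted into a SELECT by string concatenation and then passed through a prepared statement, so the difference is visible on real rows. The table name, the search_term column and the payload follow the post; the extra rows and the second payload are constructed for the example. It runs on PHP 7 or later with PDO and an in-memory SQLite database. One caveat the post does not mention: whether the stacked "drop table items" actually executes depends on the driver, since PHP's old mysql_query() refuses multiple statements while mysqli_multi_query() runs them, which is why the example also uses a single-statement payload that needs no stacking. Prepared statements are also the replacement for the escaping approach mentioned earlier in the thread, as mysql_real_escape_string() and the rest of the mysql extension were removed in PHP 7.

```php
<?php
// Added example (not from the thread): the search-box injection from the post,
// vulnerable string concatenation beside a prepared statement. Uses an
// in-memory SQLite database via PDO so it runs stand-alone; table `items` and
// column `search_term` follow the post, the sample rows are constructed.

declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, search_term TEXT NOT NULL)');
$db->exec("INSERT INTO items (search_term) VALUES ('findme'), ('secret'), ('other')");

// Vulnerable: the user's text is spliced into the SQL, so a quote character in
// it ends the string literal and the rest becomes part of the statement.
function buildVulnerableSql(string $userInput): string
{
    return "select * from items where search_term='" . $userInput . "';";
}

function searchVulnerable(PDO $db, string $userInput): array
{
    return $db->query(buildVulnerableSql($userInput))->fetchAll(PDO::FETCH_COLUMN, 1);
}

// Hardened: a placeholder keeps the input as a value. The statement is compiled
// before the value is supplied, so no character in the input can alter it.
function searchPrepared(PDO $db, string $userInput): array
{
    $stmt = $db->prepare('SELECT * FROM items WHERE search_term = ?');
    $stmt->execute([$userInput]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN, 1);
}

// --- demonstration with constructed inputs ---

// The post's payload: the concatenated text now carries a second statement.
echo buildVulnerableSql("findme';drop table items;"), PHP_EOL;

// A single-statement payload that does not depend on the driver allowing
// stacked queries: the OR clause makes the WHERE condition true for every row.
$payload = "' OR '1'='1";
print_r(searchVulnerable($db, $payload));  // the WHERE clause has been rewritten
print_r(searchPrepared($db, $payload));    // the payload is matched literally as a term
```

Read-only credentials, as Bob notes later, limit what a successful injection can do, but they do not stop it: a SELECT-only user can still be made to return rows the form was never meant to expose, as the second payload shows.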
Welcome to the forums, binboing.<br /><br />Thanks for the info.<!--content-->
Welcome to the forum, binboing.<!--content-->
binboing, thanks for the advice. I do make a practice of sanitizing any user inputs. <br /><br />In that particular case, what I meant to say in the post, but probably posted in a hurry, was that the only database user defined in that application has only select privileges since that is the only query that the application executes -- hence my perception of there being less of a threat.<!--content-->
<!--quoteo(post=224917:date=May 12 2008, 03:41 PM:name=Bob Crabb)--><div class='quotetop'>QUOTE (Bob Crabb @ May 12 2008, 03:41 PM)</div><div class='quotemain'><!--quotec-->binboing, thanks for the advice. I do make a practice of sanitizing any user inputs. <br /><br />In that particular case, what I meant to say in the post, but probably posted in a hurry, was that the only database user defined in that application has only select privileges since that is the only query that the application executes -- hence my perception of there being less of a threat.<!--QuoteEnd--></div><!--QuoteEEnd--><br /><br />Ah, gotcha. Well, I hope it helps someone.<!--content-->