Recently I taught a class of bright-eyed, bushy-tailed PHP’ers just getting their start in the world. They haven’t done their first production application and we were working in the “safe” confines of a classroom, but there was one concept that I pounded into their heads:
Don’t Trust the Users
It may sound harsh but:
It’s not that they’re malicious, though they might be…
It’s not that they’re incompetent, though they might be…
It’s not that they’re ignorant, though they might be…
In fact, there’s absolutely nothing “wrong” with 99.9% of your users… or maybe even 99.999% of your users. But all it takes is one user with any of the above qualities combined with a poorly designed application and you’re going to have a bad day. For lack of being able to say it better, I defer to Chris Shiflett and use his phrase (with credit of course):
That’s it. If you stick to these two principles and apply them consistently and rigorously, you’ll protect yourself from the vast majority – but not all* – of vulnerabilities. But there are two tips to remember:
Be sure to identify what is provided by the user and what is not. Most people know about form entries and anything in the URL, but many people forget that PHP_SELF is not safe either.
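As an added illustration of that last point (example code, not part of the original post): $_SERVER['PHP_SELF'] is built from the request path, so any "path info" a visitor appends after the script name is carried through verbatim. Echoing it raw into a form action lets a quote character in the request break out of the attribute. The script below fakes such a request with a constructed PHP_SELF value (the script name, the path and the "injected" marker are all made up for the demonstration) and contrasts the unsafe form action with two safer ones.

```php
<?php
// Added example, not from the original post. The $_SERVER values below are
// constructed so the script runs from the command line without a web server.

// A constructed request for "/contact.php/" with extra path info appended.
// On a real server PHP_SELF would hold exactly this string.
$_SERVER['PHP_SELF']    = '/contact.php/"><b>injected</b><"';
$_SERVER['SCRIPT_NAME'] = '/contact.php';

// VULNERABLE: PHP_SELF is user input but is concatenated into the page as if
// it were a constant. The embedded quote closes the attribute and the rest of
// the path becomes markup.
function formActionUnsafe(): string
{
    return '<form action="' . $_SERVER['PHP_SELF'] . '" method="post">';
}

// SAFER, option 1: treat PHP_SELF like any other user-supplied string and
// escape it for the HTML attribute context it is written into.
function formActionEscaped(): string
{
    $action = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// SAFER, option 2: do not use the request path at all. SCRIPT_NAME is the
// path of the executing script, which the visitor does not control; it is
// still escaped, because the habit matters more than this one case.
function formActionScriptName(): string
{
    $action = htmlspecialchars($_SERVER['SCRIPT_NAME'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<form action="' . $action . '" method="post">';
}

// A cheap check that flags the problem before output: if PHP_SELF does not
// equal SCRIPT_NAME, the request carried path info the script did not expect.
function hasUnexpectedPathInfo(): bool
{
    return ($_SERVER['PHP_SELF'] ?? '') !== ($_SERVER['SCRIPT_NAME'] ?? '');
}

echo "unsafe:      ", formActionUnsafe(), PHP_EOL;
echo "escaped:     ", formActionEscaped(), PHP_EOL;
echo "script_name: ", formActionScriptName(), PHP_EOL;
echo "path info?   ", hasUnexpectedPathInfo() ? 'yes' : 'no', PHP_EOL;
```

Run it with `php` from the command line: the first line shows the attribute closed early and a bold tag injected into the page, while the other two lines keep the whole value inside the attribute. The "path info" check is useful as a log signal as well: a request whose PHP_SELF disagrees with SCRIPT_NAME is one worth noticing.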
On the other side, be sure you understand what “output” means. Everyone thinks of the web page first, and some stop there. Odds are you have a variety of other output destinations such as email, reporting tools (even PDF), logging tools, and even various Web Services or APIs. Output is more than what gets displayed to a user.
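To make the point concrete, here is an added example (not from the original post) that takes one constructed user-supplied value and escapes it for four of the output destinations listed above: an HTML page, an email header, a log line and a JSON API response. The value is chosen so that characters harmless in one context are significant in another; the field name and the log format are assumptions made up for the demonstration.

```php
<?php
// Added example, not from the original post. $name is a constructed input
// that mixes an apostrophe, HTML tags, an ampersand and a CR/LF pair followed
// by what would be a forged mail header if it reached an email unescaped.
$name = "O'Brien <b>&</b> Co.\r\nBcc: someone@example.test";

// 1. HTML page: neutralise <, >, &, and both quote characters.
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// 2. Email header: a CR or LF ends the header, so the "Bcc:" line above
//    would become a real header. Strip line breaks; note that the HTML
//    escaping in forHtml() would NOT have stopped this.
function forMailHeader(string $s): string
{
    return str_replace(["\r", "\n"], '', $s);
}

// 3. Log line: keep each entry on a single line and make control characters
//    visible, so a user cannot forge extra entries or hide part of one.
//    The range "\0..\37" covers ASCII 0-31 (octal), \177 is DEL.
function forLog(string $s): string
{
    return addcslashes($s, "\0..\37\177");
}

// 4. JSON API response: let the encoder do the escaping rather than building
//    the document by string concatenation. JSON_HEX_* additionally encodes
//    characters that matter if the JSON is ever embedded inside HTML.
function forJson(string $s): string
{
    return json_encode(
        ['name' => $s],
        JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS
    );
}

echo "html:  ", forHtml($name), PHP_EOL;
echo "mail:  To: ", forMailHeader($name), PHP_EOL;
echo "log:   ", date('c'), " signup name=", forLog($name), PHP_EOL;
echo "json:  ", forJson($name), PHP_EOL;
```

The lesson in the output is that no single escaping function covers every destination: the HTML-escaped string still contains the line break that matters for email, and the header-safe string still contains the tags that matter for the page. Escape at the point of output, once, for the context the data is entering.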
* Unfortunately, the only way to make a site truly and 100% secure is to remove anything remotely interactive – forums, blogs, email forms, comments, logins, e-commerce, etc., etc. – which makes for a pretty boring site.