Top 4 PHP Mistakes by programmers
Author: admin (~CM~)
Post: #1

Here is a list of some of the most common mistakes PHP developers make:

1. Not Escaping Entities
ALL untrusted input (especially user input from forms) must be sanitized before it is displayed.

PHP Code:
echo $_GET['username'];


Can for instance output:

<script> /* snooping cookie or changing admin password script */ </script>

It is an apparent security risk not to sanitize untrusted data before output. Besides, you might end up with pages looking very messy if you do not treat user input the right way.

How to fix it:
Basically you need to convert <, >, ' and " to their proper entities (&lt;, &gt;, &#039; and &quot;). The functions htmlspecialchars() and htmlentities() do the work.

So here is the right way:

PHP Code:
echo htmlspecialchars($_GET['username'], ENT_QUOTES);


Countless scripts on the internet carry this problem.

2. Not Escaping SQL input

When querying your database, always make sure untrusted data gets escaped, else your application will be vulnerable to SQL injections and unreliable. Some coders think that they have covered this problem by having magic_quotes on in their php.ini. The problem is that untrusted input can come from other sources than $_GET, $_POST and $_COOKIE (crawling other websites or using input from the database). And what happens if magic_quotes suddenly is set to OFF?

How to fix it:

I recommend setting magic_quotes to off in php.ini or by using .htaccess, and then using mysql_real_escape_string() on all variables used in SQL expressions.

PHP Code:
// Escape every untrusted value before it is concatenated into the statement
$sql = "UPDATE users SET name='" . mysql_real_escape_string($name) . "' WHERE id='" . mysql_real_escape_string($id) . "'";
mysql_query($sql);


3. No or little use of Object Orientation
Too many systems I have seen and been working with have this problem. They simply do not have any object orientation. Yes, objects and classes are abstract for a beginner, but if for instance you build a shop system and you are not being object oriented, then the source code will become unmaintainable with time and size. PHP has been supporting basic object orientation since PHP4, and since PHP5 a lot more and a lot better, so we must be using it.

4. Double escaping quotes
Have you ever seen a web page display a text with \' or \"? It usually happens when a script is made for magic_quotes off (php.ini) and is deployed on a site with magic_quotes on. First PHP runs addslashes() on all GET, POST and COOKIE data, then afterwards one more time when the data is being stored.

Original text:
It's a string

After magic quotes on script start:
It\'s a string
It\\'s a string

HTML output:
It\'s a string

Another scenario that makes this occur is when a user tries to sign up and inputs invalid data: the user is then presented with the same form, this time with the input escaped, and the second time the user posts, with valid data, the input is escaped another time.


Thanks & Regards
------------------
~CM~


07-15-2007 03:27 AM
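Putting the fixes for points 1, 2 and 4 of the post together, as an added example that is not the poster's code: it assumes a mysqli connection in $db and a users table with id and name columns, and swaps the post's mysql_real_escape_string() for a prepared statement.

```php
<?php
// Added example, not from the original post. Assumes a mysqli connection in
// $db and a table users(id INT, name VARCHAR).

// Mistake 4: undo magic_quotes exactly once, at the entry point, so the rest
// of the script always sees raw, unescaped data whatever php.ini says.
// get_magic_quotes_gpc() no longer exists in PHP 8, hence the guard.
function strip_magic_quotes(array $data) {
    if (!function_exists('get_magic_quotes_gpc') || !get_magic_quotes_gpc()) {
        return $data;
    }
    foreach ($data as $k => $v) {
        $data[$k] = is_array($v) ? strip_magic_quotes($v) : stripslashes($v);
    }
    return $data;
}
$_GET    = strip_magic_quotes($_GET);
$_POST   = strip_magic_quotes($_POST);
$_COOKIE = strip_magic_quotes($_COOKIE);

// Mistake 1: escape at output time, never at storage time. ENT_QUOTES covers
// both quote styles, so the value is safe inside attribute values as well as
// in element text.
function h($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

// Mistake 2: a prepared statement (swapped in for the post's
// mysql_real_escape_string) keeps data and SQL separate, so no escaping step
// can be forgotten, or applied twice when magic_quotes is on.
function update_user_name(mysqli $db, $id, $name) {
    $stmt = $db->prepare('UPDATE users SET name = ? WHERE id = ?');
    $stmt->bind_param('si', $name, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Re-displaying a form after a validation error (the second scenario in
// point 4): the raw value is escaped once, for HTML, and stored nowhere, so
// it cannot pick up extra backslashes on each round trip.
$name = isset($_POST['name']) ? $_POST['name'] : '';
echo '<input type="text" name="name" value="' . h($name) . '">';
```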