General Security Considerations

[jackaroo]

I am looking for a document that will provide a sort of checklist addressing the areas of security that need to be considered in operating a db- based web application.

 

Thanks,

Jack

[SteveW]

I don't know of a concise checklist, but can provide two key phrases for web searches: "sql injection" and "remote file inclusion".

 

SQL injection is specific to db applications. When you receive any input from a user, it's important to prevent them from embedding SQL statements in their input that subsequently get passed into your code, causing malicious data to be added into the database or secret data to be divulged from it. Prevention consists of careful coding practices in your code that receives and processes the user input.

 

Remote file inclusion (RFI) results when a) the server is configured so that a command such as a PHP include() is permitted to fetch the include file from a site other than the local one (i.e. the include file is in URL form with http: or ftp: in front of it), and b ) a malicious user or robot provides input containing a malicious URL, and c) the input-processing code accepts the user input as-is, fetches the malicious remote file, includes it into the currently executing script, allowing it to do its damage. Prevention consists of a server configuration that prohibits inclusion of non-local files, processing code (or .htaccess) that rejects malicious requests, and processing code that filters incoming data, only performing the include when the data matches expected permissible values.

 

Web searches on those will likely lead you to any lower priority things to be concerned about.

 

Another is called "cross-site scripting", but that isn't specific to a db-application or to PHP.

Edited November 5, 2009 by SteveW