Secure Coding
 

Afternoon All :)

Any of you code monkeys out there got any recommendations for good books on secure coding? Anything that covers general principles would be good (regardless of the language it covers), I'd also be particularly interested in anything that covers PHP specifically :)

Ta muchly :tu:

Re: Secure Coding
 

You mean secure as in locking down any potential vulnerabilities?

Re: Secure Coding
 

Yeah, I guess so.

Basically I'm looking for some texts which go through the issues that cause the vulnerabilities from a coding point of view and then explain how to avoid/mitigate them. I understand the issues well enough, I'm just not a programmer/code so my knowledge of the actual programmatic constructs required to mitigate the issues is fairly limited.

Take something like SQL Injection or XSS in web applications for example - I know what causes them, I know how to exploit them, but what I don't know is how to actually cure them from a coding point of view. It would be nice to be able to see examples of poor code alongside some best practice code so that I can see that actual differences.

Re: Secure Coding
 

A good book should cover how to write secure code. You want one for the web rather than the desktop so I won't recommend the only book I know as this covers how to code securely for the desktop.

Tips:

SQL Injection

Use parametrised queries to get around SQL injection. Do not use anything which strips SQL characters (such as apostrophes) out of a string. Not only is this not a complete work around but it means my name (O'Neill) is marked as invalid which makes me angry. This basically means you write a complete SQL statement which tokens in place of parameters:

Where @firstName and @lastName are the parameters.

You then assign the user given values to the parameters in whichever construct is provided for the task (I only know how to do it in .Net).

This will mean that whatever the user puts as their first name it will go into the database as entered. If you did a string concatenation then it would have executed any SQL they put in, this way it will copy it.

XSS Attacks

You'll need to research more on this but can I suggest to ensure all dynamic content on your system, especially any of which has come from a user, is HTML encoded. This will convert any HTML characters into entities used to represent those characters (so & becomes & ) these are rendered fine in the browser but are not read as HTML thus preventing any user provided code from executing on your site

CSRF Attacks

Don't know much about this. So I'll get someone else to talk about it: http://www.codinghorror.com/blog/200...s-and-you.html

Re: Secure Coding
 

I don't necessarily just want one for the web, if you have desktop recommendations I'd be interested in those as well.

Re: Secure Coding
 

I don't know anything specific to PHP, but in general, like Damien says with the parameterised queries are a must, and always validate user input.

Re: Secure Coding
 

http://www.amazon.co.uk/Writing-Secu...9525483&sr=8-1

Large and it might be overkill....

Re: Secure Coding
 

Parameterised queries are unique to ASP.NET.

ASP.NET has a lot of built-in protection (it even prevents HMTL/script tags from being entered as a parameter by default) but PHP has none. You have to do it yourself.

I don't know any specific books but can give you guidelines. Really its just the usual security practices.

Re: Secure Coding
 

Don't think they are. Admittedly .Net has the best support for it I have yet seen. They are usually handled via database abstraction layers depending on the database outside of a .Net stack. I think PHP has had it since PHP 5. Although you seem to need a newer version of mySQL. Worth it though. Parametrised Queries rock.

http://www.php.net/manual/en/mysqli-stmt.bind-param.php

Yup. More Microsoft awesomeness :D Although MVC takes a lot of this away as it's a far less abstracted framework so it's not always the case.

Re: Secure Coding
 

Admittedly I don't use MySQLi extensions but it doesn't actually say in that doc that it santises input like ASP.NET. So it might just be a glorifed String.Format function.

Speaking of data abstraction ZendFramework does santise input via factory queries but it shouldn't be assumed they all do.

Re: Secure Coding
 

Good Point.

What do you mean by sanitise? If it's removing invalid characters then it's hardly ideal either. Parametrised queries mechanisms shouldn't be tampering with the string, they should simply be telling the database that this is the query and these are the values for that query.

Either way. Removing invalid characters is a nasty workaround.

Re: Secure Coding
 

Sanitising input can mean almost anything but usually it means escaping characters. This means it converts ' to \' so the query remains safe to be executed by MySQL

Its de-escaped (either automatically or manually, I can't remember now its been a while) when its retrieved back onto the page.

Re: Secure Coding
 

Thought you meant that. Surely some of the bigger layers support actual parametrisation?

Re: Secure Coding
 

Not quite. PHP frameworks contain query factory classes that look like ASP.NET parameterisation but it all it does is build the query and then sanitise the input for you.

For example, using a generic query factory class:

$myQuery = $framework->query( "INSERT INTO table ('Name') VALUES(@Name);")
$myQuery->addWithValue("@Name", "punky");
$myQuery->execute();

That looks like ASP.NET but really all it does is it santises "punky" and then does a regexp replace to put it in so it becomes:

"INSERT INTO table ('Name') VALUES('punky');"

And then gets executed. That's all ASP.NET parameterisation does really (except in ASP.NET you can specify types which will throw exceptions if you try and tamper with it) but in that case you are trusting Microsoft to handle it.

Anyway, Raistlin asked about base PHP.

Re: Secure Coding
 

In .Net the parametrization is a concept supported at the database level, i.e the database itself knows what a parameter is. So that a query is passed down along with the parameters and the database will then execute the query, and draw on those parameters to put into the database but the .Net framework doesn't escape the characters and send the database a safe string.

This also allows MS SQL to draw and cache database execution plans because the parametrised query will always been the same string with only the params changing.

Anyway yes, off-topic :erm: