Secure Coding
Old 18-07-2010, 14:03   #1
Raistlin
Secure Coding

Afternoon All

Any of you code monkeys out there got any recommendations for good books on secure coding? Anything that covers general principles would be good (regardless of the language it covers). I'd also be particularly interested in anything that covers PHP specifically.

Ta muchly
Old 18-07-2010, 14:07   #2
Graham M
Re: Secure Coding

You mean secure as in locking down any potential vulnerabilities?
Old 18-07-2010, 14:13   #3
Raistlin
Re: Secure Coding

Yeah, I guess so.

Basically I'm looking for some texts which go through the issues that cause the vulnerabilities from a coding point of view and then explain how to avoid/mitigate them. I understand the issues well enough, I'm just not a programmer/coder, so my knowledge of the actual programmatic constructs required to mitigate the issues is fairly limited.

Take something like SQL Injection or XSS in web applications for example - I know what causes them, I know how to exploit them, but what I don't know is how to actually cure them from a coding point of view. It would be nice to be able to see examples of poor code alongside some best practice code so that I can see the actual differences.
Old 18-07-2010, 20:52   #4
Damien
Re: Secure Coding

A good book should cover how to write secure code. You want one for the web rather than the desktop so I won't recommend the only book I know as this covers how to code securely for the desktop.

Tips:

SQL Injection

Use parametrised queries to get around SQL injection. Do not use anything which strips SQL characters (such as apostrophes) out of a string. Not only is this not a complete workaround, but it means my name (O'Neill) is marked as invalid, which makes me angry. This basically means you write a complete SQL statement with tokens in place of parameters:

Code:
INSERT INTO Customers (Name,LastName) VALUES (@firstName,@lastName)
Where @firstName and @lastName are the parameters.

You then assign the user given values to the parameters in whichever construct is provided for the task (I only know how to do it in .Net).

This will mean that whatever the user puts as their first name it will go into the database as entered. If you did a string concatenation then it would have executed any SQL they put in, this way it will copy it.

XSS Attacks

You'll need to research more on this, but can I suggest you ensure all dynamic content on your system, especially any of which has come from a user, is HTML encoded. This will convert any HTML characters into the entities used to represent those characters (so & becomes &amp;). These are rendered fine in the browser but are not read as HTML, thus preventing any user-provided code from executing on your site.

CSRF Attacks

Don't know much about this. So I'll get someone else to talk about it: http://www.codinghorror.com/blog/200...s-and-you.html
Old 18-07-2010, 22:26   #5
Raistlin
Re: Secure Coding

I don't necessarily just want one for the web, if you have desktop recommendations I'd be interested in those as well.
Old 19-07-2010, 07:00   #6
AntiSilence
Re: Secure Coding

I don't know anything specific to PHP, but in general, like Damien says, parameterised queries are a must, and always validate user input.
Old 19-07-2010, 08:45   #7
Damien
Re: Secure Coding

Quote:
Originally Posted by Raistlin View Post
I don't necessarily just want one for the web, if you have desktop recommendations I'd be interested in those as well.
http://www.amazon.co.uk/Writing-Secu...9525483&sr=8-1

Large and it might be overkill....
Old 19-07-2010, 09:59   #8
punky
Re: Secure Coding

Parameterised queries are unique to ASP.NET.

ASP.NET has a lot of built-in protection (it even prevents HTML/script tags from being entered as a parameter by default) but PHP has none. You have to do it yourself.

I don't know any specific books but can give you guidelines. Really it's just the usual security practices.
Old 19-07-2010, 10:15   #9
Damien
Re: Secure Coding

Quote:
Originally Posted by punky View Post
Parameterised queries are unique to ASP.NET.
Don't think they are. Admittedly .Net has the best support for it I have yet seen. They are usually handled via database abstraction layers depending on the database outside of a .Net stack. I think PHP has had it since PHP 5. Although you seem to need a newer version of mySQL. Worth it though. Parametrised Queries rock.

http://www.php.net/manual/en/mysqli-stmt.bind-param.php

Quote:
ASP.NET has a lot of built-in protection (it even prevents HMTL/script tags from being entered as a parameter by default) but PHP has none. You have to do it yourself.
Yup. More Microsoft awesomeness. Although MVC takes a lot of this away as it's a far less abstracted framework, so it's not always the case.
Old 19-07-2010, 10:34   #10
punky
Re: Secure Coding

Quote:
Originally Posted by Damien View Post
Don't think they are. Admittedly .Net has the best support for it I have yet seen. They are usually handled via database abstraction layers depending on the database outside of a .Net stack. I think PHP has had it since PHP 5. Although you seem to need a newer version of mySQL. Worth it though. Parametrised Queries rock.

http://www.php.net/manual/en/mysqli-stmt.bind-param.php
Admittedly I don't use MySQLi extensions, but it doesn't actually say in that doc that it sanitises input like ASP.NET. So it might just be a glorified String.Format function.

Speaking of data abstraction, ZendFramework does sanitise input via factory queries, but it shouldn't be assumed they all do.
Old 19-07-2010, 10:47   #11
Damien
Re: Secure Coding

Quote:
Originally Posted by punky View Post
Admittedly I don't use MySQLi extensions, but it doesn't actually say in that doc that it sanitises input like ASP.NET. So it might just be a glorified String.Format function.
Good Point.

Quote:
Speaking of data abstraction, ZendFramework does sanitise input via factory queries, but it shouldn't be assumed they all do.
What do you mean by sanitise? If it's removing invalid characters then it's hardly ideal either. Parametrised query mechanisms shouldn't be tampering with the string; they should simply be telling the database that this is the query and these are the values for that query.

Either way. Removing invalid characters is a nasty workaround.
Old 19-07-2010, 11:58   #12
punky
Re: Secure Coding

Sanitising input can mean almost anything, but usually it means escaping characters. This means it converts ' to \' so the query remains safe to be executed by MySQL.

It's de-escaped (either automatically or manually, I can't remember now, it's been a while) when it's retrieved back onto the page.
Old 19-07-2010, 12:28   #13
Damien
Re: Secure Coding

Quote:
Originally Posted by punky View Post
Sanitising input can mean almost anything, but usually it means escaping characters. This means it converts ' to \' so the query remains safe to be executed by MySQL.

It's de-escaped (either automatically or manually, I can't remember now, it's been a while) when it's retrieved back onto the page.
Thought you meant that. Surely some of the bigger layers support actual parametrisation?
Old 19-07-2010, 12:42   #14
punky
Re: Secure Coding

Quote:
Originally Posted by Damien View Post
Thought you meant that. Surely some of the bigger layers support actual parametrisation?
Not quite. PHP frameworks contain query factory classes that look like ASP.NET parameterisation, but all it does is build the query and then sanitise the input for you.

For example, using a generic query factory class:

Code:
$myQuery = $framework->query("INSERT INTO table ('Name') VALUES(@Name);");
$myQuery->addWithValue("@Name", "punky");
$myQuery->execute();

That looks like ASP.NET, but really all it does is sanitise "punky" and then do a regexp replace to put it in, so it becomes:

"INSERT INTO table ('Name') VALUES('punky');"

And then gets executed. That's all ASP.NET parameterisation does really (except in ASP.NET you can specify types which will throw exceptions if you try and tamper with it) but in that case you are trusting Microsoft to handle it.

Anyway, Raistlin asked about base PHP.
Old 19-07-2010, 13:02   #15
Damien
Re: Secure Coding

Quote:
Originally Posted by punky View Post

And then gets executed. That's all ASP.NET parameterisation does really (except in ASP.NET you can specify types which will throw exceptions if you try and tamper with it) but in that case you are trusting Microsoft to handle it.

Anyway, Raistlin asked about base PHP.
In .Net the parametrisation is a concept supported at the database level, i.e. the database itself knows what a parameter is. So a query is passed down along with the parameters and the database will then execute the query, drawing on those parameters to put into the database, but the .Net framework doesn't escape the characters and send the database a safe string.

This also allows MS SQL to draw on and cache database execution plans, because the parametrised query will always be the same string with only the params changing.

Anyway yes, off-topic
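The three approaches argued over in this thread (Damien's parameterised-query and HTML-encoding tips in #4, and the escape-then-concatenate "sanitising" that punky and Damien compare with database-level parameters in #12-#15), written out side by side as an added example that is not code from any of the posters. It uses Python's sqlite3 rather than PHP or .Net so that it runs offline against an in-memory table; the Customers table and the name O'Neill are taken from the thread, everything else is constructed.

```python
import html
import sqlite3


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the Customers table used in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (Name TEXT, LastName TEXT)")
    return conn


def insert_concatenated(conn, first, last):
    """Poor code: the value is pasted into the SQL text, so a quote inside it
    changes the statement itself. Returns the database error text, or None."""
    sql = ("INSERT INTO Customers (Name, LastName) VALUES ('"
           + first + "', '" + last + "')")
    try:
        conn.execute(sql)
        return None
    except sqlite3.Error as exc:
        return str(exc)


def insert_escaped(conn, first, last):
    """The 'sanitise' approach: escape quotes, then still build one string.
    SQLite doubles the quote (MySQL drivers often use a backslash instead).
    The database receives only text and has to re-parse the value out of it."""
    def esc(value):
        return value.replace("'", "''")
    sql = "INSERT INTO Customers (Name, LastName) VALUES ('%s', '%s')" % (
        esc(first), esc(last))
    conn.execute(sql)


def insert_parameterised(conn, first, last):
    """Best practice: the statement text is fixed and the values travel
    separately, so the engine never interprets them as SQL and the same
    statement text can be planned once and reused."""
    conn.execute("INSERT INTO Customers (Name, LastName) VALUES (?, ?)",
                 (first, last))


def stored_last_names(conn):
    return [row[0] for row in conn.execute("SELECT LastName FROM Customers")]


def render_cell(value):
    """HTML-encode on the way out: & becomes &amp;, < becomes &lt;, and so on,
    so user-supplied text is displayed rather than parsed as markup."""
    return "<td>" + html.escape(value, quote=True) + "</td>"


def demo():
    first, last = "Damien", "O'Neill"  # constructed input, name from the thread
    results = {}
    conn = fresh_db()
    results["concat_error"] = insert_concatenated(conn, first, last)
    results["concat_rows"] = stored_last_names(conn)   # nothing stored
    conn = fresh_db()
    insert_escaped(conn, first, last)
    insert_parameterised(conn, first, last)
    results["rows"] = stored_last_names(conn)          # both keep the apostrophe
    results["html"] = render_cell("<b>O'Neill & Sons</b>")
    return results
```

Running demo() shows the concatenated insert failing with a syntax error on the apostrophe in O'Neill, while both the escaped and the parameterised inserts store the name verbatim; only the parameterised form does so without rewriting the input.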