
Setting Cookie Secure Flag – PHP

Method #1 By using ini_set function

Add the following code on the page before session_start(). It only affects the session cookie that PHP itself sends (PHPSESSID by default); cookies you create with setcookie() are not covered and need Method #3:

ini_set("session.cookie_secure", 1);

Method #2 By using session_set_cookie_params function

Add the following code on the page before session_start(). The parameters are lifetime, path, domain, secure and httponly; path and domain are given explicit values because passing NULL for string parameters is deprecated since PHP 8.1. The lifetime of 0 makes it a browser-session cookie:

session_set_cookie_params(0, "/", "", true, true);

Method #3 By using setcookie function

Add the following code when creating the cookie. The arguments are name, value, expires (0 = browser session), path, domain, secure and httponly; the sixth argument is the Secure flag, and the seventh (HttpOnly) is set as well because a Secure cookie that JavaScript can still read gives up most of the benefit:

setcookie("name", "value", 0, "/", "", true, true);

References

https://www.owasp.org/index.php/SecureFlag
http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

Setting the HttpOnly Flag – PHP

PHP supports setting the HttpOnly flag since version 5.2.0 (November 2006).

For session cookies managed by PHP, the flag can be set permanently in php.ini through the parameter (Methods #1 and #2 below change the same setting at runtime instead):

session.cookie_httponly = True

Method#1 By using ini_set function before session_start()

Add the following code on the page. ini_set() only changes the flag on the session cookie that session_start() sends, so it must run before session_start(); it has no effect on cookies created with setcookie(), which take the flag as their own seventh argument:

ini_set("session.cookie_httponly", 1);
session_start();
setcookie("name", "value", 0, "/", "", true, true); /* expires, path, domain, secure, httponly */

Method#2 By using session_set_cookie_params function before session_start()

Add the following code on the page. As with Method #1, session_set_cookie_params() must be called before session_start() and only applies to the session cookie; the separate setcookie() call sets HttpOnly on its own cookie through the seventh argument:

session_set_cookie_params(0, "/", "", true, true); /* lifetime, path, domain, secure, httponly */
session_start();
setcookie("name", "value", 0, "/", "", true, true);

Method#3 By using setcookie function

Add the following code while creating a cookie (not necessarily a session cookie). The seventh argument is httponly; the sixth is secure and is shown set as well, because a cookie that is HttpOnly but not Secure still travels in clear text over HTTP:

setcookie("name", "value", 0, "/", "", true, true);
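The following is an added example, not code from the original page. It applies the Secure and HttpOnly flags from both sections above, plus SameSite, to the PHP session cookie and to an application cookie using the options-array forms available since PHP 7.3, and then inspects the Set-Cookie headers PHP has queued so that a missing flag is caught before the response goes out. The cookie name remember_me, its value and the HTTPS deployment are assumptions; run it as a web page, not from the CLI, so the headers are actually sent.

```php
<?php
// Added example (not from the original page): Secure + HttpOnly + SameSite on
// the session cookie and on an application cookie, followed by a self-check.
// Requires PHP 7.3+ for the options-array forms of both functions.
declare(strict_types=1);

// 1. Session cookie: must be configured before session_start().
session_set_cookie_params([
    'lifetime' => 0,        // browser-session cookie
    'path'     => '/',
    'domain'   => '',       // current host only
    'secure'   => true,     // never sent over plain HTTP
    'httponly' => true,     // not readable from document.cookie
    'samesite' => 'Strict', // not attached to cross-site requests
]);
session_start();

// 2. Application cookie (name and value are placeholders): same flags via
//    setcookie()'s options array.
setcookie('remember_me', 'opaque-token-value', [
    'expires'  => time() + 60 * 60 * 24 * 30,
    'path'     => '/',
    'domain'   => '',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Strict',
]);

// 3. Check: look at every Set-Cookie header queued for this response and
//    report any cookie that lacks one of the three flags. Useful as a guard in
//    a bootstrap or middleware file.
function cookieHeadersMissingFlags(array $headers): array
{
    $problems = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        foreach (['Secure', 'HttpOnly', 'SameSite'] as $flag) {
            if (stripos($h, $flag) === false) {
                $problems[] = "$h is missing $flag";
            }
        }
    }
    return $problems;
}

$problems = cookieHeadersMissingFlags(headers_list());
if ($problems !== []) {
    error_log(implode("\n", $problems));
}
```

Because the Secure flag tells the browser to discard the cookie on plain HTTP, test this over HTTPS; on an http:// development URL the cookie will simply never come back, which is the flag working as intended.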

References

http://php.net/manual/en/function.setcookie.php
http://php.net/manual/en/function.session-set-cookie-params.php

http://php.net/manual/en/session.configuration.php#ini.session.cookie-ht…

Prevention of Web Page Caching – PHP

Method

Add the following code to the page, before any output is sent (headers cannot be added once output has started), so that neither the browser nor an intermediate proxy keeps a copy of the page:

header('Cache-Control: no-cache, no-store, must-revalidate');
header('Pragma: no-cache');
header('Expires: 0');

Note that session_start() already sends headers of this kind when session.cache_limiter has its default value of nocache, but pages that do not start a session, and any page served through a caching proxy, should set them explicitly. Confirm with the browser's network tab or with curl -I that the Cache-Control header is present on the response, including on the page shown after logout.

Reference

http://wiki.asp.net/page.aspx/1487/prevent-browser-caching-of-web-pages-…
https://www.owasp.org/index.php/Testing_for_Logout_and_Browser_Cache_Man…(OWASP-AT-007)

SQLi – PHP Secure Coding

Method #1
Escaping special characters in a string for use in an SQL statement

<?php
  // The mysql_* extension used by the original snippet was removed in PHP 7.0;
  // mysqli_real_escape_string() is the replacement. It needs the connection so
  // that escaping follows the connection's character set.
  $link = mysqli_connect('127.0.0.1', 'username', 'password', 'db');
  mysqli_set_charset($link, 'utf8mb4');

  $name = mysqli_real_escape_string( $link, $_POST['name'] );
  $pwd  = mysqli_real_escape_string( $link, $_POST['pwd'] );

  // Escaping only protects values placed inside quoted string literals; it does
  // nothing for identifiers, ORDER BY / LIMIT clauses or unquoted numbers.
  $str_sql = "SELECT * from `tbl_users` WHERE " .
             "usr_name='" . $name . "' AND " .
             "usr_pwd='" . $pwd . "'";

  $result = mysqli_query( $link, $str_sql ) or die ( mysqli_error($link) );
?>

Escaping is the weaker of the two methods: it has to be applied to every value, with the right connection, and a single forgotten call is an injection. Prefer Method #2. Comparing the password inside the query also implies it is stored in clear; store a password_hash() and check it with password_verify() in PHP instead.

Method #2
Using prepared statements and parameterized queries:

Case #1
While connecting to database

<?php
  $pdo = new PDO('mysql:dbname=db;host=127.0.0.1;charset=utf8', 'username', 'password');

  // Let the MySQL server prepare the statement instead of PDO building the
  // query string client-side, so bound values never touch the SQL text.
  $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
  // Throw on errors rather than failing silently.
  $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
?>

Case #2
While retrieving data

<?php
  // The placeholder :name is bound to $name at execute time; the value is sent
  // separately from the query and cannot change its structure.
  $stmt = $pdo->prepare('SELECT * FROM tables WHERE name = :name');
  $stmt->execute(array(':name' => $name));
  foreach ($stmt as $row) {
      // Output-encode before printing (see the XSS section); the default
      // fetch mode returns both numeric and column-name keys.
      echo htmlspecialchars($row[0], ENT_QUOTES, 'UTF-8');
  }
?>

Case #3
While inserting

<?php
   // "table" is a reserved word in MySQL, so a real table name is used here.
   $preparedStatement = $pdo->prepare('INSERT INTO tbl_users (usr_name) VALUES (:usr_name)');
   $preparedStatement->execute(array(':usr_name' => $unsafeValue));
?>

This technique can also be applied in case of update and delete.
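Below is an added example, not code from the original page, that carries the prepared-statement pattern through SELECT, UPDATE and DELETE and shows what happens to a classic injection payload when it is bound as a parameter. It runs against an in-memory SQLite database so it works offline; that requires the pdo_sqlite extension, and the table, user and passwords are constructed sample data. For production, swap the DSN for the MySQL one from Case #1.

```php
<?php
// Added example (not from the original page): SELECT, UPDATE and DELETE with
// bound parameters, demonstrated on in-memory SQLite (pdo_sqlite required).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);

// Constructed sample data. Passwords are stored hashed and are never compared
// inside SQL, so the query only looks up the hash for the given user name.
$pdo->exec('CREATE TABLE tbl_users (id INTEGER PRIMARY KEY, usr_name TEXT UNIQUE, usr_pwd TEXT)');
$ins = $pdo->prepare('INSERT INTO tbl_users (usr_name, usr_pwd) VALUES (:name, :hash)');
$ins->execute([':name' => 'alice', ':hash' => password_hash('correct horse', PASSWORD_DEFAULT)]);

function login(PDO $pdo, string $name, string $password): bool
{
    // $name is data, not SQL: quotes, comments or OR clauses inside it match
    // nothing instead of rewriting the WHERE condition.
    $stmt = $pdo->prepare('SELECT usr_pwd FROM tbl_users WHERE usr_name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['usr_pwd']);
}

function changePassword(PDO $pdo, string $name, string $newPassword): int
{
    // Positional placeholders work the same way as named ones.
    $stmt = $pdo->prepare('UPDATE tbl_users SET usr_pwd = ? WHERE usr_name = ?');
    $stmt->execute([password_hash($newPassword, PASSWORD_DEFAULT), $name]);
    return $stmt->rowCount();   // number of rows actually changed
}

function deleteUser(PDO $pdo, string $name): int
{
    $stmt = $pdo->prepare('DELETE FROM tbl_users WHERE usr_name = ?');
    $stmt->execute([$name]);
    return $stmt->rowCount();
}

// With string concatenation the first payload would match every row; bound as
// a parameter it is just a user name that does not exist, so login fails.
var_dump(login($pdo, "' OR '1'='1", 'anything'));
var_dump(login($pdo, 'alice', 'correct horse'));
var_dump(changePassword($pdo, 'alice', 'new pass'));
var_dump(login($pdo, 'alice', 'new pass'));
// A stacked-query payload in DELETE deletes nothing and the table survives.
var_dump(deleteUser($pdo, "alice'; DROP TABLE tbl_users; --"));
var_dump(deleteUser($pdo, 'alice'));
```

Parameter binding only covers values. Table and column names, sort direction and LIMIT counts cannot be bound; validate those against a whitelist in PHP before interpolating them.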

References
http://php.net/manual/en/security.database.sql-injection.php
http://php.net/manual/en/function.mysql-real-escape-string.php
http://php.net/manual/en/book.pdo.php

Anti CSRF Token – PHP

 

1. Add a unique token to a hidden field of the user form and store it in the session (session_start() must have been called first). Add the following code to achieve this:

  <?php
     session_start();
     // The token must be unpredictable: random_bytes() is a CSPRNG, whereas
     // md5(uniqid(rand(), TRUE)) is built from a clock value and rand().
     $token = bin2hex(random_bytes(32));
     $_SESSION["token_$token"] = time();
  ?>
  <form action="login.php" method="post">
    <input type="hidden" name="token" value="<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>" />
    <p>
     Username: <input type="text" name="username" /><br />
     Password: <input type="password" name="password" /><br />
     <input type="submit" value="Login" />
    </p>
  </form>

2. Before processing, validate the token on the server side:

  <?php
    session_start();
    $token = isset($_POST['token']) ? (string) $_POST['token'] : '';
    if ($token !== '' && isset($_SESSION['token_' . $token]))
    {
       // prevent use of the token twice
       unset($_SESSION['token_' . $token]);

      /* Valid Token */
    }
    else
    {
      /* Reject the request; do not process the form */
    }
  ?>

3. The validity of the token can also be limited. The value stored in step 1 is the creation time, so its age is checked against that entry (do this before the unset in step 2, or read the value first):

  <?php
     $token_age = time() - $_SESSION['token_' . $token];
     if ($token_age <= 600)
     {
        /* Less than ten minutes has passed: token is fresh */
     }
  ?>
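The three steps above combined into two functions, as an added example that is not from the original page or from the OWASP CSRF Guard it references. The creation time is stored next to each token so single-use and maximum-age checks happen in one place, the comparison is constant-time, and the number of outstanding tokens per session is capped. The 600-second lifetime is the page's own ten-minute figure; the cap of 20 tokens, the csrf session key and the form/login.php split are assumptions. Requires PHP 7.3+ for array_key_first().

```php
<?php
// Added example (not from the original page): token generation and validation
// with single use, expiry and a per-session cap. Assumes session_start() runs
// before these functions are used.
declare(strict_types=1);

const CSRF_TOKEN_LIFETIME = 600;  // seconds; the page's ten-minute limit
const CSRF_MAX_TOKENS     = 20;   // assumed cap so the session cannot grow unboundedly

function csrfGenerateToken(): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from a CSPRNG
    $_SESSION['csrf'][$token] = time();
    // Drop expired tokens, then the oldest ones if still over the cap.
    foreach ($_SESSION['csrf'] as $t => $created) {
        if (time() - $created > CSRF_TOKEN_LIFETIME) {
            unset($_SESSION['csrf'][$t]);
        }
    }
    while (count($_SESSION['csrf']) > CSRF_MAX_TOKENS) {
        unset($_SESSION['csrf'][array_key_first($_SESSION['csrf'])]);
    }
    return $token;
}

function csrfValidateToken($submitted): bool
{
    // Anything that is not 64 hex characters was never issued by us.
    if (!is_string($submitted) || !preg_match('/^[0-9a-f]{64}$/', $submitted)) {
        return false;
    }
    foreach ($_SESSION['csrf'] ?? [] as $token => $created) {
        if (hash_equals((string) $token, $submitted)) {   // constant-time comparison
            unset($_SESSION['csrf'][$token]);              // single use, even if expired
            return (time() - $created) <= CSRF_TOKEN_LIFETIME;
        }
    }
    return false;
}

session_start();

// login.php side: refuse the POST before touching any other field.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValidateToken($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid or expired CSRF token');
    }
    /* token valid: process username / password here */
}

// Form side: issue a fresh token for each rendered form.
$token = csrfGenerateToken();
echo '<form action="login.php" method="post">',
     '<input type="hidden" name="token" value="', $token, '" />',
     'Username: <input type="text" name="username" /><br />',
     'Password: <input type="password" name="password" /><br />',
     '<input type="submit" value="Login" />',
     '</form>';
```

The token is removed before its age is checked, so a stale token cannot be retried, and an attacker who obtains a copy of one token gains a single attempt at most. The token does not need HTML escaping here because it is guaranteed to be hexadecimal; any other value would need htmlspecialchars() as in step 1.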

References
https://www.owasp.org/index.php/PHP_CSRF_Guard

XSS – PHP Secure Coding

Case #1

HTML escape before inserting untrusted data into HTML element content. ENT_QUOTES also encodes single quotes, so the same output is safe inside a quoted attribute value; passing the charset avoids mis-encoding on non-UTF-8 default settings:

<?php
  $str=$_POST["data"];
  $str_safe=htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
?>
<h1><?php echo $str_safe; ?></h1>

Case #2

JavaScript escape before inserting untrusted data into JavaScript data values. strip_tags() is not a JavaScript encoder: a value such as "); alert(1); // contains no tags at all but still terminates the string literal and runs. Encode the value as a JavaScript literal instead; json_encode() with the JSON_HEX_* flags turns < > & ' " into \uXXXX escapes, so the value can neither close the string nor contain </script>, and the result already includes its own quotes:

<?php
  $str=$_POST["data"];
  $safe=json_encode($str, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
  if ($safe === false) {
      $safe = '""';   // json_encode() fails on invalid UTF-8; fall back to an empty string
  }
?>
<script>alert(<?php echo $safe; ?>);</script>
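The following is an added example, not code from the original page, that generalises the two cases above to one encoder per output context (HTML body and attribute, JavaScript string, URL query parameter, and user-supplied link targets) and runs them against a constructed payload that tries to break out of all three at once. The function names, the payload and the regression check at the end are assumptions of this example; JSON_INVALID_UTF8_SUBSTITUTE needs PHP 7.2+.

```php
<?php
// Added example (not from the original page): context-specific output encoding.
// The rule is to pick the encoder for the context the data lands in, never a
// generic "sanitizer" such as strip_tags().
declare(strict_types=1);

function encHtml(string $s): string
{
    // HTML body text and quoted attribute values
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function encJs(string $s): string
{
    // JavaScript string literal; the returned value includes its own quotes
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_INVALID_UTF8_SUBSTITUTE);
    return $out === false ? '""' : $out;
}

function encUrlParam(string $s): string
{
    // A single query-string value; the href it sits in still needs encHtml()
    return rawurlencode($s);
}

function safeHref(string $url): string
{
    // A link target taken from user data: only http(s) URLs are accepted so
    // javascript: and data: schemes are refused (relative URLs are refused too).
    $parts = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if ($parts === false || !in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return encHtml($url);
}

// Constructed payload that attacks the HTML, attribute and script contexts.
$data = '"><script>alert(1)</script>\' onmouseover=alert(2) </script>';

$html  = '<h1>' . encHtml($data) . '</h1>';
$attr  = '<input value="' . encHtml($data) . '">';
$js    = '<script>var d = ' . encJs($data) . ';</script>';
$link  = '<a href="/search?q=' . encHtml(encUrlParam($data)) . '">search</a>';
$ulink = '<a href="' . safeHref('javascript:alert(1)') . '">profile</a>';

// Cheap regression check: no rendered fragment may still carry the raw
// script tag from the payload or a javascript: scheme.
foreach ([$html, $attr, $js, $link, $ulink] as $fragment) {
    if (preg_match('/<script>alert|javascript:/i', $fragment)) {
        throw new RuntimeException('encoder failed: ' . $fragment);
    }
    echo $fragment, "\n";
}
```

Two contexts are deliberately absent because no encoder makes them safe: untrusted data inside a CSS block and untrusted data used as a JavaScript identifier or as the argument of eval() must be avoided rather than encoded.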

 

References
http://php.net/manual/en/function.htmlspecialchars.php
http://php.net/manual/en/function.htmlentities.php
http://php.net/manual/en/function.json-encode.php
http://php.net/manual/en/function.strip-tags.php