Who can access your admin page?
Saturday, June 16th, 2007 in Security

Normally, the answer to that question would be: the administrator of the website. Well… not always. By now you have all heard of MySQL injection. At this moment, I know of at least 5 websites developed by WEB COMPANIES (yes, you read it well, those companies that have on the index page of their website the words: WE ARE PROFESSIONALS) that have holes in their security.

So, how does that happen? It's quite simple, actually. As you might have read in the PHP Security article, you simply continue the SQL query with some well-chosen words. I will not repeat that here. What I will do is tell you how to avoid it.
Before telling you what you can do, I must tell you: REGISTER_GLOBALS must be OFF. Even if it is on (unlikely but possible), you must write your scripts as if it were off. This is the first thing you MUST do.

Some people use the mysql_magic_quotes() function in order to sanitize the input. Well, it's a good idea, but what happens if your locally installed server has the function available and the web server does not? You go to sleep in the evening feeling safe and you wake up in the morning having been hacked. And that sucks.

So, what I recommend is the old way: addslashes(), htmlspecialchars(), preg_match(), preg_replace() and whatever else you find safe. What I do is use a home-made function called clean_vars(). It looks something like this:
```php
function clean_vars($var) {
    // Arrays (e.g. the whole $_GET or $_POST) are cleaned element by element,
    // keys are preserved, and nested arrays are handled by recursing
    if (is_array($var)) {
        $returns = array();
        foreach ($var as $k => $v) {
            $returns[$k] = clean_vars($v);
        }
        return $returns;
    }
    // Scalars: strip HTML tags, trim surrounding whitespace, escape quotes
    return addslashes(trim(strip_tags($var)));
}
```
This function removes the HTML tags, erases the spaces before and after the string and finally adds a backslash in front of every quote it finds, for all variables coming from GET or POST. It uses is_array() so that I can pass it the whole array (it preserves the keys) and have it returned in the same format, but with addslashes(), trim() and strip_tags() applied to every value.
Of course, it can be extended to use a whole set of sanitization functions. That will be your choice.
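As an added example (not from the original post), here is an admin lookup written once with the post's escaping chain and once as a parameterised PDO query, which is the form that removes the quoting problem rather than working around it; it also shows why escaping alone does not cover a value spliced into a numeric position. The users table layout, its column names, the use of password_hash() and the $pdo connection are all assumptions.

```php
<?php
// Added example, not from the original post. Assumes a `users` table with
// `id`, `username`, `password_hash` (from password_hash()) and `is_admin`
// columns, and a $pdo connection created by the caller.

// 1. The string-building style the post is protecting. addslashes() (the
//    last step of clean_vars()) keeps a single quote in $user from closing
//    the string literal in the query.
function admin_query_escaped($user) {
    $safe_user = addslashes(trim(strip_tags($user)));   // same chain as clean_vars()
    return "SELECT is_admin FROM users WHERE username = '$safe_user'";
}

// addslashes() only helps inside a quoted literal. A value spliced into a
// numeric position, such as an id from the query string, has no quote to
// escape, so it must be validated as a number instead.
function admin_query_by_id($id) {
    $ok = filter_var($id, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
    if ($ok === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return "SELECT is_admin FROM users WHERE id = " . (int)$id;
}

// 2. Parameterised query: SQL text and values travel separately, so no
//    character in $user can change the statement. Prefer this for the admin
//    login check; the escaping step then becomes unnecessary.
function is_admin_login(PDO $pdo, $user, $password) {
    $stmt = $pdo->prepare(
        'SELECT password_hash, is_admin FROM users WHERE username = :user LIMIT 1'
    );
    $stmt->execute(array(':user' => $user));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown user
    }
    // Compare against a stored password_hash(), never a plaintext column
    return password_verify($password, $row['password_hash']) && (bool)$row['is_admin'];
}

// Constructed input: a legitimate name containing a quote.
echo admin_query_escaped("O'Brien "), "\n";
echo admin_query_by_id("42"), "\n";
```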
Hope this helps you. See you soon.