
Is there anything I need to worry about besides SQL injections and XSS attacks?


I'm finishing up my first "real" PHP application and I am trying to make sure it is secure. I'm kind of afraid that since I'm not an "expert" PHP programmer that I might be missing something huge, so I would like to give you some information about my application and hopefully you can tell me whether or not that is the case. So here we go:

  • I'm using a CMS to handle user authentication, so I don't have to worry about that.
  • After discovering PDO shortly after starting work on my application, I ported all of my code over to using prepared statements with PDO.
  • I am escaping all form and database data (even stuff I think is safe) which is being output with htmlentities().
  • My application does use a session variable and cookie variable, but the function of both is very unimportant.
  • I have designed my form processing functions in such a way that it doesn't matter if the form were somehow altered, or submitted from off-server (i.e. I always check the data submitted to ensure it's valid).
  • I have done my best to make all error messages and exception messages polite but very obscure.
  • I'm forcing pages with sensitive information (such as the login page) to be served over https.

When I first started writing my application, I didn't know about prepared statements, which is kind of a huge deal. Have I missed anything else?
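The two practices the question leans on, prepared statements and output escaping, are easy to get subtly wrong even when used everywhere. This is an added example, not code from the question; it assumes PHP 7+, a MySQL table `comments(id, author, body)`, and hypothetical DSN and credentials. It shows the PDO options that make prepares real server-side prepares, the htmlentities() flags that also cover single-quoted attributes, and the one place a bound parameter cannot help (an ORDER BY direction), which has to be whitelisted instead.

```php
<?php
// Added example (not from the original post). Assumes PHP 7+ and a table
// comments(id, author, body); the DSN, credentials and table are hypothetical.

declare(strict_types=1);

function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=app;charset=utf8mb4',
        'app_user',
        'secret',
        [
            // Throw on errors instead of silently returning false.
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
            // Use real server-side prepared statements rather than client-side
            // string interpolation, so parameter values never touch the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Output escaping. htmlentities() without flags defaults to ENT_COMPAT on
// older PHP, which leaves single quotes alone; that is fine in text nodes and
// double-quoted attributes but not in single-quoted ones. Pass the flags and
// the charset explicitly. ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string.
function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function commentsByAuthor(PDO $pdo, string $author, string $dir = 'ASC'): array
{
    // Identifiers and keywords cannot be bound as parameters, so the sort
    // direction is reduced to one of two known-safe literals.
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    // The author value is bound; a payload such as "' OR 1=1 --" is compared
    // literally against the column and matches nothing.
    $stmt = $pdo->prepare(
        "SELECT id, body FROM comments WHERE author = :author ORDER BY id $dir"
    );
    $stmt->execute([':author' => $author]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Form handling: accept only POST, validate before use, never trust hidden
// fields or client-side checks. Field names are hypothetical.
$author = $_POST['author'] ?? '';
$dir    = $_POST['dir'] ?? 'ASC';
if ($_SERVER['REQUEST_METHOD'] !== 'POST'
    || !preg_match('/^[A-Za-z0-9_]{1,32}$/', $author)) {
    http_response_code(400);
    exit('Bad request');
}

foreach (commentsByAuthor(connect(), $author, $dir) as $row) {
    // Escape at output time, for the HTML context actually being written.
    echo '<p data-id="' . e((string) $row['id']) . '">' . e($row['body']) . "</p>\n";
}
```

The `charset=utf8mb4` in the DSN matters together with `ATTR_EMULATE_PREPARES => false`: with emulated prepares, PDO escapes values client-side, and a mismatch between the connection charset PDO assumes and the one the server uses is exactly the kind of gap that multibyte escaping bypasses rely on.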


Solution

  • OWASP maintains a list of the Top 10 Most Critical Web Application Security Risks (warning, PDF download). This is from 2010, but I think it still applies, perhaps even more so now.

    Injection and XSS are the top two, but you should certainly be aware of the other 8. If you are using an existing CMS, many of these may already be considered, but the more popular the CMS the more you risk running into vulnerabilities because of black hats trying to find holes in it.

    If you are not storing critical data like credit cards, order history, addresses, and even emails, then I wouldn't worry too much about your site being affected as long as you are taking the basic precautionary measures (and it sounds like you are).
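Two of the "other 8" from the 2010 list map directly onto the session and cookie the question mentions: broken authentication and session management (A3) and cross-site request forgery (A5). This is an added example, not part of the answer; it assumes PHP 7.3+ (for the array form of session_set_cookie_params()) and uses hypothetical form field names and redirect target. It hardens the session cookie flags and adds a per-session anti-CSRF token to a plain form.

```php
<?php
// Added example (not part of the original answer). Assumes PHP 7.3+; the
// field names "csrf" and "comment" and the "/done" redirect are hypothetical.

declare(strict_types=1);

// Cookie flags: Secure keeps the session cookie off plain HTTP, HttpOnly
// keeps it away from script (limits what an XSS that slips through can
// steal), SameSite=Lax stops cross-site POSTs from carrying it at all.
session_set_cookie_params([
    'lifetime' => 0,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

// One random token per session, stored server-side and echoed into the form.
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Compare with hash_equals(): it is constant-time, and unlike == it does not
// coerce types (in PHP, "0e123" == "0e456" is true, both being numeric 0).
function csrfValid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

function e(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrfValid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid request');
    }

    // ... validate and process the form fields here ...

    // If this request changes the user's privilege level (login, role change),
    // rotate the session id so a pre-set id cannot be reused (session fixation).
    session_regenerate_id(true);

    // Redirect after POST so a refresh does not resubmit the form.
    header('Location: /done', true, 303);
    exit;
}
?>
<form method="post" action="">
  <input type="hidden" name="csrf" value="<?= e(csrfToken()) ?>">
  <input type="text" name="comment">
  <button type="submit">Send</button>
</form>
```

The token only has value because the session cookie is the thing an attacker's cross-site form cannot read; the hidden field is tied to that cookie's session, so a forged POST from another origin lacks a token that matches. If the CMS already issues its own session cookie, apply the same flags to that cookie rather than starting a second session.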