How to make your Modules Secure

This page contains some basic advice for security and good practice.

Uninitialised variables

More recent versions of PHP require you to ensure a variable is set before trying to use it.

This also applies to array indices; for example:

$pageNumber = $_GET['page'];

would cause a PHP error if $_GET['page'] was not defined. Better would be:

$pageNumber = isset($_GET['page'])? $_GET['page'] : 1;

or if you're using Zenario's library functions:

$pageNumber = ifNull(get('page'), 1);

Input

Never trust any input from any external source. You must ensure that you always sanitise your variables. In order to promote more readable source, at Zenario we insist that variables are sanitised at the point where they are used.

For example this chunk of SQL is BAD:

$sql = "
SELECT name
FROM table
WHERE id = '". get('id'). "'";

Your SQL should be more like this:

$sql = "
SELECT name
FROM table
WHERE id = '". mysql_real_escape_string(get('id')). "'";

Or if id is an integer, more like this:

$sql = "
SELECT name
FROM table
WHERE id = ". (int) get('id');

As another example, the following output to the screen would be BAD:

echo get('name');

A better example would be:

echo htmlspecialchars(get('name'));

This principle applies for SQL, the output of data to the browser, and any other places or ways an input from an external source is used.

Please note than an external source is not just the $_GET and $_POST requests, but also includes data from the database and data read from files.

Input and API Functions

Beware handing untrusted input to an API function, where the API function expects its input to be already escaped.

For example the following PHP code is BAD:

$mergeFields = array();
$mergeFields['Name'] = get('name');
$this->framework('Outer', $mergeFields);

as the framework API function takes HTML, not plain text, and the Name merge field should have been escaped.

To contrast the above example, the following code is fine:

getRow('table', 'name', array('id' => get('id'));

as the getRow function escapes its inputs.

Further Information and Advice on PHP and Website Security

There are plenty of resources available on the internet, for example http://cwe.mitre.org.