How to make a secure code?

system · May 23, 2012, 12:09pm

Hi all,

I am a complete amatuer at coding (I know a little c# bit very little about php) so hope you can help.

A while back I made a silverlight game and wanted to it to have a high score table. The game runs in the browser on the users computer so the only way I could think of to do this was by the game sending the users score to a php file on the server. The php then writes the score into an xml file also on the server. When the game wants to know the score it reads the xml file.

Only problem being my server account somehow got hacked and my website account was suspended (it had some kind of virus/malware and was sending out shed loads of junk emails.) My provider says it was likely due to my php file having vulnerabilities. If it happens again my account will be closed for good.

I naively made no allowance for making this script secure.

this was my code…

<?php $stringData = $_POST['table']; $name = $_POST['name']; $kill = $_POST['kill']; if ($stringData != "") { $ourFileName = "v6.xml"; $ourFileHandle = fopen($ourFileName, 'w') or die("can't open file"); fwrite($ourFileHandle, $stringData); fclose($ourFileHandle); mail( "[email protected]", "The game has been played by ".$name.". A total of ".$kill." baddies were zapped" ,$stringData, "[email protected]" ); } ?>

So this is my question…

How do I make my php secure? (the easiest way possible…!!)

And also does the read/write permissions of the files on the server have any bearing on this?

Hope you can help!

Many thanks,
Ian

Ojoshiro · May 23, 2012, 1:01pm

Well the most important thing to do is that you don’t allow anybody to do things on the server you don’t want them to do.
Some things you want to keep in mind are:

[ul][li]NEVER EVER use ‘eval’. ( If you think you have to, you’re doing something wrong )[/li]
[li]Don’t allow people to upload (save) PHP into a directory they can access from the outside.[/li]
[li] Be smart about emailaddresses, passwords and sensitive stuff like that. People can send them to you, but you never send them to them ( you just check them on the server )[/li]
[li]Do serverside checking. There are some smart froods outthere who know how javascript works and they know how to get around it.[/li][/ul]

I think this would make things safe enough for gamedata.

In your script the weakest link seems to be the ‘stringData’ being saved.

I hope this helps.
O.

Improvizionz · May 24, 2012, 7:23am

One thing I really notice here is you haven’t stripped the tags from the name, I’m not sure if the name is auto entered before the game or what, but where ever it is entered at it’s a giant problem, I’m really not large on knowing how to secure transfer data, but I am good at securing forms. If I may make a suggestions, it’s that instead of storing data in XML that is accessible, you should try MySQL, they are a lot more secure that a file that can be easily accessed.

But that’s my opinion, also, you could capture their IPs when they enter the data, so it can provide safety and look at IPs who visit often and see if they attempt any malicious tricks. If so, using PHP or CPanel you can deny their IP from accessing the site, if you need any help with what I just stated let me know and I will try to help, but O. seems to have a lot more knowledge on the subject, so you might want to ask him first.

Hope I help though, and be sure to PM me the link for the game, I’m always in the mood for some fun.

-Improvizionz

Ojoshiro · May 24, 2012, 7:39am

Eh, no, not really. ;D Just sharing a couple of rules I try to live by to keep things relatively secure.
( there is no absolute security, not on the net, not anywhere else )
The tip to store stuff in a database instead of a file is a good one.
If you’re going to play with rights to files and directories, I’m no help. ( at all ) The only state I know in *NIX environments is ‘777’ I’m far too trusting to be any good at security

Good luck.
O.