Right now I'm learning about the CakePHP framework, and I just wanted to know what makes CakePHP secure. How secure are its components like for example how secure is the authentication component. Also, what can we do as developers to increase the security of our CakePHP base web application?
Also do you guys recommend any books or sites to learn more about CakePHP security?
Hope to hear from you guys soon.
Thanks
Leo: Some sites don't need high levels
of security and they can give a
performance hit. Others must be
inviolable.
Sorry Leo, but i disagree. Every site you build, you do so with the utmost care of security in mind. Regardless of what type of site it is. Suppose for example you've built this very tight superduper hackersafe site. You host it on a shared server, and guess what.. Someone got access to your safe site via a hole in your less safe site. Or even the entire server.
I know, its a doom theory but i believe stuff like this happens on a daily bases.
Cake follows best practices in many areas, and has pretty secure tools built-in comes with infrastructure that already has many typical areas of webapp security covered to some degree. You won't need to worry much about SQL injection for example, since Cake's database abstraction escapes all input. Where it doesn't, the manual warns you appropriately:
updateAll(array $fields, array $conditions)
! The $fields array accepts SQL expressions. Literal values should be quoted manually.
Using the SecurityComponent you get automatic form spoofing protection.
Data validation is a big integrated part of models.
The AuthComponent hashes and salts passwords properly, though not necessarily in the most secure manner possible.
There's a handy h() shortcut for htmlentities that you should use to escape output to avoid XSS problems.
Et cetera perge perge...
You will still have to use all the components correctly though and be careful not to open any "custom" holes. Cake is only a toolbox, it's still perfectly possible to build a horrendously insecure application using it. You can still shoot yourself in the foot, no matter how good the gun. The default Cake structure is only a starting point. It's not the end-all-be-all in terms of security; think for yourself. The link provided by John is indeed a good starting point.
The CakePHP framework has been around for quite some time (since 2005) and is open source software. This means its code is available for review by any developer, or non-developer, who wishes to do so. Both the CakePHP community and security communities have had ample time to review the code base and find/correct potential security issues. That doesn't mean that the software is perfect but with CakePHP being so popular you can bet it's been reviewed quite thoroughly and if there are any flaws in it they are deep and very difficult to find/identify.
But keep in mind, just because the code in the framework is secure doesn't mean using it makes your code secure. You still need to follow secure coding practices because your code base can be vulnerable regardless of the security level of the framework you use.
Cake security is pretty good, but everything has holes. For an ultra secure site, I'd be researching known security holes and blunders and testing the site against those cases. It simply isn't enough to rely on someone else's statement of a degree of security.
Some sites don't need high levels of security and they can give a performance hit. Others must be inviolable.
All said, I'm impressed with Cake's inbuilt security and haven't had to modify it yet.
Related
I'm starting to work on my biggest project yet and if it's succesful it's going to be used by thousands of users. Unfortunately my experience in PHP has been limited to smaller projects only used in limited and closed groups of people or private usage so security never was my biggest concern. I want to create the most secure system possible but I can't find any good reference.
What should I know about securing a login system or storing sensitive data input by users? Is there any book you can recommend or a comprehensive guide? Or should I buy/use a premade system? I realize perfecting it is going to take a lot of time and I'm willing to invest it for it to be as secure as possible. I've already read up a lot about security and what to look for but I want to be sure I didn't miss anything. Also I couldn't find any confirmed secure code example apart from this. Is this all I need to know?
Is there any book you can recommended or a comprehensive guide?
Owasp.org Is a good starting point.
Or should I buy/use some premade system?
Using a pre-made system like WordPress or a framework is a good starting point to achieve a good security (because you use the code that a "more expert coder" write for you).
Is all that I need to know?
Nope. There are a lot of things that come with experience. Also there are a lot of things that are normally out of scope for a coder.
Hey guys I'm developing a website and first project with a group of friends and would like to know if we have covered all the basis, please let me know if I have missed anything out.
Website itself, this will be made up of HTML, JavaScript and PHP(communicate with database)
Database, straightforward mysql.
I would like to know if there is anything we should worry about, e.g. any security concerns, I have completed websites and databases previously but never joined them.
There will be no purchases through the website and its mainly for information and communication between employees.
Thanks for your help
As a novice there is probably some security holes in your php code. Make sure to understand what is an SQL injection and XSS and check if your code is safe before you release it.
You could look at using a framework (there are several out there for PHP, like Zend or Cake). The advantage of this is that the framework takes care of some things for you (authentication, for example) and provides a bit of hand holding.
If this is your first large database-backed website, your code is likely to be a mess... a good MVC framework can force you to do things properly (making maintenance easier).
If you are not using a framework (well, heck, even if you are), please read and understand everything in the PHP Manual page on SQL Injections.
I wouldn't be surprised if this question were closed as too broad or not a real question, but couldn't pass up the opportunity to say "understand SQL injections and avoid them."
I'm about to start building a fully functional penny auction script (something like bidhere.com) in PHP/MySQL.
I know PHP preety good and have no trouble using the manual.
My question is: Should I learn some of the PHP frameworks and use one of them in completion of a project this sized?
Since you are dealing with money, using a framework might help you in the security front. A lot of the really good frameworks have been hardened against basic hacks (e.g. sql injections) so I would recommend using a framework.
If you write everything by yourself, you run the risk of being attacked and losing information (or worse, money).
Just my 2 cents (does that mean I get 2 free bids?!?)
Using a framework will mean you're not re-inventing the wheel.
It will also keep you abreast of new security patches, and you will have confidence that attacks like CSRF and XSS have had measures implemented against them.
They're by no means perfectly secure, however, it will remove a lot of worry from your mind, and the minds of your clients if you choose to sell/lease the script.
Frameworks are a good idea in general. Since the framework is usually native to the language, you are really just extending your reach into the language itself.
Frameworks keep you from having to write code that has already been thought about and implemented elsewhere. But also frameworks tend to offer many other benefits as well, such as MVC code organization, handy HTML Form/Url helpers (codeigniter), independent 3rd party modules (drupal), and a slew of easy to manage configurations.
Having access to ready-made code makes your job easier and allows you to be more graceful and efficient in your implementation.
That being said there is no preset rule that you have to use a framework, if you know what you are doing, you have a straight-forward scope/objective and the task at hand is not complex, then just using raw PHP would benefit in this case, especially due to the fact that different frameworks have differing learning curves.
Certainly a framework, but which one. Points to consider:
If you are dealing with the backend operations, you better create backend separate from fronted. That's what Models are used for. You would need a framework which separates business logic from the presentation logic.
If you will use lots of forms and user interactivity on the site, then you need to have PHP UI framework. That would help you not to worry about how you are going to submit forms and focus on functionality.
If you are familiar with few of the frameworks, then stick with them. If you haven't used yet, then shop around. There are few general purpose ones which you have heard of, but then there are some you haven't heard of. Compare them and see which will get you from A to B within minimum time and effort.
I am building a site that requires a lot of MySQL inserts and lookups from different tables in a (hopefully) secure part of the site. I want to use an abstraction layer for the whole process. Should I use a PHP framework (like Zend or CakePHP) for this, or just use a simple library (like Crystal or Doctrine)?
I would also like to make sure that the DB inserts are done in a relatively secure part of the site (though not SSL). Currently, I am using the method outlined here (MD5 encryption and random challenge string), but maybe some of the frameworks come with similar functionality that would simplify the process?
What I'm trying to implement: a table of forms filled out with DB values. If you change a value or add a new row, pressing "save" will update or insert DB rows. I'm sure this has been done before, so I wouldn't want to reinvent the wheel.
Most PHP backends have secure access to a private database. Normally, there's little difficulty to keeping the database secure, mostly by not making it reachable directly. That way the security of access depends on the inability for anyone to tamper with the PHP code, and not any software security scheme.
I would recomend Symfony Framework for this. There is a great online tutorial on this at Practical Symfony.The Framework's Form class handles most of the security for you. It also has a nice login plugin to make the application secure.
Unless by Data Abstraction you mean an implementation of a Data Access Patterns like ActiveRecord or Table Data Gateway or something ORMish (in both cases you should update your question accordingly then), you don't need a framework, because PHP has a DB abstraction layer with PDO.
It sounds like you are really asking two different questions. One being should I use a framework (Zend, Symfony, Cake, etc) for the development of a website? The other being whether or not to use something along the lines of an ORM (Doctrine, Propel, etc)?
The answer to the first one is a resounding "yes". Frameworks are designed to keep you from having to reinvent the wheel for common/basic functionality. The time you spend learning how to (correctly) use a framework will payoff greatly in the long run. You'll eventually be much more productive that "rolling your own". Not to mention you'll gain a community of people who have likely been through similar situations and overcome issues similar to what you will face (that in and of itself could be the best reason to use a framework). I'm not going to suggest a particular framework since they all have strengths and weaknesses and is another topic in and of itself (however, I do use and prefer Zend Framework but don't let that influence your decision).
Concerning whether or not to use an ORM is a slightly more difficult question. I've recently began to work with them more and in general I would recommend them but it all boils down to using the right tool for the right job. They solve some specific problems very well, others not so much. However, since you specifically mention security I'll quickly address that. I don't think that a ORM inherently "increases security", however it can force you into making better decisions. That said, bad coding and bad coding practices will result in security issues no matter what technology/framework you are using.
Hope that helps!
As a web developer I am using PHP and I know that I have to worry about security but when you use a framework, there is a lot-of code and design that you relay on but that you didn't code or design and for instance I am using CakePHP.
so in this case with frameworks how much should i worry about security ?
You should always continue respecting the basic principles of security :
don't trust the user
never trust the user
Which kinda means :
filter / validate everything that comes to your application
escape any output.
Using a framework doesn't change much about that, except that :
Output to the database often es some layer of the framework, which should deal with escaping
Frameworks often provide filtering / validation solutions ; use them ;-)
Frameworks often have some guidelines ; read them.
As a sidenote : you said this :
there is a lot-of code and design that
you relay on but that you didn't code
or design
Considering you are using a well-known framework that lots of people use, this code has probably been more tested/reviewed than any code you could write ;-)
That's an advantage of open-source, actually : you are not the only one responsible for the code, and lots of eyes have seen it -- which means lots of hands have enhanced it.
There are a lot of things to consider when dealing with security in an application. As Pascal said, it is a good idea to use a popular framework that has had a number of people looking at it.
I see a few areas of concern in regards to CakePHP.
The first issue is the end user. You should expect someone to do something foolish on every page you build. Some examples of this are:
A person clicking the submit button rapidly over and over. This may skew or mess up your system in a way if you're not careful. The solution for this is not based on the framework, but rather your coding methodology and testing.
SQL Injection and other bad things. Any field on a page can be potentially abused, therefore every form element must be sanitized. CakePHP has simple methods to take care of these security issues. http://book.cakephp.org/view/153/Data-Sanitization
Clean URL's are very important. You should never design a system that allows a user to access integer primary keys directly. For instance, if you have a site that has /show_user/2098 then someone can simply type in show_user/2097 to see someone else's account. CakePHP allows you to incorporate slugs or UUID's quite easily, to prevent this from happening.
Second, you must be concerned with attacks dealing with the code and permissions itself. For example:
Never use eval() or system() in your code from data that may come from the end user. There have been applications in the past written in perl that have been hijacked because of this issue.
The folder structure and permissions is important in regards to security. Users should never have access to get into a writable directory. With CakePHP the folder structure is designed so that you can point apache directly to app/webroot. This means the tmp directory is outside of the apache path, making the system a bit more secure.
Third, you should be concerned with the protection of your administration pages and who has permissions to access what.
CakePHP has an Auth and an Acl component that allows you to choose what users get access to which pages. This makes use of custom Cake Sessions which can be stored in a database, by using PHP or written to the file system.
I would suggest reading up on some of the important components and being sure you set them up properly, to ensue you have built an application without security flaws. Take a look at some of these elements as you research further: http://book.cakephp.org/view/170/Core-Components
I suggest you check out ESAPI: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=PHP
It is not a framework per se, but does contain a lot of tools for the problems Pascal mentions.