Jamroom PHP Scripts and Security
Before going any further, we need to look at PHP script and web application security.
Now that you are developing a Jamroom Module it is important that you use the proper Jamroom library functions to ensure your module is secure - if your module is not secure, it may allow someone to gain unauthorized access to your Jamroom.
Using the "IN_JAMROOM" check
One of the first things we can do is to make sure our PHP scripts are not being called "outside" the Jamroom framework. The easy way to do this is to be sure that you have the following check at the top of EVERY one of your PHP scripts that is in your module directory (this does NOT go in any of your Form Controller scripts located in the Jamroom main directory):
defined('IN_JAMROOM') or exit();
How this works is that Jamroom's main "includer" (jamroom/include/jamroom-include.inc.php) sets a special PHP constant called "IN_JAMROOM" to true. If this constant is not "defined" when your script is called, you need to exit, since it means someone is trying to call your script "outside" of Jamroom by linking directly to the script. If you do not do this, there can be a security vulnerability caused by allowing PHP scripts and functions to be run outside of the scope for which they were intended (this can be especially problematic on sites with the PHP Register Globals setting turned on - Jamroom does not use Register Globals, and Register Globals can be disabled without issue on a Jamroom site).
Use jrHtmlFormTokenValidate()
A newer form of web-based attack is called a "CSRF Attack" (Cross Site Request Forgery):
http://en.wikipedia.org/wiki/CSRF
This form of attack is prevented in Jamroom by making sure you use the jrHtmlFormTokenValidate() function whenever you receive the "post" from a Form Controller script.
jrHtmlFormTokenValidate();
How this works is that when a Form Controller script loads up a Control Panel form, Jamroom adds a special "token" to the user's Session. Then, when the user submits the form, the jrHtmlFormTokenValidate() function will verify that the form request came from the user - not from a 3rd party. This prevents CSRF attacks in your Jamroom Control Panel.
Use dbEscapeString()
Another form of web attack is called an "SQL Injection" attack. This type of attack occurs whenever we take unfiltered data from a posted form and use it directly in a database query:
http://en.wikipedia.org/wiki/SQL_Injection
The good news is that you can prevent this type of attack in Jamroom by using the Jamroom dbEscapeString() function:
$req = "INSERT INTO table (value_1,value_2)
VALUES ('". dbEscapeString($_post['value_1']) ."','". dbEscapeString($_post['value_2']) ."')";
The dbEscapeString() function will "escape" the data for the database column, and ensure any special characters have their special meaning removed, before running the SQL query on the MySQL database. It is VERY important that this be done for all text-based fields, and all numerical fields should be checked that a number is received instead of a string. Another good practice when writing SQL queries is to ensure all of your "values" are surrounded by single quotes - even if the value is numerical. This will add an additional layer to prevent SQL injections from being crafted.
Use checkType()
Another handy function that Jamroom provides is the checkType() function - this function will check the "type" of a value and ensure it is of a given type. If it is not, the function will return false so you can notify the user appropriately.
if (!checkType($_post['value'], 'email')) {
echo "you did not enter an email address!";
}
There are many different "types" that the checkType() function can test - for a full list, be sure to check the Function Reference entry for checkType().
Check the user_band_id value
If your module will allow users to enter and delete information from a Jamroom database table that is shared among all Jamroom profiles, then you need to make sure any update/delete SQL queries reference the user's user_band_id value - this ensures that the user cannot delete or change any data that is not their own:
$req = "DELETE FROM table
WHERE some_id = '5'
AND band_id = '{$_user['user_band_id']}'";
Of course this is just an example and would need to be properly written for your table and column names.
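The following is an added example (not code from the Jamroom project or this page) that pulls the five checks described above into one module script that handles a "delete" post: the IN_JAMROOM guard, the CSRF token check, type checking, escaping with single-quoted values, and scoping the DELETE to the caller's user_band_id. The table name jamroom_example_item and column names are assumed placeholders, and dbQuery() is assumed to be the name of Jamroom's query helper; the exact checkType() name for a numeric type is not given on this page, so the id is checked with PHP's ctype_digit() instead.

```php
<?php
// Added example, not Jamroom's own code: a module action script that applies
// every check described on this page before deleting one row from a shared table.

// 1. Refuse to run when called directly instead of through jamroom-include.inc.php
defined('IN_JAMROOM') or exit();

// 2. Reject forged posts: the token stored in the session when the form was
//    shown must match the one that came back with this submission.
jrHtmlFormTokenValidate();

// 3. Validate types before the values go anywhere near a query.
//    'email' is a checkType() type named on this page.
if (!isset($_post['contact_email']) || !checkType($_post['contact_email'], 'email')) {
    echo 'you did not enter an email address!';
    exit();
}
//    Numeric fields must actually be numbers: ctype_digit() is used here because
//    this page does not give the checkType() type name for numbers.
if (!isset($_post['item_id']) || !ctype_digit((string) $_post['item_id'])) {
    echo 'item_id must be a whole number!';
    exit();
}

// 4. Build the query: every value is escaped AND wrapped in single quotes (even
//    the numeric ones), and the row is scoped to the caller's own band_id so a
//    user cannot delete a row that belongs to another profile.
//    "jamroom_example_item" and its columns are assumed placeholder names.
function exampleBuildDeleteQuery($item_id, $band_id)
{
    return "DELETE FROM jamroom_example_item "
         . "WHERE item_id = '" . dbEscapeString($item_id) . "' "
         . "AND band_id = '" . dbEscapeString($band_id) . "'";
}

$req = exampleBuildDeleteQuery($_post['item_id'], $_user['user_band_id']);

// 5. Run the statement. dbQuery() is assumed here to be Jamroom's query helper;
//    substitute the function your Jamroom version provides.
dbQuery($req);
```

Note that even when the id has passed the numeric check, it is still escaped and quoted: the checks are layered on purpose so that a mistake in one of them does not leave the query exposed.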