Security issues

chris12295
Forum Contributor
Posts: 113
Joined: Sun Jun 09, 2002 10:28 pm
Location: USA

Post by chris12295 »

I have a database with user information and a login script, and I need some expert advice on how to keep the information secure so people can't retrieve information from the database or run malicious code using my scripts. What are the best ways to keep my scripts and database secure?
Galahad
Forum Contributor
Posts: 111
Joined: Fri Jun 14, 2002 5:50 pm

Post by Galahad »

Encrypting your users' passwords is good. I've used the function Password() but can't find it in the online PHP manual anymore. crypt() does the same thing; maybe it's just a new name. Store the encrypted password, too. That way there are no plain text passwords stored, so no one (including database admins) can figure out someone's password. This isn't the solution to db security, just a good idea.
chris12295
Forum Contributor
Posts: 113
Joined: Sun Jun 09, 2002 10:28 pm
Location: USA

Post by chris12295 »

Thank you, that is exactly what I need: just tidbits and advice that you learn along the way. Anything like that is appreciated GREATLY!!!!

:D
RandomEngy
Forum Contributor
Posts: 173
Joined: Wed Jun 26, 2002 3:24 pm

Post by RandomEngy »

Yeah, on my database I use md5() to encrypt the passwords. Before storing them in the DB I run the password through md5(), then I run a submitted password through md5() before comparing it with the password in the database.
chris12295
Forum Contributor
Posts: 113
Joined: Sun Jun 09, 2002 10:28 pm
Location: USA

Post by chris12295 »

Come on, there have to be more suggestions. Someone post up your expertise. :wink:
martin
Forum Commoner
Posts: 33
Joined: Fri Jun 28, 2002 12:59 pm
Location: Cambridgeshire

Post by martin »

I think you'll find most issues covered here:
http://forums.devshed.com/showthread.ph ... t=security
llimllib
Moderator
Posts: 466
Joined: Mon Jul 01, 2002 2:19 pm
Location: Baltimore, MD

Post by llimllib »

Keep your include files, and especially the one that contains your db username and password, in a location on your hard drive that is not accessible in the web documents directory.
For example, if your webserver serves documents from "c:\web", keep your include files in "c:\php\includes". This will prevent anyone from stumbling on your database name and password unless they gain filesystem access to the whole system.
jason
Site Admin
Posts: 1767
Joined: Thu Apr 18, 2002 3:14 pm
Location: Montreal, CA

Post by jason »

Here are some good tutorials on XSS matters.

http://www.phpadvisory.com

However, above all else, here is the one thing that will pretty much solve 99% of the security problems out there:

NEVER TRUST DATA COMING FROM THE USER.

If you always code like all your data from the user is bad, malicious hacking type stuff, you should do fine.
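
A minimal login flow pulling the thread's advice together, as an added example that is not part of any post: only a password hash is stored, every query uses placeholders, and user-supplied text is escaped before it is echoed. It uses PHP's password_hash()/password_verify() rather than the md5() or crypt() calls named in the posts; the users table, its columns, the in-memory SQLite database and the sample accounts are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. Table and column names are assumptions.
// On a real site the DSN and credentials would be loaded from an include file
// kept outside the web documents directory; an in-memory SQLite database is
// used here so the example runs on its own.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');

function register(PDO $db, string $username, string $password): void
{
    // Store only a salted, slow hash; the plain-text password is never saved.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

function login(PDO $db, string $username, string $password): bool
{
    // Placeholders keep user-supplied text out of the SQL statement itself.
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();   // false when no such user exists
    // password_verify() re-hashes the submitted password with the stored salt
    // and compares the result in constant time.
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed sample account and login attempts.
register($db, 'alice', 'correct horse battery staple');

$attempts = [
    ['alice', 'correct horse battery staple'],  // right password
    ['alice', 'wrong password'],                // wrong password
    ["alice' OR '1'='1", 'anything'],           // quotes in the username field
    ['<b>nobody</b>', 'anything'],              // markup in the username field
];

foreach ($attempts as [$user, $pass]) {
    $ok = login($db, $user, $pass);
    // Escape user-supplied text before echoing it back into a page.
    $shown = htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
    printf("%s: %s\n", $shown, $ok ? 'accepted' : 'rejected');
}
```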