Security Precautions

Not for 'how-to' coding questions but PHP theory instead, this forum is here for those of us who wish to learn about design aspects of programming with PHP.

CraniumDesigns
Forum Newbie
Posts: 18
Joined: Fri Nov 07, 2003 1:35 am

Security Precautions

Post by CraniumDesigns »

Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files. How can I go about doing this? What are some general security precautions that should be taken before a site of this magnitude is published?
m3mn0n
PHP Evangelist
Posts: 3548
Joined: Tue Aug 13, 2002 3:35 pm
Location: Calgary, Canada

Post by m3mn0n »

Off the top of my head, um...
  • Use .htaccess to force .inc's to be processed by the server like .php so they cannot be read when accessed.
  • Use md5() encryption for your passwords.
  • Read various articles around the web for security tips as well as the replies in this post.
lazy_yogi
Forum Contributor
Posts: 243
Joined: Fri Jan 24, 2003 3:27 am

Post by lazy_yogi »

Put your include files, config files, and classes in a directory below public_html which is not accessible over the web.
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Re: Security Precautions

Post by Roja »

CraniumDesigns wrote:Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files.
- Minimize the amount that has to be stored in .inc files
- Make your .inc files .inc.php files with a 'cannot access directly' header
- Use htaccess to prevent direct access of the .inc.php files
- Use good coding practices like defining variables and not trusting user input.

Those are good general approaches to ensuring general security and preventing direct access to your .inc files.

As to login/pass info, it can be more complex.

First and foremost, md5() the password against a time-based session stamp. By doing so, you remove the ability to sniff the password cleartext (it's sent in md5 form), and you reduce the amount of time the attacker can do a replay attack to roughly 5-15 minutes (while the user is logging in).

If you also ensure that the session stamp clears upon login, then it will be virtually impossible to replay the login!

Of course if you really want HIGH security, you should use SSL, but a solid CHAP/md5 login sequence (as described above) should get you most of the security you'll need.

More information on CHAP logins (with example backend scripts in php) available here: http://pajhome.org.uk/crypt/md5/chaplogin.html

More information on md5 passwords via javascript (again, with example scripts) available here: http://pajhome.org.uk/crypt/md5/

That is the method Yahoo uses for sections that don't use SSL.
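
The login sequence described in the post above (a per-session stamp that expires and is cleared on login), shown as an added example that is not part of the original thread or of the linked scripts. It uses HMAC-SHA256 where the post uses md5(); the function names, the `$session` array standing in for `$_SESSION`, and the sample secret are assumptions made for illustration.

```php
<?php
// Added example (not from the thread): server side of a CHAP-style login
// with a one-time, expiring challenge. All names and values are hypothetical.

const CHALLENGE_TTL = 300; // seconds a challenge ("session stamp") stays valid

// Step 1: issue a random challenge and remember it, with its issue time.
function issue_challenge(array &$session, int $now): string
{
    $session['challenge'] = bin2hex(random_bytes(16));
    $session['challenge_time'] = $now;
    return $session['challenge'];
}

// Step 2: what the browser-side script would compute and submit
// instead of the cleartext password.
function client_response(string $challenge, string $secret): string
{
    return hash_hmac('sha256', $challenge, $secret);
}

// Step 3: verify the response. The challenge is cleared before any check,
// so it is single use whether the attempt succeeds or fails.
function verify_response(array &$session, string $response, string $storedSecret, int $now): bool
{
    $challenge = $session['challenge'] ?? null;
    $issued = $session['challenge_time'] ?? 0;
    unset($session['challenge'], $session['challenge_time']);
    if ($challenge === null || $now - $issued > CHALLENGE_TTL) {
        return false; // no outstanding challenge, or it expired
    }
    $expected = hash_hmac('sha256', $challenge, $storedSecret);
    return hash_equals($expected, $response); // constant-time comparison
}

// Constructed walk-through: $session stands in for $_SESSION.
$session = [];
$secret = 'correct horse battery staple'; // constructed sample secret
$t0 = 1000000;                            // constructed clock value

$c = issue_challenge($session, $t0);
$r = client_response($c, $secret);
var_dump(verify_response($session, $r, $secret, $t0 + 10)); // fresh login
var_dump(verify_response($session, $r, $secret, $t0 + 20)); // replay of the captured response

$c2 = issue_challenge($session, $t0);
var_dump(verify_response($session, client_response($c2, $secret), $secret, $t0 + 301)); // answered too late
```

In this scheme the server has to hold the same secret the client hashes, so the stored value is password-equivalent, and the exchange protects only the login step, not the traffic that follows it.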
scorphus
Forum Regular
Posts: 589
Joined: Fri May 09, 2003 11:53 pm
Location: Belo Horizonte, Brazil

Re: Security Precautions

Post by scorphus »

CraniumDesigns wrote:(...) I want is secure and not readable, especially my inc files. How can I go about doing this? (...)
There is a tutorial posted by jason on this matter: Protecting your .inc files.

Regards,
Scorphus.
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Impossible to cover all the bases in a single post but another piece of the jigsaw is the mysql permissions system (ordinary users with minimal permissions, admin users with greater permissions).