Security Precautions

Posted: Wed Jan 07, 2004 4:30 am
by CraniumDesigns
Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files. How can I go about doing this? What are some general security precautions that should be taken before a site of this magnitude is published?

Posted: Wed Jan 07, 2004 4:35 am
by m3mn0n
Off the top of my head, um...
  • Use .htaccess to Force .inc's to be processed by the server like .php so they cannot be read when accessed.
  • Use md5() encryption for your passwords.
  • Read various articles around the web for security tips as well as the replies in this post.

Posted: Wed Jan 07, 2004 4:57 am
by lazy_yogi
Put your include files, config files, and classes in a directory below public_html which is not accessible over the web.

Re: Security Precautions

Posted: Wed Jan 07, 2004 6:28 am
by Roja
CraniumDesigns wrote: Ok. I am developing my first super major php driven community site and I need to make sure all login/pass info and anything else I want is secure and not readable, especially my inc files.
- Minimize the amount that has to be stored in .inc files
- Make your .inc files .inc.php files with a 'cannot access directly' header
- Use htaccess to prevent direct access of the .inc.php files
- Use good coding practices like defining variables and not trusting user input.

Those are good general approaches to ensuring general security and preventing direct access to your .inc files.

As to login/pass info, it can be more complex.

First and foremost, md5() the password against a time-based session stamp. By doing so, you remove the ability to sniff the password cleartext (it's sent in md5 form), and you reduce the amount of time the attacker can do a replay attack to roughly 5-15 minutes (while the user is logging in).

If you also ensure that the session stamp clears upon login, then it will be virtually impossible to replay the login!

Of course if you really want HIGH security, you should use SSL, but a solid CHAP/md5 login sequence (as described above) should get you most of the security you'll need.

More information on CHAP logins (with example backend scripts in php) available here: http://pajhome.org.uk/crypt/md5/chaplogin.html

More information on md5 passwords via javascript (again, with example scripts) available here: http://pajhome.org.uk/crypt/md5/

That is the method Yahoo uses for sections that don't use SSL.
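
The challenge-response login described in the post above, sketched as an added example that is not part of the thread or of the linked scripts. It follows the post in using md5() and shows the two server-side checks that limit replay: an expiry window on the stamp and clearing the stamp after a single verification attempt. The function names, the 300-second window, the plain array standing in for $_SESSION and the sample password are assumptions.

```php
<?php
// Added example: CHAP-style login with a single-use, time-limited challenge.
// All names and values below are hypothetical; $session stands in for $_SESSION.

const CHALLENGE_TTL = 300; // seconds a challenge stays valid (assumed value)

// Step 1 (server): issue a random challenge and remember when it was issued.
function issue_challenge(array &$session, int $now): string
{
    $session['challenge'] = bin2hex(random_bytes(16));
    $session['issued_at'] = $now;
    return $session['challenge'];
}

// Step 2 (browser, simulated here): hash the password, then bind it to the challenge.
function client_response(string $password, string $challenge): string
{
    return md5(md5($password) . $challenge);
}

// Step 3 (server): verify the response, clearing the challenge on every attempt.
function verify_login(array &$session, string $storedMd5, string $response, int $now): bool
{
    $challenge = $session['challenge'] ?? null;
    $issuedAt  = $session['issued_at'] ?? 0;
    unset($session['challenge'], $session['issued_at']); // single use

    if ($challenge === null || $now - $issuedAt > CHALLENGE_TTL) {
        return false; // no outstanding challenge, or it has expired
    }
    $expected = md5($storedMd5 . $challenge);
    return hash_equals($expected, $response); // constant-time comparison
}

// Constructed sample data.
$session = [];
$stored  = md5('correct horse'); // value the users table would hold
$now     = 1073457000;           // fixed clock so the run is repeatable

$c = issue_challenge($session, $now);
$r = client_response('correct horse', $c);
var_dump(verify_login($session, $stored, $r, $now + 20)); // first use of the response
var_dump(verify_login($session, $stored, $r, $now + 25)); // same response replayed

$c2 = issue_challenge($session, $now);
$r2 = client_response('correct horse', $c2);
var_dump(verify_login($session, $stored, $r2, $now + 900)); // answered after the window
```

In this scheme the stored md5($password) is itself the login secret, so the users table needs the same protection as a list of plaintext passwords.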

Re: Security Precautions

Posted: Wed Jan 07, 2004 12:12 pm
by scorphus
CraniumDesigns wrote: (...) I want is secure and not readable, especially my inc files. How can I go about doing this? (...)
There is a tutorial posted by jason on this matter: Protecting your .inc files.

Regards,
Scorphus.

Posted: Sun Jan 11, 2004 10:15 pm
by McGruff
Impossible to cover all the bases in a single post but another piece of the jigsaw is the mysql permissions system (ordinary users with minimal permissions, admin users with greater permissions).