Security noob here, need help...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


WithHisStripes
Forum Contributor
Posts: 131
Joined: Tue Sep 13, 2005 7:48 pm

Security noob here, need help...

Post by WithHisStripes »

Heya,
So I'm launching my new site tomorrow and I built this puppy with a project manager from the ground up. Clients can update their contact information, which sends me an email with a vCard including the updated information; they can rate my work on their projects, assign tasks which are then published to a calendar, view and comment on existing designs, and a few other things. That being said, all of the files that enable a user to do those things are in a directory called "nodes"; index.php includes those files when they're requested by the user.

My question is, are those files secure? What can I do to ensure they are? I assume starting with preventing direct access using .htaccess?

Also, my database connection file is included in my root, is that secure?

Thanks! (And forgive my lack of intelligence with security, I know I probably sound a little ridiculous)
freelancer4
Forum Newbie
Posts: 1
Joined: Mon Jun 01, 2009 4:46 am

Re: Security noob here, need help...

Post by freelancer4 »

Hi,

That's really good to hear that you are reviewing the security of your website. I would like to suggest a few things about security.

1. Security is not only related to direct access to your files, such as connection files etc.; you also have to make sure that whenever and wherever you are taking input from the users, you always filter the data.

2. Your application should be good enough to prevent SQL injection, spoofed forms, cross-site scripting, cross-site request forgery, remote code injection, and moreover your database.

3. PHP and MySQL both have built-in functions and classes that can be used to prevent the above things.

I hope this helps you.
http://www.freelancer4.com
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Security noob here, need help...

Post by kaisellgren »

WithHisStripes wrote: My question is, are those files secure? What can I do to ensure they are? I assume starting with preventing direct access using .htaccess?

.htaccess can prevent direct access to those files, but this does not inherently correlate to a secure environment.
WithHisStripes wrote: Also, my database connection file is included in my root, is that secure?

No one should ever have access to that file, so place it outside of the document root. No matter what files you have, if a file is not intended to be accessed directly, put it outside of your document root.

Disabling access to files is just one part of a secure installation. Maybe you should ask someone to review your code in terms of security? You can also show us your code here, and we can take a look at it, too.
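To illustrate the two points above (keep the connection file outside the document root, and don't rely on .htaccess alone to stop direct requests to the "nodes" files), here is an added example of how an index.php dispatcher and a node file could be laid out. This is not the original poster's code; the file paths, the `IN_APP` constant, the `node` query parameter and the `notfound.php` fallback are all assumed.

```php
<?php
// Added example, not the poster's code. Assumed layout:
//   /var/www/app/config/db.php   connection settings, OUTSIDE the document root
//   /var/www/html/index.php      this file, the only entry point
//   /var/www/html/nodes/*.php    feature files, never meant to be requested directly
declare(strict_types=1);

// 1. A guard constant that every node file checks. A browser requesting
//    nodes/contact.php directly never defines it, so the node refuses to run
//    even if the .htaccess rule is missing or the web server ignores it.
define('IN_APP', true);

// 2. Settings live one level above the document root, so the web server
//    cannot serve them no matter how the URL is crafted. (Assumes db.php
//    ends with `return [...]`.)
$config = require dirname(__DIR__) . '/app/config/db.php';

// 3. Resolve the requested node through a fixed allowlist. User input is only
//    ever used as an array key, never concatenated into the include path, so
//    values like "../" or stream wrappers can never reach require().
function resolveNode(?string $requested): string
{
    $nodes = [
        'contact' => 'contact.php',   // update contact info, send vCard
        'rate'    => 'rate.php',      // rate work on a project
        'tasks'   => 'tasks.php',     // assign tasks to the calendar
        'designs' => 'designs.php',   // view and comment on designs
    ];
    if ($requested === null || !array_key_exists($requested, $nodes)) {
        http_response_code(404);
        return __DIR__ . '/nodes/notfound.php';
    }
    return __DIR__ . '/nodes/' . $nodes[$requested];
}

require resolveNode($_GET['node'] ?? null);

// ---- nodes/contact.php (first lines of every node file) ----
// <?php
// if (!defined('IN_APP')) {   // reached by a direct request, not via index.php
//     http_response_code(403);
//     exit;
// }
// ... feature code that may use $config ...
```

A `Deny from all` (or `Require all denied`) .htaccess in the nodes directory is still worth keeping as a second layer; the guard constant just means the files stay safe when that layer fails.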