PHP Developers Network
http://forums.devnetwork.net/

Any input?
http://forums.devnetwork.net/viewtopic.php?f=34&t=133219
Page 1 of 1

Author:  CaliberWebMedia [ Thu Dec 01, 2011 12:36 pm ]
Post subject:  Any input?

Security Precautions
Overview
I’ve been working on a web content management system and I’m wondering if my security precautions are enough or if I’m forgetting anything?
Login
- form token and another token with user-agent stored in it for good measure?
- One-way encrypted passwords, password strength tester, user names follow specific format
- Sql injection
- All incoming data is sanitized
- Form spoofing has been prevented
Sessions
- Sessions are registered based on privileges
- Sessions and user-agent are checked for every page action and changed
- Sessions are registered with unique variables such as $_SESSION['1234d0n1y'];
- Sessions timeout after 15 minutes with my own script, also they are set to timeout after 30 minutes
- Sessions are stored in a directory with only this site
CRUD
- All users have privileges
- All forms have a token
- All forms check the data posted versus an array of expected data
- All data is sanitized
- Sql injection has been prevented
- Should I prompt for a password when a users updates sensitive data or deletes sensitive data?
Other
- All include files are in a password protected directory
- All errors are logged and reported to me
- Pretty much everything is monitored
- Program does not store any sensitive data, however if it were to be hacked malicious users could delete all data
- All data that is posted is checked to see that it is the data it should be, data, integer, string, etc..
- Some special characters are blocked… unless using WYSIWYG editor.
- All file uploads only allow specific file types, not sure about something like… image.php.jpg or vice versa?
- Anything I’m forgetting?
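As an added example (not code from the original post), here is a PHP 7+ upload handler addressing the `image.php.jpg` question above: it takes only the final extension against an allow-list, checks the real content with finfo and getimagesize() instead of the client-supplied type, and stores the file under a random name. The form field name `upload`, the function name and the storage directory are assumptions.

```php
<?php
declare(strict_types=1);

// Permitted extensions mapped to the MIME type the file content must report.
const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Validates one entry of $_FILES and returns the path it was stored under.
// $storageDir is assumed to be outside the web root (or to have script
// execution disabled), so even a disguised script could never be executed.
function storeUploadedImage(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed, error code ' . $file['error']);
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // Use only the LAST extension: "image.php.jpg" yields "jpg" (allowed,
    // content still checked below), "image.jpg.php" yields "php" (rejected).
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException('Extension not allowed: ' . $ext);
    }

    // Never trust $file['type'] (sent by the browser); sniff the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException("Content ($mime) does not match .$ext");
    }
    // The file must also parse as an image, not merely carry an image header.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('File is not a valid image');
    }

    // Discard the client filename entirely: random name + validated extension.
    $target = rtrim($storageDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('Could not move file into storage');
    }
    return $target;
}

// Usage with the assumed form field name "upload":
// $path = storeUploadedImage($_FILES['upload'], __DIR__ . '/../uploads');
```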

Author:  social_experiment [ Thu Dec 01, 2011 1:40 pm ]
Post subject:  Re: Any input?

