PHP Developers Network

Author: CaliberWebMedia [ Thu Dec 01, 2011 12:36 pm ]
Post subject: Any input?
I’ve been working on a web content management system and I’m wondering if my security precautions are enough or if I’m forgetting anything?
- form token and another token with user-agent stored in it for good measure?
- One-way encrypted passwords, password strength tester, user names follow a specific format
- Sql injection
- All incoming data is sanitized
- Form spoofing has been prevented
- Sessions are registered based on privileges
- Sessions and user-agent are checked for every page action and changed
- Sessions are registered with unique variables such as `$_SESSION['1234d0n1y']`;
- Sessions timeout after 15 minutes with my own script, also they are set to timeout after 30 minutes
- Sessions are stored in a directory with only this site
- All users have privileges
- All forms have a token
- All forms check the data posted versus an array of expected data
- All data is sanitized
- Sql injection has been prevented
- Should I prompt for a password when a user updates sensitive data or deletes sensitive data?
- All include files are in a password protected directory
- All errors are logged and reported to me
- Pretty much everything is monitored
- Program does not store any sensitive data, however if it were to be hacked malicious users could delete all data
- All data that is posted is checked to see that it is the data it should be: data, integer, string, etc.
- Some special characters are blocked… unless using WYSIWYG editor.
- All file uploads only allow specific file types, not sure about something like… image.php.jpg or vice versa?
- Anything I’m forgetting?
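The form-token and upload items in the list above, as an added PHP example that is not from the original post or its CMS: the session key, whitelist and function names are my own, and it assumes PHP 7.1+ for `random_bytes()` and nullable return types.

```php
<?php
// Added example, not from the original post: a per-session form token and an
// upload check for the "image.php.jpg" case. Assumes PHP 7.1+ (random_bytes).
session_start();

// One random token per session; the form emits it as a hidden field.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time compare; a missing, non-string or stale token fails closed.
function csrf_check($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Whitelist keyed by the LAST extension, mapped to the MIME type the bytes
// must actually have. Anything not listed (php, phtml, svg, ...) is refused.
const ALLOWED_IMAGES = [
    'jpg'  => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png'  => 'image/png',  'gif'  => 'image/gif',
];

// Returns a server-chosen filename to store under, or null to reject.
function validate_image_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // "image.jpg.php" -> "php" (rejected); "image.php.jpg" -> "jpg" (goes on
    // to the content check, and the inner ".php" never reaches disk because
    // the stored name below is generated, not taken from the client).
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_IMAGES)) {
        return null;
    }
    // Sniff the bytes; $file['type'] is client-supplied and untrusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_IMAGES[$ext]) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}
```

In the form handler, refuse the request when `csrf_check($_POST['token'] ?? null)` is false, and only pass a non-null result of `validate_image_upload($_FILES['image'])` to `move_uploaded_file()`, into a directory the web server serves as static files rather than executing.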
Author: social_experiment [ Thu Dec 01, 2011 1:40 pm ]
Post subject: Re: Any input?