I've been studying PHP/MySQL for a little while now and believe that security is the most important thing when creating sites where users can insert data.
A friend sent me a book that breaks down security like this:
If possible, don't use globals, turn off error messages, turn off the open_basedir, turn off allow_url_fopen, and don't use eval() or any of the similar codes...
Use locations above the root folder for important connection info and includes files if possible...
If you use folders, like an includes folder, give it a unique name, ie something like L20j2jmsA02rm...
For user input and output, use the mysql_real_escape, htmlentities, make_safe.. Sanitize BOTH input AND output..
Make sure extensions are all .php
Turn off directory listings/make sure an index file is in each folder...
Limit number of failed login attempts (for user management scripts)...
Create the DB user with limited abilities, ie only select, update, insert...
Limit and verify all input field lengths..
Use dedicated hosting...
Use POST, not GET..
Use UTF-8 encoding..
Frame breaking javascript...
Use captcha...
Lastly, create a unique token for each session and destroy the session at end.
Any other suggestions or tips?
Security in a nutshell?
Re: Security in a nutshell?
> use the mysql_real_escape

The MySQL extension is deprecated. Don't use it. Use PDO and prepared statements. Your DB user is definitely going to need CRUD privileges; just be sure to grant that user privileges only to the database being used by your application.

> Limit and verify all input field lengths..

Don't limit password length. You're going to be storing a hash of the password, not the password itself, so the length will always be the same.

> Use dedicated hosting...

Dedicated hosting ain't cheap and is very often going to be more than you need. Shared hosting or VPS is fine.

> Use POST, not GET..

They both have their place. Ignoring the fact that most page requests will be GET requests, search forms are an ideal example use case for using GET over POST as it makes it easy to bookmark/share the results.
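As an added example (not code from the original thread or the book), here is the PDO approach described above: a prepared statement for the query and password_hash()/password_verify() for storage, so the stored value has a fixed length no matter how long the user's password is. The DSN, credentials and the `users` table layout are assumptions.

```php
<?php
// Added example: PDO with prepared statements and hashed passwords.
// The DSN, credentials and the `users` table layout are assumptions.
// The DB user only needs rights on this one database, e.g.:
//   GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_user'@'localhost';
declare(strict_types=1);

function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4'; // UTF-8 end to end
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Registration: store only the hash. password_hash() generates its own salt and
// its output length does not depend on the password, so no length cap is needed.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Login: the username is bound as a parameter, never interpolated into the SQL,
// so quotes or SQL fragments in user input are treated as data. No escaping call.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch();
    if ($row === false) {
        return false;
    }
    return password_verify($password, $row['password_hash']);
}

// Output side: escape at the point of rendering HTML, per the "sanitize output" item.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
```

Because the statement is prepared once and values are bound separately, the same pattern covers the search-form GET case as well as login POSTs.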
Re: Security in a nutshell?
I just noticed the book is a couple years old now...
And I probably should have phrased the limit and verify all lengths statement better... What I meant was, if a user is entering their age for example, verify it's not more than 3 numbers, make sure it's only numbers, etc.. The more complex the password the better, I agree, so I would never limit a user from entering a long password.
The hosting thing I wasn't sold on in the book either..
And I just briefly read the POST/GET argument in the book and it basically said it prevents something about framing a page and stealing info or something...
But if that's the only comments then I'm gonna take it as a good book to go with to continue learning... Thanks Celauran.
- Maugrim_The_Reaper
- DevNet Master
- Posts: 2704
- Joined: Tue Nov 02, 2004 5:43 am
- Location: Ireland
Re: Security in a nutshell?
Also online is a free (if incomplete) reference for certain topics: http://phpsecurity.readthedocs.org/en/latest/
Disclosure: I wrote it.
The problem with security books, and especially PHP security books, is that they are limited by both size and topic coverage. Consider them a basic foundation only. You should also do your own research online for each topic and take a look at code written to a high standard.
P.S. This is my first post here since 2009. I see my old account and 1990s internet handle are still intact