PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours




 Post subject: Security in a nutshell?
PostPosted: Fri Jan 03, 2014 6:09 pm 
Forum Newbie

Joined: Fri Jan 03, 2014 5:53 pm
Posts: 2
I've been studying PHP/MySQL for a little while now and believe that security is the most important thing when creating sites where users can insert data.
A friend sent me a book that breaks down security like this:

If possible, don't use globals, turn off error messages, turn off the open_base_dir, turn off allow_url_fopen, and don't use eval() or any of the similar codes...

Use locations above the root folder for important connection info and includes files if possible...

If you use folders, like an includes folder, give it a unique name, ie something like L20j2jmsA02rm...

For user input and output, use the mysql_real_escape, htmlentities, make_safe.. Sanitize BOTH input AND output..

Make sure extensions are all .php

Turn off directory listings/make sure an index file is in each folder...

Limit number of failed login attempts (for user management scripts)...

Create the DB user with limited abilities, ie only select, update, insert...

Limit and verify all input field lengths..

Use dedicated hosting...

Use POST, not GET..

Use UTF-8 encoding..

Frame breaking javascript...

Use captcha...

Lastly, create a unique token for each session and destroy the session at end.

Any other suggestions or tips?


PostPosted: Fri Jan 03, 2014 6:25 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
Quote:
use the mysql_real_escape

The MySQL extension is deprecated. Don't use it. Use PDO and prepared statements. Your DB user is definitely going to need CRUD privileges, just be sure to grant that user privileges only to the database being used by your application.

Quote:
Limit and verify all input field lengths..

Don't limit password length. You're going to be storing a hash of the password, not the password itself, so the length will always be the same.

Quote:
Use dedicated hosting...

Dedicated hosting ain't cheap and is very often going to be more than you need. Shared hosting or VPS is fine.

Quote:
Use POST, not GET..

They both have their place. Ignoring the fact that most page requests will be GET requests, search forms are an ideal example use case for using GET over POST as it makes it easy to bookmark/share the results.


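The reply above recommends PDO with prepared statements instead of the deprecated mysql extension, hashing passwords rather than capping their length, and a database user limited to the application's own database. The following is an added example (not code from either poster) putting those three points together. The DSN, credentials, table and column names are assumptions; it needs PHP 7.1 or newer for the nullable return types.

```php
<?php
// Added example (not from the thread): PDO prepared statements in place of
// string-built mysql_* queries, plus password_hash()/password_verify().
// DSN, credentials and the `users` table are assumed for illustration.
declare(strict_types=1);

// Grant the application account only what it needs, and only on its own
// database, e.g. (run once as an administrator, MySQL syntax):
//   GRANT SELECT, INSERT, UPDATE, DELETE ON app.* TO 'app_user'@'localhost';
function connect(): PDO
{
    $dsn = 'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4';   // assumed
    return new PDO($dsn, 'app_user', 'app_password', [            // assumed credentials
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,   // errors become exceptions
        PDO::ATTR_EMULATE_PREPARES   => false,                    // real server-side prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The pattern mysql_real_escape_string() was meant to patch: the value is
// interpolated into the SQL text, so user input can change the query's structure.
function findUserUnsafe(PDO $pdo, string $username): ?array
{
    $row = $pdo->query("SELECT id, password_hash FROM users WHERE username = '$username'")->fetch();
    return $row === false ? null : $row;
}

// Hardened form: the SQL structure is fixed at prepare time and the value is
// bound separately, so no escaping of the username is needed or attempted.
function findUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

function createUser(PDO $pdo, string $username, string $password): int
{
    // Store a salted hash, never the password itself. No length cap on $password:
    // the stored value is the same size whatever the user typed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:username, :hash)');
    $stmt->execute([':username' => $username, ':hash' => $hash]);
    return (int) $pdo->lastInsertId();
}

function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $row = findUser($pdo, $username);
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    // Upgrade the stored hash transparently if PASSWORD_DEFAULT has moved on.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $stmt->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Usage (assumes the `users` table exists):
// $pdo = connect();
// createUser($pdo, 'alice', 'a long passphrase with spaces is fine');
// var_dump(checkLogin($pdo, 'alice', 'a long passphrase with spaces is fine')); // bool(true)
```

With `ATTR_EMULATE_PREPARES` off, the placeholder values never pass through the SQL parser as text, which is what makes `findUser()` immune to the injection that `findUserUnsafe()` invites. Setting `charset=utf8mb4` in the DSN also matters: the connection charset has to match what the driver assumes, or escaping-based defenses on older code paths can be bypassed.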
PostPosted: Sat Jan 04, 2014 1:25 am 
Forum Newbie

Joined: Fri Jan 03, 2014 5:53 pm
Posts: 2
I just noticed the book is a couple years old now...

And I probably should have phrased the limit and verify all lengths statement... What I meant was, if a user is entering their age for example, verify it's not more than 3 numbers, make sure it's only numbers, etc. The more complex the password the better I agree so I would never limit a user from entering a long password.

The hosting thing I wasn't sold on in the book either..

And I just briefly read the POST/GET argument in the book and it basically said it prevents something about framing a page and stealing info or something...

But if that's the only comments then I'm gonna take it as a good book to go with to continue learning... Thanks Celauran.


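The post above narrows "limit and verify all lengths" to field-specific validation (an age must be a number within a sensible range) and keeps several other items from the original list: escaping output, UTF-8, frame breaking, and a per-session token. Here is an added example (not code from any poster) covering those in PHP 7.1 or newer; the field names, the age range 0..150 and the `handleRequest()` wrapper are assumptions.

```php
<?php
// Added example (not from the thread): bounded numeric validation, output
// escaping, response headers, and a per-session token. Field names and the
// accepted age range are assumed for illustration.
declare(strict_types=1);

// Returns the age as an int, or null if the value is missing, non-numeric,
// or outside 0..150. FILTER_VALIDATE_INT returns false (not 0) on failure,
// so the comparison must be strict.
function validateAge($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;                         // arrays and absent fields are rejected
    }
    $age = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => 150],
    ]);
    return $age === false ? null : $age;
}

// Escape at the point of output into HTML; ENT_QUOTES covers attribute
// values, ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
function escapeHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// One random token per session, compared in constant time on submission.
function sessionToken(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['token'];
}

function tokenIsValid($submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['token'])
        && hash_equals($_SESSION['token'], $submitted);
}

// Headers that implement the "UTF-8" and "frame breaking" items server-side,
// independent of whether JavaScript runs in the client.
function sendSecurityHeaders(): void
{
    header('Content-Type: text/html; charset=UTF-8');
    header('X-Frame-Options: DENY');
}

// Hypothetical request handler tying the pieces together; $post stands in
// for $_POST so the function can be exercised without a web server.
function handleRequest(array $post): string
{
    if (!tokenIsValid($post['token'] ?? null)) {
        return '<p>Form token missing or expired.</p>';
    }
    $age = validateAge($post['age'] ?? null);
    if ($age === null) {
        return '<p>Age must be a whole number between 0 and 150.</p>';
    }
    $name = escapeHtml((string) ($post['name'] ?? ''));
    return "<p>Thanks, {$name}. Recorded age: {$age}.</p>";
}

// Usage:
// session_start();
// sendSecurityHeaders();
// echo handleRequest($_POST);
// On logout, per the original list: $_SESSION = []; session_destroy();
```

`validateAge()` rejects `"42abc"`, `"042"`, `"4e1"` and `"151"` alike, which is the difference between checking a length and checking the value; a three-character limit alone would accept `"abc"`. The token check runs before anything else so a forged cross-site submission never reaches the validation or the database.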
PostPosted: Tue Jan 21, 2014 5:14 am 
DevNet Master

Joined: Tue Nov 02, 2004 6:43 am
Posts: 2704
Location: Ireland
Also online is a free (if incomplete) reference for certain topics: http://phpsecurity.readthedocs.org/en/latest/

Disclosure: I wrote it.

The problem with security books, and especially PHP security books, is that they are limited by both size and topic coverage. Consider them a basic foundation only. You should also do your own research online for each topic and take a look at code written to a high standard.

P.S. This is my first post here since 2009. I see my old account and 1990s internet handle are still intact :P

