Security in a nutshell?
Posted: Fri Jan 03, 2014 5:09 pm
I've been studying PHP/MySQL for a little while now and believe that security is the most important thing when creating sites where users can insert data.
A friend sent me a book that breaks down security like this:
If possible, don't use globals, turn off error messages, turn off the open_base_dir, turn off allow_url_fopen, and don't use eval() or any of the similar codes...
Use locations above the root folder for important connection info and includes files if possible...
If you use folders, like an includes folder, give it a unique name, i.e. something like L20j2jmsA02rm...
For user input and output, use the mysql_real_escape, htmlentities, make_safe.. Sanitize BOTH input AND output..
Make sure extensions are all .php
Turn off directory listings/make sure an index file is in each folder...
Limit number of failed login attempts (for user management scripts)...
Create the DB user with limited abilities, i.e. only select, update, insert...
Limit and verify all input field lengths..
Use dedicated hosting...
Use POST, not GET..
Use UTF-8 encoding..
Frame breaking javascript...
Use captcha...
Lastly, create a unique token for each session and destroy the session at end.
Any other suggestions or tips?
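As an added example (not from the original post or the book it quotes), here is a small PHP login handler that puts several of the checklist items into code: POST-only input with a length limit, a per-session token, a failed-login limit, and a database query that only needs SELECT/UPDATE rights. It assumes a PDO connection `$pdo`, a `users` table with columns `username`, `password_hash` and `failed_logins`, and that `session_start()` has already run; it uses a prepared statement with a bound parameter in place of `mysql_real_escape`.

```php
<?php
// Added example (not from the original post). Assumes a PDO connection $pdo,
// a `users` table with columns username, password_hash, failed_logins,
// and that session_start() has already been called.
const MAX_FAILED_LOGINS = 5;  // "limit number of failed login attempts"
const MAX_FIELD_LENGTH  = 64; // "limit and verify all input field lengths"
// Per-session token: created once per session, gone when the session is destroyed.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Read a field from POST only (not GET); reject anything over the length limit.
function checkedField(string $name): ?string {
    $value = $_POST[$name] ?? null;
    if (!is_string($value) || $value === '' || strlen($value) > MAX_FIELD_LENGTH) {
        return null;
    }
    return $value;
}
function login(PDO $pdo): bool {
    // Submitted token must match the one stored in this session.
    if (!hash_equals(csrfToken(), (string)($_POST['csrf_token'] ?? ''))) {
        return false;
    }
    $user = checkedField('username');
    $pass = checkedField('password');
    if ($user === null || $pass === null) {
        return false;
    }
    // Bound parameter instead of escaping the value into a SQL string.
    $stmt = $pdo->prepare('SELECT password_hash, failed_logins FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['failed_logins'] >= MAX_FAILED_LOGINS) {
        return false; // unknown user or locked out: same answer either way
    }
    if (!password_verify($pass, $row['password_hash'])) {
        $pdo->prepare('UPDATE users SET failed_logins = failed_logins + 1 WHERE username = ?')->execute([$user]);
        return false;
    }
    $pdo->prepare('UPDATE users SET failed_logins = 0 WHERE username = ?')->execute([$user]);
    session_regenerate_id(true); // fresh session id once the user is authenticated
    return true;
}
// "Sanitize output": escape at the point where a value is written into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

The lockout counter here is a plain per-account count with no reset path, so a real deployment also needs an unlock procedure; the form that posts to this handler must include the value of `csrfToken()` in a `csrf_token` field.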