Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.
If expecting an integer value from outside (for ID etc.) I always floor the value. If the user then types in id=admin or some such, they would then be redirected to the page id=0. In this case this could be your homepage or even a page with "Hacking on this site is not allowed. This has been logged".
CoderGoblin wrote:"Hacking on this site is not allowed. This has been logged".
How about: We understand your potential as a hacker. For further testing of your skills, we have logged your IP and the FBI is on their way. You have 5 minutes to pack up and leave your country.
Only a possible suggestion... On an online game, for instance, this could be useful. If someone tries things like passing illegal values you could cancel their account. If you notice, my first recommendation was the home page.
LOL... and any hacker that has been around doesn't get scared by texts like the ones stated, unless it's a GOV site or something like that..... hahahahahh....
CoderGoblin wrote:Only a possible suggestion... On an online game, for instance, this could be useful. If someone tries things like passing illegal values you could cancel their account. If you notice, my first recommendation was the home page.
The problem with this idea is that you need to be able to compensate for those who accidentally pass illegal or invalid values. For instance, if someone tries to open a broken link, the values will appear illegal; in this case you wouldn't want to ban them, just present an error page and redirect to the login page or something.
IMO, the best practice is to only lock an account when someone fails to login via input boxes/forms. All else, just give a safe error message and redirect.
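An added PHP example (not posted by anyone in this thread) contrasting the integer coercion CoderGoblin describes with strict validation plus the safe error that the last two posts recommend; the function names and the sample inputs are my own constructions.

```php
<?php
declare(strict_types=1);

// Loose approach from the thread: coerce whatever arrives to an integer.
// "admin" becomes 0, but so does the literal "0", so the two cases cannot be
// told apart, and "12abc" silently becomes 12 rather than being rejected.
function coerceId(string $raw): int
{
    return (int) $raw;
}

// Strict approach: accept only a string that is entirely a positive integer
// within range, and return null for anything else so the caller can answer
// with a safe error page instead of quietly routing to id=0.
function validateId(string $raw, int $max = PHP_INT_MAX): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $max],
    ]);
    return $id === false ? null : $id;
}

// Request handler sketch: malformed input gets logged and a generic error,
// with no account action, because a broken link produces exactly the same
// input as a deliberate probe (the point made in the last two posts).
function handleRequest(array $query): string
{
    $raw = $query['id'] ?? '';
    if (!is_string($raw)) {          // id[]=1 arrives as an array; treat as invalid
        $raw = '';
    }
    $id = validateId($raw);
    if ($id === null) {
        error_log('rejected id parameter: ' . substr($raw, 0, 64));
        return 'Invalid page id. Redirecting to the home page.';
    }
    return "Loading page {$id}";
}

// Constructed sample inputs: valid id, the "admin" case, a trailing-garbage
// case, zero, and a negative number.
foreach (['42', 'admin', '12abc', '0', '-7'] as $input) {
    printf("%-8s coerce=%-4d validate=%s\n",
        var_export($input, true), coerceId($input), var_export(validateId($input), true));
}
echo handleRequest(['id' => 'admin']), "\n";
echo handleRequest(['id' => ['1']]), "\n";
```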