Security Must-Do's on a site?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Security Must-Do's on a site?

Post by Sequalit »

Hello, I'm wondering if there is a list of security do's out there somewhere, something that says like

"If you have a form that a user submits username/password:
You must encrypt password and (insert different security features here)"

or like if you're uploading a file, what must you do to make sure it's not a virus or anything?
Stuff like that. Just a rundown on what you need to do to properly secure your website.

I know you can never keep a website 100% secure, but there are simple, easy ways of keeping your entire website
from being compromised. Just can't find a list of 'em all... =)

thanks..

-Sequalit
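The question above asks how to "encrypt" a submitted password. The right thing to do is not encryption (which is reversible) but a slow, salted one-way hash. The following is an added example, not code from this thread or from any of its posters; it assumes a hypothetical `users` table with `username` and `password_hash` columns and uses an in-memory SQLite database so it runs stand-alone.

```php
<?php
// Added example (not from the thread): storing and checking a login password in PHP.
// Assumes a hypothetical "users" table with columns username, password_hash.
declare(strict_types=1);

// Store a new password. password_hash() chooses a random salt and a slow
// algorithm (bcrypt for PASSWORD_DEFAULT), so the plaintext is never stored.
function storePassword(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

// Check a submitted password at login. Returns true only on a correct match.
function checkLogin(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown user: run a verify against a placeholder hash anyway so the
        // response time does not reveal whether the username exists.
        password_verify($password, '$2y$10$' . str_repeat('0', 53));
        return false;
    }
    if (!password_verify($password, $row['password_hash'])) {
        return false;
    }
    // If the default cost or algorithm has been raised since this hash was
    // made, re-hash now while we still have the plaintext in hand.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $stmt = $pdo->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $stmt->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username]);
    }
    return true;
}

// Constructed demo: in-memory database, one user, one good and one bad login.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

storePassword($pdo, 'alice', 'correct horse battery staple');
var_dump(checkLogin($pdo, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($pdo, 'alice', 'wrong password'));
var_dump(checkLogin($pdo, 'nobody', 'anything'));
```

The prepared statements keep the username out of the SQL text, which is the same "filter, validate and escape every input" rule applied to the database layer; `password_verify()` does a constant-time comparison, so the code never compares hash strings with `==` itself.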
Jenk
DevNet Master
Posts: 3587
Joined: Mon Sep 19, 2005 6:24 am
Location: London

Post by Jenk »

All input, from any and every source, should be filtered, validated and escaped.

[/discussion] :p
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Re: Security Must-Do's on a site?

Post by timvw »

You can find a number of good articles at http://phpsec.org/library/..

As you already noticed, validating all your input is important. The other important thing is to validate all your output (you don't want to be wide open for CSS/XSS attacks).
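Jenk's one-line rule ("filter, validate and escape all input") and timvw's point about output together describe one pipeline: check input against an allow-list on the way in, keep it out of SQL with bound parameters, and escape it for the HTML context on the way out. The following is an added example, not code from this thread or from its posters; the comment form, the `validateComment`, `h` and `renderComment` helpers, and the sample submission are all constructed for illustration.

```php
<?php
// Added example (not from the thread): validate on input, escape on output.
declare(strict_types=1);

// Validate: accept only values in the shape the form is supposed to produce.
// Returns the cleaned values plus a list of errors (empty when all is well).
function validateComment(array $post): array
{
    $errors = [];
    $name  = trim((string)($post['name']  ?? ''));
    $email = trim((string)($post['email'] ?? ''));
    $body  = (string)($post['body'] ?? '');

    // Allow-list for the name: letters, digits, space and . ' - only, 1-40 chars.
    if (!preg_match('/^[\p{L}\p{N} .\'-]{1,40}$/u', $name)) {
        $errors[] = 'name: 1-40 letters, digits, spaces or .\'- only';
    }
    // PHP's own e-mail validator instead of a hand-written regex.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email: not a valid address';
    }
    if ($body === '' || strlen($body) > 2000) {
        $errors[] = 'body: must be 1-2000 bytes';
    }

    return [
        'ok'     => $errors === [],
        'errors' => $errors,
        'data'   => ['name' => $name, 'email' => $email, 'body' => $body],
    ];
}

// Escape for an HTML element/attribute context. This happens at render time,
// not at storage time, because the same stored value may later be written to
// a log, a JSON API or a mail, each of which needs different escaping.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderComment(array $c): string
{
    // nl2br() runs after h(): the <br> tags it inserts are ours, the user's
    // angle brackets have already been turned into &lt; and &gt;.
    return '<div class="comment"><b>' . h($c['name']) . '</b> &lt;' . h($c['email']) . '&gt;'
         . '<p>' . nl2br(h($c['body'])) . '</p></div>';
}

// Constructed sample submission: a body that contains markup.
$submitted = [
    'name'  => 'Mallory',
    'email' => 'mallory@example.com',
    'body'  => "nice site\n<script>alert(1)</script>",
];

$result = validateComment($submitted);
if (!$result['ok']) {
    echo implode("\n", $result['errors']), "\n";
    exit(1);
}

// Storage: a prepared statement keeps the values out of the SQL text entirely,
// so no SQL escaping of the user's data is needed or attempted by hand.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE comments (name TEXT, email TEXT, body TEXT)');
$stmt = $pdo->prepare('INSERT INTO comments (name, email, body) VALUES (?, ?, ?)');
$stmt->execute([$result['data']['name'], $result['data']['email'], $result['data']['body']]);

// Output: read it back and render it; the script tag comes out as inert text.
$row = $pdo->query('SELECT name, email, body FROM comments')->fetch(PDO::FETCH_ASSOC);
echo renderComment($row), "\n";
```

Validation and escaping are deliberately separate functions: validation rejects input that cannot be right for this form, while escaping makes whatever was accepted safe for one specific output context. Stripping tags at input time is not a substitute for either, because the same text may end up in a URL, a JavaScript string or an SQL statement, where HTML rules do not apply.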
Sequalit
Forum Commoner
Posts: 75
Joined: Wed Oct 12, 2005 9:57 pm
Location: Texas

Post by Sequalit »

What is a CSS/XSS attack?
And what does escaping do, and how do you do it?

Oh, and thanks for the link to that site, it's invaluable.
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

CSS or XSS = Cross Site Scripting
CSRF = Cross Site Request Forgery

If you read the articles, for example the brainbulb php-security one, you will find a couple of practical examples..