security how to-s

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

AluminX
Forum Newbie
Posts: 19
Joined: Sat Jul 17, 2004 9:53 am

security how to-s

Post by AluminX »

Hi,
After learning about html/xhtml css javascript, php is my next goal.
Before i get too deep into php i was wondering if i can first learn the security flaws i have to be careful with, ultimately i would like to build
a safe and secure form. Some of the things i would like to know about are:
1) how is the information sent from client <-> server.
2) how can this information be intercepted by the client and/or other sources.
3) what can I do to avoid data interception?
4) easy way to understand encryption (such as encryption for dummies, with pictures :P and everything)

don't know if i'm asking in the right place but if you have any links, tutorials, suggestions etc it would help me very much.
califdon
Jack of Zircons
Posts: 4484
Joined: Thu Nov 09, 2006 8:30 pm
Location: California, USA

Post by califdon »

The first thing to understand is that PHP code never leaves the server. It is interpreted by the web server and (unless you make a syntax error that allows it to be misinterpreted) is never sent over the Internet. What is sent to the browser is regular HTML, CSS, Javascript, etc.

In the design of your web application, there are countless opportunities to send data that can be intercepted, in theory, at least. But that has little to do with PHP.

You can't avoid the possibility of data being intercepted, since the Internet is an open flow of packets and there are numerous "sniffer" programs that can intercept anything passing over the network of which they are a part. What you can do is use HTTPS (for Secure) protocol, which encrypts all packets. Again, this has nothing to do with PHP.

While I've never needed to use encryption in my applications, I don't think it's particularly difficult to employ. Basically, if your web server supports it, you can just make your URL something like: https:xxxx.com. Probably someone else with experience can correct me or tell you more.
AluminX
Forum Newbie
Posts: 19
Joined: Sat Jul 17, 2004 9:53 am

Post by AluminX »

what i actually meant about the intercepting the information was more like:
lets say i have form on mywebsite.com/form.html like so
<form action="login.php" method="post">
<!-- input elements are void elements: no closing </input> tag -->
<input type="text" name="userName" id="userName">
<!-- type="password" so the browser masks the field and does not autocomplete it as plain text -->
<input type="password" name="Password" id="Password">
<input type="submit" name="submitInfo" id="submitInfo">
</form>
is it possible to intercept the password as the client is sending it to the server?
if yes how?
how can i secure this information?

edit: also i'm not asking how to do this with php i understand php is executed by the server, i thought maybe people in here would know some of this stuff regardless of php being involved

maybe i'm getting way over my head and this is kind of new to me so i'm trying to understand how everything works :)
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Data packets can be sniffed and activity monitored. How? You'll have to do that research yourself because Devnet could be held accountable. How to prevent it, you will need a security certificate, and transmit your data using SSL. To initiate the secure connection, simply change http:// to https://

Google has plenty of information on the subject.
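The two answers above both come down to the same rule: credentials are only protected in transit if the form is submitted over HTTPS. The following is an added example of what that rule looks like on the PHP side of AluminX's form; it is not code from any poster in this thread. It assumes the web server populates $_SERVER['HTTPS'] when TLS is in use (Apache and nginx with PHP-FPM both do), that the form's field names are userName and Password as in the post above, and it uses a constructed in-memory user store with a hash generated at runtime by password_hash().

```php
<?php
// Added example, not from the thread: login.php that refuses credentials
// sent over plain HTTP, redirects to the HTTPS URL, and verifies the password
// against a stored hash rather than a plaintext value.
declare(strict_types=1);

// Constructed sample user store (username => password hash). In a real
// application this comes from a database; the hash is generated here so the
// example runs without any fabricated hash literal.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
];
// Dummy hash used when the username is unknown, so a failed lookup costs
// roughly the same time as a failed password check.
$dummyHash = password_hash('unused', PASSWORD_DEFAULT);

function requestIsHttps(array $server): bool
{
    // Apache sets HTTPS to "on", some SAPIs to "1", IIS to "off" when TLS is not used.
    $flag = strtolower((string)($server['HTTPS'] ?? ''));
    return $flag !== '' && $flag !== 'off';
}

if (!requestIsHttps($_SERVER)) {
    // Do not touch $_POST at all on a plain-HTTP request; send the browser to
    // the TLS version of the same URL. (Anything already sent in this request
    // has already crossed the network unencrypted; the fix is to serve the
    // form page itself over HTTPS so this branch is never reached.)
    $target = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
    header('Location: ' . $target, true, 301);
    exit;
}

// Ask browsers to use HTTPS for this host for the next year (HSTS).
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');

// The session cookie must not be sent over plain HTTP either.
session_set_cookie_params([
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $userName = (string)($_POST['userName'] ?? '');
    $password = (string)($_POST['Password'] ?? '');

    $hash = $users[$userName] ?? null;
    // Always run password_verify so the response time does not reveal
    // whether the username exists.
    $verified = password_verify($password, $hash ?? $dummyHash);
    $ok = $hash !== null && $verified;

    if ($ok) {
        // Fresh session id after login prevents session fixation.
        session_regenerate_id(true);
        $_SESSION['user'] = $userName;
        echo 'Logged in';
    } else {
        http_response_code(401);
        echo 'Invalid username or password';
    }
}
```

The redirect only stops the server from accepting credentials over HTTP; it cannot undo an exposure that already happened in the plain request, so the page that serves the form must be reachable only over HTTPS as well (the HSTS header makes returning browsers do this on their own). Storing a password_hash() result instead of the password itself is unrelated to interception in transit, but it is the other half of keeping a login form safe: a stolen user table then does not hand out usable passwords.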
AluminX
Forum Newbie
Posts: 19
Joined: Sat Jul 17, 2004 9:53 am

Post by AluminX »

ohh thank you there is a start for me :)
i actually just found a lot of information about this subject :lol: ty