security how to-s
Posted: Sat Mar 24, 2007 6:27 pm
by AluminX
Hi,
After learning about HTML/XHTML, CSS and JavaScript, PHP is my next goal.
Before I get too deep into PHP I was wondering if I can first learn the security flaws I have to be careful with; ultimately I would like to build a safe and secure form. Some of the things I would like to know about are:
1) How is the information sent from client <-> server?
2) How can this information be intercepted by the client and/or other sources?
3) What can I do to avoid data interception?
4) An easy way to understand encryption (such as encryption for dummies, with pictures and everything)
Don't know if I'm asking in the right place, but if you have any links, tutorials, suggestions etc. it would help me very much.
Posted: Sat Mar 24, 2007 7:07 pm
by califdon
The first thing to understand is that PHP code never leaves the server. It is interpreted by the web server and (unless you make a syntax error that allows it to be misinterpreted) is never sent over the Internet. What is sent to the browser is regular HTML, CSS, Javascript, etc.
In the design of your web application, there are countless opportunities to send data that can be intercepted, in theory, at least. But that has little to do with PHP.
You can't avoid the possibility of data being intercepted, since the Internet is an open flow of packets and there are numerous "sniffer" programs that can intercept anything passing over the network of which they are a part. What you can do is use HTTPS (for Secure) protocol, which encrypts all packets. Again, this has nothing to do with PHP.
While I've never needed to use encryption in my applications, I don't think it's particularly difficult to employ. Basically, if your web server supports it, you can just make your URL something like: https:xxxx.com. Probably someone else with experience can correct me or tell you more.
Posted: Sat Mar 24, 2007 7:48 pm
by AluminX
What I actually meant about intercepting the information was more like:
let's say I have a form on mywebsite.com/form.html like so
<form action="login.php" method="post">
<input type="text" name="userName" id="userName" />
<input type="password" name="Password" id="Password" />
<input type="submit" name="submitInfo" id="submitInfo" />
</form>
Is it possible to intercept the password as the client is sending it to the server?
If yes, how?
How can I secure this information?
Edit: also, I'm not asking how to do this with PHP. I understand PHP is executed by the server; I thought maybe people in here would know some of this stuff regardless of PHP being involved.
Maybe I'm getting way in over my head. This is kind of new to me, so I'm trying to understand how everything works.

Posted: Sat Mar 24, 2007 8:07 pm
by John Cartwright
Data packets can be sniffed and activity monitored. How? You'll have to do that research yourself because Devnet could be held accountable. To prevent it, you will need a security certificate, and to transmit your data using SSL. To initiate the secure connection, simply change http:// to https://
Google has plenty of information on the subject.
Posted: Sat Mar 24, 2007 10:25 pm
by AluminX
Ohh, thank you, there is a start for me.

I actually just found a lot of information about this subject.

ty
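
As an added illustration of the question and answers in this thread (not code posted by any participant): the Python sketch below builds the request a browser sends for the login form and audits a page for password forms that would travel without HTTPS. The host mywebsite.example, the credentials, and the names build_post, FormAudit and audit are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin, urlsplit

# Constructed sample, modelled on the login form in the thread.
SAMPLE_FORM = '''<form action="login.php" method="post">
<input type="text" name="userName" id="userName" />
<input type="password" name="Password" id="Password" />
<input type="submit" name="submitInfo" id="submitInfo" />
</form>'''

def build_post(page_url, action, fields):
    """Return (scheme, bytes) for the request a browser sends on submit."""
    target = urlsplit(urljoin(page_url, action))
    body = urlencode(fields)
    head = (f"POST {target.path or '/'} HTTP/1.1\r\n"
            f"Host: {target.netloc}\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    # With http these bytes cross the network as-is; with https they are
    # only the plaintext that gets encrypted inside the TLS session.
    return target.scheme, (head + body).encode()

class FormAudit(HTMLParser):
    """Record each password input together with its form's resolved action URL."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.action, self.findings = page_url, None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A relative or empty action resolves against the page URL.
            self.action = urljoin(self.page_url, a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password" and self.action:
            # Both the page and the submit target must be https: a page
            # fetched over http can be altered before the user sees it.
            urls = (self.page_url, self.action)
            ok = all(urlsplit(u).scheme == "https" for u in urls)
            self.findings.append((self.action, "ok" if ok else "exposed"))

    def handle_endtag(self, tag):
        if tag == "form":
            self.action = None

def audit(page_url, html):
    parser = FormAudit(page_url)
    parser.feed(html)
    return parser.findings

if __name__ == "__main__":
    for page in ("http://mywebsite.example/form.html", "https://mywebsite.example/form.html"):
        print(page, audit(page, SAMPLE_FORM))
```

The request body is only URL-encoded (`userName=...&Password=...`), which is why the replies point to HTTPS rather than to anything in PHP.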