Registration - Slimming wasted time w/o compromising security?
Posted: Tue Jul 15, 2008 5:19 pm
I've done a couple basic PHP/MySQL registration scripts before though just for practice and now I've essentially started working on a more refined cleaned up version that I hope will be used in at least two live projects some time in the future.
I have two major goals with the registration: reducing or eliminating wasted time typically associated with pretty much all existing registration experiences (which won't be difficult as it comes down to being a savvy designer) and ensuring that when I do so I don't compromise security.
I am testing locally and using live PHP 5.2 and MySQL 5 and will never be using older versions of either. Also these questions pertain to security but not spam. I've got the latter covered but it's security in general that I'm interested in right now.
1.) When should I regex $_POST data? I presume always though it's clear things like SQL injection have been at least partially dealt with. What percentage of threats that I should be concerned about in regards to $_POST versus other threats (as far as programming goes). I have a decent understanding of permissions (CHMOD) for example. My site is coded to not display errors when the $_SERVER['HTTP_HOST'] is anything other than localhost.
2.) When a user registers I'm interested in having them automatically signed in with a session even before their account is activated. Of course things that require activation won't be accessible until their account is activated but is there any possible threat at that point in allowing someone to be signed in immediately during registration? I presume the main concern would be again some sort of injection attack that spawns errors in conjunction with how the programmed PHP handles sessions, for example...?
3.) I have a power user feature where account activation is immediately available after the registration $_POST with a text input field. If you're a power user you'll receive a notification of a new email message in your inbox including the subject (such as Yahoo Messenger/Yahoo Mail). The three-digit activation code is in the subject, essentially allowing the newly registered user to enter in the three digits and activate their account immediately without having to go through the process of finding the activation email, waiting for the web mail pages to load, etc. I'm not worried about the issue of whether they received the email in this instance and the range is large enough that random guesses won't be effective considering I will reset the activation key once every x failed attempts. Does anyone think there could be some vulnerabilities in this setup however?
4.) I was testing the registration last night, closed Firefox, reopened it this morning, and the session obviously expired. I've come across sites that allow you to remain logged in via a cookie regardless of sessions, is this advisable upon registration? What should I be concerned about in this regard? If I need to regex the hell out of everything I'd obviously need to check the cookie as well I can only presume considering I would imagine many people do not filter cookies making it a ripe target for hacking attempts?
5.) What are common mistakes made by people when they're learning PHP in conjunction with MySQL? What (if any) questions might I have missed? Any good coding practices I should consider adopting?
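An added example (not part of the original post) of one way to enforce the failed-attempt limit from question 3, so that the short code stops being accepted after a fixed number of wrong guesses and activation falls back to the emailed message. The function names, `MAX_ATTEMPTS`, `CODE_TTL` and the in-memory `$store` array (standing in for a database row) are hypothetical, and the code assumes PHP 7 or later for `random_int()` and scalar type hints rather than the PHP 5.2 mentioned in the post.

```php
<?php
// Added example: all names and limits here are hypothetical.
const CODE_DIGITS  = 3;    // as in the post; more digits lower the per-guess odds
const MAX_ATTEMPTS = 5;    // assumed cap on wrong guesses per account
const CODE_TTL     = 900;  // assumed lifetime of the short code, in seconds

function issue_code(array &$store, string $userId, int $now): string
{
    // CSPRNG, zero-padded so every value in the range is equally likely.
    $max  = (10 ** CODE_DIGITS) - 1;
    $code = str_pad((string) random_int(0, $max), CODE_DIGITS, '0', STR_PAD_LEFT);
    $store[$userId] = [
        'code'     => $code,
        'expires'  => $now + CODE_TTL,
        'failures' => 0,
        'active'   => false,
    ];
    return $code; // the value placed in the e-mail subject
}

function try_activate(array &$store, string $userId, string $input, int $now): string
{
    if (!isset($store[$userId])) {
        return 'unknown';
    }
    $row = &$store[$userId];
    if ($row['active']) {
        return 'already-active';
    }
    // Each guess succeeds with probability 1 / 10^CODE_DIGITS whether or not
    // the code was regenerated, so the cap limits total guesses and is final.
    if ($row['failures'] >= MAX_ATTEMPTS || $now > $row['expires']) {
        return 'locked'; // only the full e-mail activation path remains
    }
    if (hash_equals($row['code'], $input)) { // constant-time comparison
        $row['active'] = true;
        return 'activated';
    }
    $row['failures']++;
    return 'wrong';
}

// Constructed demo: five wrong guesses, then the correct code is refused.
$store = [];
$code  = issue_code($store, 'user-1', 1000);
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    echo try_activate($store, 'user-1', 'xxx', 1001), "\n";
}
echo try_activate($store, 'user-1', $code, 1002), "\n";
```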