thoughts

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

thoughts

Post by kipp »

I am designing a site with some dynamic pages which interact with a MySQL database. The site will allow users to log in and view certain pages which will pull content from the database. The users will have the ability to modify basically only their username and password. I have created a lot of functionality for the one admin account to use. I have put in place (int) etc. to force types where needed and have included mysql_real_escape_string(trim($_POST['some_variable'])) on all variables prior to being placed inside the database. Is there anything else I should be concerned with? Thanks for any thoughts.
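The escape-then-interpolate pattern the post describes, beside its prepared-statement form, as an added example that is not code from the thread. The `users(id, username, password_hash)` table, the `connect()` helper and the DSN are assumptions; `mysqli` stands in for the `mysql_*` extension, which was deprecated in PHP 5.5 and removed in PHP 7.0.

```php
<?php
// Added example, not from the original post. Assumes a MySQL table
// `users(id, username, password_hash)`; table and column names are hypothetical.
declare(strict_types=1);

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        // Throw on errors instead of silently returning false.
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepared statements, not client-side emulation.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// The approach described in the post: escape, then interpolate into the SQL.
// It is only safe if every value is quoted AND the escaping function knows the
// connection charset (set it with $db->set_charset()). Dropping the quotes
// around $safe, or around an escaped numeric value, reopens the injection.
function findUserEscaped(mysqli $db, string $username): ?array
{
    $safe = $db->real_escape_string(trim($username));
    $row  = $db->query("SELECT id, username FROM users WHERE username = '$safe'")->fetch_assoc();
    return $row ?: null;
}

// Hardened form: the parameter travels separately from the statement, so the
// value cannot change the query structure whatever characters it contains.
function findUser(PDO $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = :u');
    $stmt->execute([':u' => trim($username)]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Integers: the (int) cast from the post is still worthwhile as validation,
// but bind the value with an explicit type rather than interpolating it.
function findUserById(PDO $db, $id): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// A user changing their own password: hash it (never store plaintext) and scope
// the UPDATE to the id held in the session, not one taken from the request.
function changePassword(PDO $db, int $sessionUserId, string $newPassword): bool
{
    $hash = password_hash($newPassword, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
    $stmt->bindValue(':h', $hash, PDO::PARAM_STR);
    $stmt->bindValue(':id', $sessionUserId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount() === 1;
}

// Usage (DSN and credentials are placeholders):
// $db = connect('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app', 'secret');
// $user = findUser($db, $_POST['username'] ?? '');
```

Two things the bound-parameter form gives you that the escaping form does not: the charset of the connection no longer matters to the safety of the query, and there is no quoting step to forget. Note that both forms protect only the SQL context; the same username is still raw text when it is echoed back into a page.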
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: thoughts

Post by kaisellgren »

Maybe XSS?

And how do users log in? What about session-related security issues such as fixation, poisoning, forging, hijacking?

Impossible to say whether you are secure or not, because all we have got is some text describing what you have done (or have tried to do). If you give us some piece of your script we could examine it.
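The XSS point raised above, as an added example that is not code from the thread: a username that is perfectly safe to store with bound parameters still executes script when it is echoed back unescaped. The username, the markup and the helper names `h()` and `js()` are constructed for the example.

```php
<?php
// Added example, not from the thread. Shows why escaping for SQL does nothing
// for HTML: a username stored safely still runs script when echoed unescaped.
// The username and markup below are constructed.
declare(strict_types=1);

// Tell the browser the charset; htmlspecialchars() is only correct when the
// page is decoded with the same charset it was escaped for.
header('Content-Type: text/html; charset=UTF-8');

// Escape for HTML text content and for double- or single-quoted attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Escape for an inline <script> context: emit a JSON literal with every
// character that could close the element or break out of a string hex-encoded.
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed "stored" username: harmless to MySQL once bound as a parameter,
// hostile as HTML.
$username = '<img src=x onerror="alert(document.cookie)">';

// Vulnerable: interpolated as-is, so the browser executes the onerror handler.
// (Built here for comparison only; never sent to the client.)
$vulnerable = "<p>Welcome back, $username</p>";

// Hardened: every interpolation goes through the escaper for its context.
$safeText = '<p>Welcome back, ' . h($username) . '</p>';
$safeAttr = '<input type="text" name="username" value="' . h($username) . '">';
$safeJs   = '<script>var user = ' . js($username) . ';</script>';

echo $safeText, "\n", $safeAttr, "\n", $safeJs, "\n";

// An (int) cast makes a value safe in HTML as well, but only for integers;
// anything that round-tripped through the database as a string needs h().
```

The escaper is chosen by where the value lands (text, attribute, script), not by where it came from; a value that is "trusted" because it came out of your own database is still attacker-supplied if a user typed it in.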
kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Re: thoughts

Post by kipp »

Can you point me in the right direction to perfect the areas listed in your response? Thanks.
kipp
Forum Commoner
Posts: 27
Joined: Fri Jan 09, 2009 1:25 pm

Re: thoughts

Post by kipp »

As for sessions, along with two other needed session variables I am passing a third variable which includes an encoded version of the HTTP_USER_AGENT. Other than that, I am at a loss as to where to go next.
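The session issues kaisellgren lists (fixation, hijacking, forging) together with the User-Agent binding kipp describes, as an added example that is not code from the thread. The function names, the idle timeout and the user id `42` are assumptions; it assumes the password has already been checked with `password_verify()` before `loginUser()` is called.

```php
<?php
// Added example, not from the thread. Login, per-request validation, CSRF
// token and logout for a PHP session, including a User-Agent binding of the
// kind the post describes. Names and the timeout are assumptions.
declare(strict_types=1);

const SESSION_IDLE_SECONDS = 30 * 60;

function startSecureSession(): void
{
    // Cookie-only ids defeat URL-based fixation; strict mode refuses ids the
    // server never issued; HttpOnly keeps script away from the cookie and
    // Secure keeps it off plaintext HTTP.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

function userAgentFingerprint(): string
{
    // Store a hash, not the raw attacker-controlled header. Limitation: anyone
    // who stole the cookie can usually see or copy the victim's User-Agent as
    // well, so this raises the bar only slightly; the cookie flags, the id
    // regeneration and the idle timeout are the real defences.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function loginUser(int $userId): void
{
    // Discard whatever id the client arrived with: this is the fixation defence.
    session_regenerate_id(true);
    $_SESSION = [
        'user_id'     => $userId,
        'ua'          => userAgentFingerprint(),
        'last_active' => time(),
    ];
}

// Returns the logged-in user id, or null after destroying an invalid session.
function currentUserId(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['ua'], $_SESSION['last_active'])) {
        return null;
    }
    $expired   = time() - $_SESSION['last_active'] > SESSION_IDLE_SECONDS;
    $uaChanged = !hash_equals($_SESSION['ua'], userAgentFingerprint());
    if ($expired || $uaChanged) {
        logoutUser();
        return null;
    }
    $_SESSION['last_active'] = time();
    return (int) $_SESSION['user_id'];
}

// Anti-forgery token for state-changing forms (username/password changes).
function csrfToken(): string
{
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function checkCsrfToken(?string $submitted): bool
{
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage (constructed): after password_verify() succeeded for user 42.
startSecureSession();
loginUser(42);
$token = csrfToken();                 // embed as a hidden field in the form
var_dump(currentUserId());            // int(42) while the UA and idle timeout hold
var_dump(checkCsrfToken($token));     // bool(true) for the token just issued
```

Every form that changes the account (the username and password edits the site allows) should carry the token from `csrfToken()` and be rejected unless `checkCsrfToken()` passes, and the `user_id` stored at login is the only id the update query should ever trust.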