thoughts
I am designing a site with some dynamic pages which interact with a mysql database. The site will allow users to login and view certain pages which will pull content from the database. The users will have the ability to modify basically only their username and password. I have created a lot of functionality for the one admin account to use. I have put in place (int) etc to force types where needed and have included mysql_real_escape_string(trim($_POST['some_variable'])) on all variables prior to being placed inside the database. Is there anything else I should be concerned with? Thanks for any thoughts.
- kaisellgren
- DevNet Resident
- Posts: 1675
- Joined: Sat Jan 07, 2006 5:52 am
- Location: Lahti, Finland.
Re: thoughts
Maybe XSS?
And how users log in? What about Session related security issues such as fixation, poisoning, forging, hijacking?
Impossible to say whether you are secure or not, because all we have got is some text describing what you have done (or you have tried to do). If you give us some piece of your script we could examine it.
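As an added illustration of the two points raised so far (the escaping described in the question and the XSS remark in this reply), the following PHP is example code written for this thread, not code posted by anyone in it. It assumes a `users` table with `id` (INT) and `username` columns and uses the mysqli extension, since the `mysql_*` functions the question refers to were removed in PHP 7; the escaping logic is the same. It shows the escape-plus-cast style next to a prepared statement, and why the database escaping does nothing for HTML output.

```php
<?php
// Example code for this thread (not the poster's script). Assumes a mysqli
// connection to a database with table `users` (id INT, username VARCHAR).

function connect(string $host, string $user, string $pass, string $name): mysqli
{
    $db = new mysqli($host, $user, $pass, $name);
    // real_escape_string() is only correct if the library knows the
    // connection charset, so set it through the API rather than with a
    // raw "SET NAMES" query that the client library does not see.
    $db->set_charset('utf8mb4');
    return $db;
}

// Style 1: escape strings, cast integers, as the question describes.
// Each value must land in the context it was prepared for: the escaped
// string inside single quotes, the cast integer bare. An escaped string
// dropped into an unquoted position (ORDER BY, LIMIT, a column name) is
// not protected by the escaping at all.
function updateUsernameEscaped(mysqli $db, int $userId, string $newName): bool
{
    $id   = (int) $userId;                           // numeric context
    $name = $db->real_escape_string(trim($newName)); // quoted string context
    $sql  = "UPDATE users SET username = '$name' WHERE id = $id";
    return $db->query($sql) === true;
}

// Style 2: prepared statement. The SQL text is fixed and the values travel
// separately, so there is no per-call-site escaping decision to get wrong.
function updateUsernamePrepared(mysqli $db, int $userId, string $newName): bool
{
    $stmt = $db->prepare('UPDATE users SET username = ? WHERE id = ?');
    $stmt->bind_param('si', $newName, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Output side: what was escaped for MySQL on the way in is plain text on
// the way out. Rendering it into HTML needs HTML escaping, which is the
// XSS point. A username of <script>...</script> stored safely via either
// function above still executes in the browser if echoed raw.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderGreeting(string $username): string
{
    return '<p>Welcome, ' . h($username) . '</p>';
}
```

The habit this encodes is escape-for-the-destination: the SQL escaping (or binding) protects the query, and `h()` protects the page; neither substitutes for the other.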
Re: thoughts
Can you point me in the right direction to perfect the areas listed in your response? Thanks.
Re: thoughts
As for sessions, along with two other needed session variables I am passing a 3rd variable which includes an encoded version of the HTTP_USER_AGENT; other than that, I am at a loss as to where to go next.
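For the session questions raised earlier in the thread (fixation, hijacking) and the user-agent variable described in this post, here is an added PHP example written for this thread, not the poster's code. It assumes PHP 7.3 or later for the array form of `session_set_cookie_params()`, and a hypothetical `authenticate($username, $password)` that returns a user id or `null` (not on the page). It regenerates the session id at login so that an id known before authentication is useless, pins the session to a hash of the user agent as the post describes, and enforces an inactivity timeout.

```php
<?php
// Example code for this thread (not the poster's script).
// Requires PHP >= 7.3 (array argument to session_set_cookie_params).
declare(strict_types=1);

const SESSION_TIMEOUT = 1800; // seconds of inactivity before forced logout

function startSecureSession(): void
{
    // Ids are accepted only from the cookie, never from a URL parameter,
    // and strict mode rejects ids the server did not issue. Together these
    // close the usual fixation route (attacker hands the victim an id).
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,   // only over TLS
        'httponly' => true,   // not readable by script, limits XSS impact
        'samesite' => 'Lax',
    ]);
    session_start();
}

function fingerprint(): string
{
    // Store a hash rather than the raw header so the session never holds
    // attacker-controlled text. This is a weak check on its own (the client
    // picks the header) and only supplements regeneration and the timeout.
    return hash('sha256', $_SERVER['HTTP_USER_AGENT'] ?? '');
}

function loginUser(int $userId): void
{
    // Replace the pre-login id; the old one is deleted, not just abandoned.
    session_regenerate_id(true);
    $_SESSION['user_id']     = $userId;
    $_SESSION['fingerprint'] = fingerprint();
    $_SESSION['last_seen']   = time();
}

function currentUser(): ?int
{
    if (!isset($_SESSION['user_id'], $_SESSION['fingerprint'], $_SESSION['last_seen'])) {
        return null;
    }
    $stale    = (time() - $_SESSION['last_seen']) > SESSION_TIMEOUT;
    $mismatch = !hash_equals($_SESSION['fingerprint'], fingerprint());
    if ($stale || $mismatch) {
        logoutUser();
        return null;
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Usage in a login handler (authenticate() is the assumed function):
// startSecureSession();
// $id = authenticate($_POST['username'] ?? '', $_POST['password'] ?? '');
// if ($id !== null) {
//     loginUser($id);
// }
```

The user-agent hash is the post's own idea kept in place; the parts that carry the real weight are `session_regenerate_id(true)` at the privilege change and the cookie flags, because a stolen or pre-set id is what fixation and hijacking both depend on.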