Okay, making my very first real site, and so far things are actually going quite well considering I have never used .css, .php, or mysql before and the site is extensively using all three.

My attention at this stage is to just get things working, but I fear this means I am probably programming in all sorts of security flaws. I would like to at least program with future security measures in mind if not program securely right away.

So, onto the specific questions:

1) I have some admin functions needed for non-programmers on the project to supply/edit/maintain data. This means I have to have some code somewhere with the rights to delete and edit. I have that code right now all self contained in the /admin/ folder and that folder is protected with an .htaccess file. I really don't even know what this MEANS. My hosting site is using cPanel and I used their password protect a folder option which made an .htaccess file. Is this reasonably secure? I know there are no absolutes in security. Contained in that folder are .php files that contain mysql usernames and passwords that can delete/edit rows.

2) What is a good way to pass variables? As a total newbie, using a form with post/get and putting the ?varname=value in the url are about all I know. Any good reading material to get me up to speed? I only really use these in dangerous situations when in the admin folder above.

3) Speaking of dangers, I am somewhat aware of the existance of SQL insertion attacks and use addslashes() on any variable that I use coming from a form or the url itself. Is this reasonable security as well? The login/password used outside of the admin folder only has rights to do select anyway.

4) How secure is my sourcecode? PHP is neat since in theory nobody ever sees my source code.... but is that true? How safe is the information I put inside those php tags?

5) I have put an index.php in every folder that re-directs back to the homepage (if it didn't already have an index for other reasons). Is that adequate security for keeping people from hopping around inside my sitenav and maybe finding something harmful.


Sorry that got so long, as you can see I have implemented SOME security measures as I come across them in tutorials and such, but other ones I read about are beyond the scope of my present skills to understand so they have not been implemented. Does my site sound reasonably secure or am I just wating to get nuked once I put the word out?